Lorna Woods,
Professor of Internet Law, University of Essex
Introduction
Elgizouli is the first UK Supreme Court judgment on the Data Protection Act 2018
(DPA). The headline news is that
‘substantial compliance’ with the requirements set down in the Act is
insufficient to make data transfers to third countries lawful. The judgment
concerns Part Three, which implements the Law
Enforcement Directive (Directive (EU) 2016/680) and focusses on procedural
protections, but in terms of approach may have implications for the UK courts’
approach to the DPA and General Data Protection Regulation (GDPR) more
generally, especially as it relates to the protection of individual rights
found in the European Court of Human Rights (ECHR).
Facts
Elgizouli’s son was implicated
in the murder in Syria of UK and UK citizens. As part of its investigations
into the group responsible for the murders, the US made a mutual legal
assistance (MLA) request to the UK, asking for information to be transferred.
Theresa May, as Home Secretary, requested that the information would not be
used either directly or indirectly in a prosecution that could lead to the
imposition of the death penalty, an assurance the US did not give. Nonetheless,
Sajid Javid, a subsequent Home Secretary, agreed to provide the information.
Elgizouli brought an action for
judicial review, raising two questions: (1) whether the common law precluded
the Secretary of State from exercising his or her powers in this way; and (2)
whether such a transfer was lawful under the DPA understood in the light of EU
law. Specifically, the appellant argued
that the Home Secretary’s decision was an unlawful breach of:
1) the first data protection principle in section 35 of the Act;
2) the second data protection principle in section 36;
3) the provisions governing international transfers of personal data for law enforcement purposes in sections 73 to 76; and
4) the special processing restrictions in section 80.
It was further argued that the
Home Secretary had paid no regard to the duties imposed on him by the DPA. At
first instance, the Divisional Court had held that the Home Secretary had
demonstrated “substantial compliance” with the Act and that “special
circumstances” could be relied on in relation to the transfer.
Judgment
The Supreme Court (by a majority)
found that the common law had not evolved to a point where it recognised a
principle prohibiting the provision of MLA that would facilitate the death
penalty. The Court was, however,
unanimous in holding that the Home Secretary’s decision was unlawful under the
DPA, specifically as regards the conditions under which data can be transferred
to another jurisdiction and the leading judgment was given by Lord Kerr
(although he was in the minority on the
common law point). Lady Hale’s judgment constitutes, in her words, a ‘short
guide to the judgments’ [2].
There was agreement between all
parties that Part 3 was in issue – that is, that there would be processing of
personal data for a “law enforcement purpose” by a controller which is also a
“competent authority” for the purposes of Part 3 of the DPA. It was also common ground that the Home
Secretary did not expressly consider his duties under the DPA.
The main focus of the judgment
was the conditions surrounding the transfer of the data to the US; the relevant
provisions are found in ss. 73-76. Specifically, data cannot be transferred
unless the three conditions in s 73(1)(a) are met. The first, in s. 73(2), is
that “the transfer is necessary for any of the law enforcement purposes”.
Section 73(3) contains the second condition. It lists three circumstances in
which a transfer may take place:
1) when it is based on an adequacy decision (simplifying data transfers) as set out in s. 74;
2) if there is no such adequacy decision, when there are appropriate safeguards in accordance with s. 75; or
3) if neither (1) nor (2) applies, when it is based on special circumstances in accordance with s. 76.
The third condition relates to
the recipient of the information.
The Court was agreed that the
Home Secretary’s decision was not based on an adequacy decision, nor were there
appropriate safeguards in the sense of s. 75. As Lady Hale remarked, “[t]his
transfer was not based on an adequacy decision or on there being appropriate
safeguards, because there were none” [10]. The issue of whether the decision
was lawful would therefore depend on whether special circumstances existed; the
Court did not consider whether special circumstances could only be relied on if
neither of the other two categories apply. Section
76(1) specifies that special circumstances will apply if the transfer is
necessary for one of five listed purposes:
1) to protect the vital interests of the data subject or another person;
2) to safeguard the legitimate interests of the data subject;
3) for the prevention of an immediate and serious threat to the public security of a member State or a third country;
4) in individual cases for any of the law enforcement purposes, or
5) in individual cases for a legal purpose.
Section 31 DPA defines the law
enforcement purposes. It would seem that s. 76(1)(d) and (e) are relevant here,
but they are subject to a further control. Section 76(2) specifies they “do not
apply if the controller determines that fundamental rights and freedoms of the
data subject override the public interest in the transfer”. Further, according
to s 76(3), the transfer must in all cases be documented.
Special circumstances, according
to the Court, requires a specific assessment of whether these conditions are
satisfied. The Court stated that the purpose of section 73 was to “set out a
structured framework for decision-making, with appropriate documentation” [219]
and, as the ICO submitted, requires:
‘conscious and contemporaneous’ consideration
of the statutory tests prior to any transfer taking place. Further, the
record-keeping requirement, including the requirement to set out the
‘justification for the transfer’ … cannot sensibly be read as requiring no more
than ex post consideration of whether a transfer was justified [218].
This was lacking here and the
fact that the Home Secretary did not have regard to his duties as data
controller meant that the special circumstances basis for transfer was not
available [158]. Lord Carnwath suggested here that the decision was based on
political expediency rather than strict necessity as required by the statute
[227] – Lord Kerr took a similar view.
There was a further question about
the impact of ‘fundamental rights and freedoms’ in s 76(2) – this per Lady Hale
includes the right to life in Art 2 ECHR. She argued, albeit obiter dicta, that
this points towards an interpretation of s 76(2) so as to preclude a transfer
of personal data to facilitate a prosecution which could result in the death
penalty [26]. Lord Carnwath states that a failure to consider the point is a
further reason that the Home Secretary’s decision cannot stand [228]; Lord
Hodge sees the force of this point but as it was not fully argued reserves his
position.
Lord Kerr took a different view,
arguing that the processing (ie through the transfer of data as part of the
MLA) was not lawful and fair – ie did not comply with the data protection
principles in s. 34 DPA. He came to this conclusion because he, alone out of
the judges, had taken the view that the common law would prevent the Home
Secretary from acting in this way.
Comment
On one level the judgment could
be seen as narrow; providing protection only through procedural mechanisms,
leaving the Home Secretary free to make the same decision again, having directed
her mind to the issues. Similarly, in its approach to the common law and the
need for incremental development, the court is showing deference to the primacy
of the legislature (see paras 170 and 233), especially in the context of the
exercise of prerogative powers. However,
in its interpretation of the DPA and more particularly in the way it approached
how the provisions should be interpreted, the judgment has a broader
significance. Indeed, its approach is in
marked contrast to that of the lower courts, which may now change direction.
The Supreme Court here is
emphasising the importance of data controllers actively engaging with the
requirements imposed by the DPA; here the concerns stemmed from the fact that
the Home Secretary “did not address his mind to the 2018 Act at all” [6]. So it
seems that to be able to use any of the gateways in s. 73, consideration must
be given to the protections in place, whatever the mechanism used. In terms of
both the gateway based on appropriate safeguards and that which requires
special circumstances, Lord Carnwath makes an important distinction between a
decision which takes factors into account and one which is based on there being
appropriate safeguards or special circumstances [219]. This distinction
operates to raise the threshold of the standards required. The Supreme Court
did not address the question of whether the three gateways operate in a
hierarchy; that is, whether each must be considered and discounted before moving on to
the next. This would, as the respondents argued, place an additional burden on
them.
The Supreme Court also confirmed
the approach to understanding ‘necessary’ in s. 76(1) regarding the objectives
in relation to which special circumstances may arise, which should be
understood in the light of recital 72 to the LED. While the Divisional Court
had used recital 72 to try to justify seeing this particular case as not being
problematic (the recital gives the example of mass surveillance), the Supreme
Court emphasises that any transfer must be ‘strictly necessary’ (rather than
‘necessary’ as in the DPA). Lady Hale referred to the judgment of Warby J in Guriev v Community
Safety Development (UK) Ltd ([2016] EWHC 643 (QB)) who said:
“The test of necessity is a strict one, requiring any interference with the subject’s rights
to be proportionate to the gravity of the threat to the public interest” (para
45)
While this may leave questions
about the meaning of necessary and proportionality and their relationship to
one another (a common question), it is clear that the scope of s. 76 is to be
narrowly interpreted – as indeed is the general approach under EU law to
derogations – and that the proportionality of the transfer must be considered.
Lady Hale’s obiter views on s
76(2) DPA (which the rest of the Court accepted had force) also indicate that
the Supreme Court is taking a strict approach to compliance here. Her argument accepts that even if a transfer
is necessary and proportionate it may still be overridden by the rights of the
data subject – as found in a range of instruments, including the ECHR. These
rights are not limited to data protection and privacy rights but include any of
the rights so protected. Lady Hale expressly identifies the right to life (Art
2 ECHR). This means that the protection awarded is not just procedural but
could include an assessment of the substance of the rights. Significantly, she
made the point that fundamental rights are protected whatever the person’s
nationality or place of residence and, implicitly, that these protections may
have an extraterritorial effect. That is, they protect not just the rights of
data subjects who remain within the jurisdiction once their data are
transferred but possibly also those data subjects who are outside the
jurisdiction when their data are transferred by a controller within the
jurisdiction.
The judgment is clearly important
for the transfer of data under the LED, but the provisions on data transfer in
that context bear some similarity in structure to Art 49 GDPR
dealing with transfers in specific situations. It is not hard to imagine that a
similar analytical methodology could be applied by the British courts if
confronted with such a case.
The final question is what impact,
if any, might this decision have on the possibility of a data protection
adequacy decision for the UK from the EU Commission after Brexit (which would
simplify the transfer of data from the EU to the UK). On the one hand, this
shows that the administration got things very wrong, which might count against
an adequacy decision; conversely, the approach of the Supreme Court might
provide reassurance that there is effective oversight of data protection rights
by independent courts in the UK. It could then come down to how the Government
reacts to the Supreme Court’s judgment.
Photo credit: David Iliff, via Wikicommons