Wednesday, 29 April 2020

Data protection, the death penalty and mutual legal assistance in criminal law: Elgizouli v Secretary of State for the Home Department [2020] UKSC 10






Lorna Woods, Professor of Internet Law, University of Essex

Introduction

Elgizouli is the first UK Supreme Court judgment on the Data Protection Act 2018 (DPA).  The headline news is that ‘substantial compliance’ with the requirements set down in the Act is insufficient to make data transfers to third countries lawful. The judgment concerns Part Three, which implements the Law Enforcement Directive (Directive (EU) 2016/680) and focusses on procedural protections, but in terms of approach may have implications for the UK courts’ approach to the DPA and General Data Protection Regulation (GDPR) more generally, especially as it relates to the protection of individual rights found in the European Court of Human Rights (ECHR).

Facts

Elgizouli’s son was implicated in the murder in Syria of US and UK citizens. As part of its investigations into the group responsible for the murders, the US made a mutual legal assistance (MLA) request to the UK, asking for information to be transferred. Theresa May, as Home Secretary, requested that the information would not be used either directly or indirectly in a prosecution that could lead to the imposition of the death penalty, an assurance the US did not give. Nonetheless, Sajid Javid, a subsequent Home Secretary, agreed to provide the information.

Elgizouli brought an action for judicial review, raising two questions: (1) whether the common law precluded the Secretary of State from exercising his or her powers in this way; and (2) whether such a transfer was lawful under the DPA understood in the light of EU law. Specifically, the appellant argued that the Home Secretary’s decision was an unlawful breach of:

1) the first data protection principle in section 35 of the Act;
2) the second data protection principle in section 36;
3) the provisions governing international transfers of personal data for law enforcement purposes in sections 73 to 76; and
4) the special processing restrictions in section 80.

It was further argued that the Home Secretary had paid no regard to the duties imposed on him by the DPA. At first instance, the Divisional Court had held that the Home Secretary had demonstrated “substantial compliance” with the Act and that “special circumstances” could be relied on in relation to the transfer.

Judgment

The Supreme Court (by a majority) found that the common law had not evolved to a point where it recognised a principle prohibiting the provision of MLA that would facilitate the death penalty. The Court was, however, unanimous in holding that the Home Secretary’s decision was unlawful under the DPA, specifically as regards the conditions under which data can be transferred to another jurisdiction. The leading judgment was given by Lord Kerr (although he was in the minority on the common law point). Lady Hale’s judgment constitutes, in her words, a ‘short guide to the judgments’ [2].

There was agreement between all parties that Part 3 was in issue – that is, that there would be processing of personal data for a “law enforcement purpose” by a controller which is also a “competent authority” for the purposes of Part 3 of the DPA. It was also common ground that the Home Secretary did not expressly consider his duties under the DPA.

The main focus of the judgment was the conditions surrounding the transfer of the data to the US; the relevant provisions are found in ss. 73-76. Specifically, data cannot be transferred unless the three conditions in s 73(1)(a) are met. The first, in s. 73(2), is that “the transfer is necessary for any of the law enforcement purposes”. Section 73(3) contains the second condition. It lists three circumstances in which a transfer may take place:

1) when it is based on an adequacy decision (simplifying data transfers) as set out in s. 74;
2) if there is no such adequacy decision, when there are appropriate safeguards in accordance with s. 75; or
3) if neither (1) nor (2) applies, when it is based on special circumstances in accordance with s. 76.

The third condition relates to the recipient of the information. 

The Court was agreed that the Home Secretary’s decision was not based on an adequacy decision, nor were there appropriate safeguards in the sense of s. 75. As Lady Hale remarked, “[t]his transfer was not based on an adequacy decision or on there being appropriate safeguards, because there were none” [10]. The issue of whether the decision was lawful would therefore depend on whether special circumstances existed; the Court did not consider whether special circumstances could only be relied on if neither of the other two categories apply. Section 76(1) specifies that special circumstances will apply if the transfer is necessary for one of five listed purposes:

1) to protect the vital interests of the data subject or another person;
2) to safeguard the legitimate interests of the data subject;
3) for the prevention of an immediate and serious threat to the public security of a member State or a third country;
4) in individual cases for any of the law enforcement purposes; or
5) in individual cases for a legal purpose.

Section 31 DPA defines the law enforcement purposes. It would seem that s. 76(1)(d) and (e) are relevant here, but they are subject to a further control. Section 76(2) specifies they “do not apply if the controller determines that fundamental rights and freedoms of the data subject override the public interest in the transfer”. Further, according to s 76(3), the transfer must in all cases be documented.

Special circumstances, according to the Court, require a specific assessment of whether these conditions are satisfied. The Court stated that the purpose of section 73 was to “set out a structured framework for decision-making, with appropriate documentation” [219] and, as the ICO submitted, requires:

‘conscious and contemporaneous’ consideration of the statutory tests prior to any transfer taking place. Further, the record-keeping requirement, including the requirement to set out the ‘justification for the transfer’ … cannot sensibly be read as requiring no more than ex post consideration of whether a transfer was justified [218].

This was lacking here and the fact that the Home Secretary did not have regard to his duties as data controller meant that the special circumstances basis for transfer was not available [158]. Lord Carnwath suggested here that the decision was based on political expediency rather than strict necessity as required by the statute [227] – Lord Kerr took a similar view.

There was a further question about the impact of ‘fundamental rights and freedoms’ in s 76(2) – this, per Lady Hale, includes the right to life in Art 2 ECHR. She argued, albeit obiter dicta, that this points towards an interpretation of s 76(2) so as to preclude a transfer of personal data to facilitate a prosecution which could result in the death penalty [26]. Lord Carnwath states that a failure to consider the point is a further reason that the Home Secretary’s decision cannot stand [228]; Lord Hodge sees the force of this point but, as it was not fully argued, reserves his position.

Lord Kerr took a different view, arguing that the processing (ie through the transfer of data as part of the MLA) was not lawful and fair – ie did not comply with the data protection principles in s. 34 DPA. He came to this conclusion because he, alone out of the judges, had taken the view that the common law would prevent the Home Secretary from acting in this way.

Comment

On one level the judgment could be seen as narrow; providing protection only through procedural mechanisms, leaving the Home Secretary free to make the same decision again, having directed her mind to the issues. Similarly, in its approach to the common law and the need for incremental development, the court is showing deference to the primacy of the legislature (see paras 170 and 233), especially in the context of the exercise of prerogative powers.  However, in its interpretation of the DPA and more particularly in the way it approached how the provisions should be interpreted, the judgment has a broader significance.  Indeed, its approach is in marked contrast to that of the lower courts, which may now change direction.

The Supreme Court here is emphasising the importance of data controllers actively engaging with the requirements imposed by the DPA; here the concerns stemmed from the fact that the Home Secretary “did not address his mind to the 2018 Act at all” [6]. So it seems that to be able to use any of the gateways in s. 73, consideration must be given to the protections in place, whatever the mechanism used. In terms of both the gateway based on appropriate safeguards and that which requires special circumstances, Lord Carnwath makes an important distinction between a decision which takes factors into account and one which is based on there being appropriate safeguards or special circumstances [219]. This distinction operates to raise the threshold of the standards required. The Supreme Court did not address the question of whether the three gateways operate in a hierarchy; that is each must be considered and discounted before moving on to the next. This would, as the respondents argued, place an additional burden on them.

The Supreme Court also confirmed the approach to understanding ‘necessary’ in s. 76(1) regarding the objectives in relation to which special circumstances may arise, which should be understood in the light of recital 72 to the LED. While the Divisional Court had used recital 72 to try to justify seeing this particular case as not being problematic (the recital gives the example of mass surveillance), the Supreme Court emphasises that any transfer must be ‘strictly necessary’ (rather than ‘necessary’ as in the DPA). Lady Hale referred to the judgment of Warby J in Guriev v Community Safety Development (UK) Ltd ([2016] EWHC 643 (QB)), who said:

“The test of necessity is a strict one, requiring any interference with the subject’s rights to be proportionate to the gravity of the threat to the public interest” (para 45)

While this may leave questions about the meaning of necessary and proportionality and their relationship to one another (a common question), it is clear that the scope of s. 76 is to be narrowly interpreted – as indeed is the general approach under EU law to derogations – and that the proportionality of the transfer must be considered.

Lady Hale’s obiter views on s 76(2) DPA (which the rest of the Court accepted had force) also indicate that the Supreme Court is taking a strict approach to compliance here.  Her argument accepts that even if a transfer is necessary and proportionate it may still be overridden by the rights of the data subject – as found in a range of instruments, including the ECHR. These rights are not limited to data protection and privacy rights but include any of the rights so protected. Lady Hale expressly identifies the right to life (Art 2 ECHR). This means that the protection awarded is not just procedural but could include an assessment of the substance of the rights. Significantly, she made the point that fundamental rights are protected whatever the person’s nationality or place of residence and, implicitly, that these protections may have an extraterritorial effect. That is, they protect not just the rights of data subjects who remain within the jurisdiction once their data are transferred but possibly also those data subjects who are outside the jurisdiction when their data are transferred by a controller within the jurisdiction.

The judgment is clearly important for the transfer of data under the LED, but the provisions on data transfer in that context bear some similarity in structure to Art 49 GDPR, which deals with transfers in specific situations. It is not hard to imagine that a similar analytical methodology could be applied by the British courts if confronted with such a case.

The final question is what impact, if any, might this decision have on the possibility of a data protection adequacy decision for the UK from the EU Commission after Brexit (which would simplify the transfer of data from the EU to the UK). On the one hand, this shows that the administration got things very wrong, which might count against an adequacy decision; conversely, the approach of the Supreme Court might provide reassurance that there is effective oversight of data protection rights by independent courts in the UK. It could then come down to how the Government reacts to the Supreme Court’s judgment.

Photo credit: David Iliff, via Wikicommons
