Must cases be unfounded to qualify as SLAPPs? What unfoundedness means for GDPR-based SLAPPs

 

 

Léna Perczel, Legal Officer, Political Freedoms Program, Hungarian Civil Liberties Union

 

Photo credit: Dirk Beyer, via Wikimedia commons

 

Countering SLAPPs (Strategic Lawsuits Against Public Participation) has been at the forefront of political, legal and academic discourse over the past two years. The most significant legislative development has been the European Union’s Anti-SLAPP Directive (Directive), backed by a soft law instrument, the Council of Europe’s Anti-SLAPP Recommendation (CoE Recommendation).

But what exactly qualifies as a SLAPP? The Directive, which is limited to cases with cross-border elements, defines the term and treats unfoundedness as a key criterion. In contrast, the CoE Recommendation treats it as just one of several indicators for identifying such lawsuits. While both instruments acknowledge it as a factor, Hungary’s example for General Data Protection Regulation (GDPR) based SLAPP cases suggest it is not necessarily a defining feature. 

In this blog post, I aim to explore—through the lens of this Hungarian case group—whether assessing the SLAPP nature of a case based on unfoundedness could render legal efforts to combat SLAPPs ultimately ineffective. This issue is particularly pressing in Hungary, especially in cases where the press is required to comply with GDPR obligations—yet no benchmark has been established by the European Court of Human Rights (ECtHR, the Court) to date.

 

The GDPR’s burden on the press in Hungary

 

The SLAPP phenomenon gained attention in Hungary when individuals with economic power repeatedly attempted to erase their names and wealth from the media, invoking rights enshrined in the GDPR. This conduct demonstrated that the GDPR can become a powerful tool for SLAPPs when interpreted in a strictly formal manner. By placing the responsibility on data controllers, the GDPR established a rigid procedural framework, obliging them to comply with extensive administrative safeguards. The press becomes a data controller simply by gathering and storing someone’s name, even without publishing it. As a result, a journalist must begin preparing extensive documentation from the moment they start investigating an individual. Unlike commonly used legal remedies against the press, such as press rectification procedures or defamation claims, violations of the GDPR can stand regardless of whether the article is false or reputationally harmful, thus regardless of the journalist’s ethical conduct. Adhering to such duties makes reporting on public matters increasingly difficult. In fact, beyond the administrative burden itself, informing data subjects about articles in preparation can entirely undermine investigative journalism. Data subjects may resort to dismissing evidence or objecting to the data processing, effectively blocking the publication of articles. 

Despite Article 85  of the GDPR, the Hungarian government has not reconciled the GDPR with the freedom of the press, which could have led to exemptions from certain GDPR obligations (such as the strict notification obligations imposed on data controllers, explained below). This lack of reconciliation has created a constitutional loophole: a legal grey zone that reflects the state's failure to fulfil its positive obligation to protect the press. In the absence of clear legal provisions, and due to this unresolved tension, the responsibility has fallen on those applying the law to balance the competing rights of freedom of expression and data protection. 

The Hungarian National Authority for Data Protection and Freedom of Information (DPA) was the first forum in Hungary to detail these obligations, requiring data controllers to inform each data subject preliminarily, proactively, and individually about the data being processed and its legal basis—recognizing only legitimate interest under Article 6(f) of the GDPR as a valid ground for processing. This was despite Forbes’ argument that publishing on public matters falls within the constitutional duty of the press, thus the ground for processing should be public interest (Article 6(e) of the GDPR). This means that journalists, whose work consists primarily of processing personal data, must notify each data subject in advance while conducting their reporting, including during initial research. Compliance is required regardless of whether the data subject has initiated any procedure, making this an even more effective SLAPP tool. In its decision, the DPA entirely failed to consider how such a disproportionate workload could stifle the press. Had public interest been accepted as a legal basis for processing, these notification obligations would not have been imposed on journalists.

 

The manifestation of GDPR-based SLAPPs through legal proceedings against Forbes

 

In 2019, the owners of a Hungarian energy drink company—a family business that gained prominence partly through public funding—initiated proceedings after Forbes included them in its annual wealth rankings. Their inclusion prompted GDPR-based claims.

First, they argued that the press lacked a legal basis for publishing their personal data, and that the data processing therefore constituted a violation of their rights (primary claims). Second, they contended that even if legitimate interest were accepted as the legal basis, the press had failed to meet its procedural obligations—such as informing the data subjects about the legitimate interest assessment (ancillary claims).

Both GDPR-based claims proceeded in parallel before the civil court and the DPA. Initiating multiple proceedings simultaneously by the same claimant is a typical characteristic of SLAPPs, intended to increase pressure on the target. 

In this blog post, I will focus on the DPA case. However, it is important to illustrate the SLAPP nature of these proceedings by noting that, in the civil case, the claimants requested a preliminary injunction—which the court granted (The Metropolitan Court ordered the interim measure in its decision no. 25.Pk.23.297/2019/17-I. The Appellate Court and the Supreme Court upheld the decision in their decisions 2.Pkf.25.030/2020/2. and Pfv.IV.20.395/2020/4 respectively. The decision of the Supreme Court is currently before the EctHR).

As a result, until the court ruled on the merits of the case whether Forbes had a legal basis for processing the data, the magazine was prohibited from publishing any information about the family members—amounting to de facto censorship for more than four years (The interim measure was repealed by the first-instance court’s non-final decision, decision no. 25.P.21.067/2023/21).

It was in the DPA procedure initiated by this claimant that the authority first established a formal interpretation of the GDPR, as explained above. Although the DPA’s decision was challenged in the administrative courts—emphasizing the claimants’ economic position and the press’s constitutional duty—the Supreme Court, while acknowledging that “it is of particular importance to inform the public about the use of public funds for the development of private enterprises,” and that such reporting falls under the press’s watchdog role, nevertheless found no grounds for exempting the press. It affirmed that the press is required to fulfill notification obligations when relying on legitimate interest as a legal basis for data processing.

 

The definitions’ cornerstone: unfoundedness

 

Effectively countering SLAPPs requires clear definitions. This section examines those offered by the Directive and the CoE Recommendation, which both include unfoundedness. Unfoundedness has been central to debates over the Directive’s initial draft. Many still argue that it imposes an unnecessary limitation on what constitutes a SLAPP, potentially hindering the effectiveness of action.

The CoE Recommendation describes unfoundedness as one of several indicators that could help in recognizing SLAPPs, allowing a broader margin of appreciation for legal interpreters. In contrast, the Directive’s scope is limited to unfounded claims.

According to its title, the Directive operates within a dichotomy, providing safeguards against (a) manifestly unfounded claims or (b) abusive court proceedings. While it does not define “manifestly unfounded” or “unfounded”, it expands the definition of “abusive court proceedings against public participation.”

According to the definition, “‘abusive court proceedings against public participation’ mean court proceedings which are not brought to genuinely assert or exercise a right, but have as their main purpose the prevention, restriction or penalisation of public participation, frequently exploiting an imbalance of power between the parties, and which pursue unfounded claims”. Although the title and scope of the Directive suggests (a) and (b) as alternating categories (as indicated by the conjunction “or”), the definition of abusive court proceedings introduces “and,” requiring unfoundedness as part of both categories. This raises the question of whether the two are truly alternatives. (Note: most interpretations suggest that (a) and (b) are indeed alternatives, however, that contradicts the grammatical interpretation.)

One understanding could be that the Directive places “manifestly unfounded” claims and “abusive court proceedings” on a spectrum—with “manifestly unfounded”, as ab ovo unfounded at one end and “abusive” cases, potentially less clearly unfounded, further along that continuum. However, this interpretation creates additional uncertainty for courts in determining where to position a given case on that spectrum.

An interpretation aligned with paragraph 29 of the Directive’s preamble—which provides context for its operative definitions—suggests that only proceedings that are either fully or partially unfounded can be classified as abusive. If this is accepted, the Directive effectively collapses its own dichotomy, making unfoundedness the sole defining element and rendering the distinction between the two categories functionally meaningless. 

This distinction becomes most relevant when determining the appropriate safeguards. Defendants facing manifestly unfounded claims benefit from an early dismissal mechanism, whereas those facing abusive court proceedings—though still partially unfounded—must endure the full process and may only seek reparation after proceedings conclude. The legal uncertainty leaves the court’s decisions subject to accusations of cherry-picking. 

Despite earlier debates over elements of the definition and criticism of the distinction between manifestly unfounded claims and abusive court proceedings in terms of available remedies, this differentiation has persisted, along with the ambiguity surrounding 'unfoundedness.' The lack of a clear definition has left stakeholders in a state of legal uncertainty.

 

Unfoundedness in the context of GDPR-based SLAPPs

 

When examining what unfoundedness means for GDPR-based SLAPPs in Hungary, it is essential to continue distinguishing between the primary claim and the ancillary claims.

As discussed previously, the family members raised two distinct claims: the primary claim, namely the lack of legal basis for processing personal data, and the ancillary claims, concerning the failure to adhere to its procedural obligations.

First, let us examine the primary claim. The family argued that, in the absence of a legal basis, Forbes had no right to publish their personal data. The courts ultimately held that the press had a legitimate interest in reporting on the family members, given their receipt of public funds. However, as the GDPR was a relatively new legal instrument and no relevant precedent existed at the time, the legal question was considered unsettled until a final judgment had been delivered. Consequently, until then, the possibility of classifying such claims as unfounded could not have been seriously contemplated.

And although this decision enabled the press to report on the family in these circumstances, the publication of the family members’ personal data in other contexts will likely continue to be assessed on a case-by-case basis, meaning such claims may not be considered ab ovo (manifestly) unfounded. The case illustrates that unsettled legal questions are inherently difficult to classify as unfounded, allowing SLAPP proceedings to persist and continue imposing a burden on the press.

Second, when examining the ancillary claims, defining "unfoundedness" becomes even more ambiguous. Article 85 of the GDPR states: “Member States shall by law reconcile the right to the protection of personal data pursuant to this Regulation with the right to freedom of expression and information.” From a legal positivist perspective, the absence of implementing legislation under Article 85 of the GDPR has significant consequences. Since no national laws have been adopted to clearly define the boundaries of such reconciliation (for example, by exempting the press from the obligation to preliminarily, individually, and proactively inform data subjects, that is required of other data controllers like big companies), individuals may lawfully invoke GDPR provisions even in ways that restrict journalistic activities or the freedom of the press. As a result, legal claims based on alleged violations of GDPR obligations by the press cannot automatically be deemed unfounded. Therefore, under the Directive’s definition, such claims cannot be classified as SLAPPs.

However, the legal positivist approach is problematic, as it completely disregards context and fundamental rights aspects. From a fundamental rights perspective, it is contrary to freedom of the press to require full compliance with all GDPR-based duties, as it significantly hinders the press’s constitutional role. The lack of reconciliation in Hungary therefore constitutes a constitutional loophole, and exploiting such a loophole should never constitute a well-founded claim: applying the law in a way that contradicts the state’s positive obligations to protect the press and disproportionately hinders its operation is inherently problematic. It also disregards the state’s obligations stemming from the GDPR itself, as it uses mandatory language.

Furthermore, at the European level, the varying degrees of reconciliation between freedom of the press and data protection under Article 85 make it increasingly difficult and uncertain to draw a consistent line around unfoundedness.

 

The European interest

 

While the lawsuits against Forbes will most likely fall outside the Directive’s scope—due to their domestic nature and the fact that the procedure based on the DPA’s decision is administrative—interpreting the Directive’s definition remains relevant, particularly for future cross-border cases that do fall within its scope. Furthermore, the Directive sets only a minimum standard, meaning that national transpositions can expand its scope to include domestic cases, where unfoundedness would still be a determining criterion. Additionally, early-dismissed cases will likely reach the ECtHR, whether brought by the press or the claimant—ultimately forcing the Court to engage with the Directive’s interpretation. The relevance of interpreting the definition of the Directive extends beyond GDPR-based SLAPPs, as other claims that lack precedent or exploit constitutional loopholes can fall outside the scope of the Directive due to the definition. 

As the CoE Recommendation’s scope is not limited to cross-border claims, assessing the current cases from its perspective is highly relevant. In fact, since the ECtHR was established by the Council of Europe, the CoE Recommendation remains an important interpretive source when the Court rules on SLAPP-related cases.

These GDPR-based cases highlighted that the prolonged proceedings and ongoing legal uncertainty drain press resources and have already created a chilling effect. However, within the Directive’s framework, GDPR-based SLAPPs may not even fit the definition of “abusive court proceedings”. Even if they do, it is unlikely they would qualify as “manifestly unfounded,” placing them outside the scope of the early dismissal mechanism. As a result, the Directive might fail to effectively combat SLAPPs, especially the ones emerging in legal grey zones—even when defendants (the press) ultimately win. To put it more bluntly, the narrow definition could completely thwart the objective of the Directive and jeopardize its long-term legitimacy.

While broadening the definition of manifestly unfounded claims carries risks, it is unlikely that the drafters intended early dismissal to apply only in rare cases. The CoE Recommendation’s approach appears to offer a more suitable reference point for identifying SLAPPs. But let us wait and see what the ECtHR has to say. Until then, legal uncertainty continues to shield SLAPPs under the guise of procedural compliance. 

 

Acknowledgements: I would like to sincerely thank Beatrix Vissy and Tivadar Hüttl for their valuable insights and contributions.

Podchasov v. Russia: the European Court of Human Rights emphasizes the importance of encryption

 

 

 

Mattis van ’t Schip & Frederik Zuiderveen Borgesius*

*Both authors work at the iHub and the Institute for Computing and Information Sciences, Radboud University, The Netherlands - mattis.vantschip[at]ru.nl & frederikzb[at]cs.ru.nl

Photo credit: Gzen92, on wikimedia commons 

 

In a judgment from February 2024 in the case Podchasov v. Russia, the European Court of Human Rights emphasised the role of encryption in protecting the right to privacy. The judgment comes at a time where encryption is central to many legal debates across the world. In this blog post, we summarise the main findings of the Court and add some reflections.

Summary

Podchasov, the applicant in the case, is a user of Telegram. Russia listed Telegram as an ‘internet communication organiser’ in 2017. This registration meant that Telegram, according to Russian law, had to store all its communications data for one year, and the contents of communication data for six months. The obligation concerns all electronic communications (e.g., textual, video, sound) received, transmitted, or processed by internet users. Law enforcement authorities could request access to that data, including access to the decryption key in case communications are encrypted (para 6 of the judgment).

Telegram is a messaging app that users often employ because of its end-to-end encrypted messaging. For instance, Telegram is an important communication channel for Ukrainians to receive updates about the current war. End-to-end encryption means, roughly summarised, that only the sender and the intended recipient can access the content of the encrypted data, in this case Telegram messages.

In July 2017, the Russian Federal Security Service (FSB) required Telegram to disclose data that would allow the FSB to decrypt messages of suspects of ‘terrorism-related’ activities (para 7 of the judgment). Telegram refused. Telegram said that it was impossible to allow the FSB to access encrypted messages without creating a backdoor to their encryption that malicious actors might also use. Because of Telegram’s refusal, a District Court in Moscow ordered the nation-wide blocking of Telegram in Russia. The applicants challenged the disclosure order, but their challenge was dismissed across several Moscow courts. Meanwhile, Telegram remains operational in Russia today. Finally, the applicants lodged their complaint with the European Court of Human Rights. They complained that Russia violated their right to private life in Article 8 of the European Convention on Human Rights (ECHR).

Russia is not a member of the Council of Europe anymore. The Council of Europe stopped Russia’s membership in March 2022, in response to Russia’s invasion of parts of Ukraine. Six months later, on 16 September 2022, Russia ceased to be party to the European Convention on Human Rights. Nevertheless, the Court gives this judgment. The Court says that it has jurisdiction over this case, as the alleged violations occurred before the date that Russia ceased to be a party to the Convention.

The Court quotes several documents that are not directly related to the ECHR, including surveillance case law of the Court of Justice of the European Union, a report on the right to privacy in the digital age by the Office of the United Nations High Commissioner for Human Rights, a statement by Europol and the European Union Agency for Cybersecurity, and an Opinion of the European Data Protection Supervisor (EDPS) and the European Data Protection Board (EDPB).

The surveillance scheme before the European Court of Human Rights resembles earlier Russian surveillance schemes, which the Court held as a violation of providing adequate and sufficient safeguards to protect against indiscriminate breaches of the right to private life in Article 8 ECHR. Earlier holdings thus also apply in the underlying case. Unlike in previous judgments about surveillance in Russia, the Court discusses the role of encryption in protecting the right to private life.

On encryption, the Court holds that the underlying case only concerns the encryption scheme of ‘secret chats’. Telegram offers ‘cloud chats’ by default with ‘custom-built server-client encryption’, but users can also decide to activate ‘secret chats’ which are end-to-end encrypted (para 5 of the judgment). The Court explicitly excludes any considerations of so-called ‘cloud chats’ in the case, as the complaints only concern the ‘secret chats’. The scope of the Court’s holdings is therefore limited to only end-to-end encryption as used for secret chats.

The applicants and several privacy-related civil organisations say that decryption of end-to-end encrypted messages would concern all users of that system, in this case Telegram, as technical experts can never create an encryption backdoor for a specific instance, case, or user. The Russian government did not refute these statements. The Court therefore holds that the Russian authorities interfered with right to private life of Article 8 ECHR. The Court then investigates whether the Russian authorities can justify this violation, for instance because the violation is necessary in a democratic society. The Court analyses encryption in this light.

The Court emphases that encryption contributes to ensuring the enjoyment of the right to private life and other fundamental rights, such as freedom of expression:

[T]he Court observes that international bodies have argued that encryption provides strong technical safeguards against unlawful access to the content of communications and has therefore been widely used as a means of protecting the right to respect for private life and for the privacy of correspondence online. In the digital age, technical solutions for securing and protecting the privacy of electronic communications, including measures for encryption, contribute to ensuring the enjoyment of other fundamental rights, such as freedom of expression (…) (para 76).

The Court adds that encryption is important to secure one’s data and communications:

Encryption, moreover, appears to help citizens and businesses to defend themselves against abuses of information technologies, such as hacking, identity and personal data theft, fraud and the improper disclosure of confidential information. This should be given due consideration when assessing measures which may weaken encryption. (para 76)

The Court observes that legal decryption obligations cannot be specific or limited to certain circumstances: once a messaging provider creates a backdoor, there is a backdoor to all communications on the messaging platform:

Weakening encryption by creating backdoors would apparently make it technically possible to perform routine, general and indiscriminate surveillance of personal electronic communications. Backdoors may also be exploited by criminal networks and would seriously compromise the security of all users’ electronic communications. The Court takes note of the dangers of restricting encryption described by many experts in the field. (par 77)

Based on the above-mentioned arguments, the Court holds that the requirement to decrypt communication messages cannot be ‘regarded as necessary in a democratic society.’ (para 80 of the judgment) The Court concludes that Russia breached the right to private life, protected in article 8 ECHR.

Comments

The Podchasov case follows a long debate about the value of end-to-end encryption in democratic societies globally. As the Court mentions, end-to-end encryption is valuable for privacy as it enables people to communicate in such a way that third parties cannot access the communication. In this context, experts herald end-to-end encryption for its capacity to support, for instance, journalists in performing their work safely, or historically marginalised groups to express themselves freely.

At the same time, some law enforcement agencies consider end-to-end encryption a threat to public safety, as malicious actors can benefit from the privacy provided by secure messaging and similar methods, such as data encryption, too.

For instance, the FBI is in a long battle with Apple over the encryption of iPhones, which several suspects employed to keep their phone information and data private. On each occasion, Apple refused to offer decryption keys or software to the FBI, citing security concerns that can stem from enabling such backdoors.

The battle between security and privacy is, of course, long-standing. Encryption is now central to this debate. The EU Commission recently joined the debate with a proposal for a Child Sexual Abuse Material Regulation (CSAM proposal). Roughly summarised, the proposal would require communication providers (such as Telegram or WhatsApp) to analyse people’s communications to find, block, and report child sexual abuse materials, such as inappropriate pictures. Experts agree that communication providers can only do so if they do not encrypt communications, if they include a type of backdoor, or if they analyse communications on people’s devices before they are encrypted. Experts warn that such on-device analysis can be seen as a kind of backdoor of encrypted communications too. Many civil organisations, technical experts, and academics oppose the CSAM proposal. Opponents of the CSAM proposal can be expected to cite his judgment. 

The European Court of Human Rights is clear about the role of end-to-end encryption for the right to private life. In one paragraph, the Court states that end-to-end encryption is vital to privacy. The Court bases its reasoning partly on an opinion of the European Data Protection Supervisor (EDPS) and the European Data Protection Board (EDPB) which discusses encryption in the context of the above-mentioned CSAM proposal. The Court also refers to responses from civil society organisations, who can present their views to the Court as amici curiae. The Court follows the reasoning of the EDPS, the EDPB, and privacy organisations regarding the conclusion that once encryption is broken, the entire system is no longer secure for its users.

The Court also mentions that encryption is vital to security of users. Consider, for instance, the importance of data protection in the current privacy context. Without adequate data encryption, people cannot be sure that the data they store in, for instance, cloud storage, is accessible to only them. Encryption therefore also helps against hacking, identity fraud, and data theft (para 76 of the judgment).

The Podchasov case is straight-forward: encryption is vital to the protection of the right to privacy. The Court’s clear statements will influence ongoing encryption debates, but the end of the debate is not in sight.

The Dillon Judgment, Disapplication of Statutes and Article 2 of the Northern Ireland Protocol/Windsor Framework

 

 

Anurag Deb, PhD researcher, Queens University Belfast, and Colin Murray, Professor of Law, Newcastle Law School

Photo credit: Aaronward, via Wikicommons media

Extensive provisions of an Act of Parliament have been disapplied by a domestic court in the UK for the first time since Brexit. That is, in itself, a major development, and one which illustrates the power of the continuing connections between the UK and EU legal orders under the Withdrawal Agreement. It is an outcome which took many by surprise, even though we have argued at length that the UK Government has consistently failed to recognise the impact of Article 2 in rights cases. So here is the story of this provision of the Withdrawal Agreement, the first round of the Dillon case, and why understanding it will matter for many strands of the current government’s legislative agenda.

Article 2 of the Windsor Framework, as the UK Government insists on calling the entirety of what was the Northern Ireland Protocol (even though the Windsor Framework did nothing to alter this and many other provisions), is one of the great survivors of this most controversial element of the Brexit deal. Whereas other parts of the Brexit arrangements for Northern Ireland have been repeatedly recast, the wording of this provision has remained remarkably consistent since Theresa May announced her version of the Brexit deal in November 2018 (although it was Article 4 in that uncompleted version of the deal).

The provision was tied up relatively early in the process. Indeed, it suited the UK Government to be able to claim that rights in Northern Ireland were being protected as part of the Withdrawal Agreement, to enable them to avoid claims that Brexit was undermining the Belfast/Good Friday Agreement of 1998. Although the 1998 Agreement makes limited mention of the EU in general, it devotes an entire chapter to rights and equality issues, and EU law would play an increasing role with regard to these issues in the years after 1998.   

The UK Government made great play of explaining, in 2020, that its Article 2 obligations reflected its ‘steadfast commitment to upholding the Belfast (“Good Friday”) Agreement (“the Agreement”) in all its parts’ (para 1). Even as it appeared ready to rip up large portions of the Protocol, in the summer of 2021, the Article 2 commitments continued to be presented as ‘not controversial’ (para 37). It might more accurately have said that these measures were not yet controversial, for no one had yet sought to use this provision to challenge the operation of an Act of Parliament. In a powerful example of Brexit “cake-ism”, the UK Government loudly maintained that Article 2 was sacrosanct only because it had convinced itself that the domestic courts would not be able to make much use of it.

Little over a month ago, the Safeguarding the Union Command Paper all-but sought to write the rights provision out of the Windsor Framework (para 46):

The important starting point is that the Windsor Framework applies only in respect of the trade in goods - the vast majority of public policy is entirely untouched by it. … Article 2 of the Framework does not apply EU law or ECJ jurisdiction, and only applies in the respect of rights set out in the relevant chapter of the Belfast (Good Friday) Agreement and a diminution of those rights which arises as a result of the UK’s withdrawal from the EU.

Article 2 is a complex and detailed provision, by which (read alongside Article 13(3)) the UK commits that the law in Northern Ireland will mirror developments in EU law regarding the six equality directives listed in Annex 1 of the Protocol and, where other aspects of EU law protect aspects of the rights and equality arrangements of the relevant chapter of the 1998 Agreement, that there will be no diminution of such protections as a result of Brexit. But notwithstanding the complexity of these multi-speed provisions, by no construction can it be tenable to suggest that ‘the Windsor Framework applies only in respect of the trade in goods’.

The Dillon judgment marks the point at which the Government’s rhetoric is confronted by the reality of the UK’s Withdrawal Agreement obligations, and the extent to which they are incorporated into domestic law by the UK Parliament’s Withdrawal legislation. The case relates to the controversial Northern Ireland Troubles (Legacy and Reconciliation) Act 2023, heralded by the UK Government as its vehicle for addressing the legal aftermath of the Northern Ireland conflict. This Act, in preventing the operation of civil and criminal justice mechanisms in cases relating to the conflict, providing for an alternate body for addressing these legacy cases (Independent Commission for Reconciliation and Information Recovery) and requiring this body to provide for immunity for those involved in causing harms during the conflict, has provoked widespread concern within and beyond Northern Ireland.

The Act has been the subject of challenges under the Human Rights Act 1998 and an inter-state action against the UK launched before the European Court of Human Rights by Ireland. In the interest of brevity, however, this post will explore only the challenges under the Protocol/Windsor Framework. This is not the first case to invoke Article 2 (see here and here for our analysis of earlier litigation to which the UK Government should have paid more attention), but this remains the most novel element of the litigation, testing the operation of this element of the Withdrawal Agreement. It is also offers the most powerful remedy directly available to those challenging the Act; disapplication of a statute to the extent that it conflicts with those elements of EU law which this provision preserves.

These requirements are explained by the operation of Article 4 of the Withdrawal Agreement, which spells out that elements of the Withdrawal Agreement and the EU law which continues to be operative within the UK as a result of that Agreement will continue to be protected by the same remedies as applicable to breaches of EU law by Member States. Section 7A of the European Union (Withdrawal Act) 2018 reflected this obligation within the UK’s domestic jurisdictions, as accepted by the UK Supreme Court in the Allister case (see here for analysis). For Mr Justice Colton, his task could thus be summarised remarkably easily; ‘any provisions of the 2023 Act which are in breach of the WF [Windsor Framework] should be disapplied’ (para 527). All he had to do, therefore, was assess whether there was a breach.

The rights of victims are a prominent element of the Rights, Safeguards and Equality of Opportunity chapter of the 1998 Agreement. These rights were, in part, given protection within Northern Ireland Law through the operation of the Victims’ Directive prior to Brexit and, insofar as this EU law is being implemented, through the operation of the EU Charter of Fundamental Rights with regard to its terms. The key provision of the Victims’ Directive is the guarantee in Article 11 that applicants must be able to review a decision not to prosecute, a right clearly abridged where immunity from prosecution is provided for under the Legacy Act. The breach of this provision alone was therefore sufficient to require the application of extensive elements of the Legacy Act (sections 7(3), 8, 12, 19, 20, 21, 22, 39, 41, 42(1)) (para 608):

It is correct that article 11(1) and article 11(2) both permit procedural rules to be established by national law. However, the substantive entitlement embedded in article 11 is a matter for implementation only and may not be taken away by domestic law. The Directive pre-supposes the possibility of a prosecution. Any removal of this possibility is incompatible with the Directive.

The UK Government cannot claim to have been blindsided by this conclusion. They explicitly acknowledged the specific significance of the Victims’ Directive for the 1998 Agreement commitments in their 2020 Explainer on Article 2 (para 13). Moreover, in the context of queries over the application of Article 2 to immigration legislation, the UK Government insisted that in making provisions for victims the 1998 Agreement’s ‘drafters had in mind the victims of violence relating to the conflict in Northern Ireland’. Exposed by these very assertions, the Government hoped to browbeat the courts with a vociferous defence of the Legacy Act (going so far as to threaten consequences against Ireland for having the temerity to challenge immunity arrangements which raised such obvious rights issues).

The strange thing about the Dillon case, therefore, is not that the court disapplied swathes of the Legacy Act. This outcome is the direct consequence of the special rights protections that the UK agreed for Northern Ireland as part of the Withdrawal Agreement. The strange thing is that Mr Justice Colton arrived at this position so readily, in the face of such a determined efforts by the UK Government to obscure the extent of the rights obligations to which it had signed up. In the context of the UK’s full membership of the EEC and its successors, it took many years and many missteps to get to Judicial Committee of the House of Lords applying the remedy of disapplication of statutory provisions which were in conflict with EU law (or Community law, as it then was) in Factortame (No. 2). The Northern Ireland High Court was not distracted from recognising that these requirements remain the same within Northern Ireland’s post-Brexit legal framework when it comes to non-diminution of rights as a result of Brexit.

Indeed, the Court could not be so distracted. As we set out above, once Colton J determined that relevant sections of the Legacy Act had breached the Victims’ Directive, the judge had no discretion in the matter of disapplying the offending sections. This marks perhaps one of the strangest revelations to emerge from Brexit. Disapplication of inconsistent domestic law (of whatever provenance) as a remedy extends across much of the Withdrawal Agreement, covering any and every aspect of EU law which the Agreement makes applicable in the UK. This fact – spelled out in the crisp terms of Article 4 of the Withdrawal Agreement – was nowhere to be found in the 1972 Accession Treaty by which the UK became part of the (then) EEC. This is unsurprising, considering that the primacy of Community law over domestic law was then a relatively recent judicial discovery. In the decades since then, however, the principle of EU law primacy and the requirement that inconsistent domestic laws be disapplied have become a firm and irrevocable reality. Small wonder then, that the UK Government accepted it as a price to pay for leaving Brussels’ orbit without jeopardising the 1998 Agreement – no matter how it has since spun the notion of “taking back control”.

Where the government might have its own interests in attempting to obscure the clarity of Article 2 and its attendant consequences, Dillon is by some measure a wake-up call for Westminster. The report of the Joint Committee on Human Rights’ scrutiny of the Bill which became the Legacy Act contained no reference to the Windsor Framework, notwithstanding consistent work by the statutory Human Rights and Equality Commissions in Northern Ireland (the NIHRC and ECNI) to highlight the issue. Dillon marks not only some of the most extensive disapplication of primary legislation ever enacted by Parliament, but also the first such outcome after Brexit. But Dillon is only the beginning. It will be followed in the weeks to come by a challenge to the Illegal Migration Act 2023 by the NIHRC, where there are clear arguments that relevant EU law has been neglected. The Government, and Westminster in general, have not woken up to the legal realities of the Brexit deal. Dillon makes clear that Parliament needs to pay far greater attention to the Windsor Framework; not as a legal curio that only occasionally escapes its provincial relevance, but as a powerful source of law which impacts law-making and laws which are intended to apply on a UK-wide basis.

  

Judicial control over alleged breaches of fundamental rights in the implementation of Eulex Kosovo and Advocate General’s Ćapeta's Opinion in Joined Cases C-29/22 P and C-44/22 P

 

Antje Kunst*

Photo credit: Sharon Hahn Darlin, via Wikimedia Commons

Advocate General (‘AG’) Ćapeta delivered her Opinion in Joined Cases C‑29/22 P and C‑44/22, KS and KD, on 23 November 2023. She proposed that individuals may bring an action for damages against the EU before the EU Courts based on alleged breaches of fundamental rights in the implementation of an EU Common Security and Defence Policy (‘CSDP’) mission, Eulex Kosovo, and, related to the investigations that were carried out, during that mission, into the disappearance and killing of the applicants’ family members in 1999 in Pristina (Kosovo).

Introduction

In this case before the Grand Chamber, the main question is to what extent there is a limitation on the jurisdiction of the EU Courts in the Common Foreign and Security Policy (‘CFSP’), which includes CSDP missions, provided for by provisions of the EU treaties, and whether the Court of Justice of the European Union (CJEU) has jurisdiction to hear actions for damages allegedly caused by breaches of fundamental rights committed in the implementation of the Eulex Kosovo. This was a novel question before the Court.

The case concerns two individuals, KS and KD, who lost their direct family members in 1999 in the aftermath of the Kosovo conflict. Their murders and disappearances remain unsolved. In 2008, Eulex Kosovo was established as a CSDP mission, and one of its tasks was inter alia to investigate such crimes.  

This blog post concludes that in sensitive cases like the case of KS and KD involving an EU body, Eulex Kosovo, which carries out executive functions vis-à-vis individuals, it is imperative that EU Courts do not hide behind the ‘CFSP’ limitations. At stake are the rights of individuals whose family members' disappearances were not adequately investigated by the European Union.

Human Rights Review Panel to review complaints against Eulex Kosovo

The executive mandate of Eulex Kosovo, acting in part like a state, made it necessary to establish a body to review fundamental rights breaches by the mission. A year after Eulex Kosovo became operational, the Council established a Human Rights Review Panel (‘HRRP’) to review complaints of alleged human rights violations committed by Eulex Kosovo in the performance of its executive mandate.  The HRRP’s findings and recommendations were non-binding, and the Panel could not adopt a recommendation of monetary compensation.

Regarding KS, the HRRP determined that Eulex Kosovo had breached her rights under the ECHR by failing to conduct an effective investigation into the disappearance of her husband. Concerning KD, the HRRP concluded that Eulex Kosovo's inquiry into the abduction and killing of her husband and son was inadequate, leading to a violation of her rights under the ECHR.

In both cases, the HRRP made several (non-binding) recommendations to the Head of Mission of Eulex Kosovo. In the follow-up to the implementation of its recommendations, the HRRP essentially declared that the Head of Mission had only in part implemented its recommendations, but nonetheless decided to close the cases.

Decision to establish a review panel lacking the authority to enforce its rulings

Before the EU General Court in Case T-771/20, the case under appeal before the Court of Justice, the applicants contended that their action, brought on account of a breach of fundamental human rights, pertained to matters of a policy or strategic nature. In other words, they were related to defining Eulex Kosovo’s activities, priorities, and resources; as well as to the decision to establish a review panel lacking the authority to enforce its rulings or offer redress for identified breaches.

In the applicants’ view, the breaches of their fundamental rights arose from a lack of prioritisation, or a lack of the necessary resources, or appropriate personnel to enable Eulex Kosovo to carry out its executive mandate and thus fulfil the EU’s legal obligations. The breaches did not arise from malfunctions on the part of Eulex Kosovo, in those particular cases (para. 23 of the Order of the EU General Court in Case T-771/20).

The General Court held that it did not have jurisdiction ‘to review the legality of such acts or omissions, which relate to strategic choices and decisions concerning the mandate of a crisis management mission set up under the CSDP, which is an integral part of the CFSP, nor can it award damages to applicants who claim to have suffered harm as a result of those acts or omissions’ (para. 27 of the Order of the EU General Court).

Effective judicial protection requires review of CFSP decisions

AG Ćapeta in KS and KD, on appeal at the Court of Justice, observed that the inclusion of the CFSP in the EU constitutional framework means that the basic principles of the EU legal order apply to all activities of the EU undertaken within that policy, including in the area of the CFSP. The rule of law in the EU legal order required that the EU Courts ensure the lawfulness of the actions of EU institutions and bodies when they implement the CFSP (para. 83 of the Opinion).

To ensure the effective judicial protection of individuals who claim that their fundamental rights have been infringed by EU institutions or bodies in the exercise of the CFSP, the EU Courts must, in principle, have jurisdiction to hear such claims (para. 84 of the Opinion).

AG Ćapeta found that the provisions in the EU Treaties excluding the CFSP from the jurisdiction of the EU Courts can and should be interpreted as not applying to actions for damages for the alleged breach of fundamental rights resulting from a CFSP measure (para. 93 of the Opinion).

She considered that the EU Courts must interpret the EU Treaties in conformity with the principle of effective judicial protection. In this respect, she relied on the Opinion of AG Bobek in SatCen v KF, (Case C‑14/19 P, EU:C:2020:220), para. 69): ‘…Article 47 of the Charter does not allow the Court to rewrite the Treaties, but it does require the Court to interpret the existing provisions so that they can achieve their full potential to provide judicial protection to anyone concerned by acts of EU institutions and bodies’ (paras. 100 and 101 of the Opinion).

Judicial review of strategic decisions related to EU international missions

AG Ćapeta noted that there are strategic decisions over which the EU Courts lack jurisdiction. She elaborated on this in greater length in her Opinion in Neves 77 Solutions (delivered on the same day). Specifically, the EU Courts could not evaluate whether the EU should establish a mission in a particular part of the world. However, once a political decision to involve the EU in a specific country or conflict is made, the EU Courts must have the authority to scrutinise whether the implementation of such a decision is designed and executed in a manner that interferes disproportionately with human rights (para. 118 of the Opinion).  

In respect of the broad approach AG Ćapeta took, she clarified that some of those strategic decisions require more deference to the reasons put by the Council or other responsible body. The availability of funding for a particular mission might affect the rights of individuals whose family members’ disappearances were inadequately investigated. She then pointed out that the EU Courts must weigh such considerations against the broader financial and staff capacity of the EU, which manages missions globally and faces decisions on resource allocation. However, in her view, this did not entirely preclude the jurisdiction of EU Courts; instead, questions of deference and the intensity of scrutiny arise after jurisdiction is established (para. 119 of the Opinion).

Political and strategic decisions can never be in breach of fundamental rights

In situations where political or strategic decisions have the potential to violate fundamental rights, according to AG Ćapeta, the EU Courts should have the capacity to consider an individual's complaint. In this respect, the AG pointed out that the EU Courts are likely to show deference to the Council's reasons when assessing whether these decisions constitute a breach of fundamental rights (para. 120 of the Opinion). In light of her reflections, AG Ćapeta found that EU institutions and bodies are always bound by fundamental rights, and the choice to infringe those rights is not an available political or strategic choice, including in the area of the CFSP. There is a limit imposed on political and strategic decisions, as they can never be in breach of fundamental rights (para. 124 of the Opinion).

Comment

The accountability of EU international missions, like CSDP missions, has long been a concern. For the CJEU to decline jurisdiction for an action for damages brought by individuals based on an alleged breach of fundamental rights by the EU on the basis that EU law limits the jurisdiction of the EU Courts is problematic, especially considering this concern of lack of accountability. As a whole therefore, the Opinion of AG Ćapeta is a step in the right direction.

The case of KS and KD was also, previously, before a UK court and it was of the view that it did not have jurisdiction itself, given that in its view, the jurisdiction lay with the EU Court. To leave individuals in these type of cases without a judicial remedy, i.e. a national court and the EU Courts declining jurisdiction, is not acceptable. The essential entitlement to judicial protection for individuals affected by acts of EU institutions and bodies underscores the imperative to assert jurisdiction in these cases, just like the Court did in SatCen v KF.

Especially in sensitive cases like the case of KS and KD involving an EU body, Eulex Kosovo, which performs executive functions vis-à-vis individuals, it is crucial that EU Courts do not hide behind the ‘CFSP’ limitations. At stake are the rights of persons whose family members’ disappearances were not successfully investigated. AG Ćapeta correctly finds that only exceptionally, the constitutional role of the EU Courts can be limited.

EU law should be read as requiring respect for fundamental rights in all EU policies, and that it must be adhered to, and subject to judicial review. To assume jurisdiction in KS and KD-like cases ensures, in the words of AG Ćapeta, that CFSP decisions affecting individuals do not cross ‘red lines’ imposed by fundamental rights.

 

Comments were gratefully received from Prof. Graham Butler who has published an excellent analysis on the Opinion: https://eulawlive.com/op-ed-jurisdiction-of-the-eu-courts-in-the-common-foreign-and-security-policy-reflections-on-the-opinions-of-ag-capeta-in-ks-and-kd-and-neves-77-solutions-by-graham-butler/

 

*Antje Kunst is an international lawyer and a member of Pavocat Chambers advising and representing individuals in a wide range of matters in the field of the EU’s Common Foreign Security Policy (CFSP) and takes instructions from individuals challenging a wide range of decisions including EU employment cases to EU and UN sanctions before the EU courts and international bodies.

She was Counsel for KF before the Court of Justice of the European Union in Case C-14/19 P (SatCen v KF) and worked as a senior lawyer for the UN Mission in Kosovo.

 

Migration in Europe and the Problems of Undercriminalisation

 

By Amanda Spalding, Lecturer in Law, University of Sheffield

Photo credit: Gzen92, via wikicommons media

Introduction

As five million refugees enter Europe having fled Ukraine, Denmark and the UK prepare for off-shore processing of asylum applications and Frontex tells us that in the first half of 2022 irregular entries to the European Union are up 84%, it is difficult to keep up with rapid and ever-changing laws and policies on migration. However, it is important to continue to reflect on the broader legal context that these developments are situated within, especially the human rights framework that will be crucial in providing some level of protection. This protection, though, is far from robust and subject to being increasingly undermined by other trends in the law.

The following blog post summarises some of the main themes of my new book, The Treatment of Immigrants in the European Court of Human Rights.

The Criminalisation of Immigration

The criminalisation of immigration has long been noted by scholars across Europe and beyond. The criminalisation of immigration – sometimes called ‘crimmigration’- refers to the increased entwining overlap of the criminal justice system and the immigration system. This entwining takes multiple different forms including the law. The legal framework surrounding immigration increasingly draws on the criminal law by creating a huge number of immigration offences. This includes the criminalisation of the most basic immigration offences such as irregular entry or stay which is widely criminalised in Europe with varying levels of seriousness (see the Country Profiles by the Global Detention Project). For example, the level of fine for such an offence can be relatively low such as in the Czech Republic and Estonia where maximum fines are below €1,000 whereas in countries such as Austria, Cyprus, Italy and the UK maximum fines exceed €4,000. Most European states, including the UK, Sweden, Norway, the Netherlands, Ireland, Germany, France, Finland and Denmark, set the maximum prison term for these types of crime at between six months to one year. In practice though some states such as Germany and Finland rarely use imprisonment whereas in others such as Bulgaria and the Czech Republic there is evidence of extensive inappropriate use of imprisonment against asylum seekers.

Criminalisation is not confined to migrants themselves but also affects those who facilitate their irregular entry and stay. Article 1(1)(a -b) of the EU Facilitation Directive requires Member States to create appropriate sanctions for those who deliberately assist irregular entry to or stay in a Member State with Article 1(1)(b) requiring the imposition of sanction on anyone who does so for financial gain. The aim of these measures was, at least in part, to tackle organised crime. Article (1)(2) of the Facilitation Directive does allows Member States to provide exceptions for those who provide such assistance for humanitarian reasons but it does not require them to do so. Thus, there are varying standards across Europe as to when the facilitation of entry or stay is a punishable offence with some countries allowing for broad criminalisation including situations of humanitarian assistance. The prosecution of individuals providing help such as Lisbeth Zornig Andersen in Denmark, the criminalisation of rescue where those who aid migrant boats in distress as sea have faced criminal charges and extensive criminalisation of NGO organisations providing asylum and humanitarian assistance have all been incredibly controversial. Many states have also gone further and criminalised other interactions with migrants such as the letting of accommodation to those with irregular status.

Immigration and criminal law have become further entwined by the increased use of immigration measures as a consequence of criminal conviction. Although public security has long been a ground for deportation in many European countries, its use in recent years have become increasingly punitive and severe. Over the last twenty years states such as the UK, Denmark and Germany have all passed laws that make deportation an automatic result of many criminal convictions and the UK and Norway now have separate prisons to hold foreign national prisoners.

There has also been a significant increase in the immigration detention estate across the EU with varying types and uses as explored by Elspeth Guild in her ‘Typology of different types of centres in Europe’ for the European Parliament. There has also been a huge increase in surveillance of migration. The EU has created a ‘plethora of systems’ regarding border control including the EURODAC database which holds migrant fingerprint data, the Visa Information System (VIS) which stores the biometric information on all third country nationals who apply for a visa in the Schengen area and Eurosur which is a surveillance system which uses drones, sensors and satellites to track irregular immigration. The use of fingerprint and other surveillance technology in immigration control in and of itself has connotations with the criminal law but this is further compounded by Europol (European Police Office) and national law enforcement agencies being given access to some of this data.

The Problem of Undercriminalisation

There are thousands of other elements to the criminalisation of immigration trend, not least the rhetoric surrounding migration in many European states, but there is a possibility that focusing too much on criminalisation is actually a bit of red herring. The complex powers and systems in immigration law and policy mean that much of the stigma and severity of the criminal law is being endured by migrants but often without the concurrent procedural safeguards that the criminal law provides. The problem for immigrants may be then conceptualized as a problem of ‘undercriminalisation.’ Ashworth and Zedner offer a clear definition of this practice: “undercriminalisation can be said to occur when the state sets out to provide for the exercise of police power against citizens in alternative (non-criminal) channels which are subject only to lesser protections inadequate to constraining an exercise of power of the nature and magnitude involved… undercriminalisation occurs where the failure to designate a preventative measure as criminal deprives the citizen of what is due to her, in view of the substance of the restrictions on liberty and possible sanctions involved in the ostensibly preventative measure.”

Thus, in a perverse way, immigrants might be better off if the whole system was being criminalised as they’d benefit from far more procedural safeguards and judicial oversight than they do now. It is also possible that this is not simply ‘undercriminalisation’ but the beginnings of a two-tier system in both criminal justice and human rights. The intersection of these two can already been seen in the UK government’s proposed Bill of Rights Bill which seeks to severely limit certain human rights for migrants, particularly foreign national offenders.

The ECtHR and Migration

In order to appreciate the risk of this two-tier system, it is important to understand how the European Court of Human Rights has responded to the increasingly harsh immigration system and where there are significant gaps in protection. For example, the lack of a proper necessity and proportionality test when considering the arbitrariness of immigration detention means it has the lowest level of protection of any form of detention and as Professor Costello put it: has been left “in its own silo.” Likewise the failure of the Court to apply the right to a fair trial contained in Article 6 to immigration decisions has barely been discussed by academics and advocacy organisations despite the fact that this is an incredibly powerful and fundamental right that would serve as a crucial check on state power. The fact that immigration decisions and detention are becoming increasingly bound up with the criminal law means that we should be especially careful to scrutinise the legal approach to such issues, with many criminological and sociological scholars challenging the long-held legal conception of immigration measures as non-punitive.

Finally, it is important to continuous reflect on the fact that the criminalisation phenomenon is part of a wider trend of very harsh immigration regimes in Europe and the two are often related. The criminalisation phenomenon may increase the harshness with which immigrants are dealt with and exacerbate existing issues, but it is not always the root problem in the failure of the Court to protect migrants fully.  As already demonstrated in depth by others such as Professor Costello and Professor Dembour, there are significant issues with how the European Court of Human Rights approaches migrants’ rights and that to truly understand the treatment of immigrants in Europe, the criminalisation of immigration framework may be insufficient. This is a trend that must be subject to rigorous scrutiny. Beyond the clear moral issues with having a two-tier human rights and criminal justice system, the Court’s approach poses other dangers. The general failure of the Court to engage in proper scrutiny of state immigration power and policies means that it may allow racial discrimination to go unchecked. The approach of the Court to immigration matters may also seep into other areas of its case-law and mean a general erosion of rights for everyone, immigrants and citizens.

 

 

 

Data protection, the death penalty and mutual legal assistance in criminal law: Elgizouli v Secretary of State for the Home Department [2020] UKSC 10

Lorna Woods, Professor of Internet Law, University of Essex

Introduction

Elgizouli is the first UK Supreme Court judgment on the Data Protection Act 2018 (DPA).  The headline news is that ‘substantial compliance’ with the requirements set down in the Act is insufficient to make data transfers to third countries lawful. The judgment concerns Part Three, which implements the Law Enforcement Directive (Directive (EU) 2016/680) and focusses on procedural protections, but in terms of approach may have implications for the UK courts’ approach to the DPA and General Data Protection Regulation (GDPR) more generally, especially as it relates to the protection of individual rights found in the European Court of Human Rights (ECHR).

Facts

Eligizouli’s son was implicated in the murder in Syria of UK and UK citizens. As part of its investigations into the group responsible for the murders, the US made a mutual legal assistance (MLA) request to the UK, asking for information to be transferred. Theresa May, as Home Secretary, requested that the information would not be used either directly or indirectly in a prosecution that could lead to the imposition of the death penalty, an assurance the US did not give. Nonetheless, Sajid Javid, a subsequent Home Secretary, agreed to provide the information.

Eligizouli brought an action for judicial review, raising two questions: (1) whether the common law precluded the Secretary of State from exercising his or her powers in this way; and (2) whether such a transfer was lawful under the DPA understood in the light of EU law.  Specifically, the appellant argued that the Home Secretary’s decision was an unlawful breach of:

1)      the first data protection principle in section 35 of the Act;

2)      the second data protection principle in section 36;

3)      the provisions governing international transfers of personal data for law enforcement purposes in sections 73 to 76; and

4)      the special processing restrictions in section 80.

It was further argued that the Home Secretary had paid no regard to the duties imposed on him by the DPA. At first instance, the Divisional Court had held that the Home Secretary had demonstrated “substantial compliance” with the Act and that “special circumstances” could be relied on in relation to the transfer.

Judgment

The Supreme Court (by a majority) found that the common law had not evolved to a point where it recognised a principle prohibiting the provision of MLA that would facilitate the death penalty.  The Court was, however, unanimous in holding that the Home Secretary’s decision was unlawful under the DPA, specifically as regards the conditions under which data can be transferred to another jurisdiction and the leading judgment was given by Lord Kerr (although he was in  the minority on the common law point). Lady Hale’s judgment constitutes, in her words, a ‘short guide to the judgments’ [2].

There was agreement between all parties that Part 3 was in issue – that is, that there would be processing of personal data for a “law enforcement purpose” by a controller which is also a “competent authority” for the purposes of the Part 3 of the DPA.  It was also common ground that the Home Secretary did not expressly consider his duties under the DPA.

The main focus of the judgment was the conditions surrounding the transfer of the data to the US; the relevant provisions are found in ss. 73-76. Specifically, data cannot be transferred unless the three conditions in s 73(1)(a) are met. The first, in s. 73(2), is that “the transfer is necessary for any of the law enforcement purposes”. Section 73(3) contains the second condition. It lists three circumstances in which a transfer may take place:

1)      when it is based on an adequacy decision (simplifying data transfers) as set out in s. 74;

2)      if there is no such adequacy decision, then there are appropriate safeguards in accordance with s. 75; or

3)      if neither (1) nor (2) apply, is based on special circumstances in accordance with s. 76.

The third condition relates to the recipient of the information. 

The Court was agreed that the Home Secretary’s decision was not based on an adequacy decision, nor were there appropriate safeguards in the sense of s. 75. As Lady Hale remarked, “[t]his transfer was not based on an adequacy decision or on there being appropriate safeguards, because there were none” [10]. The issue of whether the decision was lawful would therefore depend on whether special circumstances existed; the Court did not consider whether special circumstances could only be relied on if neither of the other two categories apply. Section 76(1) specifies that special circumstances will apply if the transfer is necessary for one of five listed purposes:

1)      to protect the vital interests of the data subject or another person;

2)      to safeguard the legitimate interests of the data subject;

3)      for the prevention of an immediate and serious threat to the public security of a member State or a third country;

4)      in individual cases for any of the law enforcement purposes, or

5)      in individual cases for a legal purpose.

Section 31 DPA defines the law enforcement purposes. It would seem that s. 76(1)(d) and (e) are relevant here, but they are subject to a further control. Section 76(2) specifies they “do not apply if the controller determines that fundamental rights and freedoms of the data subject override the public interest in the transfer”. Further, according to s 76(3), the transfer must in all cases be documented.

Special circumstances, according to the Court, requires a specific assessment of whether these conditions are satisfied. The Court stated that the purpose of section 73 was to “set out a structured framework for decision-making, with appropriate documentation” [219] and, as the ICO submitted, requires:

 ‘conscious and contemporaneous’ consideration of the statutory tests prior to any transfer taking place. Further, the record-keeping requirement, including the requirement to set out the ‘justification for the transfer’ … cannot sensibly be read as requiring no more than ex post cosideration of whether a transfer was justified [218].

This was lacking here and the fact that the Home Secretary did not have regard to his duties as data controller meant that the special circumstances basis for transfer was not available [158]. Lord Carnwath sugggested here that the decision was based on political expediency rather than strict necessity as required by the statute [227] – Lord Kerr took a similar view.

There was a further question about impact of ‘fundamental rights and freedoms’ in s 76(2) – this per Lady Hale includes right to life in Art 2 ECHR. She argued, albeit obiter dicta, that this points towards an interpretation of s 76(2) so as to preclude a transfer of personal data to facilitate a prosecution which could result in the death penalty [26]. Lord Carnwath states that a failure to consider the point is a further reason that the Home Secretary’s decision cannot stand [228]; Lord Hodge sees the force of this point but as it was not fully argued reserves his position.

Lord Kerr took a different view, arguing that the processing (ie through the transfer of data as part of the MLA) was not lawful and fair – ie did not comply with the data protection principles in s. 34 DPA. He came to this conclusion because he, alone out of the judges, had taken the view that the common law would prevent the Home Secretary from acting in this way.

Comment

On one level the judgment could be seen as narrow; providing protection only through procedural mechanisms, leaving the Home Secretary free to make the same decision again, having directed her mind to the issues. Similarly, in its approach to the common law and the need for incremental development, the court is showing deference to the primacy of the legislature (see paras 170 and 233), especially in the context of the exercise of prerogative powers.  However, in its interpretation of the DPA and more particularly in the way it approached how the provisions should be interpreted, the judgment has a broader significance.  Indeed, its approach is in marked contrast to that of the lower courts, which may now change direction.

The Supreme Court here is emphasising the importance of data controllers actively engaging with the requirements imposed by the DPA; here the concerns stemmed from the fact that the Home Secretary “did not address his mind to the 2018 Act at all” [6]. So it seems that to be able to use any of the gateways in s. 73, consideration must be given to the protections in place, whatever the mechanism used. In terms of both the gateway based on appropriate safeguards and that which requires special circumstances, Lord Carnwath makes an important distinction between a decision which takes factors into account and one which is based on there being appropriate safeguards or special circumstances [219]. This distinction operates to raise the threshold of the standards required. The Supreme Court did not address the question of whether the three gateways operate in a hierarchy; that is each must be considered and discounted before moving on to the next. This would, as the respondents argued, place an additional burden on them.

The Supreme Court also confirmed the approach to understanding ‘necessary’ in s. 76(1) regarding the objectives in relation to which special circumstances may arise, which should be understood in the light of recital 72 to the LED. While the Divisional Court had used recital 72 to try to justify seeing this particular case as not being problematic (the recital gives the example of mass surveillance), The Supreme Court emphasises that any transfer must be ‘strictly necessary’ (rather than ‘necessary’ as in the DPA). Lady Hale referred to the judgment of Warby J in Guriev v Community Safety Development (UK) Ltd ([2016] EWHC 643 (QB)) who said

The test of necessity is a strict one, requiring any interference with the subject’s rights to be proportionate to the gravity of the threat to the public interest” (para 45)

While this may leave questions about the meaning of necessary and proportionality and their relationship to one another (a common question), it is clear that the scope of s. 76 is to be narrowly interpreted – as indeed is the general approach under EU law to derogations – and that the proportionality of the transfer must be considered.

Lady Hale’s obiter views on s 76(2) DPA (which the rest of the Court accepted had force) also indicate that the Supreme Court is taking a strict approach to compliance here.  Her argument accepts that even if a transfer is necessary and proportionate it may still be overridden by the rights of the data subject – as found in a range of instruments, including the ECHR. These rights are not limited to data protection and privacy rights but include any of the rights so protected. Lady Hale expressly identifies the right to life (Art 2 ECHR). This means that the protection awarded is not just procedural but could include an assessment of the substance of the rights. Significantly, she made the point that fundamental rights are protected whatever the person’s nationality or place of residence and, implicitly, that these protections may have an extraterritorial effect. That is, they protect not just the rights of data subjects who remain within the jurisdiction once their data are transferred but possibly also those data subjects who are outside the jurisdiction when their data are transferred by a controller within the jurisdiction.

The judgment is clearly important for the transfer of data under the LED, but the provisions on data transfer in that context bear some similarity to the structure to that of Art 49 GDPR dealing with transfers in specific situations. It is not hard to imagine that a similar analytical methodology could be applied by the British courts if confronted with such a case.

The final question is what impact, if any, might this decision have on the possibility of a data protection adequacy decision for the UK from the EU Commission after Brexit (which would simplify the transfer of data from the EU to the UK). On the one hand, this shows that the administration got things very wrong, which might count against an adequacy decision; conversely, the approach of the Supreme Court might provide reassurance that there is effective oversight of data protection rights by independent courts in the UK. It could then come down to how the Government reacts to the Supreme Court’s judgment.

Photo credit: David Iliff, via Wikicommons