Alert April 10, 2020

UK Home Secretary’s Decision to Transfer Data to U.S. found Unlawful under UK Data Protection Act

The UK Supreme Court held, in the case of Elgizouli v Secretary of State for the Home Department [2020] UKSC 10, that the Home Secretary breached the Data Protection Act 2018 (DPA), the UK data protection legislation which incorporates the requirements of the Law Enforcement Directive (Directive (EU) 2016/680), as it facilitated U.S. authorities in their investigation of two alleged Islamic State executioners without ensuring proper safeguards for the transfer of the accused’s personal data. There are some important messages in this judgment that will be relevant to all mutual legal assistance (MLAT) requests that involve the sharing of personal data.

The two alleged Islamic State executioners, Shafee El Sheikh and Alexanda Kotey, were believed to be part of a group of terrorists operating in Syria responsible for extremely grave offences committed against several U.S. and UK citizens. The U.S. authorities made an MLAT request to the UK authorities in connection with the activities of that group. The Home Secretary agreed to provide the information to the U.S. authorities, which contained personal data relating to the alleged executioners.

The Home Secretary’s decision was challenged by way of judicial review by Shafee El Sheikh’s mother. The claim was dismissed by the Divisional Court. The claim raised two questions: (i) whether it was unlawful to facilitate an investigation which may result in the death penalty (especially given that the Home Secretary did not obtain an assurance that the information provided would not be used to facilitate a prosecution which could result in the death penalty); and (ii) whether it is lawful, under the DPA, for UK authorities to transfer personal data to other law enforcement authorities abroad for use in capital criminal proceedings. When the case reached the UK Supreme Court, whilst the upper Court held that it was not unlawful to facilitate the U.S. investigation, the Court was unanimous in holding that the Home Secretary’s decision was unlawful under the DPA.

According to the DPA, UK authorities may provide personal data to the U.S. authorities for “law enforcement purposes”; however, personal data cannot be transferred unless three conditions are met under the DPA. The Court focused on condition 2, which requires the transfer to be based on an adequacy decision of the European Commission, appropriate safeguards recognised by the DPA or exceptional circumstances. The transfer was not subject to an adequacy decision and no appropriate safeguards were put in place. While the exceptional circumstances might have been available, no assessment had been carried out (which is required under the DPA) and so the Court concluded that the decision was based on political expediency, rather than consideration of strict necessity under the statutory criteria. It was, therefore, held that this condition was not met and as a result this was a breach of the DPA.

The Court made some comments in passing (obiter dicta), which are not binding. In particular, the Court noted that the DPA states that regard must be had to the rights protected by the European Convention on Human Rights – and the fundamental right enshrined therein of the right to life. This right overrides the public interest. The Court held that regard was not given to the right to life because the transfer of personal data may have resulted in the death penalty. One interpretation here is that the transfer would not be allowed if it were to facilitate a prosecution which could result in the death penalty; a matter which the Home Secretary did not obtain assurance of. In addition, one judge commented that the failure to obtain such an assurance meant that the first and second data protection principles – which require processing of personal data to be lawful and fair – were not met. This point, however, was ultimately tied to the fact that this judge, alone, found that it was unlawful to facilitate the investigation which could result in the death penalty, which the other judges did not agree with. Whilst some of these comments were made in passing, the Court’s comments do provide a degree of insight into what considerations may be taken into account in connection with other MLAT requests, particularly where the requests are held to be unlawful.

An important message here is that where MLAT requests are made, even if to assist international matters of interest, the importance behind the MLAT request will not trump the UK (or even EU) data protection requirements in respect of the sharing of personal data. Authorities must, therefore, ensure that any transfers of personal data made in connection with any MLAT request remain strictly necessary and appropriate measures are put in place to safeguard such transfers. Rushing politically driven decisions to share personal data, without ensuring such safeguards are in place, could run the risk of being held unlawful by local courts in the UK and EU.

Authors:
Gretchen Scott, Curtis McCluskey, Luke Nauth

Goodwin’s key privacy team members include Gretchen Scott, Curtis McCluskey, Federica De Santis, Jackie Klosek and Eric DiIulio.

One of the longest-standing of any Am Law 50 firm, Goodwin’s Chambers and Legal 500 ranked, global, Privacy & Cybersecurity team is uniquely positioned to provide the most innovative solutions to guide clients through the collection, use, processing and protection of their most sensitive information. Our senior lawyers include a former Chief Privacy Officer of the U.S. Department of Homeland Security in the Obama Administration and Legal 500 Recommended Lawyer; a Legal 500 “Leading Lawyer”; and a “Next Generation Lawyer” in Cyber Law and Data Breach Response, as well as three other Legal 500 Cyber Law ranked partners; several former federal prosecutors; and multiple GDPR, CCPA, FTC, HIPAA, and COPPA experts. We have handled hundreds of data breaches, including high-profile, global incidents involving everything from ransomware to nation-state attacks; have advised on over 700 public and private transactions in the last year alone; and have designed strategic privacy, information security and compliance programs for startups, global enterprises, and everything in between. We have litigated landmark privacy cases and defended against class action and government enforcement actions brought by the FTC, OCR/HHS, state attorneys general and regulators across the globe.