The protections afforded by the GDPR and the UK’s 2018 Data Protection Act (‘DPA’) are not naturally associated with efforts to frustrate and restrict the use of the death penalty internationally. However, the recent Supreme Court judgment, Elgizouli v. Secretary of State for the Home Department  UKSC 10, exemplifies how data protection law may have far wider effects than one would naturally anticipate. The case concerns the UK Government’s decision to provide mutual legal assistance to the United States in connection with a US investigation into Shafee el Sheikh, the Appellant’s son, suspected of committing various atrocities as an ISIS militant. Some of those offences carried the death penalty. Breaking with its customary protocol, the UK Government transferred material to the US without obtaining assurances that he would not be subject to the death penalty.
The appeal (from the Divisional Court) was brought on two separate grounds. First, that there existed a common law prohibition on the Government providing any mutual legal assistance which risked leading to the use of the death penalty.1 Second, that the UK Government’s decision to provide the information was unlawful under the DPA, specifically Part 3 which relates to the processing of data in the context of law enforcement.
Ultimately the Appellant was unsuccessful on the first ground. The majority view of the Court (Lord Kerr dissenting) was that the common law prohibition had not yet developed to encompass all assistance. However, the Court held unanimously for the Appellant on the second ground, finding that the Home Secretary had failed to meet the required conditions under the DPA, on which any transfer had to be predicated. The decision unequivocally emphasises the significance of the procedural requirements under the DPA, specifically the need for any transfer to be preceded by a conscious and contemporaneous assessment of how the transfer meets each element of the statutory framework. To that extent, it has implications not only for state authorities seeking to transfer data to their international counterparts, but also for private data controllers generally, particularly in the context of investigations.
Background to the Home Secretary’s decision
El Sheikh is accused of membership of a group of British ISIS militants known as ‘the Beatles’, responsible for the brutal murder of a number of western hostages. El Sheikh was a British national, but in 2014 he had been stripped of his citizenship by the UK Government. The US had made an MLA request to the UK, for information and documents to assist its investigation of El Sheikh, as early as June 2015. Initially, the UK Government’s response was clear and unequivocal: no MLA would be provided in the absence of assurances that the US DOJ would not seek to impose the death penalty, and, if it was imposed, would not carry it out. There was nothing unusual about that precondition; it reflected the UK's longstanding approach. At that time no agreement was reached. The request was revisited after El Sheikh had been captured and detained by the Kurds in Northern Syria in January 2018. The ensuing game of diplomatic ping-pong was eventually won by the US Government. The information sought was transferred to the US despite its refusal to provide full death penalty assurances. It is not necessary to detail the UK’s reason for resiling from its customary (and initial) position. Suffice to say that political expediency was central and no express consideration was given to its obligations under the DPA.
The relevant statutory framework
The statutory framework for processing data for law enforcement purposes is set out at Part 3 of the DPA.2 Under section 73 three conditions must be met before a transfer can be made. The satisfaction of Condition 1 (the transfer is necessary for the purposes of law enforcement) and Condition 3 (the intended recipient is a competent authority) were not the focus of the appeal, which was Condition 2. That condition requires the transfer to be based on either: 1) an adequacy decision; 2) there being appropriate safeguards in place; or 3) “special circumstances” being present.3 The level of protection offered by the US has not been assessed as adequate by the European Commission. Accordingly, the appeal rested on whether the Government had either put appropriate safeguards in place or could show that “special circumstances” existed.
Section 75 sets out the preconditions for making a transfer of data on the basis that there are appropriate safeguards. Absent a specific legal instrument setting out the safeguards by which the receiving state is bound, the UK Government must, “assess  all the circumstances surrounding transfers of that type of personal data” (emphasis added) before concluding that appropriate safeguards exist to protect the data. Ultimately, the Court ruled that no such safeguards had been in place. The decision to transfer the data clearly fell foul of the EU’s corresponding Law Enforcement Directive which requires the data controller to take into account that the personal data “will not be used to request, hand down or execute a death”.4
Irrespective of the merits of the issue, the Court found that the Home Secretary had not met the procedural requirements. It accepted the position advanced by counsel for the Information Commissioner’s Office (ICO), that the statutory conditions required “conscious and contemporaneous” consideration before any transfer was made. An ex post facto assessment is not enough. Furthermore, the Home Secretary had failed to document the justification for the transfer (as required by the DPA), including the basis on which appropriate safeguards were considered in place. The judgment stresses that Condition 2 is only satisfied where the decision on transfer is actually based on one of the three stipulated circumstances (i.e. adequacy, appropriate safeguards or special circumstances). Merely taking these matters into account is not enough.
Section 76 sets out what amount to “special circumstances”. They include – as relied upon by the Home Secretary in this case – transfers, in individual cases, which are necessary for any of the law enforcement purposes or for a legal purpose.5 A qualifying ‘legal purpose’ includes prospective legal proceedings relating to law enforcement. However, as apparent from the LED, these provisions must be interpreted restrictively.6
The Court found that the UK Government had failed to satisfy the test either substantively or procedurally. It was apparent that the transfer decision was actually driven by political expediency, rather than a strict necessity under the statutory criteria. Moreover, the same procedural requirements, as mentioned in the context of appropriate safeguards, similarly applied. In truth of course, no assessment had even been performed and consequently no effort to document how the transfer met the statutory requirements was made.
The facts of Elgizouli will prove uncommon if not unique. Furthermore, the Government is unlikely to repeat the same mistakes, even if, in the future, it sought to break again from its customary (and long-standing) position of obtaining full death penalty assurances. However, the judgment underlines the approach to be taken both by the Courts and the ICO as to the significance of the procedural requirements contained within the GDPR and UK domestic legislation. The view that a transfer (and by extension processing generally) will be rendered lawful by an after-the-fact application of the merits has been unequivocally dismissed. That was indeed how the Divisional Court had got it wrong.
However, procedural requirements are not only central to the obligations imposed upon state authorities in the context of law enforcement activities. They are central to the data protection framework more generally, particularly the requirement for transparency7 and importance of record keeping8. For example, the provisions which govern the overseas transfer of data by private data controllers largely mirror the requirements which were scrutinised by the Supreme Court. Article 49 sets out a series of derogations, similar to the “special circumstances” contained in Part 3 of the DPA. Data controllers are required to document their decisions. That can only be achieved if a contemporaneous and conscious assessment has been performed.
Similarly, a central feature of data protection is the test of necessity. Here the facts count. Scrutiny of why any data transfer was necessary will first consider the actual and underlying motivation. A justifiable claim that a transfer was necessary for ‘reasons of public interest’ or ‘the defence of legal claims’ will mean little if those reasons did not in fact drive the decision. As the Supreme Court clarifies, at least in the context of Part 3 of the DPA, there is a distinction between a matter forming the basis of a decision, rather than simply being considered. The judgment therefore serves as a powerful reminder that, in respect of data protection, it’s not where you end up, but how you get there.
In the appeal of R v Elgizouli, David Rundle represented Christof Heyns, an interested party in the Supreme Court case. This article first appeared on Law360.
1 The Appellant argued that this prohibition was no longer restricted only to the deportation or extradition of a person to a state where they would be at risk of execution.
2 “The law enforcement purposes” are the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security (section 31).
3 The US is not considered to ensure an adequate level of protection of personal data.
4 See Recital 71 of the Directive. Whilst the Court accepted that this was no more than an interpretative aid, its mandatory and clear language left little room for discretion.
5 The other categories of circumstances are where the transfer is necessary: to protect the vital interests of the data subject or another person; to safeguard the legitimate interests of the data subject; to prevent an immediate and serious threat to public security.
6 Recital 72 of the LED.
7 Transparency is a data processing principle (Article 5 of the GDPR).
8 Article 30 sets out the requirements to keep records of processing activities.