If you think you understand how the DPA 2018 has implemented EU law in the shape of the GDPR (Part 1) and the Law Enforcement Directive (“LED”) (Part 3), and that is that, you may want to think again. What the DPA does not just depend on the language and the Part, but may also require consideration of the scope of EU law. R (El Gizouli) v Secretary of State for the Home Department [2019] EWHC 60 (Admin) is such a case. Indeed, it is the first decided case of significance to consider the DPA 2018 at all.
There is nothing funny about the context, concerning as it does the provision of mutual legal assistance (“MLA”) by the UK Government to a foreign State in support of a criminal investigation, where that State might prosecute the individual for an offence carrying the death penalty, without there having been any assurances given that the death penalty would not be sought. In the case of Ms El Gizouli, the State was the USA, which was investigating her son (“MES”) for membership of ISIS and involvement in terrorism and murder of American nationals. Is the provision of MLA in such circumstances contrary to the DPA 2018?
The UK had sent some material to the USA after 25 May 2018 and wishes to send more. The Divisional Court did not see that material, but there was no dispute that it would include personal data of MES, and likely others, as well as non-personal data produced in the course of a police investigation into alleged criminal acts. There was also no dispute that the context was a Part 3 DPA case because any transfer to the US was processing for law enforcement purposes within the meaning of section 31.
The Divisional Court made some important comments on the nature the remedies in relation to Part 3 of the DPA. It noted, at [158], that a breach of the third country transfer restrictions in sections 73ff were not matters to which the right to seek a compliance order from a court applied under section 167; instead that was a matter left to the powers of the ICO. There was no claim for damages under section 169 (and of course the claimant was not the affected data subject). The Court agreed that were a data subject to rely on judicial review when sections 167 or 169, or using the ICO, were available permission would be likely to be refused on alternative remedy grounds: at [162]. That should shape any approach to relief in judicial review. The Court agreed that the claim was not inadmissible, but considered that unless the DPA precluded transfer in a death penalty context, relief ought not to be granted for “technical breaches”: at [165].
Not surprisingly, reliance was placed on the Charter on the substantive issue. That failed, and if you thought the structure of the DPA was complicated enough you may have forgotten that the UK is not subject to the LED because of its opt-outs in freedom, security and justice treaty measures. A transfer of data to the USA does not take place under any EU or police and criminal justice measure, but under a bilateral treaty between the US and UK, and so occurs outside the scope of EU law and the LED: at [174]. Following? But the DPA still applies, because although Part 3 implements the LED it does not do so in terms, under section 1(4), restricted to the scope of the LED itself. This is the same as under the DPA 1998; the issue is only relevant where it is said that the domestic law provisions must be read in a particular way in line with the Directive and/or Charter. This point was dodged in Lin v Commissioner of Police of the Metropolis [2015] EWHC 2484 (QB), because Green J held that a materially similar standard of proportionality review, or something akin to it, applied at common law anyway.
The Divisional Court did not avoid the issue. It accepted that Parliament was not to be taken to have legislated in contradiction to the scope of the UK’s opt-outs, and that if the point mattered, in this context Part 3 was not within the scope of EU law and should not be analysed by reference to the Charter: at [178]. The legislation might, as a result, have different meanings and different effects depending on the underlying facts and scope of EU law, which is odd but not dissimilar to the different rules governing inquests depending on whether or not the ECHR is engaged.
As is the usual judicial way, the Divisional Court then went on to explain why, even if EU law applied, it did not help. Recital (71) to the LED appears to require some degree of higher standard if a transfer is in a death penalty context. But it is not, as the Court emphasised, a clear prohibition in mandatory terms and it is only a recital: at [182]. In addition, the Charter does not apply to such a case because, applying Article 52(3) (and earlier analysis in the judgment which does not concern the DPA and therefore is of no interest to the narrow laser-like focus of readers here), it is not within the scope of the ECHR: at [185]. So no grand blocking assistance is obtained through seeking to use the DPA to apply EU law.
The Divisional Court then considered the ‘technical breach’ arguments advanced, and the interesting points of note can be bullet-pointed:
- Fairness in the context of section 35, on the first data protection principle under Part 3, is a data protection concept and a subject of a criminal investigation cannot be expected to be told about law enforcement sharing of his data: at [187].
- Lawfulness encompasses illegality of any type, but not a breach of the DPA itself: at [189].
- Sensitive personal data is not defined by section 35 to include criminal allegations or offences, and data as to religious beliefs is not to be interpreted to include extreme religious or political belief: at [192].
- There was no breach of the second principle in section 36, because the police obtaining the data do not make the ultimate prosecutorial decisions, and it was likely that some foreign prosecution was envisaged. It was not incompatible with the collection for a domestic investigation to transfer it to support a foreign prosecution of those offences, and that was the only way in which MES would be brought to justice: at [196]-[197].
- When considering transfers to a third country and the safeguards in place, under section 75, the controller is not required to have expressly considered all the requirements in advance, so long as appropriate safeguards in fact existed: at [202].
- Section 75(2), requiring the ICO to be informed, does not mean she must be informed prior to transfer or in relation to a particular data subject, and not having done so does not undermine the transfer: at [204].
- Documentation of the transfer under section 75(3) need not be done in a single specific document, so long as it is documented and recorded: at [205].
- Such a transfer fell within the special circumstances exception under section 76, because it was necessary in an individual case for law enforcement purposes: at [207]. Neither section 76 nor the LED prevented transfer in a death penalty context on a special circumstances basis: at [210].
- Section 80 could not be used as a mechanism by which the UK obliged a third State to adopt (or not adopt) particular criminal sentences: at [215].
Ultimately then, the DPA did not assist. But it is an interesting – and another controller-friendly – decision which considers for the first time some of the Part 3 provisions and, despite the very serious context, makes little attempt to read down or even interpret narrowly the restrictions and obligations contained in Part 3. Plus, it adds to the confusion about what scheme is being applied and when. What more could one want?
Christopher Knight