UK held to have breached data protection laws over alleged Islamic State members

Viewpoints
March 27, 2020
1 minutes

In an interesting data protection case, the UK Supreme Court has held that the UK Government breached data protection laws in passing information to US authorities following a mutual legal assistance (MLA) request that could involve the US seeking the death penalty for two men.  The men are alleged to have been members of a terrorist group operating in Syria involved in the torture and murder of hostages.

At first, the UK Government had refused to provide the requested information, which included certain personal data, without assurances that the men would not face the death penalty in the US, but eventually agreed to the US authorities’ request in 2018.  Although not all elements of the appeal in this case were successful, the Supreme Court found that the decision to share personal data was unlawful under Part 3 of the Data Protection Act 2018 (DPA), which concerns the processing of personal data for law enforcement purposes. 

Under the DPA, data controllers cannot transfer personal data to third countries or international organisations for law enforcement purposes unless certain conditions are met.  The Supreme Court held that the data transfer was not based on appropriate safeguards or an adequacy decision and did not fulfil the special circumstances requirements set out in the DPA.  Certain of the data protection principles set out in the DPA relating to fair and lawful processing were also found to have been breached.

It will be interesting to see what further steps the UK Government will now take in this case.  Appropriate consideration will also need to be given to relevant data protection issues in similar cases in the future.