This week one of the longest running data protection sagas concluded. Interestingly, the first major data protection case to reach the UK's Supreme Court did not involve GDPR, but the Data Protection Act 2018 (DPA 2018). It demonstrated that the applicability of the DPA 2018 had not been understood by the very body which had drafted it. The case concerned the notorious so-called ISIS Beatles (on account of their British accents), who were alleged to have kidnapped and murdered 27 people of which three were Americans and two were British.

The case is interesting for a number of reasons as follows:

  1. It reveals the pervasive nature of data protection legislation, as it impacts all areas of law and data sharing.
  2. It shows that the ignorance of data protection issues can be much wider that might be expected. One would have assumed that the body which actually passed the legislation, aka the British government, may have considered its impact when making critical decisions.
  3. Most importantly, the case demonstrates that the UK courts will demand rigorous adherence to data protection legislation. While this case concerns Part 3 of the DPA 2018 (which applies to law enforcement processing), companies must still take scrupulous care in relation to international data sharing and indeed with compliance with data protection legislation in general.

The American government, having captured the ISIS Beatles in Syria, requested that the UK government share the evidence which had been obtained investigating their crimes. But the American government demanded, almost uniquely, that the evidence be shared without any restrictions. Normally it is the case that if the UK government shares evidence there will be an assurance provided that no death penalty be sought. But this was not acceptable to the Trump administration. Instead they demanded that evidence be shared without any such restrictions and the UK government acceded without any restriction.

This was challenged by lawyers for the mother of one of the alleged ISIS Beatles. It turned out that when making a decision to share the evidence with the United States that the Home Office had wholly failed to consider the DPA 2018 and had not envisaged that it would apply to the sharing of evidence overseas. The UK Supreme Court considered the case and found that the sharing was not lawful. This was because the sharing was an international transfer and as such had to be governed by the DPA 2018. Due to the protections that the European Union afforded in respect of the death penalty the circumstances of this matter did not permit sharing without assurances.

It was after this that the American government conceded that the death penalty would not be imposed. But that was not the end of the matter. Instead the mother of one of the ISIS Beatles again challenged the data sharing with the Americans. It was stated that the sharing was not strictly necessary, in part as a domestic prosecution was viable. This was roundly rejected by the Administrative Court this week. Finally it was accepted that sharing was permitted and the evidence has now been provided to the US Department of Justice.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.