In July 2020, Schrems II (case C-311/18) saw the European Court of Justice rule that the ‘Privacy Shield’ was invalid. This is a framework agreed between the UK and US to allow for the free flow of personal data across the Atlantic
What we can take from the article and case is that its quite possible that the bank are not acting within the law when “loans” are securitised and sold off in America.
There may be a massive case of data breach happening every day. This is something we will be actively investigating and will post more once we find anything more substantial to add.
In July, Schrems II (case C-311/18) saw the European Court of Justice rule that the ‘Privacy Shield’ was invalid. This is a framework agreed between the UK and US to allow for the free flow of personal data across the Atlantic in a way which was, at the time, believed to be compliant with EU data protection law. In its ruling the ECJ was concerned about US authorities’ wide-ranging powers to access the personal data of EU residents and the impact on privacy.
In April, part 3 of the Data Protection Act 2018 (DPA) was also involved in a case about the transfer of personal data to the US. Part 3 is similar to GDPR but only regulates the processing of personal data for law enforcement purposes by competent authorities, which include (among others) government departments and the police.
Elgizouli (Appellant) v Secretary of State for the Home Department (Respondent)  UKSC 10 is interesting because it is the first case involving the application of part 3’s rules about international transfers, which are identical to GDPR. The Supreme Court ruled that the UK acted unlawfully by sharing personal data with the US that could lead to the execution of two British citizens accused of being part of an Islamic State murder squad known as ‘The Beatles’.
Shafee Elsheikh and Alexanda Kotey are currently in US custody in Iraq having been linked to 27 murders in Syria carried out by ‘The Beatles’. In June 2015, the US made a mutual legal assistance (MLA) request to the UK in relation to an investigation into the activities of that group. Home secretary Sajid Javid requested an assurance that any information the UK supplied would not be used by the US, directly or indirectly, in a prosecution that could lead to the imposition of the death penalty on the two men. The US refused to provide this assurance and, in June 2018, Javid agreed to provide the information anyway.
Elsheikh’s mother, Maha Elgizouli, challenged (by judicial review) the decision to share that information with the US, not to prevent him from being prosecuted and jailed, but to protect him from the death penalty. Her claim was dismissed by the High Court, which certified two legal questions of public importance for the Supreme Court to answer:
1. Whether it is unlawful for the secretary of state to exercise his power to provide an MLA so as to supply evidence to a foreign state that will facilitate the imposition of the death penalty in that state on the individual in respect of whom the evidence is sought.
2. Whether (and if so in what circumstances) it is lawful under part 3 of the DPA, as interpreted in the light of relevant principles of EU data protection law, for UK law enforcement authorities to transfer personal data to law enforcement authorities abroad for use in capital criminal proceedings.
The Supreme Court allowed the appeal. Most of the justices dismissed the challenge brought under the common law (question 1) to the home secretary’s decision, but they unanimously held that the decision failed to comply with part 3 of the DPA (question 2). Data protection professionals, especially those in law enforcement agencies, will be particularly interested in the court’s analysis of the rules relating to international transfers, as set out in chapter 5 of the DPA.
Section 73 of the DPA, like article 49 of the GDPR, prohibits transfers of personal data to a third country unless certain conditions are met. Condition two is that the transfer:
‘(a) is based on an adequacy decision (see section 74),
(b) if not based on an adequacy decision, is based on there being appropriate safeguards (see section 75), or
(c) if not based on an adequacy decision or on there being appropriate safeguards, is based on special circumstances (see section 76).’
The court noted that the transfer was not based on an adequacy decision; nor was it based on appropriate safeguards which are set out in section 75(1). The lawfulness of the transfer therefore stands or falls on the ‘special circumstances’ condition. This will only apply, according to section 76, if the transfer is necessary for any of the following five purposes:
‘(a) to protect the vital interests of the data subject or another person,
(b) to safeguard the legitimate interests of the data subject,
(c) for the prevention of an immediate and serious threat to the public security of a member State or a third country,
(d) in individual cases for any of the law enforcement purposes, or
(e) in individual cases for a legal purpose.’
The court ruled that a transfer on the basis of special circumstances can only occur following an assessment of what is strictly necessary. Such an assessment was not made by the home secretary before sharing the information with the US. Hence the transfer was unlawful. Lord Carnwath said: ‘The decision was based on political expediency, rather than consideration of strict necessity under the statutory criteria.’
Furthermore, in relation to the special circumstances gateway, section 76(2) states: ‘Subsection (1)(d) and (e) do not apply if the controller determines that fundamental rights and freedoms of the data subject override the public interest in the transfer.’
Lady Hale found that these ‘fundamental rights and freedoms’ include the rights protected by the European Convention on Human Rights, the most fundamental of which is the right to life. This points towards an interpretation of section 76(2) which, even if an assessment had been made, would not allow the transfer of personal data to facilitate a prosecution which could result in the death penalty for UK citizens.
There must now be a further court decision over what the UK must do to comply with the law, including potentially asking the US to return the shared information. This could lead to the two individuals in question not being extradited to the US. Of course, the UK government can still bring them back to the UK to face justice.
The ECJ’s decision in the Schrems case has been hailed by privacy advocates as a victory for all EU citizens. The Elgizouli case should also be welcomed for confirming that data protection laws play an important role in protecting human rights.