State sponsored hacking and harassment

Introduction

The Court of Appeal has handed down judgment in the long-awaited appeal: Shehabi v The Kingdom of Bahrain [2024] EWCA Civ 1158. Whilst the appeal was primarily concerned with the international law, jurisdiction and the application of state immunity, nonetheless it is of significant interest to those practising in the fields of data and privacy law and in particular where it is claimed by an individual that he/she has sustained psychiatric injury consequent to being spied on.

?

Background Facts

The Defendant appealed the High Court’s decision denying it state immunity from a harassment claim brought by two Claimants who were pro-democracy activists and had sought asylum in the United Kingdom.

?

The Claimants alleged that since September 2011, the agents of The Kingdom of Bahrain had remotely hacked their computers, using “FinSpy” spyware, and that they were subject to surveillance by Bahraini authorities while resident in the UK.

?

They alleged that this amounted to harassment under the Protection from Harassment Act 1997. Both claimed to have suffered psychiatric injuries upon discovering that they had been hacked; which they argued qualified as personal injury under the State Immunity Act 1978. The expert evidence before the Court indicated that as far as the injury stood the first Claimant developed an adjustment disorder; and the second Claimant experienced a worsening of a pre-existing condition.

?

The Appeal

The Defendant argued before the Court of Appeal that:

?

a.?????? The act of infecting a UK computer from abroad should be considered an act occurring outside the UK;

b.????? That the immunity exception in s. 5 of the State Immunity Act 1978 required that all acts leading to personal injury must have happened in the UK; and

c.?????? Psychiatric injury did not fall under the definition of “personal injury” as understood at the time when the State Immunity Act 1978 was enacted in 1978.

?

Decision

The Court of Appeal unanimously dismissed the Defendants’ appeal, with Males LJ delivering the lead judgment.

?

Whether the act of infecting a UK computer from abroad should be considered an act occurring outside the UK?

Firstly, the Court determined that remotely hacking a computer located in the UK constitutes an act within UK territory. As the Defendant’s agents had acted both in the UK and abroad it was incorrect to separate the actions as solely occurring abroad. As set out paragraph 40 of the Judgment; “Because the hacking by a foreign state of a computer located in this jurisdiction is an interference with the territorial sovereignty of the United Kingdom, as already noted. For this purpose it makes no difference where the agents of the foreign state are located”.

?

He summed up the position at paragraph 43 by acknowledging that in “modern terms, the hacking of a person's computer is equivalent to burglars breaking in and stealing the contents of their safe. Just as the latter is an act within the United Kingdom, so too is the former”.

?

The language used by the court is to be welcomed here. The breaking down of the intangible concepts of electronic data theft into simpler and ready to understand terms, will go some way to demystifying the law and how a court should view the actions of hackers. It is also one of the clearest examples that could be given of the seriousness with which a court is likely to approach cases of data theft and hacking.

?

Did the immunity exception in s.5 of the State Immunity Act 1978 require that all acts leading to personal injury must have occurred in the UK?

Secondly, it was determined that under s.5 State Immunity Act 1978, a state is not immune from UK jurisdiction for personal injury resulting from acts in the UK, even if some acts occurred abroad. Paragraphs 54 – 55 of the judgment makes it clear that. “The language of section 5 is clear and unambiguous in this respect. A foreign state does not have immunity for personal injury caused by an act in the United Kingdom, even if other causative acts take place abroad. Since the language of the section is clear and unambiguous, there is no scope to arrive at a different interpretation…

… Once again, a foreign state which hacks a computer located in the United Kingdom interferes with the territorial sovereignty of the United Kingdom even if some of the acts in question take place abroad. Legislation which is broadly similar to the State Immunity Act 1978 has been enacted in numerous jurisdictions and there are international conventions to similar effect, even if such legislation does not (or does not yet) represent customary international law. Accordingly, if State A interferes with the territorial sovereignty of State B by doing an act in State B which is liable to cause death or personal injury to persons in State B, it takes the risk that it will be subject to civil proceedings in State B. Such proceedings are in accordance with principles of international comity”.

?

Psychiatric injury did not fall under the definition of “personal injury” as understood at the time of the State Immunity Act 1978 enactment in 1978.

Finally, the court concluded that s. 5 State immunity Act 1978 ?should be interpreted to include psychiatric injuries since as a general principle of statutory interpretation, a statute was not frozen in time at the date of its enactment, but had to be interpreted taking into account changes that had occurred since its enactment (see News Corp UK and Ireland Ltd v Revenue and Customs Commissioners [2023] UKSC 7).

Paragraphs 92, 95 and 105 when read together make the court’s stance entirely unambiguous.

“I see no reason to suppose that?section 5 State immunity Act 1978 was intended to be 'tied to an historic or frozen interpretation'. On the contrary, it was recognised that the law of state immunity was undergoing a process of development. The position might be different if there had been a settled understanding in international law that personal injury did not include standalone psychiatric injury, but (as discussed below) there was no such understanding….

…As it is common ground that, whatever the position in 1978, English law now regards psychiatric injury as falling within the term 'personal injury',?section 5?should be interpreted in this way unless there are compelling reasons to the contrary.

It is therefore highly probable that when Parliament used the term 'personal injury' in the?State immunity Act 1978, that term was understood to include standalone psychiatric injury, at any rate in the absence of a settled contrary meaning in international law”.

?

This outcome was to be expected, especially considering the line of authorities from Page v Smith [1996] AC 155 onwards, but it to be welcomed as once again reinforced the court’s modern approach to the consequences of tortious acts.

?

Conclusion

There are some progressive points of principle that can be identified in the judgment. ?Such as the application of the Protection from Harassment Act 1997 in a claim of this nature, where the victim of the harassment has no knowledge of the unlawful act at the time when it is committed against them. One must ask, where does this leave claims brought under the Protection from Harassment Act 1997 in general?

?

A corner stone of the act has always been the need to demonstrate a course of conduct, and that this conduct was known to be causing, or likely to cause alarm and distress.

?

Warby LJ, at paragraphs 120 and 121 of the judgment summed up the novelty of the proposition with “A claim for damages for harassment by spying is unusual. At first sight it seems paradoxical. A course of conduct cannot amount to harassment of another unless it comes to their attention and has an impact upon them. Commonly, that is what the perpetrator intends. Spies, on the other hand, typically act surreptitiously, hoping and intending that their activities will go undetected by the target. But such a claim is not unprecedented… this appeal is not about the viability of the claim but about the court’s jurisdiction over it”.

?

In many regards, the judgment is welcome to victims of hacking and data theft since it appears to open the door (in certain cases) to a cause of action and remedy under the Protection from Harassment Act 1997.? In any event, the Shehabi is likely to prove to be another invaluable stepping stone in the development of the law of privacy and data protection.

?

LIAM RYAN

KIRIL WAITE