(Transcript prepared without the aid of documentation)
MRS JUSTICE STEYN:
- This is a claim brought pursuant to the Data Protection Act 1998 ('the 1998 Act') and the Data Protection Act 2018 ('the 2018 Act'). The defendants apply for an order striking out the claim pursuant to CPR 3.4(2)(a) on the grounds the particulars of claim disclose no reasonable grounds for bringing the claim and/or seek summary judgment pursuant to CPR 24.2 on the basis that the claimant has no real prospect of success. The defendants contend the claim is totally without merit. The defendants' application is supported by a witness statement made by Ms Eleanor Awath-Behari, a lawyer in the National Security and Counter-Terrorism Division of the Government Legal Department (GLD). The claimant has complained that the court has allowed GLD to respond rather than the defendants, but Ms Awath-Behari's statement has been filed on behalf of the defendants and represents their evidence.
- The claim form, incorporating the claimant's particulars of claim, was issued on 25 April 2023. The claimant seeks an order that the defendants provide her with her personal data as requested in her subject access requests ('SARs'). She states that she has made SARs to MI5 (the security service), MI6 (the secret intelligence service or SIS) and GCHQ (the Government Communications Headquarters) "since 2017, 2022, 2023" and received "neither confirm nor deny" (NCND) responses to each request. The claimant relies on s. 7 of the 1998 Act insofar as her personal data may have been processed under the 1998 Act and s. 94 of the 2018 Act insofar as it may have been processed under that Act. In addition, the claimant seeks an award of "compensation to me and my family if they were ever processing our personal data."
Hearing In Public
- The claimant had indicated in her written submissions that she wished for the hearing to be held in private. At the outset of the hearing, I invited the claimant to make any submissions she wished to in support of that application. She did initially seek a hearing in private but then withdrew that application whilst reserving the right to renew it later in the hearing. In the event, the claimant did not renew that application and so this hearing has been held in public. I note that CPR 39.2(3) provides:
"A hearing or any part of it must be held in private if, and only to the extent that, the court is satisfied of one or more of the matters set out in sub-paragraphs (a) to (g) and that it is necessary to sit in private to secure the proper administration of justice. …
(b) It involves matters relating to national security."
- For the avoidance of doubt, it seems to me clear that it would be contrary to the principle of open justice and it is not necessary to secure the proper administration of justice for this application to be heard in private. As the defendants have said, the claim engages national security only at a level of generality. The statutory provision, the certificates of exemption, and the principles which are in issue, are all a matter of public record. There is no closed evidence before me and there is no closed element to the defendant's application for strike out or summary judgment.
- The defendants have been represented before me by Miss Rosalind Earis and the claimant has appeared in person.
Procedural History
- The claimant sent a pre-action protocol letter to MI5 and MI6 (but not GCHQ), dated 11 March 2023 (although it was not received by MI6 until 24 March 2023). GLD responded on behalf of the defendants on 27 April 2023 repeating the NCND response to her request and stating that the claim would be without merit given the existence of the exemption certificates.
- On 12 April 2023, the claimant made an urgent pre-claim without notice application to the High Court for an order against the three agencies that the claimant's personal data be provided under s. 7 of the 1998 Act and s. 94 of the 2018 Act. That application was dismissed by Lambert J who noted:
"The applicant asserts that for many years since leaving her employment at the FT, she has been followed by persons unknown. She fears that her food and drink has been contaminated. She reports other 'weird things' have happened to her. She has told me that she suffers from a mental illness in the form of a delusional disorder. She has made a personal data request of the various defendants seeking information as to whether any one of those agencies has been following her or contaminating her food and drink."
Mrs Justice Lambert observed that her concerns appeared to be without foundation and that there was no urgency to the application.
- The claim, which is the subject of the dismissal application, began in the County Court at Clerkenwell and Shoreditch on 25 April 2023 (claim no. K01EC754). On 25 April 2023, District Judge Bell ordered that:
"The claimant must file an amended claim form, particulars, an N16A that brings the claims against the Secretary of State of the relevant government department covering the agencies referred to and stipulate the address for service as the Treasury Solicitors and their address."
- On 4 May 2023, the claimant filed an amended claim form naming the Secretary of State for the Home Department as the first defendant in respect of the claim against MI5 and the Secretary of State for Foreign, Commonwealth and Development Affairs as the second defendant in respect of the claim against both MI6 and GCHQ, as well as naming the data controllers of the agencies as the Third, Fourth and Fifth Defendants. The amended claim form duly gave the address of the Treasury Solicitor/GLD.
- On 5 May 2023, the claimant emailed unsealed copies of the claim forms directly to each of the defendants. She emailed GLD providing a Drop Box link which GLD was unable to open and which GLD informed the claimant they could not open.
- Given that unsealed claim forms had been sent to each of the defendants directly, on 13 June 2023 GLD made enquiries of the County Court to ask if a claim had been issued. On 20 June 2023, the County Court responded that the claim had been issued and posted to GLD on 19 May 2023. However, Ms Awath-Behari states, and I accept, that it was never received by GLD. The County Court also informed GLD on 20 June 2023 that the matter was listed for an interim injunction application the following day. Meanwhile, on 19 June 2023, the claimant had applied for judgment in default of acknowledgement of service.
- The hearing on 21 June 2023 was before District Judge Sterlini. Although the defendants only discovered a claim had been issued and that the hearing was happening the day before, GLD instructed counsel to attend. District Judge Sterlini transferred the claim to the High Court. In doing so, he accepted the defendants' submission that pursuant to s. 94(13) of the 2018 Act, the County Court has no jurisdiction to deal with the claim insofar as it relates to SARs made under the 2018 Act. District Judge Sterlini adjourned the application for an interim injunction sine die. He also refused an oral application made by the claimant for disclosure of any of her personal data under CPR 25.
- On 28 July 2023, the claimant made a request for further information, setting out ten numbered requests for information. All ten of these are requests to receive any personal data, either generalised or particularised, processed by the defendants. GLD responded on 7 August 2023 that the request amounted to a repetition of the underlying claim.
- On 9 September 2023, the claimant filed an application (i) for further information under CPR Part 18, which was in identical terms to the request for information made on 28 July 2023; (ii) for an injunction to compel disclosure by the defendants under CPR Part 25; and/or (iii) for pre-action disclosure under CPR 31.16.
- By an order sealed on 12 September 2023, Mrs Justice Hill gave directions for the defendants to file and serve a response to the claimant's applications by 4 p.m. on 3 October 2023 and directions for the claimant's applications to be listed for hearing.
- The defendants applied on 3 October 2023 for an extension of time for compliance with the order of 12 September 2023. By order dated 5 October 2023, Nicklin J extended time for the defendants to file and serve a response to the claimant's applications until 6 October 2023. He also ordered the claimant to file a sealed copy of the claim form, demonstrating that it had been issued by the court, by 4.30 p.m. on 13 October 2023 and he revoked para. 2 of the order of Hill J of 12 September 2023. He stated that none of the claimant's applications would be listed for hearing until she had complied with the order to file a sealed copy of the claim form. Once she had done so, she could reapply for directions to list her applications.
- On 6 October 2023, the defendants made the application which is listed before me for the claim to be struck out and/or summarily dismissed. That application was supported by the statement of Ms Awath-Behari dated 6 October 2023, which was filed with the application. Ms Awath-Behari's statement also includes the defendants' response to the claimant's applications. I note that the claimant has alleged the defendants failed to comply with Hill J's order of 12 September 2023. That is incorrect. They complied with that order, as amended by the order of 5 October, on 6 October 2023.
- On 8 November 2023, the claimant filed with the High Court a copy of the sealed claim form issued by the County Court at Clerkenwell and Shoreditch.
- On 14 November 2023, the claimant filed an application notice seeking an interim injunction and witness summonses to be issued.
- On 16 November 2023, Nicklin J gave directions for the hearing of the defendants' strike out and summary judgment application. Paragraphs 3 and 4 of his order state:
"3. At the Hearing, if necessary, the Court will give directions in relation to the Claimant's Application. The Claimant's Application (and any other applications the Claimant has issued) will not be dealt with at the Hearing.
4. Without obtaining the permission of the Court, the Claimant must not issue any further applications in this claim until the Court has heard and determined the Dismissal Application."
- In his reasons, Nicklin J stated:
"(A) Now that the Claimant has provided a sealed copy of the claim form, the claim can proceed. The first matter that needs to be dealt with is the Dismissal Application. I have given directions to fix a one-day hearing in the new year.
(B) The Court is not going to deal with any other applications issued by the Claimant until the Dismissal Application has been heard and determined. That is because, if the claim is dismissed, no further applications will need to be heard.
(C) The Claimant must concentrate on the Dismissal Application. She must not issue any further applications without getting the Court's permission.
(D) I have directed sequential exchange of skeleton arguments because the Claimant is a litigant in person and that is the fairest way of ensuring that (a) she knows and fully understands the basis of the Dismissal Application well in advance of the Hearing; (b) she has a proper opportunity to prepare for the Hearing."
- On 6 December 2023, the claimant made an application for "an injunction with a power of arrest … for the data controllers at MI5, MI6, GCHQ" as well as seeking an order for compensation and costs ('the further injunction application'). By order dated 6 December 2023, Nicklin J refused the further injunction application. He noted that the claimant had not obtained permission of the court before issuing it and the order of 16 November 2023 had made clear how the court was going to deal with the case. He observed:
"(C) I have made clear how the Court is going to deal with this case. At the hearing on 14 February 2024, the Court will consider the Dismissal Application. If the Dismissal application is successful, the claim will, subject to any appeal, be at an end. If the Dismissal Application is unsuccessful, the Court will give directions for the hearing of the Application previously filed on 14 November 2023 seeking an interim injunction (and other orders).
(D) The Claimant has breached the order of 16 November 2023 by issuing the Further Injunction Application without obtaining the permission of the Court. As I have noted, the Claimant has already issued an interim injunction application. Directions have been given for how the court will deal with that application. Issuing the Further Injunction Application is duplicative and simply wastes the parties' and the Court's time and resources. For those reasons, I have simply dismissed it. If the Claimant issues further applications in breach of paragraph 4 of the Order of 16 November 2023, they are likely to suffer a similar fate. The Court is also likely to certify them as totally without merit."
- The claimant states that she wishes to have Nicklin J's order dismissing her further application revoked and sent to a Master. Any application to vary or discharge Nicklin J's order of 6 December 2023 was required to be made by application notice issued, filed and served by 4.30 p.m. on 13 December 2023. No such application was made. In any event, her further injunction application was merely repetitive of her earlier injunction applications. Nicklin J did not dismiss the earlier applications but made clear that the defendants' application would be considered first. That was the obvious, logical course as, if the claim falls to be summarily dismissed or struck out, that will be the end of the matter.
- On 29 January 2024, the defendants applied for the hearing listed on 14 February 2024 to be re-listed to accommodate the availability of their counsel. I refused that application the same day.
- The claimant did not attend the hearing on 14 February 2024. I adjourned the hearing in circumstances where the claimant was absent. She had requested the hearing be adjourned and the defendants had failed to comply with the directions given by Nicklin J, with the result that the claimant had only received the defendants' skeleton argument and the hearing bundle at 4 p.m. on the day before the hearing. In my order dated 14 February 2024, I gave directions for the defendants to file and serve the hearing bundle and skeleton for today's hearing by 10 a.m. on Friday, 16 February 2024 and to file an authorities bundle by 10 a.m. on 1 March 2024. The claimant was required to file and serve her skeleton argument by 10 a.m. on 29 February 2024. Both parties complied with those directions.
The SARs and Responses
- The claim form does not identify the specific dates of any of the SARs that the claimant has made to the defendants and on which she wishes the court to rule, instead identifying only the years in which she has made SARs to each of the three security and intelligence agencies. Ms Awath-Behari states that the claimant:
"… has, over the last six years, made numerous SARS to MI5, MI6 and GCHQ, usually spaced a few months apart. Some of these were made by solicitors acting on her behalf but most were made by the claimant directly. On each occasion, the claimant received a 'neither confirm nor deny' (NCND) response from the relevant defendant save for the supply of data processed in relation to previous SARS or a response stating that insufficient time had elapsed since her previous request."
- Ms Awath-Behari has exhibited copies of some of the SARs and responses from the particular years identified in the claim form. She has not put the full paperwork relating to all the claimant's SARS before the court as "it is voluminous, repetitive and not directly relevant to this application for strike out." Ms Awath-Behari states – and her evidence is supported by material she has exhibited – that each of the claimant's requests seeks information on whether MI5, MI6 or GCHQ have processed her personal data. The motivation for the requests appears to be the claimant's belief that the British State is spying on her, possibly at the request of a group of MPs. She states that she arrived in the UK in 1979, and expresses concern that she may have been subject to interception and surveillance since 1979, at two home addresses as well as other places in London.
- Three examples of the responses provided by the defendants will suffice:
a. On 31 October 2017, MI6 wrote to the claimant:
"Thank you for your letter dated 3 October 2017 confirming your request for access under s. 7 of the Data Protection Act 1998 for personal data relating to you and providing identifying particulars. The Secret Intelligence Service (SIS) has made a check in its records and it has been determined that SIS holds no personal data or other information to which you are entitled to have access under s. 7 of the Act. Personal data to which you are not entitled may be processed by SIS which is exempt from the subject access provisions of the Act, but this response should not be taken to imply that SIS does or does not hold any such personal data in respect of you."
b. On 16 February 2021, GCHQ wrote to the claimant:
"We note that this subject access request follows other similar recent correspondence, firstly a subject access request sent to us on 24 March 2020 to which we responded on 8 June 2020, the delay being due to Covid 19. Secondly, a subject access request sent on 20 December 2020. We responded to this request for information by informing you that we did not consider a reasonable period of time had elapsed between the two requests. Taking these details into consideration, we still do not consider that a reasonable period of time has elapsed between our previous response to your March 2020 subject access request and your new request."
GCHQ's response then set out s. 95(2) of the 2018 Act which enables a controller to refuse a repeat request where a reasonable interval has not elapsed.
c. On 1 March 2022, MI5 wrote to the claimant:
"I refer to your most recent request for access under s. 94 of the Data Protection Act 2018 to personal data relating to you. The Security Service is established under the Security Service Act 1989 and processes data in pursuit of the following statutory functions:
(a) to protect national security, particularly against threats from espionage, terrorism and sabotage from the activities of agents or foreign powers and from actions intended to overthrow or undermine parliamentary democracy by political, industrial or violent means;
(b) to safeguard the economic well-being of the UK against threats posed by the actions or intentions of persons outside the British Isles;
(c) to act in support of the activities of police forces, the National Crime Agencies and other law enforcement agencies in the prevention and detection of serious crime.
We have conducted a search of Security Service records and have determined that, other than documentation relating to previous subject access requests made by you and by solicitors acting on your behalf, in October 2017, under the Data Protection Act 1998 and May 2018, June 2018, August 2018, June 2019 and February 2021 under the Data Protection Act 2018, the Security Service does not process any personal data within the scope of your request which you are entitled to have under s. 94 of the Act. You should not take this response to imply that the Security Service does or does not hold any additional personal data about you. This reflects the policy of successive governments of applying the principle of neither confirm nor deny with regards to the activities of the security and intelligence agencies in the interests of protecting national security.
We have not provided you with copies of any correspondence sent from or to you in relation to your request for information under the Data Protection Act 2018 on the basis that you will already be in possession of this. Please inform us if you require copies of this correspondence."
The Legal Framework
- The 1998 Act was in force from 1 March 2000 until 25 May 2018, on which date the 2018 Act came into force. Transitional provisions have the effect that processing prior to 25 May 2018 continues to be governed by the 1998 Act.
The 1998 Act
- Section 7(1) of the 1998 Act gives an individual a right of access to personal data of which she is the data subject held by the data controller. The entitlement includes the right to be informed whether her personal data are being processed by or behalf of the data controller (s. 7(1)(a)) and the right to have the personal data communicated to her in an intelligible form. The right is subject to various limitations, exceptions and exemptions.
- Section 7(9) of the 1998 Act provides:
"If a court is satisfied on the application of any person who has made a request under the foregoing provisions of this section that the data controller in question has failed to comply with the request in contravention of those provisions, the court may order him to comply with the request."
- Section 13 gives an individual who suffers damage by reason of any contravention by a data controller of any of the requirements of the 1998 Act an entitlement to compensation.
- The jurisdiction conferred by ss. 7 to 14 of the 1998 Act is exercisable by the High Court or a County Court (see s. 15(1) of the 1998 Act).
- Part IV of the 1998 Act bears the title "Exemptions." Section 27(1) of the 1998 Act provides:
"References in any of the data protection principles or any provision of Parts II and III to personal data or to the processing of personal data do not include references to data or processing which by virtue of this Part are exempt from that principle or other provision."
- Section 7 of the 1998 Act is contained in Part II of the 1998 Act. Section 27(1) makes clear that when s. 7 refers to personal data or to processing those references do not include data or processing which is exempt from that provision.
- Section 28(1) of the 1998 Act provides:
"Personal data are exempt from any of the provisions of:
(a) the data protection principles,
(b) Parts II, III and V, and
(c) section 55,
if the exemption from that provision is required for the purpose of safeguarding national security."
- Sections 7 and 13 are both within Part II of the 1998 Act. The exemption in s. 28(1) is absolute and unqualified. Where it applies, the data subject has no subject access right under s. 7 or right to conversation under s. 13.
- Section 28 continues:
"(2) Subject to subsection (4), a certificate signed by a Minister of the Crown certifying that exemption from all or any of the provisions mentioned in subsection (1) is or at any time was required for the purpose there mentioned in respect of any personal data shall be conclusive evidence of that fact.
(3) A certificate under subsection (2) may identify the personal data to which it applies by means of a general description and may be expressed to have prospective effect.
(4) Any person directly affected by the issuing of a certificate under subsection (2) may appeal to the Tribunal against the certificate.
…
(9) A document which purports to be certified by or on behalf of a Minister of the Crown as a true copy of a certificate issued by that Minister under subsection (2) shall in any legal proceedings be evidence … of that certificate."
- Section 28(4) read together with the interpretation provisions and s. 70 of the 1998 Act provides a route of appeal to the Upper Tribunal for any person directly affected by the issuing of a s. 28 certificate. The Upper Tribunal has power to quash a certificate if, applying judicial review principles, it concludes the Minister did not have reasonable grounds for issuing the certificate.
- Ms Awath-Behari has exhibited the following s. 28 certificates. First, a certificate dated 10 December 2001 signed by the Rt Hon David Blunkett MP, then the Home Secretary, providing a national security exemption for MI5 under the 1998 Act. The MI5 s. 28 certificate provides, so far as relevant:
"3. Now, therefore, I, the Right Honourable David Blunkett MP, being a Minister of the Crown who is a member of the Cabinet, in exercise of the powers conferred by the said section 28(2) do issue this certificate and certify as follows:
3.1 that any personal data that are processed by the Security Service as described in Column 1 of Part A in the table below are and shall continue to be exempt from those provisions of the Act that are set out in Column 2 of Part A …
… all for the purposes of safeguarding national security …"
- Column 1 of Part A in the table states:
"Personal data processing in performance of the functions of the Security Service described in Section 1 of the Security Service Act 1989 as amended by the Security Service Act 1996, including recruitment of staff of the Security Service and assisting with the recruitment of staff of the Secret Intelligence Service and GCHQ and vetting of the Security Service's candidates, staff, contractors, agents and others in accordance with the government's vetting policy."
Column 2 of Part A includes at (i) s. 7(1).
- Second, a certificate dated 8 December 2001 signed by the Rt Hon Jack Straw MP, then the Foreign Secretary, providing a national security exemption for MI6. Paragraphs 3 and 3.1 of the MI6 s. 28 certificate is in essentially the same terms as the MI5 s. 28 certificate, save that it refers to Jack Straw MP and to SIS rather than David Blunkett MP and the Security Service.
- Column 1 of Part A in the table states (so far as relevant):
"1. Personal data processed in the performance of the functions of SIS described in section 1 of the Intelligence Services Act 1994 (ISA) or in accordance with section 2 of the ISA …"
Column 2 of Part A again includes reference to s. 7(1)
- Third, a certificate dated 8 December 2001 signed by Mr Straw who, as I have said, was then the Foreign Secretary, providing a national security exemption for GCHQ. The GCHQ s. 28 certificate contains the same wording, other than referring to GCHQ rather than SIS, as para. 3 and 3.1 of the SIS certificate.
- Column 1 of Part A in the table states (so far as relevant):
"1. Personal data processed in the performance of the functions described in section 3 of the Intelligence Services Act 1994 (ISA) or personal data processed in accordance with section 4(2)(a) ISA …"
Again, Column 2 of Part A includes reference to s. 7(1).
- Each of these s. 28 certificates contained no defined period of validity and, as such, remain valid in relation to each of the claimant's requests to the relevant agency made under the 1998 Act. The certificates are, in each case, conclusive evidence of the fact that exemption from s. 7(1) (amongst other provisions) was required in respect of operational information for the purpose of safeguarding national security.
The 2018 Act
- Part IV of the 2018 Act governs the processing of personal data by MI5, MI6 and GCHQ (see s. 82 of the 2018 Act).
- Chapter 3 of Part IV addresses the rights of the data subject. Section 94(1), which is contained in Chapter 3, provides, so far as relevant:
"An individual is entitled to obtain from a controller:
(a) confirmation as to whether or not personal data concerning the individual is being processed, and
(b) where that is the case -
(i) communication, in intelligible form, of the personal data of which that individual is the data subject …"
Like s. 7(1) of the 1998 Act, the right in s. 94(1) is subject to various limitations, exceptions and exemptions.
- Section 94(13) provides:
"If a court is satisfied on the application of an individual who has made a request under subsection (1) that the controller in question has failed to comply with the request in contravention of this section, the court may order the controller to comply with the request."
In England and Wales, the jurisdiction conferred on a court by s. 94 is exercisable only by the High Court.
- Chapter 6 of Part IV contains exemptions. Section 110 contains the national security exemption. Section 110(1) provides:
"A provision mentioned in subsection (2) does not apply to personal data to which this Part applies if exemption from the provision is required for the purposes of safeguarding national security."
The provisions mentioned in subsection (2) include Chapter 3, which is the chapter containing s. 94(1).
- Section 111 of the 2018 Act provides:
"(1) Subject to subsection (3), a certificate signed by a Minister of the Crown certifying that exemption from all or any of the provisions mentioned in section 110(2) is, or at any time was, required for the purpose of safeguarding national security in respect of any personal data is conclusive evidence of that fact.
(2) A certificate under subsection (1):
(a) may identify the personal data to which it applies by means of a general description, and
(b) may be expressed to have prospective effect."
- Section 111(3) and (4) provide in similar terms to s. 28(4) and (5) of the 1998 Act for an appeal on judicial review principles to the Upper Tribunal against a s. 111 certificate. Section 111(9) of the 2018 Act is in essentially the same terms as s. 28(9) of the 1998 Act.
- Ms Awath-Behari has exhibited the following s. 111 certificates. First, a certificate dated 24 July 2019 signed by the Rt Hon Sajid Javid MP, then the Home Secretary, providing a national security exemption for MI5 under the 2018 Act. Unlike the s. 28 exemption, it has an expiry date. It remains valid until 24 July 2024. Paragraph 4 of the MI5 s. 111 certificate provides in material part:
"Now, therefore, I, the Right Honourable Sajid Javid MP, being a Minister of the Crown who is a member of the Cabinet, in exercise of the powers conferred by the said section 111 do issue this certificate and certify as follows:
4.1 that any personal data that is processed by the Security Service as described in Column 1 in the table below is and shall continue to be required to be exempt from those provisions of the Act that are set out in Column 2; …
all for the purposes of safeguarding national security…"
- Column 1 provides:
"(a) Personal data processing in performance of the functions of the Security Service as described in section 1 of the Security Service Act 1989 including but not limited to:
where that processing is:
- for, on behalf of or at the request of the Security Service or in relation to its functions described in section 1 of the Security Services Act 1989, and
- the Security Service is the data controller."
Column 2 refers to, amongst other provisions, s. 94(1).
- Second, Ms Awath-Behari has exhibited a certificate dated 1 July 2019 signed by the Rt Hon Jeremy Hunt MP, the then Foreign Secretary, providing a national security exemption for MI6 under the 2018 Act. Paragraphs 4 and 4.1 are in identical terms to those in the MI5 s. 111 certificate, save for the name of the Minister and SIS replaces the Security Service. Column 1 is also in the same terms as Column 1 of the MI5 s. 111 certificate, save that it refers to the functions of SIS as described in s. 1 of the Intelligence Services Act 1994. The exempt provisions specified in Column 2 include s. 94(1). The MI6 s. 111 certificate is valid until 1 July 2024.
- The final certificate is also dated 1 July 2019 and signed by Mr Hunt. Paragraphs 4 and 4.1 are again in the same terms as I have cited, but it refers to GCHQ. Column 1 is in the same terms as the other s.111 certificates, save that it refers to GCHQ and to the functions of GCHQ as described in s. 3 of the Intelligence Services Act 1994. The exempt provisions specified in Column 2 again include s. 94(1). The GCHQ s. 111 certificate is valid until 1 July 2024.
- The s. 111 certificates are, in each case, conclusive evidence of the fact that exemption from s. 7(1), amongst other provisions, was required in respect of operational information for the purpose of safeguarding national security.
The Defendants' Submission
- The defendants submit that data of the type requested by the claimant would be operational data or data in the performance of the defendants' statutory functions and thus falls within the scope of the exemption certificates signed by the relevant ministers. The defendants have not declined to provide the claimant with details of her personal data where any processing, if it exists, would fall outside operational data - such as data processed in relation to her previous SARs.
- The national security exemption has been conclusively established by the relevant signed certificates. The defendants were therefore justified in giving NCND responses in reliance on that exemption. The claim should therefore be struck out and summarily dismissed.
The Claimant's Submissions
- First, the claimant submits that even if exemptions apply to data under s. 27 of the 1998 Act, s. 7 must still be complied with. I understand her to make the same case in respect of s. 94 of the 2018 Act. This part of her case is based on an analysis of the statutory provisions.
- Secondly, the claimant asserts that no exemptions apply based on her interpretation of the certificates. She submits that they have the effect that no data shall be exempt from s. 7 of the 1998 Act. In addition, she has relied on a proviso in the certificates that data is not exempt where the intelligence agency determines that adherence to the NCND principle or non-communication of personal data or any description thereof is not required for the purpose of safeguarding national security, as showing that there is no exemption from s. 7 or s. 94.
- Thirdly, the claimant contends that ss. 27 and 28 of the 1998 Act and ss. 110 and 111 of the 2018 Act do not apply to her. In this regard, she has relied on what she says she was told by registrars and judges in appeals to the First Tier and Upper Tribunal against responses given by data controllers. She says that she was told that she was unable to appeal to the Tribunal against a response given by a data controller and they did not say to her that a certificate applied. She says that she was told by them that any appeal against a response given by a data controller must be brought in the County Court or the High Court. The claimant says,
"So I presume that there are no exemptions in place under s. 28 or 111 of the Data Protection Act" and she has said that the Treasury Solicitor in handing her certificates saying exemptions may apply "does not make sense to me."
- Fourthly, the claimant says that she has requested information from 1979 and she very much doubts that national security would last that long.
Decision
- As the defendants' case depends not only on an analysis of the claim form and the legislation but also on the exemption certificates that have been adduced in evidence and, as CPR 3.4(2) is not an evidence-based procedure, I consider that summary disposal of this claim falls to be addressed by reference to CPR 24.2. Miss Earis, when I put that point to her, did not dispute that analysis.
- In my judgment, this is an absolutely clear case for granting summary judgment pursuant to CPR 24.2. In essence, the claimant seeks information as to whether she has been the subject of surveillance and interception and, if so, she seeks a copy of all such personal data relating to her. The personal data that she seeks, if it exists, is operational data. It is data processed, if it exists, in the performance of the respective statutory functions of each of the security and intelligence agencies, all within Column 1 Part A of each of the s. 28 certificates and within Column 1 of each of the s. 111 certificates.
- In accordance with the legislative provisions that I have outlined, the court is required to treat those certificates as conclusive evidence that the national security exemption under s. 28 of the 1998 Act applies to such operational data processed under the 1988 Act and that the national security exemption under s. 110 of the 2018 Act applies to such data processed under the 2018 Act until the expiry dates of those certificates.
- The exemptions in ss. 28 and 110 are unqualified. The claimant doubts that safeguarding national security could require the refusal of information dating back to 1979 are nothing to the point. The court cannot go behind the certificates. The only means of challenging the certificates themselves is, as I have said, in the Upper Tribunal.
- The claimant's assertion that, even if exemptions apply, she has a right of access to her personal data, is misconceived. The claimant has no right under s. 7(1) of the 1998 Act or under s. 94(1) of the 2018 Act to the personal data that she seeks because the national security exemption applies. The claimant's interpretation of the legislation and of the certificates has no merit. It is manifest that ss. 7(1) and 94(1) are among the provisions exempted in respect of personal data falling within Column 1, including operational data. The proviso in the certificate is obviously inapplicable. This is not a case where any of the security and intelligence agencies have determined that adherence to the NCND principle of non-communication of personal data is not required. Quite the contrary.
- The claimant's contention that the defendants contravened the data protection legislation has no real prospect of success. Indeed, it is hopeless and bound to fail. There is no compelling reason to allow this claim to go to trial and every reason to dispose of it summarily. Accordingly, I will grant the defendants summary judgment and dismiss the claim pursuant to CPT 24.2.
Other Miscellaneous Points
- The claimant has referred to the NCND response as proof that she has come under surveillance or interception. This is misguided. It is equally appropriate for the defendants to give an NCND response to a data subject in relation to whom they hold no data as it is in relation to someone whose personal data they hold. To do otherwise would render the NCND approach ineffective and defeat its purpose.
- In support of her assertions, the claimant has relied on the terms of the certificates but in doing so she has misinterpreted the clear words. The claimant has also relied on correspondence from Lord Blunkett dated 5 February 2018. However, he made clear that all matters relating to the Security Service need to be addressed to the current Home Secretary and all matters relating to MI6 or GCHQ need to be addressed to the current Foreign Secretary.
- The claimant has expressed concern that no defence has been filed. The answer to that is, first, that a defence was not filed in the County Court because GLD did not receive the sealed claim form. Secondly, in accordance with CPR 3.4(7), the defendants were not required to file a defence before the hearing of their strike out and summary judgment application.
- The claimant has also expressed concern that her applications for further information for witness summonses and for injunctions have not been addressed. That is because, logically, the first question is whether the claim has any real prospect of success. If, as I have found, the claim is hopeless and must be dismissed, then that is the end of the matter. The claimant's applications have all fallen away with the dismissal of her claim.