No sovereign immunity for computer hacking

The English High Court has permitted two individuals to continue to pursue computer hacking claims against the Government of the Kingdom of Bahrain (KOB). This follows an earlier ruling made by the same judge in a claim against the Government of the Kingdom of Saudi Arabia (KSA) where similar conclusions were reached. These significant decisions confirm that individuals have private rights of action against foreign states in such cases. However, it is also important to understand the limitations of these rulings.

The UK-based claimants, Saeed Shehabi and Moosa Mohammed, commenced proceedings in the High Court, seeking damages against KOB for harassment and consequent psychiatric injury. They allege that their laptop computers were infected with spyware (called FinSpy) by KOB which enabled KOB to carry out surveillance on them. They relied on expert reports supporting their claims for psychiatric injury.

It is important to emphasise that at this stage the underlying allegations against KOB have not been determined. Instead, relying on the State Immunity Act 1978 (SIA), KOB invited the court to find as a preliminary issue that it has no jurisdiction to hear these claims on the basis of state immunity.

The SIA provides for wholesale immunity from the UK courts’ jurisdiction for foreign states, but this is then subject to a list of specific exceptions. One of those exceptions is in Section 5 of the SIA, which provides that a foreign state does not have immunity in relation to claims for personal injury or damage to tangible property caused by an act or omission in the UK.

The High Court rejected KOB’s claim to sovereign immunity. The following two aspects of this decision are particularly important:

  • The judge rejected KOB’s assertion that, for the exception in Section 5 to apply, all of the acts underlying the claims had to have been carried out in in the UK. Consistent with the earlier decision in the KSA case, the judge said that it is enough if an act takes place in the UK which is a substantial or effective cause of the personal injury. The judge ruled that the remote manipulation from abroad of a computer located in the UK is to be regarded as such an act;
  • The judge also rejected KOB’s argument that psychiatric injury does not constitute personal injury. Mere distress and anxiety would not be “personal injury”, but both claimants had provided sufficient expert evidence to the court at this stage that the impact on them of KOB’s alleged activities had caused them psychiatric injury.

A third aspect from the earlier KSA case is also important to note:

  • In that earlier case, KSA had argued that allegations of spying and a physical assault were inherently sovereign or governmental in nature, that is they were jure imperii and therefore the SIA did not confer jurisdiction on the UK court. KSA argued that this is different from acts of a state which are private in nature, that is, jure gestionis, over which the UK court does have jurisdiction. The judge rejected that argument on the basis that if the UK Parliament had intended to make a distinction between sovereign and private acts of a state, then it would have said so (as other parts of the SIA do, but the Section 5 exception does not). The judge noted in the KOB case that KOB ran no such argument.

The KOB decision, and the earlier one in the KSA case, are very important because they open the door to private actions against foreign states in relation to hacking of individuals in the UK. However, there are limitations. A claimant has to focus their claims on damage to property or personal injury by way of psychological harm. That may not always be easy to prove. Simply alleging misuse of private information, breach of confidence and/or breaches of data protection laws which lead to distress or anxiety will not be enough.

Share this post on: