Skip to content

Hacking claim allowed to proceed against foreign state

Insight

conflict series

This article forms part of the Farrer & Co series "safeguarding your interests in times of conflict". In this series, we discuss the challenges that individuals and businesses face during global instability and what can be done to face them.

In a recent judgment, the English High Court has permitted an individual to continue to pursue phone hacking claims against a foreign government. This is a significant decision because it confirms for the first time that individuals have private rights of action in such cases. However, it is also important to understand the limitations of this decision.

Background

The London-based claimant, Ghanem Al-Masarir, is a critic of the Government of the Kingdom of Saudi Arabia (KSA). He commenced proceedings in the High Court, alleging that KSA hacked his iPhones using (the now well-known) Pegasus software. He also alleged that agents of KSA subsequently assaulted him in a street in London.

It is important to emphasise that at this stage the underlying allegations against KSA have not been determined. Instead, relying on the State Immunity Act 1978 (SIA), KSA invited the court to find that it has no jurisdiction to hear these claims on the basis of state immunity.
The SIA provides for wholesale immunity from the UK courts’ jurisdiction for foreign states, but this is then subject to a list of specific exceptions. One of those exceptions is in Section 5 of the SIA, which provides that a foreign state does not have immunity in relation to claims for personal injury or damage to tangible property caused by an act or omission in the UK.

The Claim

The claimant has tailored his case to allege personal injury and damage to the iPhones in an attempt to bring it within the aforementioned Section 5 exception to state immunity.
In his proceedings, the claimant alleges:

  • Misuse of his private information (based on the covert and unauthorised collection, accessing, retention, disclosure, transfer and use of his private information stored on or communicated or accessible via his iPhones),
  • Harassment founded on a course of conduct which includes each or all of the following:
    • The sending of the malicious text messages,
    • The infection of the iPhones with the Pegasus software,
    • The surveillance of the Claimant,
    • The personal injury arising out of the assault.
  • Trespass to goods based on the unauthorised interference with his iPhones, which altered their functioning, configuration and hardware.

As a consequence, the claimant is claiming damages for personal injury (and the loss consequential on it) comprised of:

  • The physical impact on him caused by the alleged assault; and
  • Psychiatric injury arising out of:
    • Learning that text messages by which the “spyware” was installed were sent by or on behalf of KSA,
    • Learning that he had been subject to surveillance, and
    • The attack on him in London.

The Decision

The judge allowed the claimant’s case to proceed, rejecting KSA's arguments. Two aspects of this decision are particularly important:

  1. KSA argued that allegations of spying and a physical assault by agents of a state on one of its political opponents are inherently sovereign or governmental in nature, ie they are jure imperii. As such, the SIA does not confer jurisdiction on the UK court. KSA said this is different from acts of a state which are private in nature, that is, jure gestionis, over which the UK court does have jurisdiction.

    KSA argued that the exception in Section 5, which would cause a loss of state immunity, should be limited to acts of a private nature and was not intended to catch sovereign or governmental acts.

    The judge rejected this argument by applying rules of statutory interpretation. Part of that reasoning was that if the UK Parliament had intended to make a distinction between sovereign and private acts of a state, then it would have said so in black and white in the legislation (as other parts of the SIA do, but the Section 5 exception does not).

  2. KSA also argued that, for the exception from state immunity to apply and for the English court to have jurisdiction, all of the material acts causing the alleged personal injury or damage to tangible property must occur in the UK. If they occur partly in the UK and partly abroad, then the exception to immunity does not apply and the English court is not seized.

    Again, the judge rejected this argument, finding it sufficient that a substantial and effective cause of the damage (eg the psychiatric injury) occurs in the UK, such as the extraction of private information from the claimant’s phone.

    This finding that a foreign state will not be immune from legal action in the UK for initiating the hacking of devices located in the UK from outside the jurisdiction is very significant.

Limitations

This decision is very important because it opens the door to private actions against foreign states in relation to hacking of individuals in the UK. However, it also has its limitations. The claimant had to focus his claims on damage to property or personal injury by way of psychological harm. That may not be easy to prove in this or other cases. In other cases, simply alleging misuse of private information, breach of confidence and / or breaches of data protection laws will not be enough as they do not fit into the listed exceptions to state immunity.

Significance

Given its importance, we suspect that this case will be appealed to the Court of Appeal. In the meantime, however, the English court has signalled that it will hear cases involving foreign states acting in this way, subjecting those states to a potentially embarrassing level of scrutiny at the very least. Link to the full judgment here.

If you require further information about anything covered in this briefing, please contact Ian De Freitas , Athalie Matthews or your usual contact at the firm on +44 (0)20 3375 7000.

This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.

© Farrer & Co LLP, September 2022

Want to know more?

Contact us

About the authors

Ian De Freitas lawyer photo

Ian De Freitas

Partner

Ian has over thirty years' experience as a litigator. He specialises in disputes involving data, technology and intellectual property. Ian leads the firm’s Data, IP and Technology Disputes team. 

Ian has over thirty years' experience as a litigator. He specialises in disputes involving data, technology and intellectual property. Ian leads the firm’s Data, IP and Technology Disputes team. 

Email Ian +44 (0)20 3375 7471
R

Athalie Matthews

Counsel

Athalie is highly experienced in all aspects of the law surrounding reputation management, particularly from a claimant perspective. Her first career was in journalism where she worked as a reporter on The Mirror, The Daily Mail, The Daily Telegraph and The Independent. She has also worked as an in-house lawyer at The Guardian. She therefore brings a unique perspective to her advice, with clients benefiting not only from her legal expertise but also from her first-hand understanding of the industry and journalistic tactics.

Athalie is highly experienced in all aspects of the law surrounding reputation management, particularly from a claimant perspective. Her first career was in journalism where she worked as a reporter on The Mirror, The Daily Mail, The Daily Telegraph and The Independent. She has also worked as an in-house lawyer at The Guardian. She therefore brings a unique perspective to her advice, with clients benefiting not only from her legal expertise but also from her first-hand understanding of the industry and journalistic tactics.

Email Athalie +44 (0)20 3375 7601
Back to top