The decision represents a significant development in the interpretation of state immunity laws in the context of digital surveillance. The Court of Appeal considered Bahrain’s appeal from Justice Julian Knowles’ decision ([2023] EWHC 89 (KB)) to address whether Bahrain could claim state immunity under the SIA in relation to allegations of cyber espionage against two Bahraini nationals residing in the UK.

Background:

The claimants, Dr. Saeed Shehabi and Moosa Mohammed, are Bahraini pro-democracy activists residing in the UK. They allege that Bahrain’s agents remotely installed spyware (FinSpy) on their computers while they were in the UK, allowing Bahrain to access personal data, track locations, intercept calls, and eavesdrop using their devices’ microphones and cameras. They argued that this act had tangible effects within the jurisdiction, particularly with respect to their personal injury as understood within section 5 of the SIA, in the form of psychiatric harm.

In contrast, the Kingdom of Bahrain argued that state immunity applied in this case because the alleged acts of surveillance were carried out by its agents outside the UK. Bahrain contended that the physical location of the agents carrying out the surveillance was critical, and that the actions did not meet the threshold of an unlawful act within the UK. Bahrain also asserted that psychiatric injury did not qualify as “personal injury” under the SIA, maintaining that personal injury refers solely to physical harm.

In summary, three issues (grounds of appeal) were framed by Bahrain:
1. Does the remote installation of spyware on the computers of individuals located in the UK, by agents of a foreign state who are located abroad, qualify as an act by the foreign state in the UK?
2. Is immunity only lost if all the acts by agents of the foreign state take place within the UK, or is it sufficient if only some acts occur within the UK?
3. Is psychiatric injury ‘personal injury’ within the meaning of section 5?

Court’s Decision:

The Court of Appeal found in favour of the claimants on all three grounds:

Firstly, the court found that the remote installation of spyware constitutes an act within the United Kingdom, even if the agents were physically located abroad. This interpretation expands the traditional understanding of jurisdictional boundaries in cyber-related cases. Crucially, the Court of Appeal determined that the claimants had proven, on the balance of probabilities, that their computers were infected by Bahrain’s agents, following the standard established in JH Rayner (Mincing Lane) Ltd v Department of Trade and Industry [1989] Ch 72.

Secondly, regarding the SIA, the court interpreted Section 5 to apply in this case, rejecting Bahrain’s claim to immunity. The judges considered psychiatric injury resulting from surveillance discovery to fall within the definition of “personal injury” under Section 5 of the Act. It noted that that: “if State A interferes with the territorial sovereignty of State B by doing an act in State B which is liable to cause death or personal injury to persons in State B, it takes the risk that it will be subject to civil proceedings in State B. Such proceedings are in accordance with principles of international comity”. The court also framed the case under the tort of harassment, drawing on established legal principles from cases such as Hayden v Dickenson [2020] EWHC 3291 (QB) and Thomas v News Group Newspapers [2002] EMLR 4. While acknowledging that the circumstances differed from typical harassment scenarios, the court maintained that the allegations, if established, could potentially entitle the claimants to a remedy under the Protection from Harassment Act 1997.