In the recent case of Shehabi v Kingdom of Bahrain[1], the Court of Appeal addressed whether a foreign state, whose agents remotely installed spyware on the computers of individuals in the UK, causing psychiatric injury, is entitled to immunity from civil proceedings under the State Immunity Act 1978. Not only is the case unusual, given the allegations of harassment by spying, which some may consider to be paradoxical, it highlights how traditional legal principles, such as state immunity, are being tested and adapted in this digital age.
Key issues and decision
Section 1(1) of the State Immunity Act 1978 provides:
“A State is immune from the jurisdiction of the courts of the United Kingdom except as provided in the following provisions of this Part of this Act...”
Section 5 of the State Immunity Act 1978 provides:
“A State is not immune as respects proceedings in respect of– (a) death or personal injury; or (b) damage to or loss of tangible property, caused by an act or omission in the United Kingdom.”
The Court of Appeal examined three issues:
- whether the remote installation of spyware on UK-based computers by agents operating from outside the UK, constitutes an act within the UK for the purposes of section 5 of the State Immunity Act 1978
- whether an exception to state immunity requires all the acts to take place in the UK (not just partly committed in the UK)
- whether psychiatric injury is “personal injury” within the meaning of section 5 of the State Immunity Act 1978
The court held that remote manipulation from abroad of a computer located in the UK, is indeed an act within the UK. Lord Justice Males stated that “In modern terms, the hacking of a person’s computer is equivalent to burglars breaking in and stealing the contents of their safe. Just as the latter is an act within the United Kingdom, so too is the former.”
In relation to the second issue for consideration (whether all acts causing the injury must occur in the UK for the exception to immunity to apply), the court concluded that it is sufficient if an act causing personal injury occurs in the UK, even if other causative acts take place abroad.
Finally, the court also addressed whether psychiatric injury alone constitutes “personal injury” under section 5 of the State Immunity Act 1978. It affirmed that psychiatric injury is included within the meaning of personal injury under section 5 of the State Immunity Act 1978.
Implications
This case is a landmark decision that addresses complex issues arising from the evolving nature of jurisdictional reach (in the context of state immunity), particularly in light of the development of digital and remote technologies, thereby potentially having an impact on future cases involving cross-border cyber activities.
The decision highlights the delicate balance between respecting state sovereignty and ensuring accountability for actions that infringe on the rights of individuals within another state’s territory. It serves as a reminder of the need for a robust legal framework to address cyber intrusions that increasingly cause harm within the UK, and the importance of comprehensive evidence to establish jurisdiction and causation.
[1] [2024] EWCA Civ 1158
/Passle/611cdc4cfac91e0bc434389f/SearchServiceImages/2024-12-19-13-05-02-651-676419fe3e67bad811f6c40b.jpg)
/Passle/611cdc4cfac91e0bc434389f/SearchServiceImages/2024-12-18-17-43-50-041-676309d63e67bad811f529b4.jpg)
/Passle/611cdc4cfac91e0bc434389f/SearchServiceImages/2024-12-18-16-41-42-147-6762fb46d05ecaccc10bf87c.jpg)