Boris Karpichkov v The National Crime Agency

The court considered whether the National Crime Agency lawfully disclosed the claimant's current identity and later his UK address to the Latvian SIRENE Bureau in the course of European Arrest Warrant (EAW) and SIS II / SIRENE cooperation. Central legal questions were the interaction between the Schengen / EAW regime (including the SIS II Decision and the SIRENE Manual), the Law Enforcement Directive (LED) and Part 3 of the Data Protection Act 2018 (DPA), and whether disclosures that would infringe fundamental rights could properly be said to be "required" by EU or Member State law for the purposes of Art.1(2)(b) LED and s.80 DPA.

The judge held that the SIS II Decision, the SIRENE Decision and Manual and the EAW Framework Decision create a specific, operational regime for exchange of law‑enforcement information which enjoys a protected status under the LED and s.80 DPA. However, those instruments must be interpreted and applied consistently with fundamental rights (the EU Charter, the 1981 Council of Europe Convention and the ECHR). If, on the facts, disclosure would be contrary to fundamental rights, it would not be strictly "required" under Art.1(2)(b) LED and the executing authority would arguably remain bound to apply the DPA Data Protection Principles and could lawfully restrict or refuse the transfer.

Applying those principles to the present procedural application, the judge concluded that it was arguable that the NCA should have considered whether the disclosures were truly required once fundamental‑rights considerations were taken into account. The legal issues were not suitable for strike out or summary judgment and the NCA's application was dismissed, allowing the claimant's claim to proceed to trial.

Background and parties: The claimant (a former intelligence double agent now living in the United Kingdom under a changed identity) alleges that the National Crime Agency (NCA), as the United Kingdom's competent authority, disclosed his current name to the Latvian SIRENE Bureau on 23 July 2018 and disclosed his UK address on 22 May 2019. He contends those disclosures led to threats and placed his life at risk.

Nature of the claim / relief sought:

• Damages under the Data Protection Act 2018 for breaches of the first, third and sixth Data Protection Principles (s.35, s.37, s.40).
• Damages for misuse of private information (misuse of private information at common law / Article 8 ECHR).

Procedural posture: This was a first‑instance application by the NCA to strike out the claim and/or obtain summary judgment dismissing the claimant's case. The NCA admitted the disclosures but argued they were required and lawful under the EAW / SIS II / SIRENE legal framework and thus compliant with the DPA and common law.

Issues framed:

• Whether the SIS II Decision, the SIRENE Manual and the EAW Framework Decision form a specific code that prevails over general LED / DPA protections so as to require disclosure.
• Whether a disclosure that would be contrary to fundamental rights (ECHR / EU Charter) can be properly regarded as "required" by Union or Member State law for the purposes of Art.1(2)(b) LED and s.80 DPA.
• Whether, on the pleaded facts and available evidence, the claimant has a realistic prospect of establishing breaches of the DPA or misuse of private information so as to defeat a strike out/summary judgment application.

Court's reasoning (concise):

• The EAW Framework Decision and SIS II regime are designed to facilitate mutual recognition and efficient cross‑border surrender; the instruments and the SIRENE Manual are a specific operational code and are protected by provisions in the LED (Art.60, Recital 94 and Art.1(2)(b)) and by s.80 DPA which prevents imposing restrictions on transfers required by those instruments.
• Nonetheless, the instruments themselves refer to and must be applied consistently with fundamental rights (the EU Charter and the 1981 Convention). The LED and the DPA implement and require protection of fundamental rights in law‑enforcement data processing (e.g. LED Art.4 and Recitals 1, 46 and 51).
• Therefore, where a particular transfer would be contrary to fundamental rights, it would not be strictly "required" by Union or Member State law such that the "carve outs" in Art.1(2)(b) LED and s.80 DPA would automatically apply. In that scenario the executing authority would arguably need to apply the DPA Data Protection Principles and could restrict or refuse transfer or require modifications to protect rights.
• On the material before the court it was arguable that the NCA ought to have considered those fundamental‑rights issues given the claimant's history and known risks. That meant the claim was not bound to fail and summary disposal was inappropriate.

Wider context: The judgment emphasises the need to interpret EAW / SIS II cooperation in a way that preserves fundamental rights and that the operational duties of SIRENE bureaux are not immune from rights‑based assessment in exceptional factual circumstances.

The NCA's application to strike out and/or obtain summary judgment was dismissed. The judge concluded that although the SIS II Decision, the SIRENE Manual and the EAW Framework Decision constitute a specific operational code for inter‑state law‑enforcement data exchange and enjoy protected status under the LED and s.80 DPA, those instruments must be interpreted consistently with fundamental rights. If a proposed disclosure would be contrary to the EU Charter or ECHR rights, it would not be strictly "required" by Union or Member State law and the executing authority would arguably remain obliged to apply the DPA Data Protection Principles and could impose restrictions or refuse transfer. On the pleaded facts it was arguable that the NCA should have considered those questions, so disposal at the strike out / summary judgment stage was inappropriate and the claimant's action may proceed to trial.