A decade-old spyware operation conducted by Bahrain is now at the centre of a landmark case before the UK Supreme Court. The outcome could determine whether governments may deploy spyware against political exiles abroad while relying on state immunity to evade accountability.
The claim, brought by two Bahraini dissidents who have lived in the UK since 2006, accuses Bahrain of infecting their computers over a decade ago with FinSpy, a surveillance software that allows operators to access files, monitor communications, and enable microphones and cameras for live surveillance. After discovering the intrusion, they described lasting psychological distress and are now seeking damages for personal injury.
This case unfolds against a broader pattern in which authoritarian governments across the Gulf have expanded their use of commercial spyware to target critics and human rights defenders. Such technology has been used to monitor online activity and construct cybercrime or terrorist-related charges against dissidents. Despite the gravity of these practices, accountability has remained elusive.
So far, lower courts in the UK have rejected Bahrain’s argument that it must be protected by state immunity because the alleged hacking did not occur within the UK. Because its operators would have acted abroad, their conduct should fall outside the jurisdiction of British courts. However, to accept this view means conceding that digital repression, precisely because it is borderless, will fall through the cracks of international law.
The Court of Appeal, in contradiction with Bahrain’s argument, held that even if the alleged hacking occurred abroad, the effects were felt within the UK, so much so that the country’s territorial sovereignty suffered interference. The compromised devices, the violation of claimant’s privacy, and the psychological injury took place on British soil. A view that recognizes that territorial boundaries collapse when abuses are carried out digitally.
The legal novelty of this case also stems from the fact that traditional doctrines of sovereign immunity, such as those codified in the UK’s 1978 State Immunity Act, were never crafted with advanced digital technologies in mind. The legal tension between accountability and sovereignty is exacerbated by the fact digital attacks, by their very nature, transcend any border. In this context, the courts must consider the central question of whether a state can inflict harm entirely digitally and then insist that, because the technical action occurred abroad, it cannot be held accountable.
The implications of this case extend far beyond compensating two individuals harmed by surveillance. If Bahrain’s immunity claim were upheld, states could exploit this reasoning to conduct surveillance remotely while avoiding any legal consequence. Conversely, rejecting the immunity claim would open a new avenue for dissidents to challenge digital operations, making civil claims more viable. It may also pressure governments and companies to adopt safeguards, increase transparency around spyware procurement, and affirm that individuals targeted by states have the right to seek justice wherever they reside.
The stakes of this case are high. Its outcome will send a message to governments across the Gulf, and the world at large, about the limits of transnational repression. As this case moves forward, the UK has the responsibility to draw a clear line: digital repression must not become a consequence-free tool of authoritarian states. ADHRB urges UK authorities to affirm that those targeted by foreign governments have the right to seek justice, regardless of where the act originates from. Rejecting Bahrain’s immunity claim is an essential step to ensure that the UK remains a place where the unlawful reach of authoritarian states meets a firm limit.
