It was a lawsuit unlike any other. On August 25 2023, just days before he resigned as UK defence secretary, Ben Wallace asked judges in London for an injunction to keep a historic national security debacle secret.
The Ministry of Defence had recently discovered that 18 months earlier a British soldier had mistakenly released a highly sensitive dataset identifying thousands of Afghans who had worked with the UK before the Taliban retook power, and were now at risk of reprisals.
Whitehall only learned about the leak after someone posted on Facebook extracts from the list, which featured details of about 25,000 people.
If the Taliban obtained the dataset, the consequences would be dire. Thousands of people in Afghanistan could face torture and death. Wallace wanted the High Court to intervene to conceal the โdata incidentโ.
The judge who heard Wallaceโs application, Mr Justice Knowles, granted the injunction after the MoD argued successfully that the threat to life justified it.
Knowles took the exceptional further step of issuing a โsuper-injunctionโ, not only preventing anyone from revealing the data had been breached but making it unlawful to mention even that the restrictions themselves existed.
On several levels, the gagging order was without precedent. Its imposition was a genuine landmark in English legal history.
For a start, the super-injunction was the first ever to be obtained by the UK government. It has allowed ministers first in Rishi Sunakโs Conservative government and then in Sir Keir Starmerโs Labour administration to take decisions concerning the safety of tens of thousands of people โ and plan to spend as much as ยฃ7bn to relocate those affected โ without public scrutiny.
It was also the first super-injunction to be issued โcontra mundumโ โ against the world. The uniquely potent combination gave the MoD the power to stop anyone speaking of either the data breach, or the existence of the restrictions.
Though the MoD initially sought only โtime-limitedโ restrictions, it went on to make repeated extension requests under both the Conservative and Labour governments. The courts would acquiesce, keeping the super-injunction in place for almost two years, before it was finally lifted on Tuesday.
Throughout much of the period the reporting blackout was in place, the UK government vacillated over its policy response to the data breach. Even in recent weeks โ nearly two years on โ the number of victims who should be allowed to seek sanctuary in Britain has been the subject of Whitehall review.
Last month, the government sharply changed direction. An internal policy review had concluded the danger was much less acute than previously assessed.
โRather than being a defining factor in an individual being targeted, it is likely that public knowledge of the dataset would be simply another factor in exacerbating a personโs existing vulnerability,โ the review concluded.
Was one of the most extensive court orders in English legal history based on a false premise?
Super-injunctions are known for more frivolous cases, deployed by celebrities to prevent tabloids from publishing stories about their personal lives. Past examples include the case of footballer John Terry in 2010 and broadcaster Andrew Marr in 2008, who later said he was โembarrassedโ about obtaining it.
Such cases prompted critics to warn that court suppression orders were creating a secret justice system. Former prime minister David Cameron in 2011 said he was โuneasyโ about such wide-ranging restrictions on freedom of speech. In May that year, Lord Neuberger, a senior judge, told his colleagues to issue them only in โthe rarest casesโ.
In his initial application to the court, Wallace said that while extracts of the dataset had appeared on Facebook โ posted by an anonymous user who threatened to release the entire spreadsheet โ disclosure so far had been โvery limitedโ. The social media platformโs owner Meta had removed the messages after four days. But wider publication of the breach โwould create a real and immediate risk to the life and safetyโ of those identified, Wallace said.
Officials had assessed that the Taliban did not currently have the list. But they believed โ for reasons the MoD has not disclosed โ that if the Islamist movement knew the dataset had been released erroneously, it was โhighly likely to succeedโ in obtaining it.
The MoD told the court that keeping the incident secret would buy it time to โimplement protective measuresโ. Nina Cope, a senior MoD official, estimated in a witness statement that it could take โin the region of four monthsโ for โall reasonable mitigationsโ to be put in place.
Knowles accepted the MoDโs assessment, and ordered that a super-injunction be imposed until December 2023. In his September 2023 ruling, the judge acknowledged the restrictions were โexceptionalโ. But he said they were justified in the โparticular and exceptional circumstances of the caseโ.ย
The super-injunction was initially served on two media groups โ Daily Mail publisher Associated Newspapers, and Global Media, owner of The News Agents podcast. In the following months, journalists at five other outlets who learned of the breach were also subjected to the gag order, including, earlier this year, at the Financial Times.
The seven media groups have challenged the restrictions during protracted injunction proceedings. All the court hearings were heard in โprivateโ, excluding the public and wider press, while some were โclosedโ โ a tighter set of restrictions that, for reasons of national security, excluded the media organisations involved in the case.
A โspecial advocateโ, Tom Forster KC, was appointed by the court to represent the interests of the media during closed hearings, but the defendants were not informed about what the advocate, a security-cleared barrister, argued on their behalf, nor what the judge heard from the government.
As a result, basic details about the data breach โ including whether the soldier who committed the original blunder has faced any disciplinary action, and to whom they mistakenly sent the dataset โ remain secret.
Mr Justice Chamberlain, to whom the case was transferred from Knowles, ruled in November 2023 in favour of maintaining the restrictions. Evidence he heard behind closed doors suggested there was a โreal riskโ that the Taliban would be able to obtain the list if it knew it had been mistakenly released.
โMany thousands whose details are included could be killed or injured and the UK government would have no realistic way of safeguarding them,โ the judge said.
Even at this stage, though, Chamberlain made clear he had big reservations. โThe grant of a super-injunction to the government is likely to give rise to the understandable suspicion that the courtโs processes are being used for the purposes of censorship,โ he said.
Gagging the media through the courts was just one step the government needed to take to keep the extraordinary episode under wraps.
One big risk of exposure was parliament. Previous super-injunctions have been rendered ineffective after MPs used parliamentary privilege to override the court restrictions.
They include the case of Trafigura, the commodity trading group, which obtained a super-injunction through law firm Carter-Ruck in 2009 to prevent The Guardian from disclosing a report about waste dumping.
Labour MP Paul Farrelly tabled a written parliamentary question the following month that revealed the existence of the super-injunction.
Several parliamentary questions about the Afghan Relocations and Assistance Policy (Arap), the resettlement scheme under which those on the compromised database had applied, had been scheduled for September 7 2023.
To prevent the data breach potentially being revealed, government officials alerted Sir Lindsay Hoyle, Speaker of the House of Commons, who has the power to veto questions, and his counterpart in the Lords, John McFall, to the super-injunction.
โMinisters considered it appropriate to notify the Speakersโ so they โcould make informed decisions as to how matters should be handledโ, said Deana Rouse, a senior MoD official, in a witness statement that October.
Sunakโs Conservative government kept the then-Labour opposition in the dark for months โ even though in the UK the leadership of the main opposition party typically receives classified briefings on important national security matters, and despite civil servants recommending that selected Labour figures should be kept in the loop.
Grant Shapps, Wallaceโs successor as defence secretary, told officials in November that the opposition should not be briefed. Parliamentโs intelligence and security committee and the Commons defence select committee were also kept in the dark.
โI would not widen [the] circle by briefing others,โ said Shapps, according to a civil service memo dated November 2023.
In an update about the super-injunction prepared for Shapps later that month, civil servants warned the defence secretary that the judge, Chamberlain, had expressed โserious concernโ that the gagging order โhas the effect of completely shutting down mechanisms of public and parliamentary accountabilityโ.
โWe ask whether, in light of the judgeโs latest judgment, this [decision against informing the opposition] could be reconsidered,โ they added, suggesting that Starmer, then leader of the opposition, and some shadow ministers be informed in confidence.
The MoD also decided against briefing the chair of an ongoing public inquiry into allegations of extrajudicial killings in Afghanistan by members of the UK special forces, accusations that โ if proven โ could further fuel the Talibanโs desire to exact revenge on Afghans who collaborated with the British.
โThe democratic process remains in the deep freeze,โ said Forster, the special advocate, in written submissions to the court onย November 30. Ministers were able to โoperate behind the cloak of the injunction and are wholly unaccountable. That they will, one day, have to account for their actions is nothing to the point. What is critical is that there is challenge to the system now.โ
John Healey, then-shadow defence secretary, was finally briefed on December 12.
The next day, Healey asked Shapps in parliament about data breaches at the MoD. A minister responded the following week to say there were โtwo live ICO investigations into incidents within the Ministry of Defence. We do not provide further detail on live investigations.โ
The secrecy endured throughout a general election campaign and after Labour took power in July 2024. In December โ a year after he put the MoD data breach question to Shapps โ Healey, the recently appointed defence secretary, made a statement of his own to parliament about Afghan relocations.
Ministers were โfixing the foundations of a complicated systemโ, he said, by โreforming our internal organisationโ and โdrawing together a single pipelineโ for resettlements. Healey mentioned there would be more arrivals of โapplications that were previously considered ineligibleโ.
The blandly worded written statement, which received little press coverage, made no reference to one of the main reasons it was being made โ the data breach.
Natalie Moore, a senior official at the MoD, had told the court in October that a parliamentary statement was being prepared that would โhelp to provide cover for the numbers arrivingโ under a secret immigration scheme that had been set up for those on the compromised dataset, known as the Afghan Response Route (ARR).
Arrivals under the scheme had been slow. By October 2024, only 332 Afghans, who were priorities for resettlement, had arrived in the UK. Still, immigration statistics, released each quarter by the Home Office, did not reveal them. Arrivals under the secret ARR scheme were โnot recordedโ in the figures released in August and November 2024, said Dominic Wilson, a Cabinet Office official, in a witness statement last month.
The decision not to report them had been taken for โcontainment reasonsโ and the number of arrivals were โlowโ at the time the statistics were released, Wilson said.
The volume was expected to pick up, though. Despite the anticipated influx of thousands of additional immigrants, local councils โ which play a central role in settling new arrivals to the UK in these circumstances โ had not been told.
The purpose of the parliamentary statement was to update MPs on the โscale of the challenge on resettlementโ, Wilson said in a witness statement in January. โIt was also to enable engagement with local authorities to commence, as they are a vital delivery partner for Afghan resettlement.โ
Councils โneed to be publicly provided with reasonable planning assumptions around numbersโ, Wilson said. But โat present there are no plans to inform local authorities about the data incidentโ, he added.
โThe continued arrival in the UK of Afghan families could become a matter of public debate leading to questions about HMGโs [the governmentโs] relocation efforts that could be difficult to answer publicly,โ Wilson said.
Jude Bunting KC, representing the media, argued in February that Healeyโs parliamentary statement had been โmisleading by omissionโ. It โdoes not explain why there will be greater numbers of relocations from Afghanistanโ.
Cathryn McGahey KC, for the government, said parliament had not been misled. She told the court that the announcement enabled โthe ARR [the secret immigration scheme] to be delivered without revealing the fact of the data incidentโ. She added: โIt was made with the parliamentary authorities and opposition aware of the context.โ
The impact of the data breach on already-strained UK public finances has also been kept from public view.
Officials presented differing cost projections depending on arrival numbers. Last October they estimated between ยฃ6.27bn and ยฃ7.23bn, based on a โtotal resettlement cohortโ of 36,000.
The costs of ARR had been included in the MoDโs annual report but had not been specified, Wilson said in his January witness statement. It was โreported against the relevant expenditure which was incurred, for example workforce or purchase of goods and servicesโ.
Officials also massaged the MoDโs annual report, which required disclosure of data incidents that had been reported to the Information Commissionerโs Office, as this one had.
The MoD had reached an understanding with the National Audit Office, the public spending watchdog, for a more โlimitedโ description of the incident than usual to be included in the accounts, Wilson told the court.
But the published report, released last July, omitted even the agreed formulation. โUnfortunately, for reasons that are unclear to meโ.โ.โ.โthe report itself did not replicate the agreed approach,โ Wilson said. The intention, he said, was โfor this deficiency to be remedied in the next annual accountsโ.
More recently, officials decided it was โno longer tenableโ not to report the additional Afghan arrivals in the immigration statistics. ARR arrivals are now included โunder the Arap subsetโ, Wilson said last month.
Another body that had to be kept in line was the ICO, which was preparing to fine the MoD for a smaller data breach in September 2021. In that incident officials sent three mass emails to Arap applicants using the โToโ field instead of โBlind Carbon Copyโ, exposing 265 email addresses to the whole distribution list. An ICO representative was issued with the super-injunction before making the other incident public in December 2023.
As the months wore on, Chamberlain became increasingly concerned that the super-injunction was threatening the safety of those it was supposed to protect. The government decided in early 2024 to relocate to the UK only a minority of the data breach victims. Ministers concluded that the total number of people affected โ as many as 100,000 โ was so large it would be impossible to move them all.
โThe government has decided to help only a very small proportion of those whose lives have been endangered,โ Chamberlain said in a ruling in February 2024. Yet the super-injunction meant victims could not be told even though they were stuck in Afghanistan, which may leave them โeffectively unableโ to take precautions.
Outside scrutiny might lead ministers to respond differently, the judge said. โThe media and public would have the opportunity to put pressure on the government to increase the number of people to whom relocation would be offered,โ Chamberlain said. He once again maintained the super-injunction, but called for the MoD to provide more evidence to support its case for the extraordinary restrictions.
In May last year, the judge decided the time had come to โgrasp the nettleโ and lift the super-injunction. By then, Chamberlain had concluded there was a โpossibilityโ that the Taliban knew the data had been compromised.
Arap campaigners long disputed the MoDโs assertion that the Taliban did not have access to the database. One of them had told the MoD that โthe number of arrests and abductions reported since August 2023 makes it likelyโ that it was being used to hunt people. An activist assisting Arap applicants also provided evidence to the MoD in September 2023 that an Afghan had received a threatening call from Taliban intelligence on a number they had only supplied in their Arap application.ย
In his May 2024 ruling, Chamberlain noted that by that point the breach had occurred almost two years earlier. Someone had already posted about it on Facebook on a group with 1,300 members, some of whom may well have been Taliban infiltrators. And UK government officials in Islamabad who learned of the breach soon after the Facebook posts had alerted about 1,800 applicants in Pakistan that some of their personal details had been compromised.
The rest of the victims โwould be better off learning of the data breach from the UK government than a knock on the door from the Talibanโ, Chamberlain said.
Even if the Taliban did not yet have access to the list, the judge said it was likely they would do so in coming months or years. The โenormous sums of public moneyโ being committed in responding to the data compromise were โbound to attract attentionโ, he said.
This was the โsort of money which makes a material difference to government spending plans and is normally the stuff of political debate. There is a real question about the feasibility (let alone the desirability) of keeping the reasons for such expenditure secret.โย
The ruling was appealed by the MoD, however, and Chamberlainโs decision was reversed by the Court of Appeal by Sir Geoffrey Vos, Lord Justice Singh and Lord Justice Warby sitting privately in July 2024.
Last October, the media organisations argued that the governmentโs position had โradicallyโ evolved, from seeking a temporary injunction to wanting to, as the defence secretary said in a paper to cabinet colleagues the same month, โmaintain control of the narrativeโ and implement a โrobust public comms strategyโ. This would involve setting out the โscale (but not the cause) of the challengeโ posed by relocating Afghans en masse to the UK, an approach that amounted to โactively misleading the publicโ, the court heard.
Bunting told the court the following month that the government had โcreated, through its own data breach, an asserted risk to life for close to 100,000 people. The claimant now intends to manage that risk through a secret scheme, without any parliamentary or legal oversight in individual cases.
โThe prospect for error, both legal and factual, in deciding who should and should not be offered assistanceโ.โ.โ.โis significant. Yet those people do not know that these decisions are being taken about them and have no means of challenging them.โ
In May the court heard, via a parallel legal action, that more than 665 Afghan nationals โ of whom over 150 were in Afghanistan โ were preparing to sue the MoD over the data breach, suggesting knowledge of the episode was spreading in the country.
Until now, the class action effort has been impeded because Barings Law, the firm representing the Afghans, has also been subject to the super-injunction.
The pivotal turning point came last month. After arguing in court for almost two years that those on the list were in mortal danger, requiring thousands of Afghan nationals to be relocated in secret, the court was told a government-commissioned review had concluded that the dangers were not in fact as grave as previously thought.
The review by Paul Rimmer, a retired deputy chief of defence intelligence, concluded that even if the Taliban acquired the dataset it would be โunlikely to substantially change an individualโs existing exposureโ. This was partly because the Taliban already had extensive records available to it about western collaborators from other sources.
The government acknowledged that the extraordinary restrictions could no longer be justified.
In his judgment on Tuesday, Chamberlain said Rimmerโs conclusions โfundamentally undermine the evidential basisโ for the courtsโ earlier decisions to prolong the super-injunction.
โThere is no tenable basisโ to extend it further, the judge said, citing โserious interferenceโ in freedom of the press and the โright of the public to receive the information they wish to impartโ.
Even now, though, restrictions persist through a new, โcontra mundumโ interim injunction imposed for another week that prevents reporting the full severity of the data breach. Chamberlain said the latest restrictions were โmuch narrower than those sought by the MoDโ and would โpermit full reporting of almost all the relevant circumstancesโ.
One of the most restrictive court orders in English legal history is likely to have a lasting legacy.
Chamberlain on Tuesday said that the assessments in Rimmerโs report were โvery different from those on which the super-injunction was sought and grantedโ โ eroding the foundations that underpinned nearly two years of official secrecy.
โIt will be for others to consider whether lessons can be learned from the way the initial assessments in this case were prepared and whether the courts were, or are generally, right to accord such weight to assessments of this kind.โ
