This article was written by Kiril Waite and Liam Ryan.
Most practitioners will read Al-Masarir v Kingdom of Saudi Arabia [2026] EWHC 119 (KB) as a case about state-sponsored espionage. It is. But read again, and Saini J’s judgment earlier this year) does something rather more consequential: it purports to settle, in a single authoritative passage, three questions about covert surveillance and the Protection from Harassment Act 1997 that had, until now, been addressed only obliquely. Taken together, those answers open a substantial new front in civil litigation. One in which the defendant need not be a foreign state, and the claimant need not be a political dissident. Could this decision have wider consequences in domestic litigation such as personal injury and employment?
The case (in a nutshell)
The Claimant, a Saudi national granted asylum in the UK in 2018, is a prominent YouTube satirist and critic of the Saudi Royal Family. In June 2018, two of his iPhones were infected with Pegasus — commercial spyware sold by NSO Group, which extracts stored data, intercepts calls, activates microphones and cameras, and tracks location. Digital forensic evidence placed the infected devices in sustained contact with Pegasus command-and-control servers between 23–28 July and 23 August–18 September 2018. The KSA having disengaged from the proceedings, Saini J entered summary judgment in the sum of £3,025,662.83 for misuse of private information, harassment, trespass to goods and assault. The harassment analysis, at paragraphs [70]–[75], is what should interest every civil practitioner.
Three propositions
1. Discovery is the trigger. The tort is not complete until the victim learns of the conduct.
Adopting the analysis of Richard Spearman QC in Gerrard v Eurasian Natural Resources Corporation Ltd [2021] EMLR 8, Saini J held at [72] that Kellett v DPP [2001] EWHC 107 (Admin) is authority for the proposition that “the offence (or tort) of harassment is only complete when the victim learns of the harassing conduct”. Before discovery, there are no harmful effects to complain of. After discovery, the full weight of the Act is engaged.
2. Covert sustained surveillance is a “course of conduct”.
The Defendant might have argued that covert surveillance, however intrusive, is conceptually a single act. Saini J rejected that at [74]. On the evidence, the KSA had used Pegasus to monitor the Claimant “over an extended period and by multiple acts”: repeated contact between the infected devices and command-and-control servers over two distinct periods; the infection of two devices; the multiple functionalities deployed; and the KSA’s documented interest in the Claimant. Those features “plainly amounted to a course of conduct”. The statutory requirement of conduct on at least two occasions was comfortably satisfied.
3. Secrecy is no defence. Concealment is part of the wrong.
Section 1(2) PHA 1997 asks whether a reasonable person in the Defendant’s position would know the conduct amounted to harassment. Following Gerrard, Saini J held at [72] that “calculated” bears an objective sense — “likely to produce a result” — with “likely” meaning “sufficiently likely in all the circumstances”, not “more likely than not”. It is no answer for a perpetrator to say that he hoped, intended or planned that the target would never find out. At [75], the conduct was “akin to the most severe form of ‘stalking’, a wrong which the PHA was specifically intended to address”.
Why this matters — the pipeline of claims now within reach
The doctrinal shift looks narrow. Its litigation consequences are not. Once it is accepted that (a) harassment crystallises on discovery, (b) covert surveillance operating over days or weeks is a course of conduct as a matter of ordinary inference, and (c) the perpetrator’s plan that the victim should never learn is irrelevant, a very wide range of fact patterns becomes actionable under the PHA 1997 — with its attractive features of a six-year limitation period running from discovery, damages for anxiety (s.3(2)), and costs consequences that reflect the statute’s origin in the criminal law.
The cases one can readily foresee include:
Employer monitoring gone wrong. An employee discovers that keylogging, webcam or screen-capture software has been silently installed on a work-issued laptop, or that a “bring-your-own-device” policy has been used to access personal data beyond anything the employment contract could justify. Before Al-Masarir, the remedy map was fragmented — data protection, perhaps a breach of contract, possibly the Investigatory Powers Act. Now, a freestanding harassment claim sits alongside those.
Stalkerware and domestic abuse. Commercial spyware marketed to “check on” partners and ex-partners behaves, technically, very much like Pegasus on a smaller budget. The tort is complete when the victim finds the app. Each category of access — location, messages, camera, microphone — is available as conduct on multiple occasions.
Landlord and letting-agent intrusion. Hidden cameras, covertly installed smart-home devices, and unauthorised use of the agent’s remote access to a managed property are all familiar complaints. Where the conduct is sustained and discovered, the statutory threshold is now clearly met.
Corporate and private-investigator surveillance. Gerrard itself concerned commercial surveillance instructed during litigation. Al-Masarir confirms the direction of travel: sustained covert monitoring of a litigant, journalist or whistleblower will cross the Majrowski threshold and will rarely attract a reasonableness defence under s.1(3)(c).
Third-party data breaches involving covert access. Where a hack involves persistent access rather than a single exfiltration event — and increasingly, they do — the course-of-conduct requirement is satisfied on the face of the forensic report. The harassment claim sits alongside the UK GDPR claim, and extends the remedy to non-data harms.
The common feature is that every one of these fact patterns has, historically, produced client inquiries that solicitors struggled to package into a single viable cause of action. Al-Masarir provides that package.
Two points of caution
First, the Majrowski threshold is not cosmetic. Conduct must still be “oppressive and unacceptable”, of an order which would sustain criminal liability. A one-off, narrow or short-lived intrusion will not do — as Saini J’s careful reasoning at [74] on the duration, repetition and multi-faceted nature of the Pegasus deployment makes clear. The threshold works hard; it is not a formality.
Second, the statutory defences under s.1(3) — prevention of crime, legal authority, reasonableness — retain real work. Al-Masarir disposed of them summarily because the KSA had none to advance. Employers, investigators and regulators will be in a very different position, and reasonable-cause arguments will be live in most workplace and investigative cases.
Conclusion
Al-Masarir will be cited for many things, and the human rights commentary has already begun. The quieter, and more far-reaching, consequence is that practitioners advising individuals who discover they have been watched — by an employer, an ex-partner, a letting agent, a corporate adversary, a careless IT contractor, or a criminal hacker — now have a clear, settled and powerful claim in harassment. The tort is complete on discovery. Concealment aggravates rather than excuses. And a course of conduct will, on the ordinary facts of sustained digital surveillance, be established as a matter of inference.
Solicitors should expect their inboxes to reflect that shift.
