Hogan Lovells 2024 Election Impact and Congressional Outlook Report
The Court of Appeal (“CoA”) has recently confirmed the disclosure expectations on a litigant where its own documents might be held on a third party’s (such as an employee’s) personal accounts and devices, including mobile phones.
In a recent decision the CoA upheld an order requiring the Serious Fraud Office (“SFO”) to write to 55 disclosure custodians – who are not parties to the litigation – and ask them to voluntarily deliver up their personal electronic devices for the purpose of the SFO’s disclosure searches. The list of custodians includes current and former SFO Directors, and other members of the SFO’s senior management team. In another vindication for our client, ENRC, the CoA found that it was “a sound evidential basis” for making this order that at least some of the SFO’s custodians had used personal devices for work purposes. That was sufficient to justify the interference with individuals’ privacy rights.
The disclosure obligation is limited to searching for documents that are (or were) in a party’s “possession or control”. If your opponent in litigation is a corporate entity, the risk is that the most critical documents in your case will not be found on the company’s servers, but on the personal devices of your opponent’s directors and employees – but what right does a company have to obtain these documents, which are contained in another party’s property?
Generally, under employment law and agency principles, a company will have a right to call for documents that its employees created in connection with their work, even if those might be held on personal devices. However, in practice, getting disclosure of these documents depends on directors and employees owning up to the fact they hold them on their devices. This may not be of much comfort to a party that has brought claims involving dishonesty against a company, such as fraud claims. If employees have acted unscrupulously in their conduct, what prospect can there be that they will openly admit to the existence of incriminating documents?
At a case management hearing at the end of February 2023, Eurasian Natural Resources Corporation (“ENRC”) sought and obtained an order requiring the SFO to write to a number of its custodians requesting that they voluntarily deliver up their personal accounts and devices (including personal email accounts, messaging applications and personal mobile phones) to a third-party IT consultant for the purpose of running disclosure searches (ENRC v (1) the Director of the SFO, (2) John Gibson and (3) Antony Puddick (Claim No CL-2021-000035)). The SFO had proposed that it would only write to these custodians, and ask whether they used their personal devices or accounts for work purposes before taking any further action.
The order was sought on the basis of a relatively novel jurisdiction, established by the High Court (and affirmed by the CoA) in the case of Phones 4U Limited (In Administration) v EE Limited and others [2020] EWHC 1921 (Ch) (upheld on appeal: [2021] 1 WLR 3270) – in which this firm also acted. We refer below to this type of orders as “Phones 4U orders”.
The SFO sought to appeal the order (which was made at first instance by Mrs Justice Cockerill), but in April 2023 the CoA refused to grant permission to appeal, confirming that (i) the Judge had jurisdiction to make the order in question; (ii) there was “a sound evidential basis” for making the order even though disclosure had yet to take place; and (iii) the order “struck a careful balance” which respected the custodians’ privacy and data protection rights.
Roth J in Phones 4U and Cockerill J in the ENRC v SFO case have emphasised that the nature of the claim and the allegations in issue are highly material factors in deciding whether an order requesting access to custodians’ personal accounts and devices should be made.
In both cases the Court found that communications relevant to those allegations were inherently unlikely to be found on custodians’ work email accounts or employer-issued devices. In these cases, a reasonable and proportionate disclosure search would need to extend to the data stored on custodians’ personal accounts and devices.
In seeking permission to appeal, the SFO argued that in order for the Court to make a Phones 4U order there needed to be reasonable grounds for suspecting that each of the custodians affected by order had used personal accounts and/or devices for work purposes.
The evidence before Mrs Justice Cockerill fell short of that, although ENRC was able to point to evidence that at least the SFO’s current director, the Third Defendant and another senior SFO Officer had used their personal mobile phones to communicate with external parties, and that the Second Defendant – a former Case Controller at the SFO – had used the “highly secretive” messaging application Signal to communicate with a journalist.
The CoA found that this amounted to “a sound evidential basis” for the making of the order sought, even if it was not possible to say whether all of the 55 affected custodians had used personal accounts / devices for work purposes or to identify which had done so and which had not. The CoA also noted that “it would be unrealistic to require ENRC to prove more than this” (the order was sought in this case prior to disclosure having been given by the parties).
In Phones 4U, the order was made only in respect of four custodians for each defendant. By contrast, in the ENRC case, the Court was persuaded that it would be proportionate to make the order in respect of two groups of custodians, comprising around 55 individuals in total. This shows that the mere fact that the order would affect a relatively high number of custodians is not itself a bar to the order being granted, in an appropriate case.
The second group of custodians included the current SFO director, two former SFO directors, the current and former General Counsel and relevant Heads of Division. In addressing the SFO’s objections about the inclusion of this class of custodians, Mrs Justice Cockerill noted that it could not be concluded that “because people are more senior they are more trustworthy – or indeed that their memories are less prone to fault”. The Judge noted that it would be “derogatory” towards more junior custodians if they were asked to produce their personal devices, but the same order were not made in respect of more senior custodians.
In many respects, the Phones 4U and ENRC cases have not fundamentally changed the law: ‘work’ emails held on personal devices have always been properly disclosable.
What these decisions have done is to establish a new practical method for conducting searches over these devices. In essence, instead of relying on the individual custodians to recall whether they used their devices and run their own searches over it, in appropriate cases, a company can now be ordered to ask custodians (albeit voluntarily) to hand over their entire device or account for searching, even though that will require the custodians to surrender their own personal data (which will almost certainly be held together with their work emails). This in turn may remove the need for parties to take steps directly against the individual custodians (e.g. by way of third-party disclosure applications).
This is the second endorsement by the CoA of orders of the kind first made in Phones 4U. Going forward, litigants can expect orders for access to custodians’ personal accounts and devices to be sought more often at case management conferences and as part of applications for specific disclosure, particularly in cases which involve allegations of fraud, dishonesty or collusion.
As a result, the time has come for corporates to give active (and pre-emptive) consideration to the risk that their employees may be using personal devices and/or accounts (including personal emails and messaging applications) in connection with their work. Corporations should be mindful of the implications this could have in the event the company finds itself embroiled in litigation and subject to disclosure obligations, usually several years down the line. Accordingly, it may be prudent for corporations to give advance thought to the policies they have in place regarding the use of personal accounts and devices, and revisit these as necessary.
Corporates with US links may also wish to take note of the Department of Justice’s (“DOJ”) recent changes to its “Evaluation of Corporate Compliance Programs” (“ECCP”). Under the revised ECCP, when evaluating a corporate policy for detecting and investigating potential misconduct and violations of the law, DOJ prosecutors will now consider, amongst other things, the corporation’s policies and procedures governing the use of personal devices, communications platforms, and messaging applications. For more information on this, please see our article here.
Authored by Alex Riposi and Edward Hickman.