English court rules data on personal phones need not be disclosed

The court said the Saudi Arabian Airlines Corporation (Saudia) did not have control over personal mobile devices belonging to its employees, and therefore the airline leasing companies suing Saudia could not force it to disclose data on those phones.

Dispute resolution expert Kristian Grice of Pinsent Masons, the law firm behind Out-Law, said the decision was the latest in a number of recent cases examining whether an organisation which is a party to litigation has within its ‘control’ – and therefore within the scope of its disclosure obligations – work-related data held on personal devices belonging to employees or ex-employees.

For example, in another case earlier this year, the High Court came to the conclusion that the terms of a contractual agreement between a CEO and his company meant material on the CEO’s phone should be disclosed. 

“The fact that these issues arise so often, and with different outcomes, illustrates the complexities involved with the use of personal devices for work-related purposes and to which ‘bring your own device’ [BYOD] policies can give rise when it comes to disclosure, and the importance of ensuring that BYOD and other policies dealing with employees’ treatment of company data are drafted carefully and clearly,” Grice said.

“Determining whether a party to a dispute can or will need to preserve and disclose documents on employee personal devices is likely to be more straightforward if either, at one end of the spectrum, there is a clear and well-enforced prohibition on using personal devices for work purposes, with robust systems whereby all communications are saved to central servers; or, at the other extreme, if use of personal devices is permitted but with strong rights put in place for the business to access work-related data held on such devices,” Grice said.

In the Saudia case, the claimants and the International Air Finance Corporation, a third party to the litigation, applied for disclosure of documents on phones owned and used by Saudia’s chair and former director general, Saleh Al Jasser, and a former Saudia employee, Abdulrahmen Altayeb.

The court decided the data on Al Jasser and Altayeb’s personal phones was not within Saudia’s control. The judge added that the court did not have jurisdiction to make an order requiring Saudia to exercise its ‘best endeavours’ to extract any relevant documents.

It also said any emails sent using the personal phones would be on the company’s main email servers, and it was unclear how relevant other data, such as WhatsApp messages, would be to the litigation. There would also be challenges associated with extracting Saudia’s data from the phones without prejudicing other data on the devices.

“When a dispute arises, it is important to map out at an early stage where potentially relevant data is held and whether any issues with collecting or disclosing that data may arise, including because it is held on personal devices. Identifying such issues early enables proactive, pragmatic conversations with opponents and the court and so reduces the scope for costly, disruptive satellite disputes over disclosure issues,” Grice said.

The court heard from Saudi Arabian law experts for both sides on issues relating to Saudi law, and the access rights which Saudia had over its employees’ personal devices as a matter of Saudi law.

“From the outset of any dispute involving data in another country, it is extremely important to obtain input from local information law experts. This is necessary not only to help establish the ‘universe’ of data over which the party can be said to have control, but also, more widely, to avoid infringing any national data protection, privacy, secrecy or confidentiality rules which may prevent access to data or impact on how it is handled,” said Pinsent Masons dispute resolution expert Emilie Jones.

Jones said the court’s finding on the ‘best endeavours’ issue was also of note. The judge considered a Court of Appeal decision from earlier in 2021 in a case between Phones 4U and EE, in which an order was made that certain parties should write to employees asking them to provide their personal devices to IT consultants who would search the devices for work-related communications.

The court in the Saudia case explained that the decision in Phones 4U was reached in circumstances where it was common ground between the parties in that case that any work-related emails and messages on the employees’ personal devices were to be regarded as being within the relevant party’s ‘control’. In those circumstances, the court’s order was a practical step towards identifying those documents which fell within the party’s control.

“This is helpful guidance to future courts, and should limit the circumstances in which parties are put in the sometimes difficult position of having to make a request for documents from a third party with which the third party is not actually obliged to comply,” Jones said.

“Overall, this is another interesting case in an area of law and procedure that, against the backdrop of ever-developing and proliferating technology, looks set to continue growing,” Jones said.