UK court ruling highlights privilege and disclosure issues relating to emails in corporate IT systems

The ruling concerns an application made by a claimant in ongoing complex and high-value Commercial Court proceedings The claimant, Jinxin, applied for a declaration that the relevant defendants were not entitled to claim privilege over any data and documents that were held on or collected from the computer systems of a company and its subsidiaries and associated entities.

Jinxin seeks to rescind a share purchase agreement (SPA) it entered into in 2016 to acquire a 65% stake in MP & Silva Holding SA (MPS) for more than US$661 million, or to claim damages. It alleges that some of the defendants (the ‘tort defendants’) induced it to enter into the SPA by making fraudulent misrepresentations. From 2018, MPS and its subsidiaries went into a variety of insolvency proceedings leading to many of the group’s companies being bankrupt or wound up.

The key issue the court had to decide in relation to the application was whether the tort defendants could assert privilege as against Jinxin over information and documents held on corporate IT systems of MPS, including email servers and other computer drives. This included email mailboxes and other documents stored on the MPS group’s systems that had been used by several individual tort defendants who were, respectively, the chief executive officer of MPS and ultimate beneficial owners of companies which held shares in MPS (the ‘group directors’).

The data had been provided to Jinxin in September 2018 after MPS passed board resolutions approving this.  Jinxin used keyword searches to identify and “quarantine” documents in which the tort defendants might claim privilege, but sought a declaration that none of the tort defendants could claim privilege in relation to documents on MPS’s systems, so that Jinxin could proceed to review all relevant documents.

Jinxin argued that the group directors had no reasonable expectation of privacy as against MPS in the data and documents stored on servers controlled by MPS. Because the reasonable expectation of privacy was, they argued, the touchstone of confidentiality, the data and documents in question were not confidential as against the MPS – nor, therefore, as against Jinxin – and could not be privileged.

Handing down his judgment on 1 November Simon Salzedo KC, sitting as a deputy judge of the High Court, refused Jinxin’s application.

Litigation expert Emilie Jones of Pinsent Masons said the ruling contains a number of important lessons on privilege and disclosure, particularly in the context of complex commercial litigation but also for businesses’ general information governance.

“The judgment provides a reminder that confidentiality is an essential ingredient of legal professional privilege, the loss of which causes privilege to be lost too – so that businesses and individuals must be very careful to protect the confidentiality of their sensitive information in order to avoid any privilege attaching to it being lost,” said Jones.

“That said, the decision reiterates that whether material is confidential or not is not a binary issue: material may, for example, be confidential as against certain people but not others. As a result, it is possible to share privileged material with a third party on a confidential basis without that material losing its quality of confidentiality, and therefore of privilege, against the rest of the world. Any such sharing of privileged material must, however, always be approached with great caution and appropriate safeguards put in place. As this case illustrates, whether information is and remains confidential is fact-sensitive,” she added.

The case also deals with the common question of businesses’ rights, in the context of litigation, to access information which directors or employees have created or stored using corporate IT systems. This issue often arises in relation to employees’ personal and potentially privileged communications, said Caroline Hearn of Pinsent Masons.

“In seeking to establish that communications by the group directors using MPS systems were not confidential as against the company, Jinxin relied on MPS’s staff handbooks. In essence, as interpreted by the judge, these permitted staff to use company systems for private communications, but subject to a right for the business to monitor and access material ‘where necessary’, including to detect misconduct or for other legitimate business purposes. Jinxin argued that, as a result, employees’ personal communications on MPS’s servers were not confidential as between the staff in question and the company,” she said.

However, the judge pointed out that confidentiality is not a binary concept. He explained that even if staff were aware that MPS could access their data on its servers if required for monitoring or other business purposes, they would not reasonably have understood that MPS was entitled to search for individual staff members’ private information “with a view to using that information for any purpose whatsoever, including collateral gain”.

The judge continued to say that, in the circumstances of this case, “the reasonable person would assume that the company’s right to monitor and access data on its servers would not extend to locating and exploiting otherwise privileged material for the benefit of a person with an adverse interest to the owner of that privilege, even if that person was a majority shareholder of the company.” Therefore, it could not confidently be said that MPS must reasonably have understood that it was entitled to pass such information on to Jinxin.

“This is a complex and fact-sensitive area,” said Hearn. “Businesses considering harvesting information from employees’ personal mailboxes and folders on corporate systems, for the purposes of their use or disclosure in litigation, must consider carefully, with the benefit of specialist legal advice and based on the particular circumstances of the case, the extent of their rights to do so; as well as what practical steps or solutions are necessary to respect any privilege or data privacy rights employees may have in respect of any documents.”