Privilege: Privacy and Confidentiality Are Not to Be Equated

In Jinxin Inc v Aser Media PTE Ltd & Others[1], the High Court of England and Wales determined that directors’ personal emails and documents on a company’s computer system were confidential, despite the company’s ability to monitor and access them. In reaching that decision, the judge stated that the parties were mistaken in describing the reasonable expectation of privacy as a touchstone of confidentiality: while the tests for both confidentiality and privacy are objective and may lead to the same answer on the same facts, they should not be equated as they have been developed on different legal foundations and protect different interests. The key element for a claim for confidentiality in information that has been shared with a third party is whether the information was shared in circumstances importing an obligation of confidence on that third party.   

Background

In 2016, Jinxin purchased a majority shareholding in MP & Silva Holdings SA (‘MPS’). From 2018 onwards, MPS and its subsidiaries entered into a variety of insolvency proceedings, and many have been declared bankrupt or wound up. Jinxin issued a claim for rescission of the sale agreement, or damages in the alternative, on the grounds that it was induced to purchase the shares by fraudulent misrepresentations.

When Jinxin became aware of MPS’s financial difficulties, it sought to collect and preserve data that would enable it to investigate the causes of those difficulties. In accordance with the terms of the shareholders’ agreement, MPS provided extensive information to Jinxin including MPS’s email servers and other computer drives. This included the email mailboxes of, and other documents saved on MPS’s computer systems by the fifth, ninth and tenth defendants, who were all directors of MPS group companies (the ‘Group Directors’). 

Jinxin originally agreed that keyword searches should be carried out to identify documents in which the defendants might claim privilege and that any documents so identified would be quarantined and not reviewed by Jinxin pending the case management conference. However, approximately half of the documents collected were identified as documents in which the defendants might claim privilege, which meant that Jinxin had a substantial number of documents in its possession that it was prevented from reviewing for disclosure.

The application

To overcome the obstacle to the disclosure process, Jinxin made an application that none of the defendants could in fact claim privilege in relation to any documents that were held on MPS’s computer systems.

The basis for the application was as follows: to claim privilege in a document, that document must be confidential; the touchstone of confidentiality is a reasonable expectation of privacy; the defendants could not have had a reasonable expectation of privacy in respect of emails and documents on MPS’s computer systems; accordingly, those documents were not confidential and were, therefore, not privileged.

Jinxin argued that the defendants could not have had a reasonable expectation of privacy in respect of emails and documents on MPS’s computer systems because MPS had unrestricted access to them and was free to pass them to Jinxin equally free of restrictions. In support of this argument, Jinxin relied on the following (among other things):

  • the Group Directors’ email accounts were provided to them by MPS for business use;
  • they all had personal email accounts for personal, private or non-MPS business;
  • the email accounts were hosted on servers controlled by MPS and its IT director; 
  • the Group Directors could have used encryption to protect their information but had generally not done so;
  • one of the Group Directors had shared his password with his personal assistants; and
  • the staff handbook included provision for MPS to monitor all email and internet activity by employees.

The High Court’s decision

Confidentiality a prerequisite for privilege

The judge started his analysis of the law by noting the established principle that confidentiality is an essential prerequisite for a claim to privilege.

In the event privileged information has been shared with a third party, the confidentiality will be lost unless ‘that information has been imparted in circumstances importing an obligation of confidence’. The test for this is whether a person in the position of the recipient of the information would have reasonable grounds to think the information was being given in confidence.

Confidentiality and privacy

The judge noted that the test for establishing confidentiality set out above ‘chimes well’ with recent case law on the right to privacy. However, he stated that privacy and confidentiality are not to be equated and it was a mistake to describe the reasonable expectation of privacy as being a touchstone of confidentiality: ‘although the tests for both confidentiality and privacy are objective, and may lead to the same answer on the same facts, they do not always run together and they have been developed in relation to different causes of action (breach of confidence and misuse of private information) which rest on different legal foundations and protect different interests.’ 

The judge therefore rejected the argument that the information on MPS’s computer systems could not be confidential because the defendants allegedly had no expectation of privacy in respect of them.

Circumstances importing an obligation of confidence

The judge then went on to consider whether the Group Directors had shared their personal emails and documents with MPS in circumstances that would be reasonably understood as importing an obligation of confidence.

In considering this point, the judge emphasised that the confidentiality test is not limited to a binary outcome. In other words, information can be confidential as against certain (but not all) persons, and in relation to certain (but not all) uses of it. Confidentiality, the judge explained, may be viewed as ‘a relationship between information, persons and uses.’ In seeking to identify the nature of the relationship, the court must consider all the circumstances which would indicate to a reasonable person what, if any, kinds of use that person is or is not entitled to make of the information.

One obvious factor to be taken into account when considering whether the circumstances imported an obligation of confidence is the content of the documents. However, as there was very little evidence before the court regarding the content of the quarantined documents, the judge was not able to undertake a detailed analysis in this regard. He therefore proceeded on the assumption that at least some of the documents contained privileged material. 

In terms of the use MPS was able to make of the documents, the judge concluded that MPS’s entitlement to monitor and access data on its servers was limited to the provision of IT services, the detection or policing of potential misconduct, and for other legitimate business purposes. He observed that it was commonplace for executives to use corporate IT facilities for private purposes from time to time, and for them to trust their employees (particularly personal assistants and IT teams) to have access to their confidential information. They would not reasonably consider that by doing so they were giving up all rights to protection of their information.

The judge reasoned that if Jinxin was correct in its contention that MPS had unfettered access to any information on its servers, it could use the Group Directors’ personal information for any purpose whatsoever, including selling it to a tabloid newspaper in return for payment. In his view, this demonstrated that the contention could not be right: ‘a reasonable executive would not believe that the company could sell his private information merely because it was left on the corporate server, nor would a reasonable company believe that.’

Having concluded that the circumstances imported some obligations on MPS not to misuse the Group Directors’ emails and documents, the next question was whether the circumstances imported a specific duty on MPS not to pass any putatively privileged material that might be on its servers to a shareholder who was in dispute with the relevant employee or executive. The judge concluded that, on the basis that a reasonable person would be taken to know of ‘the strong policy of the law in favour of legal privilege as a substantive right which is rarely overridden’, they would assume that MPS could not pass on that putatively privileged material.

Having determined that any privileged information contained in the quarantined documents had not lost its confidentiality (and therefore its privilege) by the mere fact of being on MPS’s computer systems, the judge dismissed Jinxin’s application.

Takeaway

As the judge observed, in a perfect world all the information on corporate computer systems would be confidential to the corporation alone. But that is not a common reality. Given the widespread (albeit ill-advised) personal use of corporate IT facilities, this decision will have been met with considerable relief. However, the decision must not be taken as providing more comfort than it actually does. Questions of confidentiality are acutely fact specific and while the policy in favour of legal privilege being rarely overridden is undoubtedly strong, it is not without limit. It must be kept in mind that any third-party access to privileged documents creates a risk that confidentiality and therefore privilege will be lost.    


[1] [2022] EWHC 2856 (Comm)

Contributors

Alex Radcliffe

Victoria Barlow