Skip to content

Can employers be required to give access to employees’ personal devices?

Insight

As part of disclosure process in litigation, it is becoming increasingly common to seek access to employees’ devices. As working from home is the new norm, it is expected that much more work-related information will find its way onto personal devices. An issue on disclosure is whether the courts will order inspection of employees’ personal devices, bearing in mind that personal data belonging to employees and other third parties will also be held on those devices. Two very recent cases have grappled with this issue and provided valuable guidance. These cases are also interesting because the underlying allegations related to collusion between individuals where the court accepted that if this conduct had occurred it was more likely to be conducted off corporate messaging platforms and on personal devices.

Phones for you?

In the first case of Phones 4U Ltd -v- EE Ltd and Others [2021] EWCA Civ 116, the English Court of Appeal considered the extent to which the court could order disclosure where directors, employees or ex-employees of companies had used personal electronic devices to send and receive work-related messages and emails. The appeal was against an Order made by Mr Justice Roth requiring the Defendants to write to individuals to request them to give IT consultants access to their personal mobile telephones and emails to enable them to search for communications that would then be passed to the relevant Defendant for a disclosure review to be undertaken. The IT consultants were to do this subject to undertakings given to the court to only disclose relevant responsive material to the Defendants, to then return the devices and emails to the individuals, and to delete or destroy any copies. This disclosure Order was made in the context of litigation over allegations that the Defendants had acted in breach of Competition law and unlawfully conspired to injure Phones 4U’s business.

It was common ground that the work-related emails and messages on the individuals’ personal devices were in the relevant Defendant's control for the purposes of disclosure. Mr Justice Roth had also found it persuasive in making his Order that it was more likely that if collusion had taken place then evidence of this would be found on the individuals’ personal devices and on informal communications channels, rather on work devices and work email systems.

Out of Order

The main issue on the appeal was whether the court had jurisdiction to order the Defendants to request the individuals to provide their personal devices to the IT consultants to carry out the search for documents on them. Concerns were expressed by the Defendants that this was contrary to earlier authority and impacted the privacy rights of the individuals as well as other third parties as well as engaging their rights under the General Data Protection Regulation (GDPR). The Defendants said that the individuals were being requested to hand over devices which not only potentially contained relevant work-related material but would also inevitably contain a lot of information that was personal or otherwise confidential. They submitted that an employer has the right to require an employee to hand over work-related material, but not personal documents. 

Mr Justice Roth had accepted that the handing over of personal devices would interfere with the individuals’ rights of privacy. However, this did not mean that the court could not make an Order that the Defendants request the individuals to hand over their devices, provided that this was carried out in a way which interfered with their rights as little as possible. To achieve this, the Judge decided that the devices should be given to a third party, the Defendant's IT consultants, rather than the Defendants, and subject to appropriate undertakings given by the IT consultants to the court. In addition, the Judge directed that Phones 4U would be limited to selecting only four individuals from each Defendant to be requested to provide their personal devices (reflecting a concern that the search could become disproportionate in terms of its extent and impact on the number of individuals if it was wider than this).

The Court of Appeal agreed with the Judge’s approach and rejected the Defendants’ appeal. The Court of Appeal’s reasoning can be summarised as follows: the Judge had decided that the devices may well contain relevant work-related material; that material was within the control of the Defendants; a reasonable search should therefore be carried out for it; the Judge’s Order specified how that was to be done, by whom, and what was to be searched for, bearing in mind the issues about material that was not work-related; and the Order made had been a practical solution to the issues posed by the fact that third parties were likely to have relevant material on their own devices.        

Mr Justice Roth had also pointed out that the Order would not circumvent the rules governing third-party disclosure, because it was not an Order made against the individuals. The Court of Appeal also agreed, noting that it was an Order made against the Defendants to request access to the devices and was a reasonable step in providing documents within the Defendants’ control.

Third party call

The Defendants also attacked the solution that the Judge arrived at by saying that it was plainly inadequate to adopt a mechanism by which the third party IT consultants were left to manage the issue of ensuring that only work-related materials were provided to the Defendants and all other materials belonging to the individuals or other third parties were suitably protected. 

The Court of Appeal said that the Judge could not be criticised for involving a third party. One alternative might have been to simply require the Defendants to disclose the documents held by their employees and ex-employees, but that would have possibly led to satellite litigation between the Defendants and any of those individuals who refused to hand over the material. This would have led to delay and further cost or a situation where those individuals might have concealed relevant information. However, the Court of Appeal indicated that in future cases it might be more appropriate to involve independent solicitors as the filter between the Defendants and the individuals (probably supported by independent IT consultants appointed by those solicitors).

Nor did the Court of Appeal consider it was necessary to point out to the individuals that they should consider seeking independent legal advice before responding to the Defendants’ request to access their devices. The individuals all held or had held reasonably senior positions and would be capable of understanding this for themselves. However, this hints at the possibility in other cases that this might be necessary where the individuals are less senior.  

One area of slight criticism from the Court of Appeal was that the order should have contained an express permission for anyone affected by it (including those other third parties whose information was held on the devices) to apply to the court to challenge it. However, that did not invalidate the Order as a whole.

GDPR

The Court of Appeal also rejected a submission by one of the defendants that the Order violated GDPR. They dealt with this quite shortly by saying that any processing by the IT consultants would be undertaken with the consent of the individuals and/or because it was necessary for compliance with a legal obligation which the IT consultants are subject to. This is one slightly troubling point from the Court of Appeal’s reasoning, because it might be difficult to say that an employee, faced with such a request from its employer, can be truly said to consent when agreeing to it. And the “compliance with a legal obligation” ground is also difficult to reconcile with the fact that the legal obligation in question falls on the Defendants, not the IT consultants. Nor did the Court of Appeal address the need for an additional Article 9 ground for processing if, as seems likely, the devices contained special category data. More promising are the grounds for processing based on the Article 6.1(f) legitimate interests of the IT consultants or those involved in the proceedings, and the Article 9.2(f) basis that the processing is necessary for the establishment, exercise or defence of legal claims. In other words, it may not much matter if the Court of Appeal’s reasoning on this issue is doubtful.

Left hanging

Finally, the Court of Appeal did not have to grapple with the issue of whether the devices themselves were in the defendants’ control, as all parties proceeded on the assumption that they were not. It therefore remains an open question whether a personal device used mainly for work-related matters is in the control of an employer or is itself a “document” within the scope of disclosure rules.

A link to the case is here.

Fertile territory for evidence

The second case is Pipia -v- BGEO Group Limited [2021] EWHC 86 (Comm). This involved a claim by Mr Pipia (P) against BGEO Group Limited (“BGEO UK”) that it had orchestrated an unlawful plan that deprived one of P’s companies of control over a Georgian fertiliser plant purportedly worth hundreds of millions of dollars.

Mr Gilauri (“G”) was the former CEO of BGEO UK, as well as JSC BGEO Group (“BGEO Georgia”) and JSC Bank of Georgia (“BOG”). BGEO UK is the parent company of BGEO Georgia and, in turn, BGEO Georgia is the parent company of BOG. Mr Namicheishvili (“N”) was employed by BGEO Georgia as its Group General Counsel. G and N were central witnesses in the case and P alleged that they were at the heart of the wrongdoing by BGEO UK.

Smoking GuN

The application by P before Mr Justice Cockerill sought disclosure from BGEO UK of materials held by G and N. The most interesting part of the decision for our purposes is that P wanted disclosure of WhatsApp, Viber and SMS messages held on G and N’s personal mobile phones, no doubt in the hope that this would reveal the “smoking gun” evidence of wrongdoing. Both G and N are based outside the UK and neither of them were employed by BGEO UK at the time that disclosure was sought. In addition, G and N were no longer parties to the proceedings, as claims against them personally were discontinued by P at an earlier stage.

An earlier court ruling had held that documents within the control of BGEO Georgia and BOG were also within the control of BGEO UK, such that BGEO UK had an obligation to make reasonable and proportionate specific requests of BGEO Georgia and BOG to produce relevant documents.

There were two critical questions for the court to determine: (i) were the contents of the mobile phones within the control of BGEO UK?; and (ii) if they were within the control of BGEO UK, then is disclosure necessary for the just disposal of the proceedings, as well as reasonable and proportionate?

G is a Go

With regard to G, P argued that G’s service agreement with BGEO UK meant that BGEO UK had direct control over the records and could inspect everything on his three mobile phones, even personal messages, both during and after G’s employment ended. The terms of the service agreement were very wide as it authorised BGEO UK to access any program or data held on any computer used by G in the course of performing his duties. The agreement also included provisions that, on termination of the agreement, G would return to BGEO UK all confidential records belonging to it. On this basis, Mrs Justice Cockerill decided that the content on G’s mobile phones were within the control of BGEO UK, even after termination of G’s contract.

Necessary, reasonable and proportionate?

This left the question of whether disclosure of the material on G’s mobile phones was necessary for the just disposal of the proceedings, as well as reasonable and proportionate. In relation to whether disclosure was necessary, P said that G was central to the dispute, alleging that G had devised the scheme to deprive P of control over the plant in Georgia and had given P false assurances in this respect. On reasonableness and proportionality, P said that in the context of a claim for hundreds of millions of dollars, his request was plainly proportionate. However, the application for disclosure was made close to trial, so the Judge had to weigh this in the balance. The Judge decided to make the order for disclosure against BGEO UK regarding G’s mobile phones. Despite a vast amount of disclosure already, the Judge accepted that WhatsApp and similar messages might have great probative value, given their immediacy to the facts in issue.

N is a No

With regard to N, there was no direct contractual relationship with BGEO UK. However, P relied on N’s contract with BGEO Georgia. This required N to report to BGEO UK’s directors and expressly acknowledged that N owed fiduciary duties to BGEO UK as part of the BGEO Group. However, the Judge refused to order that BGEO UK take any steps to obtain disclosure from N’s mobile phone. N had no contract with BGEO UK and any fiduciary duties he owed were in the context of his contract with BGEO Georgia which was governed by Georgian law, with the Judge having no evidence before her on what that meant in terms of the laws of Georgia.

Having failed on the direct contract argument with N, P then argued that BGEO UK’s control over N’s mobile phones could be established indirectly. P relied on the contract N had with BGEO Georgia arguing that if BGEO Georgia had control over N’s mobile phone through that contract then so did BGEO UK as a result of the earlier court ruling. This was rejected by the Judge. It was too far removed from the question of control by BGEO UK because it effectively required BGEO Georgia to obtain the information from N, who was now a third party independent of BGEO Georgia. These were not materials which BGEO Georgia had in its possession, and what P was effectively trying to achieve was third party disclosure by the back door, which is subject to more stringent rules.

Accordingly, P had no further access to materials held on N’s mobile phone (beyond some redacted records that N had previously provided voluntarily).   

A link to the case is here.

Conclusions

The wide terms of the services agreement was the bridge for P to obtain the material on G’s phones without having to make a more complex third party disclosure application against G. Those terms were also sufficiently wide to deal with the issues of private data held on those devices. Other terms might not be so wide, and a mechanism might therefore be required to deal with this in other cases such as that adopted in Phones4U. The terms of contracts of employment are therefore likely to be of central importance for parties when issues like this arise in the future.

In contrast, the question of control over the information held on the devices was not an issue in Phones 4U. Instead, the issue was how access to that information might be obtained in a way which balanced the competing rights to privacy of the individuals concerned and other third parties. The solution arrived at by Mr Justice Roth, subject to the changes suggested by the Court of Appeal, offers a useful template for the future. In the author’s experience, the courts have often shied away from getting involved in the detail of such arrangements, leaving it to the parties and their advisers to determine a process. The clarification in Phones4U is therefore welcome.  

If you require further information about anything covered in this briefing, please contact Ian De Freitas, or your usual contact at the firm on +44 (0)20 3375 7000.

This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.

© Farrer & Co LLP, April 2021

Want to know more?

Contact us

About the authors

Ian De Freitas lawyer photo

Ian De Freitas

Partner

Ian has over thirty years' experience as a litigator. He specialises in disputes involving data, technology and intellectual property. Ian leads the firm’s Data, IP and Technology Disputes team. 

Ian has over thirty years' experience as a litigator. He specialises in disputes involving data, technology and intellectual property. Ian leads the firm’s Data, IP and Technology Disputes team. 

Email Ian +44 (0)20 3375 7471

More by the authors

Further reading

Related sectors & services

Continue to next section
Back to top