In Jinxin Inc v Aser Media PTE Ltd and others, the High Court ruled that directors’ personal emails and documents on a company’s computer system were confidential. The company had argued that the directors could not have any reasonable expectation of privacy in data and documents stored on the corporate computer systems and such data and documents were accordingly not confidential as against the directors.
The court said it is a mistake to describe the reasonable expectation of privacy as being a touchstone of confidentiality. Although the tests for both confidentiality and privacy are objective, and may lead to the same answer on the same facts, they do not always run together and they have been developed in relation to different causes of action (breach of confidence and misuse of private information) which rest on different legal foundations and protect different interests. Both tests involve a similar objective element based on reasonable expectations, but privacy and confidentiality are not to be equated.
The question of whether the information was imparted in circumstances importing an obligation of confidence, like the question whether a party had a reasonable expectation of privacy, required an intensive focus on the facts to assess what a reasonable person in the position of the party seeking to use the information (or in a three-party situation the person from whom that party obtained the information) would have understood from all the circumstances in which the information was received. An important similarity between the objective assessment that is required by both the privacy and confidentiality tests is that neither is limited to a binary outcome.
With that in mind, the court said that any corporate executive would have expected to be provided with corporate email and document storage facilities, and only the most fastidious would have implemented a full segregation between work and private use of such facilities. It was also common practice that IT professionals employed by the corporate group had the ability to access these facilities and, if they chose, to read the data stored there. Staff would have been aware that data on the servers could be accessed if required for monitoring or other business purposes. They would not reasonably have understood that the company was entitled to search the data on their servers for private information belonging to individual staff members with a view to using that information for any purpose whatsoever, including collateral gain. In addition, the court said that a reasonable person would be taken to know of the strong policy of the law in favour of legal privilege as a substantive right which is rarely overridden. The reasonable person would assume that the company’s right to monitor and access data on its servers would not extend to locating and exploiting otherwise privileged material for the benefit of a person with an adverse interest to the owner of that privilege, even if that person was a majority shareholder of the company.
In the second case of FKJ v RVT & Ors [2003] EWHC 3 (KB), an unfair dismissal claim, there were some 18,000 WhatsApp messages in the Employment Tribunal’s bundle, some of which were used against the claimant FKJ and she lost her case. FKJ argued that there had been misuse of private information. She said that RVT hacked into her WhatsApp messages by setting up the computer-based “WhatsApp Web” and using her smartphone to scan the QR code generated, which operated as the only authorisation required by the site. He was thereby able to capture all her WhatsApp messages. FKJ alleged that setting up WhatsApp Web was the work of a few moments and that RVT would have had numerous opportunities to use (or misuse) her smartphone in this way.
RVT said that a substantial quantity of messages were found on FKJ’s work laptop when he “reviewed the contents of the laptop to establish why the claimant was attempting to login after she was dismissed and to ensure that the laptop could be safely passed to another member of the firm and did not contain personal information of the claimant.”
The court refused RVT summary judgment to strike out the claim as an abuse of process. For the bulk of the messages, there was no relevance to the Employment Tribunal proceedings and no justification for their retention or use. Given their obvious privacy and given the absence at that time of any proceedings to which the messages might be relevant, RVT would have come under an immediate duty to notify the claimant and deliver up the messages to her. But he did not do so.
It was unrealistic for RVT to submit that this claim revealed “no real or substantial wrong” or that “litigating the claim will yield no tangible or legitimate benefit to the claimant proportionate to the likely costs and use of court procedures”. The court said that it was so unrealistic as to call into question whether the defendants had any genuine or honest belief in this being a proper basis for strike-out due to the scale of the hacked data and the nature of the material. They had tried to argue that the fact that FKJ had not sought to exclude the WhatsApp messages from the evidence at tribunal level was a ground for an abuse application. The court rejected this, saying that she could not make a claim for misuse of private information in the Employment Tribunal as it had no jurisdiction.