Use of a work email account for personal emails did not result in a right to privacy – Brake v Guy

In Brake and Other v Guy and Others,1 the Court of Appeal ruled that an employer could use personal emails that an employee had sent from a work email address.

The circumstances were that the email account in question was the company’s primary business email address, was designed for customer inquiries, and was accessed by other employees. No privacy rights attached to the employee’s personal emails, and her claims of misuse of private information and breach of trust were dismissed.

Background

The employees, Mr. and Mrs. Brake, were employed by a company to run a vacation rental and wedding business. Ms. Brake had created three new email addresses for the company, one of which was an account for business inquiries, but which Ms. Brake also chose to use for personal emails.

In 2017, the business was sold to another entity owned by the defendant, Dr. Guy, at which time Mr. and Ms. Brake were terminated from the business following a breakdown in the relationship.

Dr. Guy later uncovered alleged wrongdoing in the business email account relating to the rental company’s assets and provided copies of Ms. Brake’s personal emails held on the company’s email account to Ms. Brake’s trustee in bankruptcy.2

Amid interdependent proceedings between the plaintiffs and some of the defendants, Ms. Brake sought an injunction to restrict the use of personal emails and claimed that, by sharing the allegedly private emails with third parties, Dr. Guy had misused her private information and acted in breach of trust.

Misuse of private information

The House of Lords in Campbell -v- Mirror Group Newspapers Ltd [2004] UKHL 22 has prescribed a two-step test to determine whether there has been misuse of private information. The main criterion for determining whether information is private is:

  1. whether, having regard to the facts disclosed, the person in question had a reasonable expectation of privacy; or
  2. where there is a doubt as to the privacy of the information, whether disclosure of the information about the data subject would give substantive offense to a person of ordinary sensitivity placed in circumstances similar to this one.

Damage to trust

For a breach of trust complaint to be successful, it must satisfy three elements3:

  1. the information in question must have “the necessary quality of trust in him”;
  2. the information must have been communicated in circumstances involving an obligation of confidentiality;
  3. there must be an unauthorized use of this information to the detriment of the party disclosing it.

High Court decision

At first instance, the High Court dismissed the claim, finding that a user of a business account holding personal emails could have no reasonable expectation of privacy or confidentiality.

After determining that there was no obligation of confidentiality or reasonable expectation of confidentiality, HHJ Matthews addressed the issue of any misuse of private or confidential information “in case the case goes further”4. HHJ Matthews felt it was difficult to see how the plaintiffs had suffered “any appreciable damage” with respect to the documents, and concluded that there was no misuse of confidential information or invasion of privacy in passing the information, in confidence, to an attorney or another professional adviser for the purpose of obtaining advice.

The Claimants duly appealed.

Main legal issues on appeal

Misuse of private information

The Court of Appeal upheld HHJ Matthews’s decision that Ms. Brake had failed to establish that there was an objectively reasonable expectation of privacy in the emails disclosed to the trustee in bankruptcy. The business email address in question was used as a general business inquiry account, designed to receive inquiries from potential customers regarding the company’s vacation rental services. While Ms. Brake was the primary user of the account, other company employees also had access to it and often responded to company inquiries.

The allegedly private emails were not stored in a separate folder on the server, were not marked with any sign indicating that they were “private” or “personal” to Ms. Brake, and were not protected by a separate password. In these circumstances, the Court of Appeal concluded that HHJ Matthews was entitled to conclude that there was no reasonable expectation of privacy vis-à-vis the defendants. Simply put, the content of emails could not be expected to remain private to Ms. Brake alone.

Damage to trust

The Court of Appeal ruled that the personal information contained in the business information account was not “communicated in circumstances imposing an obligation of confidentiality”. Furthermore, some emails were proven to contain publicly available information, which means that they could not in any way attract the necessary quality of trust.

Commentary – What is private and confidential?

While it is generally true that employees have a reasonable expectation of privacy in emails they send in a work environment (for example, if personal emails are sent containing health data), the ruling is a helpful reminder that while content is an important determining factor in establishing any claim of privacy, the context and forum in which that information is stored and shared are equally important.

While employees retain the right to file a misuse of private information complaint and/or a breach of trust complaint if there is a reasonable expectation of confidentiality of the information and/or if the information is sensitive or secret, companies and their employees should also recognize the importance of demarcating personal and work email accounts and minimizing the overlap between the two in order to fully protect employees’ personal information.

While the Brakes had raised a claim for breach of their data protection rights, that claim was not pursued at trial. Still, while claims based on common law privacy torts are available, organizations are facing an increasing number of claims for statutory breaches of the UK GDPR and the data protection law of 2018. While the discontinuances have therefore been applied to this privacy action, similar issues are expected to arise in the future, focusing on alleged legal causes of action and violations of data protection laws.
