Court of Appeal rules that a court order regarding disclosure of personal electronic devices did not violate the GDPR or privacy rights

February 4, 2021

The Court of Appeal has dismissed an appeal in the case of Phones 4U Ltd -v- EE Ltd [2021] EWCA Civ 116. The appeal raised questions about the jurisdiction and the discretion of the court in relation to disclosure provided under CPR Part 31, where senior officers, employees and ex-employees of companies have or may have used their personal electronic devices to send and receive work-related messages and emails.

The appeal arose in the context of a competition law claim brought by Phones 4U, which has been in administration since 2014, against a number of mobile network operators which it accused of colluding to terminate arrangements with it.  

At a previous hearing defendants had been ordered to write to various individuals (so-called Custodians) to request them to give certain e-disclosure providers (the IT consultants) engaged by the defendant that had employed them access to their personal mobile telephones and emails. The expressed purpose was to enable those consultants to search for work-related communications relating to the employer’s business that would be passed to the relevant defendant for a disclosure review to be undertaken. The IT consultants were to undertake to the court to search the devices and emails for responsive material, not to disclose any other material to the defendant or its solicitors, and to return the devices and emails to the Custodians, and to delete or destroy any copies.

The appeal raised the following key issues:

  • Whether the judge had jurisdiction to order a party to request third-party Custodians voluntarily to produce personal devices and emails stored on them (the “jurisdiction issue”).
  • Whether the judge was justified in including a rider in his judgment, but not in his order, that the defendants ought not, in making the request, tell the Custodians that they were entitled to refuse it (the “rider issue”).
  • Whether the mechanism directed by the judge involving the IT consultants was appropriate and proportionate (the “proportionality issue”).

There is also an additional argument raised by Vodafone about the GDPR.

The appeal decision

The jurisdiction issue

The Court of Appeal did not think there was any jurisdictional impediment to the order that the judge made. He was entitled, as a part of directing how standard disclosure was to be given, to direct the defendants to request their own Custodians voluntarily to produce to IT consultants both their personal devices and all the emails stored on them.

The rider issue

The Court agreed that the judge had muddied the waters with the rider issue, although it also said that it would not have been enough to be the subject of an appeal on its own.

The proportionality issue

Whilst the court accepted that the vast majority of the documents on the devices in question will be potentially highly personal, it was the Custodians that would themselves have chosen to use them for business purposes in the first place. Any order relating to the disclosure of business materials mixed with personal materials engaged a number of potentially conflicting interests, which the court has to balance. The need for the due and efficient administration of justice had to be balanced against the individuals’ Article 8 rights of privacy. Any workable solution should be reasonable and proportionate. 

This case concerned an alleged unlawful agreement, which by its nature was likely to be covert. The first instance judge had pointed out that the Court of Appeal called the obvious point that where companies do engage in unlawful, collusive behaviour, the individuals involved may sometimes deliberately avoid using their work email or work devices so that they can conceal their dealings. The court cannot be powerless to ensure that such hidden documents are disclosed to allow the issues to be justly resolved.

The defendants effectively criticised four aspects of the order that the judge made: the fact that it required material to be handed to third parties at all, the involvement of the IT consultants, the fact that it was voluntary, and the lack of privacy protections for the Custodians’ private material and that of their friends, family and contacts. The Court of Appeal rejected these arguments.

The GDPR issue

Vodafone had argued that the order violated the GDPR, but the court said that it was clear that any data processing that is undertaken by the IT consultants would be with the consent of the Custodians as data subjects under Article 6.1(a) of the GDPR, and would be necessary for the IT consultant to undertake “for compliance with a legal obligation to which the controller is subject” under Article 6.1(c).


For these reasons the Court of Appeal dismissed the appeal. In summary, it concluded that:

  • the judge had jurisdiction to order the defendants to request third-party Custodians voluntarily to produce personal devices and emails stored on them;
  • the judge should not have said in his judgment that the defendants ought not, in making the request, to tell the Custodians that they were entitled to refuse it, and 
  • that the mechanism directed by the judge involving the IT consultants was appropriate and proportionate. However, it would have been preferable for the judge to have mentioned in his order that the Custodians and anyone else affected by the order was at liberty to apply to the court for further directions or orders.