Recently a wealthy and high profile entertainer has gone all the way to the Supreme Court in a successful attempt to prevent publication of an account of their private life. The unnamed claimant was relying on basic human rights to privacy.

It is well-established that, in certain circumstances, companies can assert human rights too.  But the question of whether the law of privacy is only relevant to private individuals, or whether businesses are also entitled to assert a right to privacy, and if so what the extent of that right should be, remains unaddressed.

We consider there to be a credible case to argue that businesses have a right to privacy, that this right should be recognised as having wider application than is currently the case, and that there is a range of practical steps businesses can take to enhance their legal protection as a result.

The core issue

The public is used to wealthy, high profile sportspeople and entertainers applying to the courts for"super-injunctions" to bar the media from publishing details of their private lives or their identity.  To date (as far as we are aware), it has always been private individuals who have sought such legal protection. Discussion about the application of the law of privacy in the UK has therefore revolved around the extent to which it is right for private individuals to be able to protect their reputations by way of injunctions even though full details of the relevant events may already have been published outside the jurisdiction.  In recent times, the question of whether or not UK law should continue to permit the grant of super-injunctions has become a debate as much about the effectiveness of such orders in a digital age as about the legal principle of whether or not private individuals and their families are entitled to such legal protection in the first place.

If businesses are entitled in certain circumstances to assert a right to privacy, the key questions are:

  1. in what circumstances they should do so;
  2. whether such an assertion would provide any useful added legal protection above and beyond that already afforded to businesses by the law of confidence; and
  3. if it would, in what ways businesses should look to secure that protection in practice.

The recent judgments of the Court of Appeal and the Supreme Court in the case of PJS (Appellant) v News Group Newspapers Ltd (Respondent) [2016] UKSC 26 provide the opportunity to contemplate whether privacy law should be seriously considered by commercial lawyers as having a wider impact and, if so, in what ways this could be given meaningful effect.

The legal framework for a law of privacy

The first limb of article 8 of the European Convention on Human Rights (ECHR) provides that:

"(1) Everyone has the right to respect for his private and family life, his home and his correspondence."

This creates a legal protection under human rights law for four distinct things: "private life""family life","the home" and "correspondence".

Article 7 of the European Charter of Fundamental Rights replicates limb 1 of article 8 save that it refers to "communications" rather than just "correspondence". This is arguably intended to emphasise that the protection is meant to go beyond hard copy correspondence to cover all forms of information exchange in a digital age.

Businesses and human rights

It is clearly established in English law that companies are in law individuals and, as such, are entitled to assert that they have human rights under the European Convention on Human Rights.  The same is now true of limited liability partnerships.  In the case of ordinary partnerships, the partnership has no legal personality in its own right. It is made up by the individuals who are partners, each of whom is entitled, in an appropriate context, to assert their human rights. The same is true of all other forms of unincorporated association including joint ventures and other forms of business relationship that fall short of being a full partnership.  It follows that all forms of business will either be entitled to assert human rights on their own account or will be made up of individuals who can do so. The more vexed question is when, in the context of businesses, those human rights will be found to have been engaged and to what effect.

Businesses and Article 8

It is common sense that no business can have a "family life".  There is, however, authority for the proposition that a business's premises may be considered to be its "home". It has also been determined in a number of cases that businesses can have "correspondence" and "communications" and are consequently entitled to the private information in such material being protected.  To date, most of the case law relating to the application of Articles 7 and 8 to businesses has arisen in the context of challenges to the seizure of internal documents in the context of dawn raids.

The European Court of Human Rights has ruled that wholly generalized document seizures during dawn raids conducted by the French Department for Competition, Consumer Affairs and Fraud Prevention (DGCCRF) violated the fundamental rights of both Vinci Construction and GTM Génie.  In a ruling dated 2 April 2015, the European Court of Human Rights stated that the inspections and seizures carried out by the DGCCRF violated Article 8 because the indiscriminate nature of the seizures was disproportionate and interfered with rights to respect for home, private life and correspondence under Article 8 of the Convention. The principle that businesses can assert a right to protection of their rights under Article 8 in the face of disproportionate interference has therefore been established. But what should the ambit of that protection be in the case of businesses?

Businesses and the guiding mind

In Edgington v Fitzmaurice, Bowen L.J  opined that:

"The state of a man's mind is as much a fact as the state of his digestion. It is true that it is very difficult to prove what the state of a man's mind is, but, if it can be ascertained, it is as much a fact as anything else."

In the case of private individuals, the state of their thoughts is entirely private. Unless they express those thoughts orally or in writing they remain private and cannot be ascertained or used in evidence against them. In contrast, in the case of businesses (with the narrow exception of owner-managed businesses) the process by which those who make up the guiding mind of the organisation evolve and then finally make decisions cannot be wholly internalised and must involve the creation of communications or correspondence between those involved. The process by which businesses "think" is therefore inevitably  a matter of internal record. There are plenty of cases that show that attempts to avoid recording potentially sensitive discussions in written form will often be treated with suspicion.

As a result, it can often be difficult for the management of businesses to think really radical thoughts, even if such thoughts are then discounted or materially revised, because such material may then be leaked into the public domain. Often leaking is a tactic of last resort by a minority in a business who are opposed to a particular course of action or wish to embarrass their organisation. The fact that a business cannot have complete confidence in the integrity of its internal policy development and decision-making processes can lead to a damaging contraction of the inner circle within which policy is developed and may undermine the breadth and quality of internal debate. This can  especially be the case for partnerships and many unincorporated associations, where decision-making is often meant to be undertaken on a more diffuse and de-centralized basis.  

An analogy with the Freedom of Information Act

The question that arises is whether a distinction can be drawn between (a) those documents and communications generated within a business that relate to the development of a policy and the making of a decision by the guiding mind (i.e. the corporate thought process), and (b) those documents that follow, which implement a decision and hence evidence the actions of the business having made up its mind how to proceed.

The actions and communications of a company once a decision has been made may still be confidential, but the character of such activity is clearly very different from the process that leads to the making of a decision to act in the first place.

The Freedom of Information Act (FOIA) provides a useful analogy. Sections 35 and 36 make it clear that Central Government has reserved to itself the right to keep wholly private any information that would come under the heading of policy development and thus reflect the internal thought processes of Government leading up to a decision. Section 35 applies to government departments or the Welsh Assembly Government and exempts from access information relating to the formulation or development of government policy, communications between ministers, advice from the law officers, and the operation of any ministerial private office.  However (and subject to all the other controls and restraints in the FOIA) FOIA does allow access to information relating to the implementation of policy once developed.

This provision is clearly designed to ring-fence the inner workings of the guiding mind of Government. It therefore shows that the distinction we are seeking to draw is considered to be valid and sustainable in that context.

Does Article 8 provide a credible basis to argue that UK law should now recognise a similar distinction in the context of businesses?

Proportionality and the public interest

The dividing line between material that is simply confidential in a business context and material that is both private and confidential remains unclear.   

However, can it really be said that there is a legitimate and overriding public interest in placing in the public domain material that relates not to a decision of a business but the internal "thought processes" that might lead to such a decision being made or strategy adopted? If the thought process relates to a potential decision to do something unlawful or otherwise unconscionable then the answer might be "yes". However if the internal dialogue, even if it might ultimately lead to a controversial decision (such as to close various UK production plants with significant job losses due to adverse economic conditions), is purely internal and hypothetical in nature then it is hard to see what public interest could be maintained in putting such material into the public domain.

If no decision is made, then clearly no public interest will have been engaged. If a decision is made and acted upon, then at that point any wider public ramifications will become clearer and may be the subject of external comment.

The principal counter argument would appear to be that those potentially opposed to a decision being made in the first place should be allowed to short circuit the internal decision making functions of the business by placing the matter under consideration into the public domain for resolution before the "court of public opinion".  Trade unions opposed to plant closures might, for example, seek to "leak" the fact that such action is even being contemplated by a business in advance of any decision to try to put external pressure on management not to go down that route. However, the threat of such leaks occurring can lead to important decisions being rushed through and being taken by a small group of senior management  without  proper internal consultation or fuller analysis of all the possible options. The result is that the quality of the decision making can be materially undermined. 

Why does this matter?

If businesses can legitimately assert a right to privacy to protect their internal decision-making processes, they may obtain a benefit over and above the existing protection provided to them by the law of confidence.

The law of privacy is still at a very nascent stage in the UK. However, it appears that the practical protections afforded by privacy law may be more extensive and more durable than those provided by the law of confidence. Achieving such protection could be well worth pursuing from a business perspective.

In  PJS v News Group Newspapers Ltd  [2016] UKSC 26 Lord Mance, who gave the lead judgment, cited with approval the Court of Appeal:

"In its judgment of 18 April 2016, the Court of Appeal in a judgment given by Jackson LJ, with which King and Simon LJJ agreed:

(i) accepted that claims based on confidentiality were to be distinguished from claims based on privacy, in that, while "claims for confidentiality generally fail once information has passed into the public domain", the law "extends greater protection to privacy rights than rights in relation to confidential material" (paras 35-36);

(ii) concluded that "a claim for misuse of private information can and often will survive when information is in the public domain…….it depends on how widely known the relevant facts are. In many situations the claim for misuse of private information survives, but is diminished because that which the defendant publishes is already known to many readers."

In court applications for breach of confidence there is often a significant "stable door" problem. Once information has started to leak into the public domain, the confidence in that information has been lost and hence the legal justification for blocking further dissemination has largely gone. In many cases, this rule has triggered a cynical rush to publication. Businesses have then been left without any meaningful legal recourse, as they do not have feelings that can be hurt and it is often not possible to measure in financial terms the damage to their business as a result of the publication.

 On the basis of Lord Mance's judgment above, it now seems clear that where information is not just confidential but is also private, then although the stable door problem is not eliminated, there is likely to be more scope to argue that the initial publication of private material should not of itself finally determine whether or not further or wider publication would nonetheless be intrusive (and thus damaging) and hence should be blocked. In a privacy context, the question will involve an assessment of the proportionality of blocking further publication as against any other competing factors such publication.

The case for continued legal protection for private material will, for example, be stronger if it can be shown that repeated or wider publication of private information would cause incremental loss or damage. In such a case, the original publication does not necessarily reduce or eliminate the intrusion caused by re-publication. In Douglas v Hello! Ltd (No 3) [2006] QB 125, para 105, the Court of Appeal explained, for example, that insofar as a photograph does more than simply convey information, and intrudes on privacy by enabling the viewer to focus on someone's intimate personal detail, there will be a fresh intrusion of privacy when each additional viewer sees the photograph, or even when one who has seen a previous publication of the photograph is confronted by a fresh publication of it. In the context of a business the same argument would presumably hold good every time different competitors were able to, for example, access board papers detailing alternative potential pricing strategies under consideration and then use them to their advantage. Whilst the context is very different, the principle would appear to be the same.

Finally, there is a distinct but potentially important point that could be significant for businesses. Lord Toulson in his dissenting judgment concluded with the following remark:

"As to damages, I would not regard Eady J’s decision in Mosley v News Group Newspapers Ltd [2008] EWHC 1777 (QB), [2008] EMLR 20, that exemplary damages cannot be awarded in an appropriate case for breach of privacy, as the final word on the subject. Proportionality is essential, but I would not rule out the possibility of the courts considering such an award to be necessary and proportionate in order to deter flagrant breaches of privacy and provide adequate protection for the person concerned."

Lord Toulson's comments were directed at trying to afford enhanced legal protection for private material through damages, so that damages for an invasion of privacy become a more effective deterrent to publishing such material in the first place, thus obviating the need to seek an injunction. It remains to be seen whether his remarks gain traction but the threat that exemplary damages may be an appropriate remedy will afford businesses a materially higher level of legal protection than they currently enjoy if they can bring themselves within scope.

The American context

Federal Communications Commission v. AT&T Inc., 562 U.S. (2011), was a United States Supreme Courtcase which addressed certain aspects of corporate personality. The court held that the exemption from Freedom of Information Act disclosure requirements for law enforcement records which "could reasonably be expected to constitute an unwarranted invasion of personal privacy" did not protect information related to corporate privacy. The court rejected the submission that because the definition of "person" in the US legislation extends to corporations that the concept of "personal privacy" as defined should also extend to corporations.

The question of whether US law should recognise a constitutional right to corporate privacy has also been the subject of some academic debate (see e.g. "A Corporate Right to Privacy" by Elizabeth Pollman, Associate Professor of Law, Loyola Law School Los Angeles, Minnesota Law Review 99:27 [2014] pages 27-88) but the US approach to this issue is strongly coloured by the primacy afforded by US constitutional law to freedom of speech and a focus not on whether the corporation has a right to privacy in its own right but whether the individuals working within or through the corporation may have a right to privacy that should be protected in certain circumstances.

It follows that apart from demonstrating that the issue clearly requires material consideration in a UK context, the US experience is of little value in informing how the issue should be resolved here.

Practical consequences for businesses

There are a series of quite simple and low cost steps that we consider businesses could and should start to take which would enhance their ability to protect their privacy rights:

  1. Amend confidentiality provisions in key documents such as contracts of employment, internal governance rules and guidance, shareholders agreements, partnership deeds and joint venture agreements to assert a right to privacy for the business and to define what material within the business would qualify as being private.
  2. Mark key internal papers and reports leading to the making of key policy/strategy decisions as being both confidential and private. In the past this may have been done, but with no clear understanding of what additional protection an assertion of privacy might afford.
  3. Define the directors and key senior executives (and their staff) who form the guiding mind for a business on any given issue. This is analogous to the requirement in the context of legal privilege of defining on a case by case basis which individuals within a business represent a lawyer's clients and hence are entitled to receive legally privileged material without triggering a waiver of that privilege. Clearly, the wider the dissemination of sensitive material within a business, the harder it will be to assert that it was intended to be private.

Conclusion

There is an irony that many of the celebrities who invoke privacy law are in reality businesses and they only go to court to protect the damage to their brand as a result of the publication of sensitive material. Brand damage may in turn damage their revenue from sponsorship deals, or undermine their ability to earn additional revenue through licensing the publication of the relevant material  themselves.

It follows that, in truth, there is already a very strong business context to privacy law and the question is how the courts will allow that law to develop in the wider context of businesses. For the reasons we have outlined, we think there is a cogent case to assert that the law should evolve to provide a fair and uniform protection for information within businesses that is legitimately "private". If this is done in a balanced way then such protection may serve to enhance corporate governance and decision making and may also help to enhance the attractiveness of the UK as a base for corporates seeking to do business in Europe.