Trouble in Paradise: No Privilege for Stolen Documents
The Situation: In an era of sophisticated cyberattacks and data leaks, questions have been raised over whether the doctrine of legal professional privilege ("LPP") should be extended to provide clients with a legal right to seek relief, such as an injunction, to prevent a party from using privileged material obtained in an unauthorized fashion.
The Result: The High Court of Australia has unanimously ruled that LPP can only operate defensively as a right to resist powers for the compulsion of document production or testimony. It does not give rise to an independent right of relief and, accordingly, will not come to the aid of a party affected by a data breach unless some other avenue for relief exists (such as an obligation of confidentiality).
Looking Ahead: The decision makes clear that the doctrine of LPP cannot be relied upon (by itself) to prevent the use of stolen or leaked privileged material. It also leaves questions unanswered in terms of whether other pathways for relief (such as the tort of invasion of privacy) could step in to protect a client's right to privilege. The decision is also a timely reminder on the need to exercise caution before widely circulating privileged documents.
LPP is fundamental to the lawyer-client relationship. The doctrine is deeply rooted as a rule of substantive law in Australia, and other common law countries, which serves to protect the confidential character of communications or documents created when a client seeks legal advice. When and where privilege will apply has been the subject of many judicial decisions in Australia, with the result that the borders of LPP have been fairly well defined for some time.
However, one question that has not been addressed is whether privilege (by itself) provides a client with an avenue to seek a remedy, such as an injunction, preventing the use of privileged material that has been obtained by unauthorized means. This question has finally been decided by the High Court in Glencore International AG v Commissioner of Taxation  HCA 26 (delivered on 14 August 2019).
In 2014, global mining group Glencore plc ("Glencore") obtained legal advice on the restructuring of its Australian operations from a law firm based in Bermuda. That advice was subsequently stolen from the law firm's computer systems among millions of other documents, dubbed the "Paradise Papers". Copies were obtained by the Australian Taxation Office ("ATO") and journalists across the globe.
Glencore asserted that the legal advice was subject to LPP. It requested the return of the documents and sought an undertaking that the ATO would not rely on them. The ATO refused. Glencore commenced proceedings in the High Court seeking:
- an injunction restraining the ATO from making any use of any of the documents; and
- an order that the documents be returned.
There was no dispute that the documents were subject to LPP, but in this case, Glencore did not argue that an injunction should be issued on the basis of a breach of confidentiality. The Court noted that there would be difficulties with such an argument in any event, as the Paradise Papers were already in the public domain, the "confidential" nature of the advice may have been lost.
Glencore instead claimed that LPP itself gave rise to a remedy, arguing that it would be unsound for privilege to be recognized as a fundamental right but for confidentiality to be the only basis for its enforcement.
This argument was not accepted. The High Court unanimously held that LPP only provides an immunity against disclosing privileged communications when otherwise legally required (such as the compulsion of testimony or document production). The Court was not willing to transform privilege into an actionable right.
The Court's decision potentially has serious implications for businesses operating in Australia. In refusing to extend the doctrine of privilege, the Court has confirmed the orthodox view that LPP will not (without more) be available as a right of redress for a party that finds the confidentiality of their privileged documents compromised by means outside their control.
This raises issues when it comes to cyberattacks or data leaks. Often, companies have no knowledge of such an event until it has already occurred and will usually have taken no positive steps to waive privilege. Yet, the release of privileged documents may well destroy the company's fundamental right to keep its legal advice confidential.
At the same time, whistleblower protections are being expanded in many jurisdictions which may prevent the deployment of other remedies where private material is shared. For instance, recent corporate and tax law amendments in Australia protect whistleblowers from adverse action where material is disclosed to the ATO or other regulators without consent (for more information on these reforms, see our recent White Paper).
The decision leaves a number of questions open such as:
- whether Glencore could, in fact, have successfully sought an injunction against the ATO on the basis of breach of confidentiality;
- whether any rules of evidence may be invoked in the underlying tax litigation to prevent the privileged material being admitted as evidence; or
- whether sensitive material might be protected through other novel means, such as a tort for unjustified invasion of privacy.
The case also follows a trend of regulators around the world seeking to test the boundaries of LPP. In recent years, the ATO itself has regularly and publicly expressed reservations about privilege claims made on behalf of taxpayers, and while it has threatened to challenge such claims through litigation, it has yet to do so. The UK's Serious Fraud Office conducted a long-running dispute seeking to access privileged documents generated during a whistleblower investigation (see Serious Fraud Office v Eurasian Natural Resources Corp. Ltd  EWCA Civ 2006). Likewise, ASIC's "why not litigate?" approach to enforcement here in Australia is seeing the regulator adopt tougher stances when interrogating claims for legal privilege.
This is an area of law that is likely to keep developing, but in the meantime, the ruling is likely to embolden regulators when it comes to challenging claims for privilege. The Law Council of Australia and Australian Bar Association are currently working on a protocol for dealing with legal professional privilege in the context of taxation investigations.
Five Key Takeaways:
- By a unanimous decision, the High Court ruled that legal professional privilege will only operate to shield a client from being compelled to disclose privileged communications or documents. The doctrine is not enforceable as a "sword" in its own right to prevent other parties from using privileged documents obtained without consent.
- In effect, the Court's decision means that an action for breach of confidentiality is likely to be one of the only means to restrain a party from disseminating or using privileged documents. A client may be left with no rights to seek the return of privileged documents if the character of confidentiality has been destroyed by their release to the world at large, such as by way of a cyberattack or serious data breach.
- Preserving the confidentiality of privileged documents is therefore now more important than ever. Clients should ensure that any privileged communications or documents exchanged with their lawyers are maintained on secure servers and disseminated on a need-to-know basis only to minimize the risk of a data breach revealing sensitive and privileged material.
- Looking ahead, we expect to see regulators continuing to press the boundaries of legal professional privilege when undertaking investigation and enforcement activities. As such, clients faced with notices to produce or other powers of compulsion should take care to ensure that potentially privileged documents are the subject of a robust review, and claims for privilege are made carefully to limit the scope for challenge.
- We may well see other areas of the law develop to come to the aid of parties whose sensitive and privileged documents are leaked by serious cyberattacks and the like (if the quality of confidentiality is not available). For example, the High Court is yet to conclusively rule on whether a tort of unjustified invasion of privacy is good law in Australia. But until that time, this potential gap in the law remains unfilled by the doctrine of privilege.
Jones Day publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our “Contact Us” form, which can be found on our website at www.jonesday.com. The mailing of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.