No injunction to enforce legal professional privilege – High Court’s decision in Glencore highlights the extreme risks of data breach

The High Court has in Glencore v Commissioner of Taxation[1] determined unanimously that legal professional privilege is not a legal right that is enforceable by way of an injunction when confidential documents enter the public domain, even as a result of theft. Privilege remains a fundamental right but it is only an immunity from complying with compulsory processes that would otherwise require the production of confidential and privileged information.

This decision clarifies for regulators that they can use all information received in an investigation and need not, artificially, ignore it where it would have been privileged but for a data breach and puts into sharp relief the risks companies face from cyber-attacks.

Takeaways

• Stolen privileged documents that have been made public cannot be recovered by the privilege holder through legal action based on privilege claims.
• In a data breach situation companies face serious risks of being exposed to legal and regulatory actions based on their privileged communications with their lawyers, which would have been otherwise unknown or lacking in evidence.
• The ATO (and, likely, all Australian regulators) will use privileged documents that are stolen from private parties against those parties where they have been made public.

Background

In 2017 a cyber-attack on Bermudan law firm Appleby resulted in journalists releasing copious confidential client document, known as the “Paradise Papers”. Glencore was among Appleby’s clients whose documents were taken. Whereas the ‘fundamental common law right’ of legal professional privilege would normally have kept them hidden from (in particular) Australian regulators, the ATO obtained numerous documents containing Glencore’s legal advice.

There was no question that: (i) the Glencore documents had entered into the public domain following a data breach involving theft from a law firm (although there was no evidence of the ATO’s conduct or knowledge of the origin of the Glencore documents), (ii) Glencore had no intention of waiving privilege or (iii) Glencore had taken no action to lose its privilege claims.

But for the data breach, the documents would have been confidential and privileged.

Glencore asked the ATO to return the documents and to provide an undertaking that they will not be referred to or relied upon. The Commissioner declined and Glencore applied directly to the High Court, in its original jurisdiction, for an injunction to restrain the use of those documents against Glencore.

Glencore’s submissions

Glencore submitted that the Court should grant it an injunction to return the documents and restrain the use of them against Glencore in order to protect its fundamental common law right to legal professional privilege.

Not to grant the injunction, Glencore submitted, would deny legal professional privilege its status as a fundamental right and the fact that it has ordinarily been recognised as an immunity from compulsory production should not preclude the Court ordering an injunction to protect a right to privilege only lost as a result of wrongdoing by a third party.

Glencore highlighted the weighty public policy rationale that underpins privilege and has led in previous cases to privilege being treated as, in effect, sacrosanct. That is, privilege is considered fundamental to the administration of justice through the fostering of trust and candour in the relationship between lawyer and client. The High Court has previously held, for example, that “the proper functioning of our legal system depends upon a freedom of communications between legal advisers and clients“[2].

High Court decision

The Court unanimously rejected Glencore’s case finding that it rested on an incorrect premise, namely that legal professional privilege is a legal right which is capable of being enforced. The Court instead held that it is only an immunity from the exercise of powers which would otherwise compel the disclosure of privileged communications.

It is not, the Court determined, possible to discern from the case law that privilege, while being a fundamental common law right, is an actionable right. It is a right to resist compulsory production or disclosure of certain confidential information.

The rationale for legal professional privilege is that the rule promotes the public interest because it assists and enhances the administration of justice by facilitating the representation of clients by legal advisers. That public interest has been found to prevail over other matters of public interest, like the fair conduct of litigation with the benefit of all relevant documentation available. The Court found that the public interest behind privilege is, however, sufficiently secured through its operation as an immunity.

The Court held that it is not sufficient to warrant a new remedy to say that the public interest which supports the privilege is furthered because communications between client and lawyer will be perceived to be even more secure.

Glencore’s case was distinguished from the High Court’s 2013 decision in Expense Reduction[3] where the Court ordered the return of and restrained the use of privileged documents disclosed by mistake in litigation to a party that had reviewed the documents and wished to use them against the privilege holder. In that case no equitable injunction was required and the Court relied on its case management powers.

Significance of the decision

The decision opens the door to Australian regulators to use a person’s privileged material against them in circumstances where that material was stolen from them by a third party.

It is difficult to predict the full impact of this decision (the Court noted that without ‘further facts it is not possible to say whether the plaintiffs are without any possibility of a remedy‘[4]) but in the coming months it is reasonable to expect the following:

1. Regulators will use evidence which, but for wrongdoing, would be privileged and off-limits to them

The prospect of using a company’s stolen documents against it was welcomed by the ATO on the day of the judgment. Second Commissioner Jeremy Hirschhorn is quoted as saying:

“Today’s decision is not just a win for the ATO; it’s a win for the Australian community who rightly expect the ATO to use all information available to ensure large corporations and those who seek to hide money overseas are paying the right amount of tax … The critical importance of the case was confirming that the ATO can use leaked copies of documents like contracts, board minutes and banking details.“[5]

There can be little doubt that Australian regulators can and arguably are bound to use evidence against companies and citizens despite having information suggesting that they only have that evidence as a result of criminal acts by third parties.

2. In assessing data breach risks and cyber security, companies may consider it prudent to revisit how they engage with their legal advisers

Particularly in light of this regulatory approach, a question arises as to whether companies will take a different view of the protections afforded to them by legal professional privilege in light of the increased risk of cyber-attack.

While not dealt with in the Court’s judgment, the ACC Australia (which represents in-house lawyers) seeking to intervene as amicus curiae in support of Glencore’s submissions submitted a concern that without the availability of an injunction to restrain the use of privileged documents Australia risked becoming a desirable place for hackers to leak stolen privileged documents.

The risk of disclosure of advice to Australian regulators or the risk of an active threat of that disclosure once documents are stolen, would in ACC Australia’s submission to the Court undermine client candour to lawyers.

Given the strong protection legal professional privilege generally affords a client, it is difficult to predict whether the risk of data breach will lead to a chilling of the openness clients routinely have with their lawyers but the question should now be considered open.

3. Regulators are likely to be emboldened to challenge privilege claims made in investigations and Court proceedings more aggressively

Regulators, particularly the ATO and ASIC, have expressed concern about the validity of privilege claims routinely asserted by the subjects of their investigations and the defendants in the proceedings they commence. Regulatory investigations routinely involve consideration of thousands to millions of documents, which are dealt with electronically and assessed for privilege quickly by persons of varying degrees of expertise in privilege claims. A perception has arisen that parties may be over-claiming.

This year ASIC challenged privilege claims by AMP and ASIC in Court and achieved the disclosure of documents originally the subject of a privilege claim by way of a ‘surrender’[6].

The Commissioner’s win in the Glencore case is likely to serve only to encourage Australian regulators to be bolder in their challenges to privilege claims.

[1] Glencore International AG v Commissioner of Taxation [2019] HCA 26

[2] Baker v Campbell (1983) 153 CLR 52 at 128 per Dawson J

[3] Expense Reduction Analysts Group Pty Ltd v Armstrong Strategic Management and Marketing Pty Ltd (2013) 250 CLR 303

[4] Glencore at [42]

[5] ATO media release High Court confirms ATO can use information from data leaks, 14 August 2019: https://www.ato.gov.au/Media-centre/Media-releases/High-Court-confirms-ATO-can-use-information-from-data-leaks/

[6] ASIC Media Release 19-052MR AMP and Clayton Utz surrender in ASIC court battle over failure to produce documents, 11 March 2019: https://asic.gov.au/about-asic/news-centre/find-a-media-release/2019-releases/19-052mr-amp-and-clayton-utz-surrender-in-asic-court-battle-over-failure-to-produce-documents/