In Phones4U Ltd (In Administration) v EE Ltd and others, the Court of Appeal had to consider (as Sir Geoffrey Vos MR put it in opening):
questions as to the jurisdiction and the discretion of the court in relation to disclosure provided under CPR Part 31,1 where senior officers, employees and ex-employees of companies have or may have used their personal electronic devices to send and receive work-related messages and emails.
This was an appeal from a judgment of Roth J in the Competition List of the Chancery Division. The Disclosure Pilot does not apply to this list, so Part 31 CPR applied.
Reduced to its essentials, the judge had done his best to find a proportionate approach which recognised that non-party individuals had or may have had documents and data on private devices which perhaps ought to be disclosed, while acknowledging that their employer did not strictly have that material (if it existed) in its control. The judge’s aim was to cut through the expense and complexity of multiple applications in the hope of finding a pragmatic and proportionate course.
Paragraph 2 describes the judgment appealed against:
In the briefest outline, on 11 August 2020, Mr Justice Roth ordered the 2nd to 8th Defendants to write to individuals, described as “Personal Material Custodians” (“Custodians”), to request them to give certain e-disclosure providers (“IT consultants”) engaged by the defendant that had employed them access to their personal mobile telephones and emails. The expressed purpose was to enable those consultants to search for work-related communications relating to the employer’s business that would be passed to the relevant defendant for a disclosure review to be undertaken. The IT consultants were to undertake to the court to search the devices and emails for responsive material, not to disclose any other material to the defendant or its solicitors, and to return the devices and emails to the Custodians, and to delete or destroy any copies.
Paragraph 54 gives the conclusions:
For the reasons given above, we conclude that (a) the judge had jurisdiction to order the defendants to request third-party Custodians voluntarily to produce personal devices and emails stored on them, (b) the judge should not have said in his judgment that the defendants ought not, in making the request, to tell the Custodians that they were entitled to refuse it, and (c) that the mechanism directed by the judge involving the IT consultants was appropriate and proportionate. As mentioned at  above, we think it would have been preferable for the judge to have mentioned in his order that the Custodians and anyone else affected by the order was at liberty to apply to the court for further directions or orders.
In between are interesting discussions about the right of parties to seek disclosure from non-parties or, rather, the duty of parties to give disclosure of documents in their power. The voluntary nature of the order reflects the judge’s hope that a satisfactory conclusion could be reached without disproportionate expense – see paragraph 47:
In these circumstances, if the order the judge made does not result in the disclosure of the disclosable documents, the court will have to respond to further applications. We do not think it useful to speculate on what those might be. We have already mentioned some possibilities. All those possibilities would be far more costly and time consuming than the solution that the judge adopted. For that reason, we do not think that the voluntary nature of the order that the judge made was either wrong, unreasonable or disproportionate. Rather, we think that the order made was pragmatic and sensible even if it did not answer all the questions that may arise further down the road.
I am not convinced that a GDPR purist will approve of the court’s approach to privacy, but proportionate pragmatism is entirely in the spirit of the rules.