[co-author: Patricia Taylor]
Imagine a modern-day meeting room in a bustling corporate office, where executives and employees alike converse in hushed tones, no notes or minutes are taken, and their words disappear almost as quickly as they are spoken. Picture the scene: a CEO dispatches a critical strategy to her team, a manager shares a pivotal decision, an intern whispers about the latest office gossip – all without a trace. But later, no one can remember exactly what was said, or why particular actions were taken.
With ephemeral messaging, we see the same challenge. There is no longer an expectation that communications will be maintained indefinitely. Instead, we delve into the world of ephemeral messaging (EM) – a realm where communications are fleeting. The vanishing act of these messages could leave Sherlock Holmes scratching his head. But fear not, for we shall demystify the enigma of EM and navigate the legal compliance and litigation risks here.
The tangible rise of the ephemeral message
In the rapidly evolving digital landscape, companies are increasingly turning to ephemeral messaging (EM) platforms for business communications. EM messaging software is designed to automatically erase conversations between users. While these tools offer convenience and support data minimisation practices, they also present unique challenges in terms of regulatory and contractual compliance and litigation risks. Businesses must understand these risks and implement strategies to mitigate them.
Regulatory risks and compliance
In the UK and the EU, companies must retain some business records and personal data for regulatory compliance purposes. For example, the FCA requires certain communications to be recorded on business devices for audit purposes, the Companies Act 2006 requires financial records to be kept for six years, and the EU / UK GDPR mandates that data controllers have a record of data processed and prescribe specific retention timelines (e.g. how long should a CV of an unsuccessful candidate be stored in raw form). When acting as a data processor, it is necessary to follow customer instructions which may require the return of all personal data processed at the end of a commercial engagement.
Certain EM software that does not retain data post-communication may conflict with these requirements. As a result, companies run the risk of non-compliance with laws or contracts (to name a few examples) should they adopt an EM platform which does not facilitate the storage of data for the timescales required. US regulators have issued fines for non-compliance with record-keeping requirements, and UK and EU regulators could adopt a similar stance (e.g. where personal data is involved, infringing organisations could be subject to significant fines and reputational damage if there is any public enforcement).
Understanding the litigation risks of EM platforms
The use of EM software can also lead to litigation risks, particularly for the obligation of disclosure. Courts in the US have recognized the potential risks to disclosure posed by EM. In January 2024, the Justice Department and Federal Trade Commission updated the language used in their standard documents to address the increased use of collaboration tools and ephemeral messaging platforms in the modern workplace. This move was underscored by the importance of preserving materials during investigations or litigation.
In England and Wales, parties must take steps, from the point that litigation is contemplated or threatened, to preserve materials that may be relevant to those proceedings (including where those materials do not assist a party’s case). The use of EM platforms, which often feature automatic deletion of messages, may jeopardize compliance with these obligations. Companies must be aware of the differing discovery and disclosure requirements in the jurisdictions where they operate.
Key takeaways to mitigate risks
Governance is key. Develop robust internal policies, deploy staff training programmes, conduct regular audits, and engage with key stakeholders to effectively navigate the complexities of EM software usage.
Set out clear parameters for the use of EM, which can be adopted as an internal policy to help mitigate some of these risks. Policies should be developed collaboratively involving IT, legal, risk and compliance teams and should set out at a minimum:
- what the platform is. Be careful to distinguish between platforms that are truly ephemeral versus those that are end-to-end encrypted;
- the legitimate business needs for EM. Remember that permitting the use of EM for employee personal communications means you have responsibility for the processing under data protection laws which creates additional challenges (e.g. when responding to complex data subject access requests);
- who in the organisation can use the platform / when can it be used. Regulated aspects of a business are likely to be higher risk use cases, e.g. internal tax, legal advice, or communication of key decision-making in respect of personal data processing tracked for accountability purposes. Setting out a clear delineation between what must be communicated via traditional communication platforms such as emails, and what can be discussed and shared on EM can protect companies from compliance failure.
- A “retention trigger point”. Ideally, the EM platform can be configured centrally to address changing retention decisions, but the policy should inform staff when to preserve communications on the EM platform, especially when litigation is a possibility. The US courts have considered the functionality of EM platforms which allow for automatic deletion to be turned off. For example, in Franklin v. Howard Brown Health Ctr., the jury was allowed to consider whether the failure to retain instant messages was deliberate when the auto-delete function could have been disabled. This indicates the potential for a company’s credibility to be called into question when information has been deleted on an EM platform, which later falls under scrutiny. Clear policies can help prevent reputational damage and sanctions for failing to uphold discovery obligations.
- Linking to other relevant policies. The policy should be embedded in an existing network of policies, e.g. acceptable use terms and informing notices outlining an employee’s privacy expectations concerning communications on company devices.
Next steps
The regulatory landscape continues to evolve, and EU / UK regulators are becoming more alive to the potential risks of the widespread use of EM. Lessons learned from the US indicate how companies can respond to, and mitigate against the risks of, EM to allow for its use in a way that enables its full value to be realised. Companies hoping to deploy EM must:
- stay informed and ensure that their use of EM platforms aligns with changing legal, regulatory (and contractual!) obligations. Look out, in particular, for any sector-specific guidance.
- develop a comprehensive governance process, with the input of a diverse range of senior stakeholders, to ensure a joined-up approach that is responsive to the various risks posed by corporate use of EM platforms.
[View source.]
