Much has already been written about the new General Data Protection Regulation (GDPR) and how it applies to organizations that collect or otherwise access the personal information of EU residents, irrespective of whether those organizations maintain a physical presence in the European Union. However, much less, if anything, has been written about our own obligations as lawyers under the GDPR whenever our activities lead us to collect the personal data of EU residents, whether directly or through our U.S.-based clients. That is the purpose of this article.
Before I dive into the core obligations of law firms under EU law, I would like to make a couple of quick clarifications for those of you – U.S.-based attorneys – who are not necessarily versed in EU data protection law, and in the GDPR in particular:
1 – the definition of “personal data” under EU law includes names and business email addresses. It also includes IP addresses and/or mobile IDs of EU-based user equipment.
2 – EU regulators take the view that lawyers who process personal data of EU residents in connection with the legal assistance they provide to clients are data controllers, not data processors, under the law. For a fuller explanation of what these terms mean under the GDPR, we invite you to consult our GDPR Glossary.
Let’s highlight a number of points of the GDPR as they pertain to our activity as lawyers.
The importance of the GDPR in the client – lawyer relationship
The client/lawyer relationship is one that is based on trust. As lawyers we routinely access very personal information of or about our clients, even more so when we assist clients on personal matters, e.g. immigration-related matters, personal injury files, criminal investigations, or litigation. When that information relates to EU residents, our use of the data is directly subject to the GDPR. Any loss or misuse of that data could have significant adverse effects on our clients personally. Our ethical duties as lawyers obligate us to protect our clients’ data and to make sure our use of that data is in accordance with applicable law. As regards EU personal data, applicable law includes the GDPR.
GDPR – The extra-territorial reach
A law firm can find itself within scope of the GDPR in two situations.
1 – if it is established in the European Union (EU). This includes U.S.-based law firms with offices in any EU country. If your law firm has established offices in Europe, those offices have a direct obligation to comply with the GDPR; and/or
2 – if it offers its services to “natural persons in the EU”.
In essence, this means that the processing must concern individuals who are located in the EU at the time the services are offered. In order to determine whether an organization is offering services to individuals in the EU, a number of factors are taken into account, amongst which:
– the international nature of the organization’s activity, for instance if it offers to help EU-based companies launch their activity in the U.S., if it helps EU-based individuals with their visa application in the U.S., or if it routinely helps its U.S. clients negotiate contracts with companies in the EU, even if such contracts are governed by U.S. law;
– the language used on the organization’s website, i.e. does the website include content in any European language other than English;
– directing website visitors to local telephone contact information or including international codes for individuals calling in from the EU;
– using a regional EU in-country top-level domain name, e.g. .uk, .eu;
– indicating EU payment currencies for the services, e.g., GBP or EUR.
If any of the above factors apply, then your services as a firm would constitute services covered by the GDPR and your firm, as the service provider, would be directly subject to the obligations and provisions of the GDPR.
The obligations provided by the GDPR
The following constitute some of the primary obligations under the GDPR:
1. Under the “accountability” principle, you have an obligation to document your compliance and to be able to demonstrate your compliance in case of any enquiry by an EU-based individual whose data you process for purposes of your services, or by any EU regulator;
2. Under the “privacy by design” and “privacy by default” concepts, you should treat data protection as an integral part of your day-to-day practice from the very moment you collect or otherwise access the personal data of EU residents;
3. You should maintain a register of your data processing activities in connection with services you offer to clients;
4. You should make data security an absolute priority for your firm;
5. You should immediately notify the EU authorities and the affected individuals of any data breach affecting EU residents of which you become aware;
6. You should perform an impact assessment of each processing activity you undertake within your firm, in particular if such activity is likely to involve the processing of data in large numbers, or if you use social media as an integral part of your marketing strategy;
7. You should consider appointing a data protection officer (DPO) or manager, whose mission would be to manage your ongoing compliance with the GDPR and other EU data protection laws (please note that in more than 50 areas of the GDPR – the so-called “national derogations” – the GDPR is supplemented by the national legislation of each EU member state as it applies to the data of its residents. The DPO position does not have to be a full-time position and can be outsourced under a services agreement);
8. You should ensure that any subcontractor or vendor you retain in the U.S. or any other location outside the EU as part of your operation has signed GDPR mandated data processing clauses with your firm if they access the data of EU residents.
The GDPR also provides that you have to designate a representative in the EU if you have no physical presence in the EU but you offer services to individuals located in the EU.
This rule does not apply if your processing is occasional, not on a large scale, and does not concern sensitive data. If some of your clients are based in the EU, it is likely that you process data more than occasionally.
The individuals’ rights with regard to their personal data
The GDPR confers the following 8 rights on individuals:
– The right to give their explicit consent to the processing of their data, or to object to such processing.
– The right to be informed of the data processing.
– The right to access their data.
– The right to rectify their data.
– The right to have their data erased (aka the “right to be forgotten”). Please note that the obligation to erase the data upon an individual exercising this right goes beyond the mere deletion of the data.
– The right to data portability, which allows your clients to obtain the data you have collected from or about them, and to transfer that data to another firm of their choosing.
– The right to object to automated decision-making, including for profiling purposes.
The steps to undertake in order to comply
In order to comply with your obligations as a data controller the following practical steps can be used as guidance:
1 – Create training materials for your staff on the GDPR and, if your size allows it, set up a dedicated project team to review the privacy implications of any processing activity contemplated by your firm. In some situations, the GDPR requires the appointment of a data protection officer. While many law firms consider this requirement not to apply to them on the basis that they do not process personal data on a large scale, it is nonetheless recommended to appoint a data protection manager at the very least – whether internally or by way of a services agreement with an external DPO – to ensure you remain on top of your obligations as a data controller under the GDPR and other EU laws.
2 – Perform a mapping of your data processing activities. You should be able to know whose personal data you process, how you process such data, why you process it, and in which location(s). This will allow you to have an overview of how your firm processes data in general.
3 – Identify which actions to prioritize. You should determine which of the above 8 rights you are currently able to honour, and address any gaps.
4 – Depending on the type of data you are processing and the type of processing you carry out you may have to perform a Data Protection Impact Assessment (DPIA). A DPIA consists of:
– A detailed description of the processing operations you carry out;
– An assessment of the necessity of the processing, which would include the purposes for the processing, the applicable data retention periods, etc.; and
– A study of the risks in regard to confidentiality, integrity and availability, and their potential impact on privacy.
5 – In order to ensure a high level of protection for the data, implement a privacy by design / by default approach to data protection within your firm, taking into account all events that may occur during any particular processing operation. This means minimizing as much as possible the amount of data being processed and implementing an internal process for responding to individuals’ requests to exercise their rights under the GDPR.
This article was drafted with the collaboration of Marie-Victoire Wickers