What types of information do law firms collect that may be subject to the GDPR?
Law firms typically collect personal data subject to the GDPR in the following five contexts:
- Employee data. If a law firm has employees in the European Union, the human resource data that it collects about those employees is most likely subject to the GDPR. Such data may also be subject to national employment privacy regulations of the relevant Member State.
- Data about potential clients. Most law firms collect personal information about potential or prospective clients. Such data is typically used to target potential clients, plan pitches, tailor responses to requests for proposals, or send direct marketing. Personal data about prospective clients may be subject to the GDPR if it is processed in the context of an establishment in Europe (e.g., a European office of a law firm), or if the data is used to market to individuals located within Europe. Furthermore, direct marketing activities to potential or prospective clients in Europe may also fall under the application of the EU ePrivacy Directive 2002/58/EC, which imposes additional consent requirements.
- Data about the law firm’s clients. Most law firms collect personal information about their clients, or about individuals who work for their clients. Such data is typically used by a law firm for a variety of purposes, including running conflicts, sending out invoices, collecting money owed to the law firm, transmitting marketing, and communicating with clients about projects and engagements. Personal data about existing clients may be subject to the GDPR if it is processed in the context of a European establishment of the law firm (e.g., if the matter is handled out of a European office of the firm) or if the client (to the extent that the client is an individual, such as a private client) is located within Europe.
- Data received from clients to be used in a representation. Clients often transmit to their law firm personal data that is relevant to a particular matter or representation. For example, if a client retains a law firm to defend it in conjunction with a sexual harassment lawsuit brought by an employee, the client might transmit information about the employee, her supervisors, or her colleagues. Such data will be subject to the GDPR if it is processed in the context of a European establishment of the law firm (e.g., if the matter is handled out of a European office of the firm). It is also possible that if a private client (e.g., an individual as opposed to a corporation) that is located in Europe transmits information about themselves to be used in a representation, that data is also subject to the GDPR. So, for example, if a client provides personal information about a third person to their European attorney in relation to a potential crime, contract violation, or request for legal advice, that information would be governed by the GDPR.[1]
- Data from other sources to be used in a representation. Attorneys often receive personal data from third parties that may be relevant to a particular representation. For example, in the United States an attorney may serve a document request on an opposing party or a subpoena on a third party that asks for personal data that may be relevant to litigation. Such data may be subject to the GDPR if it is processed in the context of a European establishment of the law firm (e.g., if the matter is handled out of a European office of the firm).
Are law firms considered “processors” or “controllers” of the personal data that they receive from clients as part of a representation?
It depends.
Many lawyers (and clients) incorrectly assume that attorneys must be processors because they are service providers of their clients. In some situations, a service provider has a role in determining the purposes and means of processing; when that occurs the service provider is, like its client, considered a “controller” or a “joint controller.”
The Article 29 Working Party took the position that if a service provider has a “traditional role and professional expertise” that requires it to determine the purpose and means of processing, that independent expertise could convert the service provider into a controller. It specifically noted that in situations in which a “barrister represents his/her client in court, and in relation to this mission, processes personal data related to the client’s case,” the barrister is a controller.[2] The logic appears to be that the instruction a client gives to their attorney is not necessarily to process data, but, rather, to represent the client’s interests before a court. Because the processing of data is an ancillary function that is wholly (or partially) determined by the attorney independently of the client, the attorney’s processing should be conceptualized as that of a controller.
The UK ICO – the supervisory authority for the United Kingdom – reached a similar conclusion in the context of discussing whether a solicitor would be a processor or a controller. The ICO suggested that a solicitor/attorney should be considered a controller in the following situations:
- Advising clients as to legal rights vis-à-vis data subjects. An attorney should be considered a controller when he or she receives personal data about a third party in order to advise the client concerning its rights vis-à-vis the third-party data (e.g., a client shares personal data about a former salesman who stole client information).[3]
- Client defers to attorney concerning use of data. An attorney should be considered a controller when a client has “little understanding of the process the solicitors will adopt or how they will process the personal data” during the course of providing a representation.[4]
The view of the ICO was echoed by The Bar Council of England and Wales, which stated in a memorandum that “[f]or the avoidance of doubt, self-employed barristers are data controllers of their client’s data. They are not data processors.”[5]
In Germany, the national Council of Data Protection Commissioners (Datenschutzkonferenz) has taken a similar approach and confirmed that attorneys act as controllers when processing personal data of their clients.[6]
The guidance of the Article 29 Working Party, the UK ICO, the UK Bar Council, and the German Council of Data Protection Commissioners nonetheless leaves open the possibility that in some situations an attorney could act as a processor rather than a controller. For example, if a client retained a law firm for the express purpose of processing data (e.g., conducting document review or hosting a document room), and provided specific direction and control regarding how the data was to be processed (e.g., the client selected or approved the type of software that would be used during a document review and how the documents would be stored and processed), an argument could be made that the attorney is, in fact, functioning as a processor and not as a controller. Even in situations in which it appears that a client has provided specific directions and retains a large degree of control, a law firm may still find itself acting as a controller with regard to data if it is required to process data outside of those client instructions in order to comply with regulatory or professional obligations.[7] For example, an argument could be made that a law firm acts as a controller of data if it is required to (i) carry out internal conflicts and other regulatory checks on new client matters or to undertake appropriate client due diligence in accordance with anti-money laundering laws; (ii) subject to duties of confidentiality and privilege, cooperate with regulators and other public authorities (including by responding to regulatory requests for information, undertaking internal investigations, and complying with reporting and other professional obligations); or (iii) disclose personal data over a client’s objection to a court during the course of litigation.
If a law firm is a controller of the personal data that it receives from a client as part of a representation, is it a “separate controller” or a “joint controller?”
A joint controller is defined within the GDPR as “two or more controllers” that “jointly determine the purposes and means of processing.”[8]
There is considerable ambiguity surrounding what it means to “jointly determine” the purpose and means of processing. While regulatory authorities have not offered guidance as to whether the term does, or does not, apply to attorneys/solicitors/barristers when they perform services on behalf of a client, the Article 29 Working Party has suggested in the context of barristers that it views a joint controller relationship as unlikely, referring to them as “independent” controllers.[9] Similarly, the UK ICO – the supervisory authority for the United Kingdom – also implied, as part of a discussion of data subject rights, that solicitors may not be joint controllers, by stating that a client and a solicitor “each have their own data controller responsibilities.”[10]
One of the defining practical characteristics of joint controllers is that they allocate “their respective responsibilities for compliance” with the GDPR between and among themselves.[11] Put differently, when two companies are separate controllers, each company is responsible for independently fulfilling all of the requirements imposed by the GDPR. When two companies are joint controllers, the companies can agree by contract to allocate and distribute those responsibilities so that the entities, viewed together, address all of the GDPR obligations, even though one or both, viewed in isolation, might be out of compliance. As a practical matter, therefore, whether a law firm and its client are separate controllers or joint controllers may be determined by whether the law firm is relying upon its client to satisfy an obligation of the GDPR on the law firm’s behalf, or whether the client is relying upon the law firm to satisfy an obligation of the GDPR on its behalf. As an example, if the law firm’s processing of personal information is premised upon the client having a lawful purpose, or the law firm intends to rely upon a record of processing kept by a client (e.g., the law firm does not intend to keep its own record of processing), the law firm and client may be acting as joint controllers. Conversely, if the law firm’s processing of personal information is premised upon its own lawful purpose (e.g., the law firm’s legitimate interest in representing its client), and the law firm has processes in place to comply in its own right with the obligations of the GDPR (e.g., maintaining its own record of processing), its actions would be consistent with those of a separate controller.
Are barristers and solicitors “separate controllers” or “joint controllers?”
A joint controller is defined within the GDPR as “two or more controllers” that “jointly determine the purposes and means of processing.”[12]
There is considerable ambiguity surrounding what it means to “jointly determine” the purpose and means of processing. Legal professional organizations in some countries have indicated that barristers and solicitors rarely function as joint controllers when involved in the representation of a matter. For example, The Bar Council in the UK has taken the following position:
“Article 26 applies only where ‘two or more controllers determine the purpose and means of processing’. Other than in exceptional circumstances, this will not be the case in relation to a barrister and their instructing solicitor concerning a typical set of instructions or a typical brief. Instead, the barrister will (and will be professionally obligated to) form their own opinion as to how the personal data should be used, hand and where it should be stored, and as to the period for which it should be retained. The barrister and the solicitor will therefore be processing a pool of data ‘independently of each other’, and will not be joint controllers.”[13]
While situations in which a barrister and a solicitor may be joint controllers “are likely to be rare,” they are, however, not inconceivable.[14] For example, it may be possible that if a barrister and a solicitor are jointly involved in the “drafting of letters or witness statements,” they form a joint controller relationship. Even in that situation, however, if one of the parties needs independence concerning the use, retention, or deletion of the data, a joint controller relationship is unlikely to form.[15]
Are law firms considered “processors” or “controllers” of the personal data that they collect from third parties as part of a representation of a client?
A law firm will most likely be considered a controller when processing personal data from third parties as part of a representation of a client (e.g., when collecting information from a witness).
While it is theoretically possible that a law firm may function as a processor by collecting personal data from a third party on behalf of a client, in most situations in which law firms are retained the firm determines (either independently or jointly with its client) the type of data that should be collected, how it will be used, and how it will be processed. That level of control would likely be viewed by most supervisory authorities as indicating that a law firm is functioning as a controller.
[1] See UK Information Commissioner’s Office, Data Controllers and Data Processors: What the Difference Is and What the Governance Implications Are (2014) at ¶¶ 40-43. Note that while this guidance predated the GDPR, the application of the underlying principle as it impacts processing in the context of a lawyer’s establishment in Europe is consistent with the territorial scope of the GDPR.
[2] Article 29 Data Protection Working Party, WP169: Opinion 1/2010 on the concepts of ‘controller’ and ‘processor’ at 28 (Feb. 16, 2010).
[3] UK ICO, “Data Controllers and Data Processors: What the Difference Is and What the Governance Implications Are” at 12-13.
[4] Id.
[5] See Memorandum issued by UK Bar Council in April 2018 (last viewed 8 October 2020).
[6] See Datenschutzkonferenz, Kurzpapier Nr. 13, Auftragsverarbeitung, Art. 28 DS-GVO (16 January 2018), p. 4.
[7] For example, while a barrister who is on secondment at a solicitor’s firm might in some instances be considered a processor of the solicitor, The Bar Council of the UK has cautioned that the barrister may still need to “exercise their independence” either to perform their work or to comply with their obligations under their professional code of conduct. As a result, even while on secondment a barrister may still be considered a “data controller.” See Memorandum issued by UK Bar Council in April 2018 (last viewed 8 October 2020).
[8] GDPR, Art. 26(1).
[9] Article 29 Data Protection Working Party, WP169: Opinion 1/2010 on the concepts of ‘controller’ and ‘processor’ at 28 (Feb. 16, 2010) (emphasis added).
[10] UK ICO, “Data Controllers and Data Processors: What the Difference Is and What the Governance Implications Are” at 13.
[11] GDPR, Art. 26(1).
[12] GDPR, Art. 26(1).
[13] See Memorandum issued by UK Bar Council in May 2018 (last viewed 8 October 2020).
[14] Id. at ¶ 7.
[15] Id.