Law firms are not immune from the challenges posed by big data and digital technology, including dealing with the European Union’s new General Data Protection Regulation (GDPR).
This regulation includes the so-called “right to be forgotten,” which may conflict with an attorney’s duty to preserve client information. An opinion from the Maryland State Bar Association’s Committee on Ethics provides guidance to law firms for navigating conflicting data rules and suggests steps to comply with state ethics rules while protecting clients’ information and limiting exposure to data breaches.
A New Right to Be Forgotten
The GDPR’s right-to-be-forgotten refers to an EU citizen’s right to require an organization with information about that person to delete the data, stop sharing the data, and potentially stop using the data. Personal data includes any information related to a natural person that could be used to identify them, including names and addresses. The GDPR applies to data used outside the EU where the data user is offering services within the EU. Thus, law firms with EU citizen or resident clients, or former clients, should consider how they are using and storing their clients’ personal information.
Data Retention Issues
The Maryland ethics committee first noted that while the GDPR may prevent an attorney from maintaining certain records, nothing in the GDPR relieves that attorney of their general responsibility to avoid conflicts of interest unless the conflict is one that is waivable and the attorney has actually obtained a waiver. “Law firms should look carefully at ways to harmonize their information retention policies with their obligations under the GDPR and state ethics rules so that they do not find themselves having to choose whether to comply with the one or the other,” urges Alexander R. Bilus, cochair of the ABA Section of Litigation’s Privacy & Data Security Committee.
The committee next recognized that when a former client asks the firm to delete their personal data—and the GDPR would require the attorney to delete that data—the former client can be said to have waived any conflict that would have been discovered if the data were kept. But this waiver only applies when the firm advises the client, in writing, about the potential conflict and where none of the attorneys working on the case has actual knowledge of a conflict. The opinion also raised the possibility that law firms subject to the GDPR include a discussion of the right-to-be-forgotten in their engagement letters, and include information on how the firm deals with potential conflicts when clients request their data be deleted.
“The fact that a law firm has deleted a former client’s personal data does not end all obligations to the former client where attorneys at the firm have retained some knowledge of the past representation. While the opinion leaves open the possibility that such an attorney could be screened from representing the current client, firms should look carefully at local rules and their own policies for screening conflicted attorneys,” explains John M. Barkett, Miami, FL, cochair of the Section of Litigation’s Ethics & Professionalism Committee.
The opinion decries any attempt to determine whether exceptions to the GDPR would apply to the circumstances presented. And the opinion is clear that if such exceptions did apply, retention would be required. “The key exception under the GDPR is for information necessary to defend against legal claims. Retaining enough information to run a conflicts check may very well be permissible under this exception,” reasons Bilus.
The Changing Implications of Big Data
At a time when the potential scope of liability for data breaches is growing, the opinion highlights the need for law firms to take another look at policies related to their data retention. “It is generally considered a best practice to attempt to minimize the amount of data collected and the amount of time for which the information is retained in order to limit exposure in the event of a data breach. This opinion is a helpful reminder that firms should review those policies to ensure they are not retaining unnecessary information,” explains Bilus.
But the opinion may raise more issues than it resolves. “The opinion relies on several assumptions that may prove not to be the case. Firms potentially subject to the GDPR should look more carefully at the regulation and the specifics of their situation before deciding how to handle data retention,” cautions Barkett.
Stephen Carr is an associate editor for Litigation News.
Copyright © 2019, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).