The practice of law has become ever more global and seamless in the 21st century. But the worlds that counsel must span when gathering information about people and organizations have become more complex.
Member states of the European Union (E.U.) and many other countries, including the United Kingdom (U.K.), Canada, Russia, and Brazil, have developed, and are developing, legal privacy protections for their citizens and residents that are significantly broader than those in the American legal system. When gathering personal information of individuals and organizations located in other parts of the world, counsel must be mindful of those laws to avoid peril for themselves and their clients.
For now, let’s include the U.K. when we refer to the E.U., because as a former member of the E.U., the U.K. passed and enforces the Data Protection Act, which implements the General Data Protection Regulation (GDPR). We’ll also look separately at U.K. legislation and law, as the U.K. is a common-law jurisdiction that shares many American legal principles and practices.
One of the most significant differences between the United States and the E.U. is their starting points. Under the GDPR and its implementing statutes, there is no presumption that gathering personal information—even publicly available personal information—is legally permitted. Rather, those laws require that there be a legitimate interest in gathering personal information or that knowing consent be obtained.
Furthermore, those laws generally require that the subject be notified of the collection of his or her information; be able to access, obtain, and transfer it; and, in appropriate circumstances, even be permitted to require its deletion. All of these are relatively new laws, still largely untested in the courts. Precedent is just developing. Much of that precedent, including that coming from other countries that have similar privacy laws modeled after the GDPR, sets high standards.
No counsel wants to be cut by these bleeding edges. But does an American lawyer in Cleveland fall under the jurisdiction of these laws?
The asserted jurisdiction of the GDPR and its implementing laws is broad. To start, those laws apply to any “controller” of data (which can include lawyers and their staff gathering and handling personal information) or “processor” of data (such as the provider of an email service) who (1) has an establishment (think office or business presence); (2) in the E.U.; and (3) processes personal data in the course of its activities, regardless of where the processing takes place (even outside the E.U.).
Controllers or processors may be individuals, companies, or other entities. This first situation does not necessarily implicate the American lawyer in Cleveland, Ohio, unless, for example, counsel is at a firm with an office in the E.U. or the U.K.
But the GDPR also applies where a data controller or processor has no E.U. presence, if that controller or processor is monitoring the behavior of individuals in the E.U. or offers goods or services (think legal services) within the E.U. That is where the American lawyer in Cleveland may be implicated, even if that lawyer’s firm has no offices in the E.U.
It’s tricky, though. The law is far from settled. One could argue that, as a practical matter, if that American lawyer in Cleveland collecting publicly available personal information in the E.U. has no firm offices there or other substantive connections, such as regular or steady work the firm is performing in the E.U., then the long arm of the GDPR will likely not reach the American lawyer.
Yet, many E.U. authorities hold an aggressive view of the scope of their jurisdiction. The Cleveland lawyer should be aware of those risks, however remote they seem.
So what does this mean for American lawyers?
Basics About E.U. Information
As a starting point, there are a few basics that counsel should understand when working on a matter that involves handling information on E.U. individuals or organizations, or information maintained in the E.U.
First, we must understand the scope of these laws. The GDPR regulates “personal data,” but what makes data “personal”? Personal data are any information related to an identified, or identifiable, natural person—addresses, birth date, telephone numbers, internet addresses, financial information, and even opinions about that person.
There is also a subcategory of personal data known as “sensitive” personal data. Sensitive personal data are even more tightly regulated. Sensitive personal data may not be collected, released, or otherwise handled, unless the subject has knowingly consented or made public the information or unless it is necessary for establishing, exercising, or defending legal rights. Sensitive personal data include criminal records, religious affiliation, ethnic background, political views, and union membership. Note the difference from the United States, where criminal records are generally considered part of the public record.
Second, we must understand when we are permitted to gather and use personal data. Essentially, we must have obtained informed consent to do so. “Informed consent” requires specific knowledge. The subject must be aware of who is gathering and using the data and the purpose for which the data are being gathered and used. That consent should be documented.
Absent consent, counsel may collect personal data only if an alternative “lawful ground” of processing, of those listed in the GDPR, applies. The lawful ground most commonly used by counsel and the investigators they retain is that a “legitimate interest” exists for the use of the data.
Under Article 6(1)(f) of the GDPR, counsel must consider and satisfy three tests to rely on the legitimate interests ground: (1) the purpose test—a legitimate interest must be identified; (2) the necessity test—the processing of the data is necessary to achieve that legitimate interest; and (3) the balancing test—the interests, rights, and freedoms of the subject must have been considered and balanced against the legitimate interests being pursued. In the U.K., this is referred to as the Legitimate Interests Assessment.
Circumstances under which the legitimate interests exception has been deemed to apply include supporting legal proceedings; obtaining legal advice; performing a contract; complying with a legal obligation; detecting and preventing crime or fraud; and establishing, exercising, or defending legal rights.
Although this may seem like broad permission, counsel should not be over-reliant on it. The U.K.’s data processing authority—the Information Commissioner’s Office (ICO)—states:
Legitimate interests is the most flexible lawful basis for processing, but you cannot assume it will always be the most appropriate. It is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing. If you choose to rely on legitimate interests, you are taking on extra responsibility for considering and protecting people’s rights and interests.
Even when a legitimate interest to collect personal data exists, counsel may have to notify the subject of the use of the data and promptly respond to the subject’s requests for access. The only exception is when notice would render impossible or seriously impair the objectives of the representation, and either the data are necessary (to prevent or detect crimes; in connection with legal proceedings, to obtain legal advice; or to establish, exercise, or defend legal rights) or the data consist of information potentially covered by a legal professional privilege. The same facts used in the legitimate interest test can be used to support a legal basis excusing notice to the subject.
The Rules in Practice
How does this play out in a practical setting?
Let’s say that a client, in connection with a corporate deal, has asked you to conduct due diligence on the principal of your client’s U.K. counterparty. Or let’s assume that, in connection with an investigation in support of litigation, a key witness in your case has moved to France.
Regardless of the specific client or situation, you must undertake the multistep GDPR analysis before gathering information. Is there a legitimate basis for gathering the information? Do you need to notify the subject? Or does an exception to notification apply?
That detailed evaluation should be performed in every instance when the GDPR is implicated. And you as counsel would be well advised to reach agreement with your client about the analysis and the conclusions, and memorialize the reasoning for the approach taken. The documentation, which can be relatively short and straightforward, should set forth the legitimate interest being pursued, the necessity for gathering the information, and the balancing of those factors against the subject’s interests. That documentation demonstrates compliance with the GDPR and can be relied on if a regulator inquires or if the subject later asserts there was noncompliance or a breach.
The GDPR has strict requirements for the handling of personal data, as well. You should ensure that your team, and anyone else working at your direction, has the proper structure and governance to collect, process, and transfer personal information between jurisdictions; encrypts and properly protects the information from theft or improper disclosure; maintains a process to promptly handle subjects’ access requests; and keeps records of the data-processing activities.
How real are the consequences of not complying?
According to a complaint filed recently with the European Commission, data protection agencies remain understaffed, and referrals and resources intended to focus on enforcement of the GDPR lag far behind.
But that does not mean lawyers should be careless in their compliance. While they may not do all they should, data protection authorities continue to pursue the misdeeds of firms that improperly collect and process personal data. For example, the ICO (which has one of Europe’s larger data protection enforcement staffs) regularly responds to complaints about violations of applicable privacy laws and has pursued breaches through civil and criminal actions.
To name just a few cases, the ICO has prosecuted investigators for purchasing from police and government employees personal information contained in government computer systems. The ICO also has secured convictions against an insurance adjuster and private investigators for illegally obtaining the bank information of a claimant. This is especially noteworthy because the liability does not necessarily end with the direct investigator; it can extend to whoever (the attorney or the client) hired the investigator.
A subject who learns that a party is collecting and processing its personal information can send a data subject access request to the data collector or processor to obtain all the information collected and processed and an explanation of what it was used for and to whom it was provided. Those requests can be made in almost any form, including orally, and must be answered promptly, within a month of receipt.
Unless a lawful basis exists to exempt counsel or the investigator from responding, the investigation file and the use to which it has been put may have to be disclosed. And information obtained from those requests can be used to file a complaint in court or with a privacy regulator. That means that the investigator, and even counsel for whom the investigator is working, can be held legally responsible for failing to notify the subject and for not responding to any access requests.
The risks of civil liability are real. Subjects of investigations have sued, alleging violations of the GDPR and applicable privacy laws. Those lawsuits often also allege related common-law torts. Many of the factual allegations on which those claims are based involve misleading and deceptive behavior or actual trespass.
Damages from violations of privacy may be hard to calculate, but the legal fees necessary to defend those claims and regulatory investigations are not. And even without the risks of liability, if counsel have been collecting personal information in violation of these privacy laws, it is possible a court may hold that the information is inadmissible, thus rendering the whole exercise moot and perhaps resulting in a very unhappy client.
Ignorance of the law is always a risky proposition. As described, the legal requirements for gathering and handling personal information in foreign jurisdictions are dramatically different from those in American jurisdictions. Counsel need only appreciate the difference enough to ask the right questions and heed the right answers.