Beginning May 25, a new European privacy law known as the General Data Protection Regulation takes effect in Europe and, possibly, around the world.
The GDPR is significantly more demanding than U.S. law, creating new privacy rights and compliance obligations unknown on this side of the Atlantic — all backed up by the threat of crushing government fines and direct enforcement actions by aggrieved individuals.
With the stakes this high, U.S. lawyers should take stock of their firm’s information collection and storage processes and consider carefully whether they have a legal obligation to comply with the GDPR.
The GDPR’s extraterritorial reach
For U.S.-based lawyers serving clients in the 28 member countries of the European Union, the answer is easy. Yes, they are clearly obligated to provide their European clients with all of the privacy rights spelled out in the GDPR.
For lawyers that market their services to client prospects in the European Union, the answer again is yes. Data subjects whose personal information is contained in email distribution lists or client alert mailing lists are entitled to the protections outline in the GDPR.
Less clear, however, are the obligations of lawyers who do not have clients in the European Union and are not targeting their marketing toward the European Union. While many privacy experts have opined that the GDPR protects only “EU citizens” or “EU residents,” these hopeful interpretations are not conclusively supported by the text of the GDPR.
Article 3(2) of the GDPR defines a covered “data subject" as follows:
"This Regulation applies to the processing of personal data of data subjects who are in the Union.”
Some privacy experts, pointing to the phrase “in the Union,” believe that the GDPR governs data collection and processing activities involving anyone physically in the European Union at the time of collection. They say that, until European privacy regulators issue a limiting interpretation, the GDPR covers citizens of any country if they are “in Europe,” or even flying over Europe, at the time their personal information is collected.
Because law firms cannot know with certainty that their online visitors are not protected by the GDPR, the safest course of action is to become GDPR-compliant.
Anne P. Mitchell, attorney, GDPR consultant, and chief executive officer at the Boulder, Colorado-based Institute for Social Internet Public Policy, holds this view. Mitchell says that it would be unwise — even unlawful — for lawyers to rely on technology to sort European from non-European online visitors.
“You really have no way of knowing whether someone with whom you are interacting online is actually in the EU or not,” Mitchell said. “IP address geolocation is not only not reliable, but it is also prohibited by GDPR in the prohibition against using automation to determine certain information about a data subject, including location.”
GDPR textual interpretations and technology shortcomings aside, there is yet a final reason why cautious U.S. lawyers might want to align their data collection and processing activities with the GDPR’s dictates: the price of non-compliance could be very high.
While European privacy regulators likely will not bring enforcement actions for minor violations committed by U.S. businesses, the GDPR’s creation of a private right of action introduces a wild card into the compliance risk calculation. Under the GDPR, any person who suffers "material or non-material damage" as a result of a GDPR violation has the right to file a claim for compensation against the data controller or processor. Some observers believe the GDPR authorizes enforcement actions to be maintained even in the absence of financial loss.
Fundamental Rights of Data Subjects
The GDPR provides individuals (known as “data subjects”) with strong privacy rights, many of which do not have a counterpart in U.S. law. These rights are, in summary:
1. Information. Data subjects have the right to know how their personal data is being used by the data controller.
2. Access. Data subjects have a right to free access to their personal information.
3. Correction. Data subjects have the right to demand corrections to inaccurate or incomplete personal information.
4. Erasure. Data subjects have a right to demand that data controllers delete their personal information (the so-called “right to be forgotten”).
5. Control. Data subjects have the right to demand that data controllers cease processing their data.
6. Portability. Data subjects have the right to obtain a copy of their personal information in order to enable reuse on other services.
7. Limits. Data subjects have the right to object to the data controller’s use of their personal information for profiling, direct marketing or research.
8. Fairness. Data subjects have the right not to be subjected to unfair means of automated decision making.
Law firms are clearly data controllers and, in many cases, data processors as well. In order to be GDPR-compliant, law firms must take steps to ensure that their information systems can provide data subjects all of their GDPR rights.
GDPR Compliance Highlights
Alexander P. Woollcott, chair of the Global Sourcing & Strategic Transactions Practice at Atlanta-based Morris Manning & Martin LLP, said that many law firms have yet to understand the relevance of GDPR to their practices and fewer still have taken steps to come into GDPR compliance.
“The implications to U.S. law firms – from both a legal compliance and an operational standpoint – will be significant,” Woollcott said, “For example, law firms will not have free reign to keep data of a European client if the client exercises his or her right under GDPR to require that the firm delete the client’s data.”
This article is not intended to provide a comprehensive list of steps lawyers must take to comply with the GDPR. Nevertheless, U.S.-based lawyers can get most of the way there by improving their information-handling practices in at least the following five areas:
1. Obtain informed consent. Under the GDPR, data processing is lawful if the data subject has given informed consent. Consent must be a freely given, specific, informed and unambiguous indication of the data subject’s wishes that, by a statement of a clear affirmative action, signifies agreement to the processing of personal data.
Law firms collecting email addresses and other information to be used for marketing purposes cannot rely on pre-checked boxes, and firms must spell out in detail how the data subject’s information will be processed.
Mitchell says that law firms should consider carefully all foreseeable uses of a data subject’s information before they seek consent.
“If you get a client's email address, stating that you will use it for communications between the client and their lawyer, that is the only thing for which you may use that email address,” Mitchell said. “You can't put it on a newsletter mailing list or use it to search for them on social media.”
Requests for consent should be prominently displayed, and not intertwined with website terms and conditions. The law firm must preserve a record of the data subject’s consent, and it must provide a means for the data subject to withdraw consent at a later date.
2. Amend privacy policies and retainer agreements to explain how data subjects can assert their GDPR rights. The firm’s data-handling practices must be spelled out in detail; data subjects must be told what they need to do to view their data, how to request corrections or deletions.
3. Store data securely. Once collected, law firms must protect the data subject’s information under stringent GDPR standards. Inquiries should be made with the firm’s technology providers to ensure that client data is securely stored. Morris Manning’s Woollcott believes that the GDPR’s data security standards are likely more demanding than legacy data security measures at U.S. law firms.
4. Plan now for data breaches. The GDPR requires data controllers to notify authorities of data breaches within 72 hours. This requirement is a relatively short deadline, one that will likely not be met in the absence of advance planning by firms.
5. Revise contracts with vendors. The GDPR requires that contracts between data controllers (e.g., law firms) and data processors (.e.g., marketing technology providers, email providers, web hosting companies) explicitly state that the data processor is GDPR compliant. Because the GDPR imposes liability on data controllers for activities of their data processors, law firms that pass to data processors their clients’ data should have an indemnification clause build into those contracts.
Mitchell advises law firms to squeeze value out of their GDPR compliance efforts by publicizing them in marketing communications.
“Being able to say you are GDPR compliant — putting it right there on your website and in your marketing messages — is a huge plus in terms of giving clients peace of mind,” she said.
“All else being equal, which firm would you choose? One that says right up front that they are GDPR compliant? Or one that doesn't mention it at all?”