The European Union’s General Data Protection Regulation and U.S. Law Firms by Alan F. Blakley, Esq.
Many people in the United States believe that the European Union’s General Data Protection Regulation (GDPR) did not come into effect until May 25, 2018. However, from the time the previous “safe harbor” between the United States and the European Union was declared invalid by the European Court of Justice, on October 6, 2015, United States companies were on notice that something stricter was coming.[i] Moreover, in December 2015 – almost three years ago – the European Parliament, European Council and European Commission reached an agreement on a more far-ranging and stricter privacy regulation.[ii] The GDPR was adopted in 2016. So, what happened in May 2018? The GDPR got its teeth.
Much as electronic discovery was largely ignored in United States litigation prior to the Zubulake cases, beginning with Zubulake v. UBS Warburg LLC, 217 F.R.D. 309 (S.D.N.Y. 2003), and the changes to the Federal Rules of Civil Procedure in 2006, the GDPR was generally ignored by law firms and companies until May 2018, when it began being enforced in earnest. But why would a law firm that practices exclusively in the United States care about the GDPR? After all, it only applies to information of European Union citizens. (Strictly, the GDPR’s territorial scope in Article 3 turns on data subjects who are in the Union and on establishments in the Union, not on citizenship, so the reach is somewhat broader than the common shorthand suggests.) First, two points. Irrespective of what the isolationists in the United States want people to believe, this is a global economy and the United States is part of an international system. It is almost impossible to imagine a product, even one made in the United States, that does not have at least one component from another country. Consequently, a law firm representing a business likely has information on individuals from another country. For instance, a company in Houston may have an engineer on loan from a United Kingdom company who is a citizen of France. The company in Houston no doubt has that employee’s personal information.
And, what is personal information under GDPR? Personal information can include anything from a person’s name to date of birth, telephone numbers, email addresses, citizenship status, the person’s location at a particular time, biographic and demographic information, marital status – essentially, “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity.”[iii]
Not only businesses that hold employment information, but litigators holding witness information, may be in possession of such “personal data.”[iv] The firm is subject to the GDPR’s requirements if it has “processed” that data, and “processing” does not mean only manipulating data, as many assume. It includes collecting, recording, organizing, storing, or doing almost anything else with the data.[v] So, for instance, a litigator who collects information about witnesses, or a business lawyer who collects information about a company’s employees for whatever purpose, may have obligations under the GDPR.
Failure to comply with the GDPR can expose a violator to fines of up to €20,000,000 or 4% of annual global turnover – whichever is higher.[vi] Now a bit of good news: Elizabeth Denham, the United Kingdom’s Information Commissioner, has said that she is more interested in a good-faith effort to comply with the GDPR than in levying fines.[vii]
To make that good faith effort, the law firm needs to understand the rights of the individual data subjects. Basically, the individual has the right to access information that is collected, to correct incorrect data, to have data erased if it is no longer needed for its original purpose, to receive copies of all data collected, to object to direct marketing to them, and to be informed (without small print) of policies. The entire list is available in Articles 12 – 23 of the GDPR.
What should a law firm do? Awareness and education are the most important first steps. A large law firm with an information technology department or data officer should appoint that person, or some other knowledgeable person, as the data protection officer. A smaller law firm may wish to designate a paralegal or an attorney as the data protection officer. The tasks of the data protection officer may be found in GDPR Art. 39. One of the primary obligations is to educate the people in the firm. At the very least, they should be trained, and reminded periodically, to recognize when they have acquired personal information of any kind about an individual in the European Union, and to notify the data protection officer immediately. At that point it becomes the data protection officer’s obligation to ensure compliance with the GDPR.
Developing an education plan may include creating policies and disseminating them. Employees should be reminded often of their obligations. Engagement letters need to be updated to include information about privacy and records retention. If a firm has practice groups, each practice group should be encouraged to create specific guidelines relevant to that group. Finally, the firm should update its privacy policies and make sure existing and new clients understand those policies – not policies hidden in small print or behind a “click through” on a website that no one ever reads. While the GDPR reaches only persons in the European Union, many companies and law firms are finding it easier and more responsible to treat all persons the same.
There are two pieces of good news. First, the data subject may consent to the “processing” of personal data. The GDPR sets out the conditions for valid consent in Article 7. But consent may be withdrawn at any time. Second, the data subject’s right to have information erased is limited. For instance, if information is maintained for the establishment, exercise or defense of legal claims, the data subject may not have it erased so long as it is still necessary for that purpose.[viii] Moreover, employment information may be maintained as long as required by law. However, disseminating the information to others or using it for solicitation may still be prohibited. And solicitation may be something as simple as contacting people by email to ask whether the lawyer can call them to get their witness statements.
Finally, the law firm needs to audit the information it already holds to ensure that any personal data of individuals in the European Union is maintained for a legitimate purpose. The audit should be complete and documented. While it is unlikely that a European supervisory authority will target a law firm doing business exclusively in the United States, the privacy of personal information should be a priority for all lawyers, and a documented audit can help protect the firm in any future enforcement action. This brief article merely sets out some of the requirements of the GDPR. It is intended as a starting point. The GDPR contains 99 Articles and 173 Recitals. Someone in each firm needs to become familiar with it.[ix] Many articles address these issues in greater depth as well. In addition, the United Kingdom’s Information Commissioner’s Office has released a twelve-step plan for businesses.[x] This plan is appropriate for law firms as well as businesses. Following it will not guarantee that a firm is never subject to enforcement, but it is strong evidence of the good-faith effort regulators have said they are looking for. Law firms may also wish to inform their clients of their potential obligations and liabilities.
[i] For the full opinion, http://curia.europa.eu/juris/document/document.jsf?docid=169195&doclang=en (last visited 12 July 2018).
[ii] In general, see the timeline on https://edps.europa.eu/data-protection/data-protection/legislation/history-general-data-protection-regulation_en (last visited 12 July 2018).
[iii] GDPR, Art. 4 (1) (emphasis added).
[iv] This article specifically does not address issues in interviewing witnesses in European countries and whether that is considered witness tampering, nor does it address issues of trying to depose a European Union citizen when that deposition may elicit personal data. See, e.g., Alfadda v. Fenn, 149 F.R.D. 28 (E.D.N.Y. 1993).
[v] GDPR, Art. 4 (2).
[vi] GDPR, Art. 83, 84 (and individual Member State implementing laws).
[vii] See, e.g., https://www.computerworlduk.com/data/information-commissioner-elizabeth-denham-dispels-gdpr-myths-3676726/ (last visited 12 July 2018).
[viii] GDPR, Art. 17(3)(e).
[ix] It is available at https://gdpr-info.eu/ (last visited 12 July 2018).
[x] https://ico.org.uk/media/for-organisations/documents/1624219/preparing-for-the-gdpr-12-steps.pdf (last visited 12 July 2018).