Although law firms in the United States have always had an ethical obligation to maintain the confidentiality of their clients’ information (and have increasingly been subject to state-specific data privacy laws in recent years), the legal requirements for managing a law firm have traditionally been somewhat limited.
For law firms that have clients in the European Union (or that have clients with EU citizenship residing in the United States), this is changing on May 25, 2018.
While law firms practicing data privacy law have been preparing for the GDPR for years, many attorneys at other types of law firms are unaware of the GDPR’s requirements and its potential implications for law firms in the United States.
Even though the GDPR is an enactment of the European Union, it applies to U.S.-based businesses (including law firms), and all indications are that E.U. regulators will be aggressively pursuing penalties against violators in Europe and abroad.
What is the GDPR?
Enacted in May 2016, the General Data Protection Regulation (GDPR) replaces the current data protection law in the European Union, known as Data Protection Directive 95/46/EC, which has been in effect since 1995. The GDPR brings sweeping changes for companies that process E.U. citizens’ “personal data” – a term that has a much broader definition in the E.U. than it does in the U.S.
It also imposes severe penalties – up to four percent of annual worldwide revenue or €20 million (approximately $23.5 million), whichever is greater.
What are U.S. Law Firms’ Obligations Under the GDPR?
Since the GDPR applies to all businesses that control and process E.U. residents’ personal data regardless of their geographic location, many law firms in the U.S. will be subject to the GDPR’s requirements.
Law firms that are subject to the GDPR will have obligations including, but not limited to:
1. Limiting Use of E.U. Citizens’ Personal Data
Under the GDPR, law firms may only collect E.U. citizens’ personal data under certain specific enumerated circumstances. Collection of personal data is permitted only if:
- The E.U. citizen (referred to as a “data subject”) has consented to the collection;
- Use of the personal data is necessary to the execution or performance of a contract with the data subject;
- Use of the personal data is necessary to satisfy a legal obligation or to perform a task in the public interest;
- Use of the personal data is necessary to protect the “vital interests” of the data subject or another person; and/or
- Use of the personal data is necessary “for the purposes of legitimate interests” pursued by the law firm or a third party, unless such interests are overridden by the data subject’s interests or rights.
With regard to clients, most law firms will likely receive authorization by consent.
However, in order to satisfy the GDPR, this consent must be freely given, and may not be inferred from a failure to opt out online. As a result, collecting personal data from prospective clients through website contact forms may present more of a challenge, and law firms that could potentially receive inquiries from E.U. citizens must ensure that their websites comply with the GDPR’s disclosure, affirmative consent, and recordkeeping requirements.
2. Recordkeeping and Proof of Compliance
Speaking of recordkeeping, the GDPR’s general recordkeeping requirements are likely to present some of the most onerous burdens for law firms and other businesses in the United States.
Law firms that collect E.U. citizens’ personal data must maintain records that serve as proof of:
- How personal data was collected;
- How and when consent was obtained (if applicable);
- How use of personal data is necessary if consent is not obtained;
- How and where personal data is stored;
- How and when data subjects have been informed of their rights; and
- How, where, and when personal data has been used.
Law firms that store and process clients’ personal data will also need to have documented data privacy and security measures in place, and they will need to be prepared to demonstrate their internal compliance measures if called upon to do so.
It may also be necessary for some firms to appoint a Data Protection Officer (DPO) and/or designate a local compliance representative within the European Union.
3. Observing Data Subjects’ Rights Under the GDPR
The GDPR gives data subjects a number of rights with regard to the use, transfer, and destruction of their personal data. Law firms with E.U. clients must carefully observe these rights, and this will mean satisfying a number of affirmative obligations. At a minimum, these firms will likely be required to:
- Update their privacy policies;
- Ensure that clients’ personal data remain up-to-date;
- Adopt appropriate technical measures for data privacy, security, and transfer;
- Follow appropriate procedures for destroying personal data when necessary (including, but not limited to, upon client request); and
- Maintain documentation of any agreements, legitimate interests, or legal matters for which it is necessary to maintain clients’ personal data.
4. Data Breach Response
Finally, in the event of a data breach, law firms that are subject to the GDPR will need to respond appropriately in order to avoid exposing themselves to regulatory sanctions.
The extent of firms’ data breach response obligations will be contingent upon the volume and nature of the personal data exposed, and firms will need to carefully assess their responsibilities promptly upon discovering a breach.
Where Can I Learn More about the GDPR?
The GDPR represents a sweeping change to the data security landscape for law firms that do business with clients in the E.U. Those that have not yet adopted compliance measures will need to do so promptly, and they will need to continually reassess their compliance efforts as businesses around the world learn more about the GDPR.
Attorneys interested in learning more about their firms’ obligations under the GDPR can review these additional resources:
- GDPR and Your Law Firm (available as a free download from Wolters Kluwer)
- General Data Protection Regulation Guide (published by Jones Day)
- Preparing for the General Data Protection Regulation (GDPR): 12 Steps to Take Now (published by the United Kingdom Information Commissioner’s Office)
- Questions and Answers – General Data Protection Regulation (published by the European Commission)