May 23, 2018
Although law firms in the United States have always had an ethical obligation to maintain the confidentiality of their clients’ information (and have increasingly been subject to state-specific data privacy laws in recent years), the legal requirements for managing a law firm have traditionally been somewhat limited.
For law firms that have clients in the European Union (or that have clients with EU citizenship residing in the United States), this is changing on May 25, 2018.
While law firms practicing data privacy law have been preparing for the GDPR for years, many attorneys at other types of law firms are unaware of the GDPR’s requirements and its potential implications for law firms in the United States.
Even though the GDPR is an enactment of the European Union, it applies to U.S.-based businesses (including law firms), and all indications are that E.U. regulators will be aggressively pursuing penalties against violators in Europe and abroad.
Enacted in May 2016, the General Data Protection Regulation (GDPR) replaces the current data protection law in the European Union, known as Data Protection Directive 95/46/EC, which has been in effect since 1995. The GDPR brings sweeping changes for companies that process E.U. citizens’ “personal data” – a term that has a much broader definition in the E.U. than it does in the U.S.
It also imposes severe penalties – up to four percent of annual worldwide revenue or €20 million (approximately $23.5 million), whichever is greater.
Since the GDPR applies to all businesses that control and process E.U. residents’ personal data regardless of their geographic location, many law firms in the U.S. will be subject to the GDPR’s requirements.
Law firms that are subject to the GDPR will have obligations including, but not limited to:
Under the GDPR, law firms may only collect E.U. citizens’ personal data under certain specific enumerated circumstances. Collection of personal data is permitted only if:
With regard to clients, most law firms will likely receive authorization by consent.
However, in order to satisfy the GDPR, this consent must be freely given, and it may not be inferred from a failure to opt out online. As a result, limiting collection from prospective clients through website contact forms may present more of a challenge, and law firms that could potentially receive inquiries from E.U. citizens must ensure that their websites comply with the GDPR’s disclosure, affirmative consent, and recordkeeping requirements.
Speaking of recordkeeping, the GDPR’s general recordkeeping requirements are likely to present some of the most onerous burdens for law firms and other businesses in the United States.
Law firms that collect E.U. citizens’ personal data must maintain records that serve as proof of:
Law firms that store and process clients’ personal data will also need to have documented data privacy and security measures in place, and they will need to be prepared to demonstrate their internal compliance measures if called upon to do so.
It may also be necessary for some firms to appoint a Data Protection Officer (DPO) and/or designate a local compliance representative within the European Union.
The GDPR gives data subjects a number of rights with regard to the use, transfer, and destruction of their personal data. Law firms with E.U. clients must carefully observe these rights, and this will mean satisfying a number of affirmative obligations. At a minimum, these firms will likely be required to:
Finally, in the event of a data breach, law firms that are subject to the GDPR will need to respond appropriately in order to avoid exposing themselves to regulatory sanctions.
The extent of firms’ data breach response obligations will be contingent upon the volume and nature of the personal data exposed, and firms will need to carefully assess their responsibilities promptly upon discovering a breach.
The GDPR represents a sweeping change to the data security landscape for law firms that do business with clients in the E.U. Those that have not yet adopted compliance measures will need to do so promptly, and they will need to continually reassess their compliance efforts as businesses around the world learn more about the GDPR.
Attorneys interested in learning more about their firms’ obligations under the GDPR can review these additional resources: