Risk Update

Law Firm GDPR Compliance — Information Governance in Depth

David Zetoony, Co-Chair of Greenberg Traurig’s U.S. Data, Privacy and Cybersecurity Practice, presents an excellent, in-depth analysis: “GDPR: Law Firm Information Collection; Processors or Controllers?” —

  • “Are law firms considered ‘processors’ or ‘controllers’ of the personal data that they receive from clients as part of a representation? It depends.”
  • “Many lawyers (and clients) incorrectly assume that attorneys must be processors because they are service providers of their clients. In some situations, a service provider has a role in determining the purposes and means of processing; when that occurs the service provider is, like its client, considered a ‘controller’ or a ‘joint controller.’”
  • “The Article 29 Working Party took the position that if a service provider has a ‘traditional role and professional expertise’ that required it to determine the purpose and means of processing, that independent expertise could convert the service provider into a controller. They specifically noted that in situations in which a ‘barrister represents his/her client in court, and in relation to this mission, processes personal data related to the client’s case’ the barrister is a controller.[2] Their logic appears to be that the instruction that a client provides to their attorney is not necessarily to process data, but, rather, to represent the client’s interest before a court. Because the processing of data is an ancillary function that is wholly (or partially) determined by the attorney independent from the client, the attorney’s processing should be conceptualized as that of a controller.”
  • “The UK ICO – the supervisory authority for the United Kingdom – reached a similar conclusion in the context of discussing whether a solicitor would be a processor or a controller… The view of the ICO was echoed by The Bar Council of England and Wales, which stated in a memorandum that ‘[f]or the avoidance of doubt, self-employed barristers are data controllers of their client’s data. They are not data processors.’”
  • “The guidance of the Article 29 Working Party, the UK ICO, the UK Bar Council, and the German Council of Data Protection Commissioners leaves open the possibility that in some situations an attorney could, however, act as a processor and not a controller. For example, if a client retained a law firm for the express purpose of processing data (e.g., conducting document review or hosting a document room), and provided specific direction and control regarding how the data was to be processed (e.g., the client selected or approved the type of software that would be used during a document review and how the documents would be stored and processed) an argument could be made that the attorney is, in fact, functioning as a processor and not as a controller.”
  • “Even in situations in which it appears that a client has provided specific directions and retains a large degree of control, a law firm may still find itself acting as a controller with regard to data if it is required to process data outside of those client instructions in order to comply with regulatory or professional obligations.[7] For example, an argument could be made that a law firm acts as a controller of data if it is required to (i) carry out internal conflicts and other regulatory checks on new client matters or to undertake appropriate client due diligence in accordance with anti-money laundering laws; (ii) subject to duties of confidentiality and privilege, cooperate with regulators and other public authorities (including by responding to regulatory requests for information; undertaking internal investigations and complying with reporting and other professional obligations), or (iii) disclose personal data over a client’s objection to a court during the course of litigation.”