Chapter § 9.06 General Data Protection Regulation (or GDPR)
Jurisdiction: United States
Publication year: 2020
[1] Introduction
The General Data Protection Regulation (“GDPR”), effective May 25, 2018, replaced the Data Protection Directive[95] as the primary law regulating businesses that fall under the European Union’s (“EU”) jurisdiction for purposes of protecting personal data. The regulation is far-reaching. Not only does it apply to EU-established businesses that handle personal data, but also to entities outside the EU that process the data of EU residents in offering goods or services or that monitor the conduct of people in the EU. And it governs virtually every stage and aspect of data collection, storage, and use—including anonymization of data, collection of consent to process data, cross-border transfer of data, and data breach response. The GDPR also imposes a number of unique features, including stringent data breach notification requirements, as well as the requirement that certain entities appoint a data protection officer (or “DPO”) to oversee GDPR compliance. Law firms in the United States that have European offices or that handle data of EU residents in providing legal services must invest in complying with the GDPR. As discussed below, the penalties and fines for failing to do so can be hefty.
[2] The GDPR’s Application to Law Firms and Their Data
[a] Scope
A key feature of the GDPR is its extraterritorial reach. As noted above, the GDPR applies to U.S. law firms that (i) “process”[96] personal data if the firm has an office established in the EU or (ii) satisfy the “targeting criterion” (i.e., they process data of EU residents in offering goods or services, or in monitoring the behavior of people in the EU).[97] A firm meets the “offering goods or services” criterion when it displays an express intention to offer such goods or services to people in the EU (regardless of whether the firm requires payment for them)—but not merely because its Web site is available in the EU or because that Web site provides contact information for the firm that is not specifically directed to EU residents.[98] In addition, “monitoring” the conduct of EU residents can include a broad range of activities, such as behavioral advertising, geo-localization for marketing, video monitoring, online tracking through the use of cookies, or tracking through the provision of online personalized health analytics services, market surveys, or other behavioral studies.[99] Law firms should carefully evaluate their activities with respect to EU residents to determine whether they are covered by the GDPR.
[b] Personal Data
The GDPR is expansive not only in geographical scope, but also in the data it covers. It regulates personal data, which is defined as “information relating to an identified or identifiable natural person” (i.e., a “data subject”).[100] Data relates to an “identifiable” person when someone can use it to identify a person—either directly or indirectly—by “means reasonably likely to” link that person to the data about them.[101] Thus, data need not be associated with a person’s name to qualify as personal data; identification numbers, location data, Internet protocol (IP) addresses, cookies, and other tracking data may qualify as identifiers.[102] The GDPR provides additional protection for certain special categories of data, including data related to race or ethnicity, political or religious beliefs, health or sexuality, or genetic and biometric information.[103] Processing of this data is generally prohibited unless one of ten exemptions applies (e.g., explicit consent, employment, and legal proceedings).[104] Because certain data that law firms process may qualify as “personal data,” firms should integrate GDPR compliance into their data-processing practices, including intake and billing procedures, as well as day-to-day use of personal data for purposes of representing clients.
[c] Data Controllers and Processors
The GDPR distinguishes between data “controllers” and data “processors.” A law firm acts as a “controller” if it determines the purpose and means of processing personal data. In contrast, a firm acts as a “processor” if it processes personal data on behalf of the controller.[105] Data controllers are primarily responsible for ensuring that processors implement proper measures to comply with the GDPR and for protecting data subjects’ individual rights under the GDPR.[106] Processors must take reasonable steps to secure data in their possession,[107] delete and return all data to the controller at the end of the service contract,[108] obtain written permission from controllers before engaging a subcontractor, and assume liability for any GDPR noncompliance by the subcontractor.[109] In certain circumstances, the GDPR requires processors to appoint a DPO.[110] Given this accountability imposed on controllers and processors, firms should adopt procedures to vet new service providers and ensure GDPR compliance by existing providers.
[3] Principles
The GDPR outlines six foundational principles for all organizations that process personal data within the scope of the GDPR. We discuss each in turn below.
[a] Lawfulness, Fairness, and Transparency
The GDPR requires that law firms process personal data lawfully, fairly, and in a transparent manner.[111] To process data lawfully, a firm must identify one of six grounds for doing so[112] (i.e., (i) the data subject freely gave consent, or the processing is “necessary” (ii) to fulfill a contract with the subject, (iii) to comply with legal obligations, (iv) to save a person’s life, (v) to perform a task in the public interest or in the exercise of official functions, or (vi) for the legitimate interests of the company or its affiliate).[113] Fairness looks at the data subjects’ expectations and whether data-processing activities have an unjustified adverse impact on the subjects. Processing of personal data based on consent obtained through deceit, for example, is unlikely to be “fair.” Lastly, the “transparency” principle “requires that any information addressed to the public or to the data subject be concise, easily accessible and easy to understand.”[114] Recognizing that the “technological complexity” of modern data processing makes it “difficult for the data subject to know and understand whether, by whom and for what purpose personal data relating to him or her are being collected,” the GDPR requires companies to take steps to mitigate that issue.[115] The transparency principle also animates the GDPR’s new “right to be informed,” which we discuss below.[116]
[b] Purpose Limitation
The purpose limitation principle often goes hand-in-hand with the “lawfulness, fairness, and transparency” principle. It requires that personal data be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.”[117] In other words, law firms must be clear about the purpose for which they collect personal data, and any use of that data should align with the stated purposes for collection. Thus, if a firm wishes to use personal data for a purpose different from the originally disclosed purpose, (i) the new purpose must be “compatible” with the original one (i.e., where no other lawful basis applies),[118] (ii) the firm must obtain the data subject’s explicit consent to the new purpose, or (iii) the firm must have some other lawful basis for the subsequent use (e.g., it must be necessary to serve a “vital interest” or perform a “public function”).[119] In practice, the “compatibility” requirement essentially prohibits firms from processing data for an entirely different purpose than that for which the data was collected.
[c] Data Minimization
The GDPR’s data minimization principle requires law firms to identify the minimum amount of personal data necessary to achieve their lawful purpose—and to ensure they are collecting enough to achieve those goals, but no more than is necessary. Firms should conduct periodic reviews of stored data to ensure that it is still relevant to the firm’s present purposes and that any obsolete data is promptly deleted.[120] Note that other aspects of the GDPR (e.g., the accountability principle) require the firm to be able to demonstrate affirmatively that it is collecting and storing only the data it legitimately needs, thus highlighting the need for firms to adopt clear and justifiable data collection procedures and processes ex ante.
[d] Accuracy
Personal data must be “accurate and, where necessary, kept up to date.”[121] Moreover, law firms must take “every reasonable step . . . to ensure that personal data that are inaccurate . . . are erased or rectified without delay.”[122] This does not mean, however, that companies cannot keep records of mistakes or errors (for which there may be a legitimate business purpose). Rather, it simply means that erroneous data must be clearly identified as such.
[e] Storage Limitation
The so-called “storage limitation” principle provides that personal data must be “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed” but explicitly permits longer storage for data maintained for archival, scientific, historic, or statistical purposes.[123] To ensure compliance with this principle (as well as potentially competing requirements to retain client records for a certain period of time), law firms should review their retention policies and schedules to ensure periodic review and deletion of data that is no longer relevant or accurate, as well as the availability of processes that permit more immediate deletion of data, where appropriate.
[f] The “Security” Principle
The GDPR requires that personal data be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.”[124] Consistent with other privacy regimes, the GDPR...