Global Litigator. Gathering Personal Information in the Age of the GDPR

• Author: Mark G. Califano, Antoni Spatrikios, Polly Sprenger
• Pages: 11-13

Global Litigator

Published in Litigation, Volume 47, Number 3, Spring 2021. © 2021 by the American Bar Association. Reproduced with permission. All rights reserved. This information or any portion thereof may not be

copied or disseminated in any form or by any means or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. 11

MARK G. CALIFANO, ANTONIS PATRIKIOS, AND POLLY SPRENGER

Mark G. Califano and Antonis Patrikios are with Dentons, Washington, D.C., and London, respectively.

Polly Sprenger is with Addleshaw Goddard, London.

GATHERING PERSONAL

INFORMATION IN THE

AGE OF THE GDPR

The practice of law has become ever

more global and seamless in the 21st cen-

tury. But the worlds that counsel must

span when gathering information about

people and organizations have become

more complex.

Member states of the European Union

(E.U.) and many other countries, includ

-

ing the United Kingdom (U.K.), Canada,

Russia, and Brazil, have developed, and

are developing, legal privacy protections

for their citizens and residents that are

significantly broader than those in the

American legal system. When gathering

personal information of individuals and

organizations located in other parts of the

world, counsel must be mindful of those

laws to avoid peril for themselves and

their clients.

For now, let’s include the U.K. when

we refer to the E.U., because as a former

member of the E.U., the U.K. passed and

enforces the Data Protection Act, which

implements the General Data Protection

Regulation (GDPR). We’ll also look

separately at U.K. legislation and law, as

the U.K. is a common-law jurisdiction that

shares many American legal principles

and practices.

One of the most significant differ-

ences between the United States and

the E.U. is their starting points. Under

the GDPR and its implementing statutes,

there is no presumption that gathering

personal information—even publicly

available personal information—is le-

gally permitted. Rather, those laws re-

quire that there be a legitimate interest

in gathering personal information or

that knowing consent be obtained.

Furthermore, those laws generally re-

quire that the subject be notified of the

collection of his or her information; be

able to access, obtain, and transfer it;

and, in appropriate circumstances, even

be permitted to require its deletion. All of

these are relatively new laws, still largely

untested in the courts. Precedent is just

developing. Much of that precedent, in-

cluding that coming from other countries

that have similar privacy laws modeled

after the GDPR, sets high standards.

No counsel wants to be cut by these

bleeding edges. But does an American law-

yer in Cleveland fall under the jurisdiction

of these laws?

It’s possible.

The asserted jurisdiction of the GDPR

and its implementing laws is broad. To

start, those laws apply to any “controller”

of data (which can include lawyers and

their staff gathering and handling personal

information) or “processor” of data (such

as the provider of an email service) who (1)

has an establishment (think office or busi-

ness presence); (2) in the E.U.; and (3) who

processes personal data in the course of its

activities, regardless of where the process-

ing takes place (even outside the E.U.).

Controllers or processors may be indi-

viduals, companies, or other entities. This

first situation does not necessarily impli-

cate the American lawyer in Cleveland,

Ohio, unless, for example, counsel is at a

firm with an office in the E.U. or the U.K.

But the GDPR also applies where a

data controller or processor has no E.U.

presence, if that controller or processor is

monitoring the behavior of individuals in

the E.U. or offers goods or services (think

legal services) within the E.U. That is

where the American lawyer in Cleveland

may be implicated, even if that lawyer’s

firm has no offices in the E.U.

It’s tricky, though. The law is far from

settled. One could argue that, as a prac

-

tical matter, if that American lawyer in

Cleveland collecting publicly available

personal information in the E.U. has no

firm offices there or other substantive

connections, such as regular or steady

work the firm is performing in the E.U.,

then the long arm of the GDPR will likely

not reach the American lawyer.

Yet, many E.U. authorities hold an aggres-

sive view of the scope of their jurisdiction.

The Cleveland lawyer should be aware of

those risks, however remote they seem.

So what does this mean for American

lawyers?