GDPR Compliance and Data Transfers for the Legal Profession

First of all, what are the specificities of the legal professions in this regard and who are we targeting?

All legal experts, lawyers, bailiffs or notaries.

All professionals dealing with the law, in the service of justice, one of the major pillars of our democracy.

They are legal technicians, they are well qualified to read and interpret laws and regulations. They know how to write and handle legal technical terms, as well as the rights and obligations that applies.

They are bound by professional secrecy or client attorney privilege.

They are entrusted with personal data of all kinds, often of a sensitive nature or, to use the exact terminology introduced by the RGDP, “  Special category personal data   ” Article 9 RGDP. Imagine a divorce file, the documents exchanged include the entire personal, family, professional, financial, medical,… information related to the entire life of the couple. It goes from birth certificates, family record book, bank accounts, notarial deeds of all kinds, pay slips, etc. Everything will be handed over to the lawyer, some documents will be shared with the notary or the bailiff.

We will leave aside the jurisdictions.

It therefore includes the personal data of children, certain members of the family and when a testimony is entered in the file, the certificate will be accompanied by the witness’s identity document to be valid.

The issue of the transmission of personal data.

The lawyer communicates with the courts via a RPVA key giving access to a secure platform. A new RPVA2 platform has just been set up.

However, when it comes to communicating with clients, notaries or bailiffs, nothing is planned.

Most often, parts will be sent by email attachment.
Some will use file transmission modes, especially when the volume of parts requires it.

The transmission of personal data within the European Union extended to the EEA, the European Economic Area.

Any collection or processing of personal data must comply with the principles of the GDPR, in particular the principles set out in Article 5, namely lawfulness, loyalty, transparency, limitation of purposes, minimization of data, limitation of storage, accuracy of information, and above all, the integrity and confidentiality of data.

The definition of the processing of personal data in Article 4 of the GDPR is quite broad, it includes

”  Any operation or set of operations carried out or not using automated processes and applied to data or sets of personal data, such as collection, recording, organization, structuring, preservation, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of making available, reconciliation or interconnection, limitation, erasure or the destruction ;  “

The legal professional, like any personal data controller, must display a privacy policy, or information notice, defining the methods, lawfulness, or duration of the processing. The information notice must be presented before the data is collected – in accordance with article 13 RGDP – in simple and understandable language for all. The purposes of the data processing, the retention periods, the contact details of the data controller and, if applicable, the contact details of the Data Protection Officer, for the largest structures processing a larger volume of data, must be mentioned therein. Information on the rights of access, the right of modification, the right of erasure as well as the right of complaint as defined in detail in articles 13 to 20 of the GDPR will be recalled in this notice. In addition, the National Commission for Information Technology and Freedoms, CNIL,Privacy Impact Assessment to verify the compliance of processing with the GDPR.

Although court officers are protected by professional secrecy on the content of the data entrusted to them, they remain required to respond, without infringing professional secrecy, to any request for access or information which is theirs. sent under Article 15 of the GDPR as soon as possible and at the latest within one month. This will be the case, for example, of a customer or any other person legitimately wishing to know the processing of his personal data, as well as the retention period, the subcontractors accessing the data, the means of security, any transfers outside the EU. , etc …

Pay attention therefore to the methods and duration of storage and the identity of third parties with whom the data is shared, this information, which must be mentioned in the information notice, must be communicated to all persons who request it.

Also beware of requests for abusive identity checks. The communication of the identity document is not always necessary and moreover, it remains in itself a personal data whose treatment will be subject to the regulations. If you ask for an identity document and then answer that you do not have any personal data, you have omitted the identity document which burns your fingers.

The definition of ”  personal data  ” is quite broad and includes

“  Any information relating to an identified or identifiable natural person  ”.

Identifiable when the identity of the person can be revealed by the combination of scattered information. The man in the bowler hat is not named, but his presence noted on a guest list identifying a single hatchet makes him identifiable.

Some European countries have opted for the extension of protection to the deceased. This is not the case with France. However, it is possible that data of deceased persons involve survivors, in which case protection will apply.

An important limit to the obligation of communication article 15 RGDP comes up against the data of third parties. This information cannot be communicated and must therefore be extracted from the transmission.

It should be noted that the GDPR is not limited to digitized data. Classified manual processing is also covered. According to the terms of article 2 paragraph 1 of the RGDP, the material field extends

“The  processing of personal data, automated in whole or in part, as well as the non-automated processing of personal data contained or required to appear in a file  “.

It will therefore be necessary to ensure the integrity of the data accumulated in the files n, in particular limiting access to customer files. Think of the cocktail parties organized, opening the doors of the premises to third parties. The paper files must be kept under lock and key.

What remains crucial are the methods of data retention and restricted access by third parties. Remember that a processing agreement must be signed with all subcontractors. This includes IT services. This contract may include a confidentiality clause.

Archiving of resolved cases, offline or in a secure location is essential. Data minimization encourages the return of parts without delay. For current cases, the computer system should be regularly updated, protected by strong passwords.

If the Panamapapers scandal could explode, it is precisely thanks to a poorly protected and not updated computer system.

Cyberattacks and ransomware, or in the barbaric term, ransomware , have seen a marked upsurge during this pandemic period. The European security agency, ENISA, has released the latest official cyberattack figures. A second ENISA document explains the growing number of email attacks.

The European Union Agency for Cyber ​​Security (ENISA) has published its annual report on data breaches (January-April 2020). Highlights:
 (i) 54% increase in the total number of violations by mid-2019 compared to 2018;
 (ii) 71% of data breaches were motivated by financial reasons. Almost 25% had long-term strategic objectives (nation-state / espionage);
 (iii) 32% of data breaches involve phishing activity . Email is the primary method of distributing malware (94%) in a chain of events leading to a data breach;
(iv) 52% of data breaches involved hacking. The other tactics used are social attacks (33%), malware (28%), and errors or mistakes (21%). Since 2016, hacking has been the leading cause of data breaches in the healthcare industry. In 2019, almost 59% of reported violations were caused by hacking;
 (v) 70% of data breaches expose emails. Although the username / email and passwords (i.e. credentials) are easily changed relative to personal details (such as date of birth), the emphasis is mainly put on these in data breaches.

We mentioned earlier the case of very often used file transfer links. However, the free WeTransfer service is not encrypted. WeTransfer has been the subject of email-deflecting computer attacks or more recently a phishing attack , the link having been corrupted. “  Finally, continues Jean-Marc Boursat, CIOs must urge employees to be cautious about using public cloud solutions such as Dropbox or WeTransfer. Very popular for exchanging confidential documents and projects, these solutions nonetheless present a certain vagueness on the accommodation locations and their data confidentiality conditions. “. Very often if the informed user had read the terms of use of these services, he would quickly have turned around. Only the paid version offers the guarantee of encryption. Only, the recipient does not know what service it is.

Encryption of transfers is absolutely essential to guarantee their integrity. There are several solutions on the market. Do not neglect security or you risk damaging your reputation or the sustainability of your business.

Recently, the Paris Judicial Court, law firms and the Ministry of Justice were again victims of computer attacks. A judicial inquiry has been opened. It is no longer IF an attack occurs, it is when it will happen, we will have to be ready. The responsibility is heavy, the fines of the CNIL can go up to 20 million Euros or 4% of the total income in the event of non-compliance. In the event of a data leak or computer attack, the CNIL and / or the individuals affected when their data is at risk must be notified without delay and at the latest within 72 hours, in accordance with article 33 of the RGDP. This period runs even if the professional is on leave. 72 hours at the latest suggests that one or two managers have been identified in advance to be the point of contact with the CNIL 24/24 and 365/365.

Data transfers to countries outside the EEA.

There are two main categories of destinations outside the EEA: countries that have concluded adequacy agreements with the European Commission, there are currently 11, the latest being Japan.

The rest of the world is considered a country of inadequate protection. In principle no personal data should be transferred there without appropriate guarantees.

Until this summer, the United States benefited from a Protection Shield or Privacy Shield agreement . At the end of a long and very expensive legal battle, the Privacy Shield was invalidated by a judgment of the ECJ of July 2020, Schrems-II against Facebook.

From now on, no personal data can be transferred to the United States, but also to China, Russia, India and all countries outside the EEA or the group of 11 benefiting from an adequacy agreement. The notion of transfer has not been defined in the GDPR. The CNIL recently clarified in its observations to the Council of State in the case of the transfer of DataHub medical data to Microsoft, that a transfer took place when the data was placed in the hands of a company governed by American law such as than Microsoft.

The ECJ’s position stems from Edward Snowden’s revelations on US government interceptions, including FISA Section 702, Executive Order 12333, and DP98. The US Cloud Act authorizes the US government to claim data wherever it is located and regardless of the location of computer servers. This American interference is accompanied by a lack of guarantee of the rights of European subjects who do not have sufficient rights of recourse, at least equivalent to the rights conferred on them by the RGDP, for judicial redress in the United States.

Since the Schrems-II judgment and pending the resolution of a probable new negotiation between the European Commission and the American government, any transfer of data to the United States or any country without an adequacy agreement must be suspended. The Standard Contractual Clauses , or Standard Clauses of Data Protection, and Binding Corporates Rules , or Binding Company Rules , heavier and more expensive instruments, in principle maintained, must be the subject of increased protection measures and a risk analysis and of adequacy on a case by case basis. The Commission’s SCC models pre-date the GDPR, these clauses, the Commission promised, will need to be modernized by the end of the year.

Cases of derogations have been provided for. They are listed in article 49 RGDP.

Subject to transparency and information to the persons concerned on the risks incurred due to the lack of an adequacy decision and appropriate guarantees – attention this may be the client himself or any person whose data is transferred or even the opposing party – in the case of explicit consent from the interested party (s) or when the transfer is necessary for the performance or conclusion of a contract.

But be careful, these exceptions do not apply:

”  That if this transfer is not of a repetitive nature, affects only a limited number of data subjects, is necessary for the purposes of the overriding legitimate interests pursued by the controller over which the interests or the rights and freedoms of the data subject, and whether the controller has assessed all the circumstances surrounding the data transfer and has offered, on the basis of this assessment, appropriate guarantees with regard to the protection of personal data. The controller informs the supervisory authority of the transfer. In addition to providing the information referred to in Articles 13 and 14, the controller informs the data subject of the transfer and of the overriding legitimate interests he pursues  ”.

These exemptions, you will understand, are very strictly supervised. The case of the public interest does not seem to adapt within the framework of the activities of the auxiliaries of justice.

The assessment of the circumstances of the transfer is very important in all cases of transfer of sensitive personal data of which the judicial officers may be the holder. Encryption and the use of strong passwords are absolutely essential. In short, the exporter must ensure that the importer will guarantee a level of protection equivalent to the European protection guaranteed by the GDPR.

Personal data collected on websites.

More and more law firms, notaries or bailiffs have a website to represent their Officine on the net.

These websites often feature small file cookies that collect data from visitors and can track their web browsing . They facilitate site navigation by retaining usage parameters. They are also used to profile and target users.

There are two main forms, first party cookies which collect data directly for the site manager, and third party cookies which collect data by third parties, such as the best known, Google analytics, Facebook or YouTube when videos are imported. .

The regulations that apply to cookies derive from the ePrivacy directive currently under revision. There has recently been some back and forth between the Commission Nationale Informatique et Libertés, the CNIL, and the Council of State having partly invalidated the recommendations of the CNIL.

A recent judgment of the European Court of Justice, CEJ, Planet 49, fixed the rules of validity of the tracers, they can be cookies, or any other tracers like Pixels, Java Script, Fingerprint, etc…. Any tracing and collection of personal data presupposes transparency prior to any collection and the collection of consent. Consent must be expressed by a positive act. The principles of Privacy by Design and by default require that by default no data be collected without the express and informed consent of visitors. The obligation of transparency requires the presence of an information notice as mentioned above, accessible from all pages of the site.

The recommendations of the CNIL limited the retention period of cookies to 13 months. This period should be reduced to six months. In addition, the consent must be entered in a consent register and can be withdrawn at any time. The CNIL suggests ways to prove consent.

If the regulation of cookies and trackers depends on the ePrivacy Directive , the standard and the consent requirements must comply with articles 4 (11) and 7 of the GDPR, the European Regulation on Personal Data.

”  It must therefore be free, specific, enlightened, unambiguous and the user must be able to withdraw it, at any time, with the same simplicity as he has granted it  “.

Remember to always include an unsubscrive option to unsubscribe, if you distribute newsletters by email. ”  The CNIL adopted guidelines on September 17, 2020, supplemented by a recommendation aimed in particular at providing examples of practical methods of obtaining consent  “. These provisions have been transposed into French law in article 82 of the Data Protection Act.

The site manager must ensure compliance with these two texts. He has the obligation, according to GDPR art 28, to sign an agreement with all subcontractors, ensuring their compliance with the GDPR, which will also apply to the web designer.

He will not be able to hide behind a simple promise of conformity. A compliance audit is required.

It should be noted that when the site shares data with companies incorporated under American law, such as Google, YouTube or Facebook, this access to the data of site visitors should be considered as transfer to the United States. NOYB, the association created by Max Schrems, did not fail to file a complaint against 101 American companies, including the latter.

Following the decision of the ECJ, FashionID, it was judged that the website manager who authorizes access to personal data to a third party, becomes Co-controller with it, without the need to demonstrate that he would exercise control over this processing. This judgment made Co-controller, and thereby co-responsible, a Facebook page administrator with Facebook for the processing of personal data of its members. This principle will naturally be extended to the site manager who allows the collection of data by third party cookies .

The CNIL specifies, as an indication, that cookies which require the prior consent of users: All cookies not having the sole purpose of allowing or facilitating electronic communication or not being strictly necessary for the provision of an online communication service at the express request of the user requires the prior consent of the user. Among the cookies requiring prior information and the prior collection of the user’s consent, we can cite in particular:
 cookies related to operations relating to personalized advertising;
 social network cookies, in particular generated by their share buttons.

With regard to tracers not subject to consent, we can mention:
 tracers retaining the choice expressed by users on the deposit of tracers;
 tracers intended for authentication with a service, including those intended to ensure the security of the authentication mechanism, for example by limiting robotic or unexpected access attempts;
 trackers intended to keep in memory the contents of a shopping cart on a merchant site or to invoice the user for the product (s) and / or service (s) purchased;
 user interface personalization plotters (for example, for the choice of language or presentation of a service), when such personalization constitutes an intrinsic and expected element of the service;
 the tracers allowing load balancing of the equipment contributing to a communication service;
 plotters allowing paid sites to limit free access to a sample of content requested by users (predefined quantity and / or over a limited period);
 certain audience measurement tracers as long as they meet certain conditions.

Beware of cookie banners which either place cookies even before having received the visitor’s consent or which, despite the refusal of cookies, install them on the user’s terminal.

On the use of videoconferencing applications.

These apps can also transfer data outside of EEA and also carry security risks for their users. We invite you to read a previous article analyzing the question of their use by lawyers.

If these rules may seem restrictive, they are no less justified by digital globalization, the ease of intercepting, accumulating and the successful business of personal data. Digital technology has brought many facilities to the simplified processing of documents and the work of the lawyer. Gone are the days when assignments were typed one by one with a typewriter, each fault forcing to hand over the task. The modern lawyer has at his disposal means of performance allowing him a greatly increased efficiency. The downside, which is compliance with basic security rules and data protection, is a lesser evil.

The CNB has produced practical factsheets for law firms. However, the practice is still far from the required and necessary conformity.
Encryption is an absolute necessity. Cookie control should be strengthened as we approach the end of the grace period left by the CNIL.

The national control authorities are overwhelmed, of course, if you have been able to escape their control, there remains, in addition to individual remedies, the action of associations for the defense of rights such as NOYB, la Quadrature du Net, Privacy International , and others. Class actions are now allowed.

Above all, the legal professional, bound by professional secrecy which is so dear to him, and enamored of rights and freedoms, must comply with the regulations which are imposed on everyone.

To finish and to complete the picture, a last article on the Why of Respect for Privacy:  [ 1 ] .