The dynamic nature of information technology in the 21st century presents enormous challenges. As the global legal profession is using the latest IT to its full advantage, the risks are greater than ever.
ACS:Law is being investigated by the UK’s Information Commissioner’s Office (the ‘ICO’) over allegations of breaches of data protection laws after a list of thousands of alleged web pirates, who it said illegally shared adult films, appeared on the internet. The firm had been instructed by companies such as Sky Broadband to claim compensation from the individuals on their behalf.
This well-publicised, disastrous state of affairs in which ACS:Law found itself in Autumn 2010 helped bring the risks attached to data storage to the fore. All businesses, even the most visible and well-policed organisations, can inadvertently be at risk of breaching data protection laws. In January, for example, the UK’s House of Lords said a database used by the Serious Organised Crime Agency ‘does not comply fully’ with the Data Protection Act 1998 (the ‘DPA’) or the Human Rights Act because too many organisations could access it.
An ICO spokesperson says: ‘For the last financial year the ICO received 33,234 individual requests for advice and complaints under the Data Protection Act. Of these, over 9,000 cases were considered as potentially breaching the Act. Of the complaints received in the last financial year, 1.25 per cent were complaints about solicitors or barristers. The ICO has issued four monetary penalties so far, however it is only where we come across a case that meets the necessary criteria we will issue a penalty. So far no law firms have received a monetary penalty. However, this does not mean that organisations from this sector will not do so in the future if we find the criteria to have been met.’
But the risks exist for law firms worldwide. Fabrizio Cugia di Sant’Orsola, partner at Rome-based law firm Cugia Cuomo & Associati is Vice-Chair of the IBA’s Communications Law Committee. He warns that most law firms make use of several internet-based IT facilities that represent a ‘continual menace of data leaking’. He says: ‘Applicable regulation should focus on this, providing a security framework which is, at the same time, viable for the operators, in terms of costs and overall impact on the professional service, and reassuring for clients.’ He points out that intellectual and industrial property law, IT law, corporate law and criminal law are the most at risk areas of practice.
In the United States there is no comprehensive law on data protection and privacy issues comparative to the UK’s DPA. Lisa Sotto, of New York firm Hunton & Williams, explains that there is a ‘patchwork quilt’ of privacy requirements with well over 100 state privacy laws and about 12 federal privacy laws. She says: ‘A comprehensive federal law will likely be on the agenda for the next session of Congress. In the present lame duck session, there were two bills presented that would have imposed a more comprehensive standard than is currently in place.’ But she says that with a financial privacy law and health privacy law already in place, a law that would regulate privacy on an omnibus scale and replace those laws is ‘unlikely’.
Sotto adds: ‘The proposals will likely focus on online behavioural advertising, which has been a hot-button issue in the US for a couple of years.’ She says this issue has become well-known to lawmakers and is ripe for legislation. The question is whether there is a real need for comprehensive data protection in the States. Edward McNicholas, a partner at Washington law firm Sidley Austin is clearly doubtful and says it may actually be the opposite of what is needed in terms of advancing technologies. He explains: ‘New technologies will have profound impacts on our sense of personal autonomy, social boundaries, and privacy – both for the better and the worse. In this environment there is a risk that a comprehensive privacy law could lead to incentives that diminish innovationon the internet and unnecessarily chill the freedom of speech.’
‘The approaches of the EU and the US to privacy and data protection could not be more different and the US needs to eradicate this divergence in approach’
McNicholas continues: ‘The uncertain promise and peril of future technologies suggests that we should move cautiously and in a manner that responds to specific issues in specific sectors. Indeed, the common law method of creating rules not by grand administrative announcement but rather by the thoughtful accumulation of reflections on a multitude of specific cases may produce a superior result here.’
Europe has just celebrated ‘European Privacy Day’, 30 years after the Council of Europe signed the first regional convention on privacy and data protection, which the EU justice commissioner has described as the ‘backbone of privacy laws in Europe’. EU legislation has followed including, notably, the EU Data Protection Directive, which is designed to protect the privacy and protection of all personal data collected on EU citizens – particularly as it relates to processing, using or exchanging such data. Under the Directive, unless a country’s data protection laws are deemed by the EC to be adequate, extra restrictions are placed on transferring any personal data or allowing it to be processed in that country.
The Directive takes into account the key elements of Article 8 of the European Convention on Human Rights (ECHR) in relation to the individual’s rights of privacy and requires that personal data should not be transferred to a country or territory outside the European Economic Area (EEA) unless that country or territory provides for an adequate level of data protection. In February 2011, for instance, Israel was formally added to the roster of seven countries whose data protection laws are considered by the EC to be adequate for companies there to receive and process personal data from companies in the European Union.
Unsurprisingly, breaches of data protection still occur in European jurisdictions. For instance, last year the Spanish Data Protection Agency levied a €30,001 fine on a Spanish law firm for sending e-mail spam.
back to top
The lack of a comprehensive law in the US has created simmering tensions between the US and Europe. But this is being tackled proactively with the EC and the US attempting to overcome their differences with a proposed police and judicial cooperation privacy agreement, which, says the EC, will guarantee a certain number of basic rights for those whose data is gathered, enabling them to take legal action in Europe or the US against abuses of those rights.
Daradjeet Jagpal, an IT lawyer at Scottish firm Harper Macleod, believes a single, bilateral arrangement that consolidates the existing, and sometimes divergent, framework is overdue. He says the US is widely recognised as offering one of the lowest levels of privacy and data protection globally. ‘The approaches of the EU and the US to privacy and data protection could not,’ he adds, ‘be more different and the US needs to eradicate this divergence in approach. The US needs to have stronger levels of binding data protection standards.’
McNicholas says the proposed agreement ‘may’ work in the US: ‘Common ground certainly exists between Europe and the US that should allow agreements on enforceable privacy rights. Indeed, the US regime has placed far more emphasis on the enforcement of rights for some time, such as through the availability of class actions and significant fines for information security breaches.’
McNicholas continues: ‘That being said, the fundamental US cultural, legal and social significance of the freedoms of speech and association will need to be taken into account in any effort to guarantee privacy rights. Rights to privacy often involve not merely allowing people to choose not to disclose information. Rights to privacy can also involve using the coercive power of governmental authorities to restrict the way companies and people use information that they already possess. Any workable solution must grapple with this basic tension. Any approach that considers privacy to be the only basic right at issue cannot lead us to a workable solution.’
However, the jurisdictional reach and varying legal regimes involved means a workable agreement could be tricky and Cugia says there are grounds for scepticism. He explains: ‘Personal data protection boosts the rank of fundamental human rights within the European framework, whereas no comparable explicit constitutional right exists in the US. These different philosophies cannot be integrated into one unified and coherent data protection system without a “less is best” result being the probable outcome. I believe that the agreement will contain a minimum set of rules and rights and a long list of exceptions to personal data protection.
Cugia continues: ‘Presently, the workability of the proposed data processing agreement cannot be effectively assessed. Much will depend on how the US will concretely implement the objectives set forth in the future instrument and on how such implementation will impact the freedom US authorities have enjoyed until today in dealing with the terrorism issue. The EU, for instance, intends that the agreement applies to any existing (such as the “Passenger Name Record” and “Terrorist Finance Tracking Program”) and future EU/US agreements that regulate transfers and processing of personal data when cooperating on criminal matters. What if the proposed agreement would somehow be capable of impairing and limiting the effects of the TFTP?’
Also, Cugia warns that the US could ‘call a halt and rethink everything from scratch’.
back to top
McNicholas says law firms in the US share strong traditions of extensive professional regulation to ensure confidentiality. Also, state bar associations have examined each new technology, from mobile phones to cloud computing, to ensure clients’ private information remains secure. But he adds: ‘That being said, US law firms possess significant, valuable personal and confidential information, and they often represent clients who may be unpopular with certain groups.
‘It will be important for law firms to remain at the forefront of efforts to protect themselves and their clients’ information from cyber security threats, including so-called advanced persistent threats (APTs), so that the internet attacks and alleged information leakage involving ACS:Law remain a rare event.’ APTs are major and sophisticated, long-term and specifically targeted cyber security attacks aimed at stealing confidential data from governments and businesses. A key feature of APTs is their malevolent ability to move by stealth from one compromised host to another without detection.
Sotto says law firms in the US appear to be ‘behind the curve’ in considering privacy and data security in their own backyards. She adds: ‘While there is a handful of firms in the US that understand their obligations pursuant to global data privacy and security requirements, I suspect that many do not have a strong sense of the rules and are, for example, transferring EU data to the US without having a data transfer mechanism in place to legally accomplish such a transfer. Law firms have strong confidentiality obligations, so I suspect many US lawyers think that these obligations suffice.’
‘For the last financial year the ICO received 33,234 individual requests for advice and complaints under the Data Protection Act.’
Cugia warns that the risk for law firms and lawyers in Europe with respect to data protection issues is ‘most real’. He explains: ‘At the very base of our profession lies a sense of confidence and confidentiality. Professionals are committed to a most stringent obligation to adequately secure the data they process and specific data protection laws apply to this effect. In Italy, for example, the national authority for data protection issued a detailed resolution on the declination of general Italian data protection laws when applying to lawyers and law firms.’ Cugia continues: ‘On the one side, the privacy of clients is thereby ensured by a number of practical measures, mostly pertaining to paper documents and files. On the other side, the procedures for the gathering of express consent to data processing and retention by professionals have been materially simplified, with a view to streamlining the activity.’
During the last IBA Conference in Vancouver, a significant number of working sessions focused on privacy issues. Cugia says: ‘In the near future, most enterprises will be able to have full and effortless access to a vast number of consumers’ preferences, likings, whereabouts and commercial habits. This is fact. Now the question is if – and to what extent – this massive gathering of data should and could be limited, regulated or remedied? ‘The remote-processing of data (often, personal data) on virtual servers, both dedicated and user-operated also represents a material risk for operators (in terms of liability) and users. All data moving on the internet is capable of being monitored, at some point or the other, and data encryption has more and more proved to be a quantitative remedy to a qualitative problem.’
Cugia continues: ‘Lawyers can play a significant role in defining best practices, at this peculiar point in time, when regulators are still one step behind the most recent IT developments. The IBA is seriously interpreting its role in this sense and committees are working to divulge knowledge and create awareness for its members to offer a more valuable service to both sides of the table, operators and users.’ In the UK, the ICO says it regularly provides advice and guidance for organisations to ensure they remain compliant with both the DPA and relevant regulations. It says: ‘Organisations should not only have the right policies in place, for example around the encryption of portable storage devices, but also make sure that these policies and accompanying procedures are regularly monitored to ensure they are being effectively carried out by their staff. Any policies and procedures introduced to guard against potential data breaches should also be regularly reviewed and updated to ensure they successfully meet the requirements of the DPA as well as the changing nature of the organisation itself.’
McNicholas warns: ‘We should remain mindful that we are still in the infancy of the information age and it will take great foresight to craft legislation that can protect both innovation and privacy. That being said, some of the proposed more general privacy bills on Capitol Hill are trying to address these concerns and it is possible that the right legislation here could be helpful, as some of the leading technology companies have indicated.’ McNicholas concludes: ‘But this will be unlikely to result in an omnibus, Europeanstyle data protection law.’ Whatever the nature of future US legislation, and a final EU/US bilateral agreement, the fact remains that law firms must continue to be alert to the data protection risks of running their business – or face the consequences, both financial and to their reputations.
back to top
UK regulatory powers
Under the DPA, if you hold and process information about your clients, employees or suppliers you must:
only collect what you need for a specific purpose;
keep it secure;
ensure it is relevant and up to date;
hold as much as you need only for as long as needed; and
allow the individual concerned to see it on request.
The ICO, based in the UK, is an independent official body responsible for administering the provisions of the DPA and the Freedom of Information Act 2000. Firms guilty of breaching the DPA can be fined up to £500,000 by the ICO. According to the ICO, in January 2011, 80 per cent of people were concerned about the safety of their personal details that were online.
No comprehensive data protection legislation exists in the United States.
A sectoral approach, with a mix of legislation, regulation and selfregulation, is used in the absence of comprehensive legislation.
The US is a signatory to the 1981 OECD Guidelines, but has not implemented them domestically. In 2000, the US Department of Commerce developed the Safe Harbour Program (SHP) in consultation with the European Commission, which offers a method by which US organisations can comply with the Directive.
Under the SHP, where US businesses in receipt of EU citizens’ personal data undertake to comply with the SHP, then the US recipient business in question can be considered as providing ‘adequate safeguards’ for the protection of EU citizens’ personal data in terms of the EU Data Protection Directive. The business is therefore entitled to have the relevant personal data transferred to it.
The SHP has not, says Daradjeet Jaqpal, been used as much as was initially anticipated. He says: ‘Businesses have instead been more content to rely on data protection clauses in commercial agreements in the form approved by the European Commission, and subsequently adopted by national data protection regulators across the EU.’
European Union/US Cooperation
A possible police and judicial cooperation agreement between the European Parliament (EP) and the US is under consideration. At the EP’s Civil Liberties Committee hearing in October 2010 an EP representative said the Americans ‘will have to be as flexible as possible, because we shall not be easy partners’.
The agreement, as currently envisaged by the Commission, will guarantee a certain number of basic rights for those whose data is gathered to enable them to take legal action, in Europe or the USA, against abuses of these rights. A key issue is recognition that EU citizens possess the same rights as Americans under the Privacy Act.
Nicola Laver is a freelance journalist and can be contacted at firstname.lastname@example.org.
Back to top