The European Union's General Data Protection Regulation ("GDPR") is arguably the most comprehensive - and complex - data privacy regulation in the world.  Although the GDPR went into force on May 25, 2018, there continues to be a great deal of confusion regarding the requirements of the GDPR.

To help address that confusion, Bryan Cave Leighton Paisner is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the GDPR.

Question: Is a law firm required to respond to a data subject erasure request?

Answer: Yes. To the extent that a law firm is considered a controller of data, it is responsible for responding to a data subject that requests the “erasure of personal data” that is held by the law firm.¹  Such a request might originate, for example, from an employee of the law firm, a former employee of the law firm, a client, an adversary in litigation, or a witness in litigation.

It is important to note that the obligation to respond to a request for erasure does not mean that a law firm must always delete the information that it holds about an individual.  Rather the right to be forgotten exists only in the following six limited situations:

1. A law firm must delete data upon request if that data is no longer necessary.  If personal data that was collected by a law firm about an individual is “no longer necessary in relation to the purposes for which [it was] collected,” the firm typically must honor a right to be forgotten request.² On some level, however, the right to be forgotten in this context may be redundant to other requirements found within the GDPR.  Specifically Article 5 of the GDPR independently requires that a law firm keep data in a personally identifiable form “for no longer than is necessary for the purposes for which the personal data are processed.”³  As a result, if a law firm properly complies with Article 5 of the GDPR there may be few, if any, situations in which a right to be forgotten request that is premised on the fact that the data is no longer necessary requires that the firm take any additional action.
2. Law firms must delete data upon request if the data was processed based solely on consent.  The GDPR recognizes that law firms may process data based on six alternate lawful grounds.⁴ One of these is where a person has “given consent” to the processing for a specific purpose.⁵  If a law firm’s sole basis for processing data is the consent of an individual, the firm is typically required to honor a right to be forgotten request, which might for all practical purposes be viewed as a revocation of that consent.  Conversely, if processing is based on an additional permissible purpose (g., performance of a contract) the right to be forgotten request does not necessarily have to be granted.
3. Law firms must delete data upon request if the data was processed based upon the controller’s legitimate interest, and that interest is outweighed by the data subject’s rights.  One of the other grounds upon which a law firm can process data is to further the firm’s “legitimate interest.”  When processing is based upon a firm’s legitimate interest, a data subject has a right to request deletion unless the interest of a controller or a third party is demonstrably “overriding.”⁶ So, for example, if a law firm uses an individual’s’ email address for direct marketing, and the individual requests that his information be deleted, the firm may have to honor that request as it would be difficult for it to demonstrate that its interest in direct marketing overrides the individual’s interest in having his information erased.  On the other hand if a firm has collected personal data in order to advise its client, or to defend a client, its legitimate interest in carrying out a core function of its legal, ethical, and professional duties arguably overrides the interest that most individuals would have in their information being deleted.
4. Law firms must delete data upon request if data is being processed unlawfully.  The GDPR states that a right to be forgotten request must be honored if the processing of the personal data is (or has become) unlawful.⁷ Here, too, the obligation to honor a deletion request may be redundant of other obligations within the GDPR.  Put differently, if a law firm is complying with the other requirements of the GDPR its processing would presumably be lawful and there may be few, if any, situations in which a right to be forgotten request would require that the firm take any additional actions.
5. Law firms must delete data upon request if erasure is already required by law.  The GDPR states that a right to be forgotten request must be honored if the data is required to “be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.”⁸ This requirement also appears redundant to other legal obligations.  If a firm is required to erase data pursuant to another Member State law and is complying with that requirement, there may be few, if any, situations in which additional action would be necessitated by a right to be forgotten request.

Even if one of the situations described above is present, a law firm does not always need to honor a right to be forgotten request.  For example, a law firm could choose to decline such a request if honoring it would interfere with a legal obligation imposed on the firm to maintain the data.⁹   The GDPR also provides an exception to the right of erasure if the data controller is using information establish, exercise, or defend a legal claim. [10]  While this exception arguably applies to situations in which a law firm is using data to help a third party (e.g., its client) establish, exercise, or defend a claim in litigation, little regulatory guidance exists concerning the application of this exception to law firms.

1. GDPR, Article 17(1).

2. GDPR, Article 17(1)(a).

3. GDPR, Article 5(1)(e).

4. GDPR, Article 6(1)(a)-(f).

5. GDPR, Article 6(1)(a).

6. GDPR, Article 17(1)(c).

7. GDPR, Article 17(1)(d).

8. GDPR, Article 17(1)(e).

9. GDPR, Article 17(3)(b), (e).

10. GDPR, Article 17(3)(b), (e).

[View source.]