The European Union's General Data Protection Regulation ("GDPR") is arguably the most comprehensive - and complex - data privacy regulation in the world.  Although the GDPR went into force on May 25, 2018, there continues to be a great deal of confusion regarding the requirements of the GDPR.

To help address that confusion, Bryan Cave Leighton Paisner is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the GDPR.

Question: Is a law firm required to distribute a privacy notice to all data subjects about whom it has personal data?

Answer: No. Most law firms collect personal data in five contexts – they collect (1) data about their employees, (2) data about potential clients, (3) data about current clients, (4) data received from a client relating to a representation, and (5) data received from third parties related to a representation.  As is discussed below, the context in which the data is collected impacts whether a privacy notice should be provided.

1. Employee data. Law firms should generally provide a privacy notice to employees whose information may be subject to the GDPR.
2. Potential clients. Whether a law firm is required to provide a privacy notice to a prospective client about whom it has researched information (e.g., obtained information from a website or a public directory), depends largely upon whether doing so would “prove[] impossible” or would “involve a disproportionate effort.”[1]  For example, if a law firm utilized a public directory in order to find the names and educational background of the senior management of a prospective client the firm might argue that it would be impossible to provide the individuals with a copy of the firm’s privacy notice as the firm does not have contact information for each data subject.  Alternatively, even if contact information was publicly available (e.g., was within the same public directory) a firm might argue that notifying each individual whose name appears in a public report would involve a disproportionate effort that would interfere with the practical ability for the firm to conduct public research.  To the extent that a firm intends to rely upon either an argument of impossibility or disproportionate effort the firm should consider steps to reduce the potential privacy impacts upon the data subjects by considering “measures to protect the data subject’s rights, freedoms and legitimate interests.”[2]  One such measure would be making its privacy notice “publicly available” and limiting how the information that it obtains is used.[3]
3. Current clients.  Whether a law firm is required to provide a privacy notice to a current client (assuming the client is a natural person) depends upon whether the client “already has the information” contained within the notice.[4] Where a law firm’s practices would be expected and understood by a client, the law firm could argue that the distribution of a privacy notice is not required.
4. Data received from a client as part of a representation. When a client provides a law firm with information about other people, a law firm is not obligated to provide those other people with a copy of its privacy notice if doing so would violate “an obligation of professional secrecy regulated by Union or Member State law,” be impossible (e.g., where the law firm does not have contact information for the third parties), or involve disproportionate effort.[5]
5. Data received from third parties related to a representation.  When a law firm receives information about third parties during the course of representing a client, the law firm is not obligated to provide those third parties with a copy of its privacy notice if doing so would violate “an obligation of professional secrecy regulated by Union or Member State law,” be impossible (e.g., where the law firm does not have contact information for the third parties), or involve disproportionate effort.[6]  So, for example, if a law firm interviewed a witness to a dispute and that witness provided the names of additional witnesses that might be relevant to the dispute, the law firm may not have to provide a privacy notice to those additional people if doing so would necessarily violate an obligation of professional secrecy to its client, if it lacked contact information for the additional data subjects, or if contacting the additional data subjects would be unduly burdensome.

1. GDPR, Article 14(5)(b).

2. Article 29 Working Party, WP260Rev.01 “Guidelines on transparency under Regulation 2016/679,” at 31.

3. Id.

4. GDPR, Article 13(4), 14(5)(a).

5. GDPR, Article 14(5)(b), (d); Article 29 Working Party, WP260Rev.01 “Guidelines on transparency under Regulation 2016/679,” at 33.

6. GDPR, Article 14(5)(b), (d); Article 29 Working Party, WP260Rev.01 “Guidelines on transparency under Regulation 2016/679,” at 33.

[View source.]