The European Union's General Data Protection Regulation ("GDPR") is arguably the most comprehensive - and complex - data privacy regulation in the world. Although the GDPR went into force on May 25, 2018, there continues to be a great deal of confusion regarding the requirements of the GDPR.
To help address that confusion, Bryan Cave Leighton Paisner is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the GDPR.
Question: Is a law firm required to comply with an erasure request from a former client?
Answer: Not always. A company – including a law firm – is not always required to comply with a right to be forgotten request. Specifically, a law firm may continue to keep the personal data that it holds about a former client unless one of the following six situations applies:
- Data is no longer necessary. If personal data that a law firm collected about a client is “no longer necessary in relation to the purposes for which [it was] collected,” the firm typically must honor a right to be forgotten request.[1] On some level, however, the right to be forgotten in this context is redundant with other requirements found within the GDPR. Specifically, Article 5 of the GDPR independently requires that a law firm keep data in a personally identifiable form “for no longer than is necessary for the purposes for which the personal data are processed.”[2] As a result, if a firm properly complies with Article 5, there may be few, if any, situations in which a right to be forgotten request premised on the data no longer being necessary requires the firm to take any additional action. On the other hand, the existence of the right to be forgotten exposes a law firm that is not complying with Article 5 to potential civil liability vis-à-vis the former client who seeks to enforce his or her right.
- Data was processed solely on consent. The GDPR recognizes six alternative lawful grounds on which a law firm may process personal data.[3] One of these is where a person has “given consent” to the processing for a specific purpose.[4] If a law firm’s sole basis for processing data is the consent of an individual, the firm is typically required to honor a right to be forgotten request, which for all practical purposes may be viewed as a withdrawal of that consent. Conversely, if the processing also rests on another lawful ground (e.g., performance of a contract, or the legitimate interests of the law firm), the right to be forgotten request does not necessarily have to be granted.
- Data was processed based upon the law firm’s legitimate interest, and that interest is outweighed by the data subject’s rights. One of the other grounds upon which a law firm can process data is to further the firm’s “legitimate interest.” When processing is based upon a firm’s legitimate interest and the data subject objects to it, the data subject has a right to request deletion unless the interest of the firm or of a third party is demonstrably “overriding.”[5] So, for example, if a law firm uses a former client’s email address for direct marketing and the client requests that his information be deleted, the firm will have to honor that request: the GDPR gives data subjects an unconditional right to object to processing for direct marketing purposes (Article 21(2)-(3)), and in any event it would be difficult for the firm to demonstrate that its interest in direct marketing overrides the former client’s interest in having his information erased. Conversely, if a law firm maintains former client information as part of its conflicts database to help prevent the firm from inadvertently violating its professional obligations to avoid conflicts of interest, the law firm would have a strong argument that in most (if not all) situations its interest in maintaining an accurate conflicts database outweighs its former client’s interest in being forgotten.
- Data is being processed unlawfully. The GDPR states that a right to be forgotten request must be honored if the processing of the personal data is (or has become) unlawful.[6] Here, too, the obligation to honor a deletion request is largely redundant with other obligations within the GDPR. Put differently, if a law firm is complying with the other requirements of the GDPR, its processing would presumably be lawful, and there may be few, if any, situations in which a right to be forgotten request would require the firm to take any additional action. Framing this as an individual’s right, however, opens up a possible source of civil liability for the law firm toward its former client.
- Erasure is already required by law. The GDPR states that a right to be forgotten request must be honored if the data must “be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.”[7] This requirement also appears redundant with other legal obligations. If a law firm is required to erase data pursuant to Union or Member State law and is complying with that requirement, there may be few, if any, situations in which additional action would be necessitated by a right to be forgotten request.
- Personal data was collected from a child as part of offering an information society service. The GDPR requires the deletion of information, when requested, where the information was “collected in relation to the offer of information society services” to a child.[8] The GDPR sets the relevant age at under 16, although Member States may lower it to no less than 13. It is extremely unlikely that most law firms would be considered to have collected personal data from a child as part of offering an information society service.
Even if one of the situations described above is present, a law firm does not always need to honor a right to be forgotten request. For example, a firm can decline such a request if honoring it would interfere with a legal obligation under Union or Member State law that requires it to retain the data, or if the data is needed to establish, exercise, or defend legal claims.[9]
The net result is that if a former client requests that a law firm erase information that it has about the client, it is possible that some portion of that information should be erased. For example, if the law firm has information that was relevant to a particular representation (e.g., exhibits used at trial or notes relating to the representation) and the representation has concluded the law firm may determine that it no longer has a purpose for maintaining the information. On the other hand, it is extremely unlikely that a law firm would be required to delete all of the information that it maintains about a former client. For example, a law firm has a legitimate interest in retaining information concerning the name of a former client and the nature of the firm’s representation as part of operating a robust conflicts database. In the vast majority of situations, the law firm’s interest in being able to avoid potential conflicts arguably outweighs any interest that the client has in the erasure of the data.