The EU’s General Data Protection Regulation — which applies to US law firms that represent EU citizens or companies or hold data about EU citizens — allows EU citizens the right to have their data erased in certain circumstances. But the GDPR’s “right to be forgotten” could potentially butt heads with legal ethics requirements, which as a practical matter, necessitate the retention of former clients’ personal data to enable the firm to run conflicts checks.
Responding to a law firm’s request, the Maryland State Bar Association Committee on Ethics addressed the potential smackdown between legal ethics and the GDPR in Ethics Docket No. 2018-06. The Committee began by explaining that “there may be exceptions in the GDPR that would permit an attorney to retain sufficient information” to run conflicts checks and if that were true, then the GDPR would not raise an ethics issue.
The Committee went on to say that ethics issues would arise if GDPR required an attorney to delete all information about a former client – because doing so could preclude an effective conflicts check. Thus, the Committee concluded that
if a lawyer or law firm gives the client a full explanation of the consequences if a client exercises its “right to be forgotten,” including an explanation of the reasons why a law firm or attorney tracks client and matter information, and the client nevertheless gives written instruction to delete all of its data, we believe that the client has waived any conflicts that may arise in the future with respect to other clients and that may have been avoided by use of the deleted data.
However, the ethics experts quoted in a Bloomberg story suggested that the question of whether the GDPR could interfere with lawyers’ need to preserve data to avoid future conflicts was hypothetical at best. Steven Puiszis, a partner at Henshaw & Culbertson opined that “retaining personal information in a conflicts database necessary to run a conflicts check fits easily within that exemption [to the GDPR]” A second expert agreed that [T]he GDPR recognizes that a lawyer may keep information that is collected in furtherance of the law firm’s ‘legitimate interest.”
Still, even though the GDPR and ethics rules can be reconciled in this scenario, it’s only a matter of time that they collide, as I’ve been predicting for some time . And when that happens, lawyers will have to find a way to adapt because legal ethics will have to give way to real law.