It’s a Small, Small World: GDPR — not just for EU lawyers

By Edward McIntyre

Macbeth and Duncan were returning from court when Clyde Tabbit caught up with them.

“Macbeth, got a question. Got a minute?”

“Here’s our building. Let’s go up to the office.”

“Really shouldn’t take long. Just a quick ‘yes’ or ‘no’ —”

“You never know, Clyde. Come, join us.”

When the trio were seated in Macbeth’s conference room, Sara joined them.

“Now we’re all here. OK, Clyde, what’s the quick question?”

“Well, I keep getting strange requests from a couple of clients.”

“Proceed.”

“So, I represent a guy who moved to Italy years ago. Permanently. But still has a business here. As well as in Italy and other places.”

“We get the picture. What’s the issue?”

“Well, he keeps making these flaky demands on me to identify all the information I’m ‘storing’” — Clyde used air quotes — “on him. On his companies. Getting more and more insistent. I’ve blown him off. But he won’t stop.”

“Let me see if I understand. He resides in Italy. A citizen there?”

“Yep, dual. Some family connection.”

“You provide legal services to him?”

“Of course. He’s my client. Both him and his businesses. There and here. Why?”

“Have you noticed all the ‘privacy updates’ you’ve been getting recently? From social media sites and other internet providers?”

“Come to think of it, yeah. Keep getting one from CNN about terms of service and privacy and stuff. Annoying. Even from some law firms. Can’t figure why.”

“Likely GDPR compliance. I suspect that’s what’s triggered your Italian client’s requests.”

“GDPR?”

Macbeth nodded to Sara.

“The General Data Protection Regulation. Enacted in 2016, but effective May 25, 2018. The GDPR’s purpose is to provide a uniform law governing the protection of personal data across the European Economic Area. That’s the EU plus three other European countries. It replaces the individual national laws passed under the 1995 Data Protection Directive. The GDPR is intended, among other things, to clarify, strengthen and modernize data protection. Especially in light of the changes in how companies collect and process personal information.”

“So what. I’m not in Europe.”

“You provide services to a European citizen, living there. Some of the services related to his businesses there. Does he pay you in euros or dollars?”

“Euros. Conversion costs me money every time. But I’m here, not there.”

Sara continued. “The GDPR applies to any organization collecting or processing anyone’s personal information. Think ‘personal data.’ If that collection or processing is done in relation to activities of the organization established in the EU. No matter where the collection or processing takes place.”

“See, I’m not an ‘organization established in the EU’” — more air quotes. “Doesn’t apply.”

“I understand your point. But if a U.S. firm offers services to EU residents, then the firm is subject to the GDPR. It’s a fact-based analysis whether a company is offering services to EU residents, but services payable in euros likely would be.”

“Ouch. Does that include my clients in France and Sweden, as well?”

“France is part of the EU; Sweden joined the EEA. So, yes.”

“What does all this mean?”

“Essentially, it requires greater transparency by those who collect or process data to the owners of the data — among a lot of other things. Very stiff penalties for non-compliance.”

Clyde looked to Macbeth. “What does this mean for me?”

“From a professional responsibility viewpoint, two things come immediately to mind.”

“OK —”

“First, you have an ethical obligation under Rule 3-500 to respond to reasonable client inquiries. Given the effective date of GDPR and your transparency obligations, you have a duty to respond to your client’s questions.”

“All of them?”

“I’ll let Sara spend time with you about the GDPR requirements. She’s our expert. Ethically, the requirement is to keep the client ‘reasonably informed’ about significant developments in the representation. I think a change in law this significant to a client’s rights would be considered a ‘significant development.’”

“Other advice?”

“But be sure to remind your client that you, as a lawyer, are duty-bound — new Rule 1.6, former Rule 3-100, and section 6068(e)(1) — to keep all the client’s information confidential. ‘At every peril to yourself.’ You don’t share it. That should address some of the client’s legitimate data privacy concerns.”

“Good idea. Anything else?”

“Our duty of competence requires us to have or acquire the requisite skill and learning, or consult with a competent lawyer who has them, when representing a client. A COPRAC formal ethics opinion, and amendments to two ABA Model Rules, suggest the duty of competence applies to knowledge about technology. I think a lawyer representing clients in Europe has a duty to understand those clients’ GDPR rights. And the lawyer’s GDPR obligation toward those clients.”

“Even if we practice in the United States?”

“A small world just got a lot smaller, my friend. Spend some time with Sara in the conference room. She’ll walk you through all the new GDPR data privacy requirements, including the right to ‘be forgotten’ and what that might mean to our duty to former clients and conflicts, and such.”

“Wow!”

“Wow it is, my friend.”

Macbeth and Duncan started to leave, Macbeth humming the tune from “It’s a Small, Small World.”

Editor’s Note: The COPRAC opinion to which Macbeth referred is Formal Opinion 2010-179.
See also comments to ABA Model Rules 1.1 and 1.6, competence and confidentiality. New and revised Rules of Professional Conduct become effective November 1, 2018.

Edward McIntyre is an attorney at law and co-editor of San Diego Lawyer. 

No portion of this article is intended to constitute legal advice. Be sure to perform independent research and analysis. Any views expressed are those of the author only and not of the SDCBA or its legal committee.

This article was originally published in the Sep/Oct 2018 issue of San Diego Lawyer.