It surprises me that technology has taken so long to be a profound influence on the legal profession and its work. After all, we have been using mobile phones and email for over 20 years, and all the rest – iPads, smartphones, online selling – have followed in its wake. But it is only now, it seems to me, that we are really getting to grips with the serious consequences.
I was reminded of this at a meeting held by my organisation, the Council of Bars and Law Societies of Europe (CCBE), earlier this month. On the most trivial level, the use of laptops at our meetings has become almost universal, a noticeable change over the last few years. It was not long ago that secretaries printed off vast piles of paper for their bosses to bring to the meeting (and some still do it that way). But the agenda this time also contained several important issues brought on by technology: data protection, cloud computing and electronic identity.
The European Commission has come up with a new data protection reform package (COM(2012) 11 and COM(2012) 10). Data protection often has to deal with its opposite – lack of data protection – and that is when our alarm systems sound, since we need to make sure client confidentiality is protected. In new legislation, it is that core value which we most often have to protect, since the mighty state, at European or national level, never thinks of it.
Sure enough, there are problems with the new package. Article 14 of the draft General Data Protection Regulation – which is the one numbered 11 above – sets out the principle that a data subject shall be informed about the fact that their data are being collected. There are exceptions to this rule, but not a specific provision for lawyers, who may therefore be required to provide a client’s opposing party with information and then grant this party access to their data, provided the lawyer has recorded the data. This would clearly be unacceptable, and would violate the duty of confidentiality by supplying client- and case-related data to the other side in a case.
We have other concerns about the reform package. Read our position paper. Then we come to cloud computing. As is well known, that is the storing and processing of data and software remotely in a third party’s data centre, accessed via the internet. It is growing in use all the time, and often lawyers are not even aware they are using the cloud, since some devices use it automatically and without notice. What are lawyers to do about this? Some in Europe would like to ban its use for lawyers – again because of the threat to our old friend, client confidentiality, and the general uncertainty over long-term access to the data – while others recognise its inevitability and want to control it. The CCBE has come up with some very useful guidelines.
The paper identifies threats to lawyers’ practices under various headings:
- Confidentiality – is the particular cloud reliable? Is clients’ consent necessary? Is unauthorised access to the data possible?
- Extraterritoriality – is the data stored in a country with fewer safeguards than the EU? Are there local rules which require the data to be handed over in certain circumstances? Is this the case even if the data is stored in the EU but by a foreign-owned company (there have been fears in this regard relating to the US Patriot Act)?
- Contracts with providers – who owns the data? Is it backed up adequately? Is it permanently available? Is it encrypted? Will you be told of security breaches? For how long will it be stored? What happens if you want it transferred elsewhere? What happens if the provider goes out of business? What happens if the technology to access the data changes?
You can read the full guidance here.
And so we come to the final topic I mentioned, electronic lawyer identity. This is important because cross-border legal practice, which already takes place on a massive scale in the real world of airports and offices, is now possible in the virtual world as well. The European Commission is funding a large-scale project (called e-CODEX) to link up the EU’s national e-justice systems, which will in due course enable a solicitor to register a company in Italy or file court proceedings in Latvia, without leaving the office or appointing an agent.
The challenging question is how to recognise that the person conducting the cross-border transaction is a lawyer. The CCBE is proposing to use its existing electronic lawyer directory (also developed using EU money) so that data in the directory generates the necessary and secure digital certificate to allow the transaction to proceed. I believe the technology is not complicated, but the path to success is littered with complicated policy questions. For instance, should the bars issue the requisite certificates (obvious, because they own the data)? Or should the CCBE do it (cheaper, because only one entity has to develop the necessary IT infrastructure)? There are pros and cons to each solution, and the CCBE is feeling its way to the answer, which has to be reached rather quickly. The choices made may govern lawyers’ e-practice for years to come.
I assume the share and importance of IT matters on the CCBE’s – and the bars’ – agenda will continue to grow. The above items are not the only ones: there are comparison websites, virtual law firms, online legal advice, and more. So much of our life takes place online nowadays. The only surprise is that it has taken so long to catch up with lawyers.
Jonathan Goldsmith is secretary general of the Council of Bars and Law Societies of Europe, which represents around a million European lawyers through its member bars and law societies. He blogs weekly for the Gazette on European affairs