Lawyer data: are you listening?

It has taken a year so far. Slowly but surely the world is beginning to re-orient itself in the wake of the Snowden revelations. The beginnings are modest. My own organisation, the Council of Bars and Law Societies of Europe (CCBE) has just released a Comparative Study on Governmental Surveillance of Lawyers’ Data in the Cloud, available on our website. This looks at EU jurisdictions to see what protections exist from government surveillance.

The report comes to a conclusion which, on reflection, should not be startling. It says that, while strong protections have been built up for searches of a lawyer’s premises (in some countries, a representative of the bar must be present, while in others a judicial warrant is obligatory), there is no similar protection in all countries for electronic surveillance.

‘The CCBE sees it as a fundamental weakness that the regime governing interception of telecommunications is so fundamentally different from (and usually weaker than) the rules governing search and seizure of evidence in physical premises.’ It goes on to say that the overriding principle should be that what protection is granted in the paper world should be granted also in the electronic world. The CCBE is now seeking EU funding for a much more profound study on the subject, with a view to future action.

The European Commission has not been idle. It is a known phenomenon of the Snowden revelations that European competitors of the US internet giants have seen an opportunity to promote themselves. The commission is keen to establish Europe as a trusted region for cloud computing – in their words, ‘building on Europe’s reputation for high standards of data protection, security, and for its handling of public services and transparency issues’.

There is a European Cloud Steering Board, headed by the president of Estonia (a country which leads the way in citizens’ access to electronic services). The board has just released a report called Establishing a Trusted Cloud Europe, which lists legal services along with health services as one of the sectors with special needs. It is conducting a survey on responses to this report, closing on 2 May.

The European Commission has also set up an experts group to develop model contract terms that would regulate a number of cloud computing issues, such as: data preservation after termination of the contract; data disclosure and integrity; data location and transfer; ownership of the data; and direct and indirect liability for change of service by cloud providers and for subcontracting.

Internationally, a sure sign of the legal profession’s anxiety about a topic is the frequency with which it is raised in sessions at legal conferences. A few years ago, it was multi-disciplinary partnerships. Nowadays, it is very often alternative business structures. But coming over the horizon as a hot favourite is cloud computing.

None of this activity goes to the root of the Snowden revelations, which is that governments are spying on citizens, and as a result sweeping up data that is subject to lawyer-client confidentiality. Obviously, there is very little that the legal profession itself can do to ensure the cybersecurity of data which powerful intelligence agencies want to penetrate (other than sticking to typing). As Snowden has shown, the sophistication and reach of the agencies’ IT programs are all but irresistible. Yet ‘very little’ does not mean nothing.

For instance, the American Bar Association (ABA) wrote on 20 February to the National Security Agency (NSA), following Snowden revelations in the New York Times that a law firm had been spied on. The NSA replied on 10 March with a ringing endorsement of its belief in lawyer-client confidentiality.

A sample quote: ‘NSA is firmly committed to the rule of law and the bedrock legal principle of lawyer-client privilege … We absolutely agree that the attorney-client privilege deserves the strong protections afforded by our legal system, and that it is vital that proper policies and practices are in place to prevent its erosion.’

This kind of supportive rhetoric went on for three dense pages. Cynics might doubt the genuineness of the NSA protesting too much. But the ABA is to be congratulated on extracting a statement of such strong principle from the NSA – indeed, for bringing the matter to their attention in the first place. Could not every bar, whether or not there is evidence of domestic spying in the first place, use this correspondence as a springboard for communicating with its own intelligence agency to obtain a similar statement of support for the principle of lawyer-client confidentiality?

This article is only an interim report. Democracies are always slow to react to new and powerful threats. I hope that, as the years go by, firmer and then finally conclusive action will be taken to protect lawyer-client confidentiality from the present mass surveillance.

Jonathan Goldsmith is secretary general of the Council of Bars and Law Societies of Europe, which represents around a million European lawyers through its member bars and law societies. He blogs weekly for the Gazette on European affairs