Analysis
10 December 2020

International Bar Association – Cloud computing and the challenges facing professional secrecy

Stéphane de Navacelle, Clémentine Duverne and Sarah Reilly contributors to the International Bar Association Alternative and New Law Business Structures Committee and the Professional Ethics Committee joint newsletter by an article on “Cloud computing and the challenges facing professional secrecy”.

 

During the Covid-19 crisis and the resulting lockdown, the use of telework in France increased considerably, including in law firms.

In light of this, the French National Commission for Data Protection and Liberties (CNIL) published recommendations to better ensure personal data security. Referring to a list of certified productS [1], the CNIL advised that companies equip employee workstations with firewalls, encryption tools, antivirus software and, for cloud usage, protocols guaranteeing the confidentiality of the destination server, authentication mechanisms and regular verifications of access logs to limit the risk of intrusion [2].

These information security considerations are relevant for lawyers, for whom the principle of professional secrecy in relation to client information and correspondence is critical. While professional secrecy was historically ensured in a material fashion, with client information preserved in paper files, client information now extends beyond the realm of the law firm offices, with the prevailing trend of digitalisation of the legal profession.

An enhanced accompanying regulation of cloud computing is thereby necessary to ensure the prevention of loss, theft or leaks of client data and uphold the cornerstone principle of the profession.

 

Cloud computing runs the risk of going against professional secrecy

 

A robust legal and regulatory framework lays the foundations of professional secrecy

On a European level, professional secrecy is enshrined as a fundamental right by the European Court of Human Rights. It is covered by Article 8 of the European Convention on Human Rights on the right to respect for private and family life in that it protects ‘the confidentiality of all “correspondence” between individuals’ and ‘affords strengthened protection to exchanges between lawyers and their clients’ [3].

Article 1.1 of the Charter of Core Principles of the European Legal Profession expressly lists ‘the right and duty of the lawyer to keep clients’ matters confidential and to respect professional secrecy’[4] . Article 2.3. of the Code of Conduct of the Council of Bars and Law Societies of Europe (CCBE) stresses the importance of confidentiality [5] . These provisions showcase the benefit of protection awarded to lawyer-client communications but also the lawyers’ duty to ensure confidentiality and professional secrecy – as do the provisions in France on a national level.

Article 66-5 of the Law of 31 December 1971 provides that ‘in all matters, be it for counseling or litigation […] correspondence exchanged between both parties, or between lawyers […] and all documents in the file are covered by professional secrecy’[6]. Article 2 of the National Internal Rules applicable to lawyers provides that ‘professional secrecy is a matter of public order. It is general, absolute and unlimited in time’ [7].

Lawyers are thereby prohibited from waiving professional secrecy in all circumstances – and this even when permitted to do so by their client – save for expressly limited cases. Indeed, Article 4 of the Decree of July 12, 2005, provides that ‘subject to the strict requirements of their own defense before any court of law and to the cases of declaration or disclosure provided for or authorized by law, lawyers shall not, in any matter, make any disclosure that contravenes professional secrecy’ [8].

Lawyers can be held criminally liable should they breach professional secrecy. Article 226-13 of the Criminal Code provides that ‘the divulgation of information of a secret nature by a person who is in possession of it either by state or profession, or because of a temporary function or mission, is punishable by one year’s imprisonment and a fine of 15,000 euros’ [9].

This marked obligation to maintain professional secrecy in all circumstances warrants heightened scrutiny on the part of lawyers when considering the risks posed by the increasing digitalisation of the profession.

A digitalisation of the profession poses risks to professional secrecy

Many law firms now operate with cloud computing, which can jeopardise professional secrecy if data is lost, stolen, or seized.

Loss and theft of data can be the result of accidental deletion, hacking, or insufficiently secure access to cloud systems. Solutions to mitigate these risks are available, such as user identity control, encryption key changes and agreements with cloud service providers that allow for switchover systems or data recovery. They fall short, however, of alleviating lawyers of their ethical obligations.

Seizure of data on the cloud, while complexifying raid operations in law firms by dematerialisation, can increase the risk of data that is covered by professional secrecy being seized – all the more so when involving foreign investigation and prosecution authorities.

Article 56-1 of the Criminal Procedure Code [10] governs the conduct of raids in law firms or lawyers’ homes and identifies protective measures for professional secrecy. For example:

  • a judge and the head of the Bar (Bâtonnier) must be on-site to oversee the raid;
  • the Bâtonnier can consult the seized documents and contest the seizure of documents before a judge; and
  • the judge must ensure that the raid does not obstruct the exercise of the legal profession.

Some provisions may encroach upon the protections of this article. For instance, in the move towards fighting cybercrime, Article 57-1 of the Criminal Procedure Code on raids [11] was amended to add that investigation authorities can carry out remote information system searches, be they located on-site or in another system accessible via the on-site system.

Article 56-1 of the Criminal Procedure Code does not expressly prohibit remote information system searches [12], thereby creating somewhat of an uncertain legal landscape regarding the extent to which cloud information covered by professional secrecy is protected from raids.

Furthermore, Article 706-102-1 of the Criminal Procedure Code [13] pertaining to crime and organised crime, provides that the investigating judge (juge d’instruction) can decide to set up, in all locations, a technological mechanism that can access, record, store and transmit computer data, without the consent of the persons involved. While Article 56-1 of the Criminal Procedure Code implies that such a mechanism should not be used for automated data processing systems located in a lawyer’s office or home, it is not excluded that it could be used when the location of a data processing service provider, for example for cloud computing, is outsourced by the law firm, in detriment of professional secrecy [14] .

 

Soft law regulates cloud computing, empowering lawyers to provide the necessary safeguards to maintain professional secrecy

 

Ordinal body and administrative agency recommendations guide lawyers

While there is no defined legislative or regulatory framework on cloud computing, recommendations and guidelines have been published on the subject by the CNIL, the CCBE, and the National Council of the Bars (Conseil National des Barreaux (CNB)).

The CNIL issued a dedicated practical guide for lawyers, written from a personal data protection perspective drawn from the law on information technology and freedoms [15]. It states that ‘the lawyer, as the one responsible for processing the information, is bound by a duty of security [and] must take all necessary measures to guarantee its confidentiality’[16] , adding examples of measures and specifying that cloud computing ‘raises issues of the qualification of the parties, the applicable law, the effective exercise of the rights and supervision of international transfers of personal data’[17] .

The CCBE issued guidelines for lawyers using cloud computing, recommending that prior to signing a related contract, lawyers must first conduct a preliminary review of the cloud computing services, including:

  • the applicable data protection professional secrecy legislation to ensure that there is no obligation to disclose data to non-European national authorities;
  • the data encryption procedures;
  • the due diligence performed on the provider;
  • the security of the data centre; and
  • the level of risk associated with the information processed.

The lawyers must determine the relevance of negotiating contractual clauses and informing the customer about ‘the legal standards regarding data protection, privacy and professional secrecy in the countries where the servers are located’[18] .

The CNB issued a Vademecum of digital ethics, which includes the above-mentioned CCBE recommendations [19] . A guide for lawyers and the General Data Protection Regulation (GDPR) was also published, stating that lawyers must be ‘particularly exemplary’ with respect to professional secrecy – a ‘keystone principle’ despite technological evolutions. Lawyers must thereby ensure that their associates and external services providers also have this concern in mind, namely when outsourcing firm data via cloud computing [20].

Although these guidelines help lawyers to adopt appropriate security levels when using cloud computing, while still leaving room for flexibility and freedom in their implementation – in keeping with the independent status of the French avocat liberal – it is wholly still up to lawyers to act in compliance with the rules of their profession.

This empowering of the individual benefits some in the lawyer profession, that is, those in a position to negotiate secure information systems and those who have the necessary experience and knowledge. Others, however, exercise their profession with the looming threat of litigation in the back of their minds, as the consequences of non-abidance by the recommended standards remain unclear – be they criminal sanctions on the basis of a breach of professional secrecy, or ethical sanctions by a bar association.

French Bar offers technological solutions to lawyers

In an effort to put into practice the soft law on cloud computing and alleviate the risk of professional secrecy breaches, a private cloud [21] was set up in 2016 for lawyers of the French Bar. It provides a connection to a cloud via a dedicated key or dual-factor authentication and offers a messaging system with encrypted archiving, a centralised lawyer directory to facilitate confidential communications and a drive on which the data can also be encrypted. The cloud features automatic encryption alongside encryption that can be performed by the lawyers to ensure that only the concerned lawyer has access to the relevant communications.

This type of initiative is paramount to ensuring that professional secrecy remains attainable to lawyers in a context of increased digitalisation. While it is a first step in the direction of harmonised solutions for lawyers using cloud computing, it does not fully compensate for the shortcomings of soft law regulation.

The legal and regulatory vacuum on cloud computing results in unpredictability of the courts’ stance with respect to a lawyer’s failure to ensure professional secrecy on account of lost, stolen or seized data via cloud. As it stands, lawyers have the duty to oversee that those who are intrinsically linked with the exercise of their profession, including firm associates and external service providers, comply with the issued recommendations. To this extent, lawyers are solely responsible of implementing the necessary safeguards to preserve professional secrecy and must show proof of heightened scrutiny in an age where data crosses walls.

Related content

Publication
13 September 2024
Cross-country insights: Addressing Corruption Allegations in Arbitration Disputes
This guide aims at providing a comprehensive understanding of how different countries handle allegations of corruption in the course of...
Publication
29 August 2024
LIR 7th Edition : Focus on third-party evaluation, a challenging due diligence measure for French companies
Navacelle contributes to The Legal Industry Reviews' seventh edition, focusing on third-party evaluation, a challenging due diligence measure for French...
Press review
6 December 2024
Press review – Week of 2 December 2024
This week’s press review covers the suspicions of favoritism at Caisse des Dépôts, the fine of 2,2 million euros for...
Press review
29 November 2024
Press review – Week of 25 November 2024
This week’s press review covers the report by the Council of Europe's Group of States against Corruption (GRECO) calling on...
Press review
22 November 2024
Press review – Week of 18 November 2024
This week’s press review covers the dismantling of a VAT fraud network in Europe, the opening of an investigation into...
Publication
15 November 2024
Practitioner’s Guide to Global Investigations (2025) – GIR
NAVACELLE co-author of the ninth edition of Global Investigations Review’s Practitioner’s Guide to Global Investigations.
Press review
15 November 2024
Press review – Week of 11 November 2024
This week’s press review covers the conviction of Marco Mouly for organizing his insolvency and the issue of an arrest...
Press review
8 November 2024
Press review – Week of 4 November 2024
This week’s press review covers the searches conducted in Paris and Amsterdam as part of the tax fraud allegations against...
Analysis
8 November 2024
AFA’s advice on implementing anti-corruption indicators under the CSRD
The Corporate Sustainability Reporting Directive (CSRD), transposed into French law in December 2023, imposes new extra-financial transparency obligations to companies....
Press review
1 November 2024
Press review – Week of 28 October 2024
This week’s press review covers BNP Paribas’ conviction to compensate a fake bank advisor fraud victim, ESMA’s report positioning the...
Press review
25 October 2024
Press review – Week of 21 October 2024
This week’s press review covers the dismissal of the investigation into laundering of tax fraud money the Mulliez Group, the...
Press review
18 October 2024
Press review – Week of 14 October 2024
This week’s press review covers the failure of around a quarter of France’s major companies to comply with their obligation...
Press review
11 October 2024
Press review – Week of 7 October 2024
This week’s press review covers the corruption indictment of the mayor of New York, the investigation into the embezzlement of...
Press review
4 October 2024
Press review – Week of 30 September 2024
This week’s press review covers the financial fraud perpetrated against the Kiabi brand, the opening of the RN’s European parliamentary...