Analysis
10 December 2020

International Bar Association – Cloud computing and the challenges facing professional secrecy

Stéphane de Navacelle, Clémentine Duverne and Sarah Reilly contributors to the International Bar Association Alternative and New Law Business Structures Committee and the Professional Ethics Committee joint newsletter by an article on “Cloud computing and the challenges facing professional secrecy”.

 

During the Covid-19 crisis and the resulting lockdown, the use of telework in France increased considerably, including in law firms.

In light of this, the French National Commission for Data Protection and Liberties (CNIL) published recommendations to better ensure personal data security. Referring to a list of certified productS [1], the CNIL advised that companies equip employee workstations with firewalls, encryption tools, antivirus software and, for cloud usage, protocols guaranteeing the confidentiality of the destination server, authentication mechanisms and regular verifications of access logs to limit the risk of intrusion [2].

These information security considerations are relevant for lawyers, for whom the principle of professional secrecy in relation to client information and correspondence is critical. While professional secrecy was historically ensured in a material fashion, with client information preserved in paper files, client information now extends beyond the realm of the law firm offices, with the prevailing trend of digitalisation of the legal profession.

An enhanced accompanying regulation of cloud computing is thereby necessary to ensure the prevention of loss, theft or leaks of client data and uphold the cornerstone principle of the profession.

 

Cloud computing runs the risk of going against professional secrecy

 

A robust legal and regulatory framework lays the foundations of professional secrecy

On a European level, professional secrecy is enshrined as a fundamental right by the European Court of Human Rights. It is covered by Article 8 of the European Convention on Human Rights on the right to respect for private and family life in that it protects ‘the confidentiality of all “correspondence” between individuals’ and ‘affords strengthened protection to exchanges between lawyers and their clients’ [3].

Article 1.1 of the Charter of Core Principles of the European Legal Profession expressly lists ‘the right and duty of the lawyer to keep clients’ matters confidential and to respect professional secrecy’[4] . Article 2.3. of the Code of Conduct of the Council of Bars and Law Societies of Europe (CCBE) stresses the importance of confidentiality [5] . These provisions showcase the benefit of protection awarded to lawyer-client communications but also the lawyers’ duty to ensure confidentiality and professional secrecy – as do the provisions in France on a national level.

Article 66-5 of the Law of 31 December 1971 provides that ‘in all matters, be it for counseling or litigation […] correspondence exchanged between both parties, or between lawyers […] and all documents in the file are covered by professional secrecy’[6]. Article 2 of the National Internal Rules applicable to lawyers provides that ‘professional secrecy is a matter of public order. It is general, absolute and unlimited in time’ [7].

Lawyers are thereby prohibited from waiving professional secrecy in all circumstances – and this even when permitted to do so by their client – save for expressly limited cases. Indeed, Article 4 of the Decree of July 12, 2005, provides that ‘subject to the strict requirements of their own defense before any court of law and to the cases of declaration or disclosure provided for or authorized by law, lawyers shall not, in any matter, make any disclosure that contravenes professional secrecy’ [8].

Lawyers can be held criminally liable should they breach professional secrecy. Article 226-13 of the Criminal Code provides that ‘the divulgation of information of a secret nature by a person who is in possession of it either by state or profession, or because of a temporary function or mission, is punishable by one year’s imprisonment and a fine of 15,000 euros’ [9].

This marked obligation to maintain professional secrecy in all circumstances warrants heightened scrutiny on the part of lawyers when considering the risks posed by the increasing digitalisation of the profession.

A digitalisation of the profession poses risks to professional secrecy

Many law firms now operate with cloud computing, which can jeopardise professional secrecy if data is lost, stolen, or seized.

Loss and theft of data can be the result of accidental deletion, hacking, or insufficiently secure access to cloud systems. Solutions to mitigate these risks are available, such as user identity control, encryption key changes and agreements with cloud service providers that allow for switchover systems or data recovery. They fall short, however, of alleviating lawyers of their ethical obligations.

Seizure of data on the cloud, while complexifying raid operations in law firms by dematerialisation, can increase the risk of data that is covered by professional secrecy being seized – all the more so when involving foreign investigation and prosecution authorities.

Article 56-1 of the Criminal Procedure Code [10] governs the conduct of raids in law firms or lawyers’ homes and identifies protective measures for professional secrecy. For example:

  • a judge and the head of the Bar (Bâtonnier) must be on-site to oversee the raid;
  • the Bâtonnier can consult the seized documents and contest the seizure of documents before a judge; and
  • the judge must ensure that the raid does not obstruct the exercise of the legal profession.

Some provisions may encroach upon the protections of this article. For instance, in the move towards fighting cybercrime, Article 57-1 of the Criminal Procedure Code on raids [11] was amended to add that investigation authorities can carry out remote information system searches, be they located on-site or in another system accessible via the on-site system.

Article 56-1 of the Criminal Procedure Code does not expressly prohibit remote information system searches [12], thereby creating somewhat of an uncertain legal landscape regarding the extent to which cloud information covered by professional secrecy is protected from raids.

Furthermore, Article 706-102-1 of the Criminal Procedure Code [13] pertaining to crime and organised crime, provides that the investigating judge (juge d’instruction) can decide to set up, in all locations, a technological mechanism that can access, record, store and transmit computer data, without the consent of the persons involved. While Article 56-1 of the Criminal Procedure Code implies that such a mechanism should not be used for automated data processing systems located in a lawyer’s office or home, it is not excluded that it could be used when the location of a data processing service provider, for example for cloud computing, is outsourced by the law firm, in detriment of professional secrecy [14] .

 

Soft law regulates cloud computing, empowering lawyers to provide the necessary safeguards to maintain professional secrecy

 

Ordinal body and administrative agency recommendations guide lawyers

While there is no defined legislative or regulatory framework on cloud computing, recommendations and guidelines have been published on the subject by the CNIL, the CCBE, and the National Council of the Bars (Conseil National des Barreaux (CNB)).

The CNIL issued a dedicated practical guide for lawyers, written from a personal data protection perspective drawn from the law on information technology and freedoms [15]. It states that ‘the lawyer, as the one responsible for processing the information, is bound by a duty of security [and] must take all necessary measures to guarantee its confidentiality’[16] , adding examples of measures and specifying that cloud computing ‘raises issues of the qualification of the parties, the applicable law, the effective exercise of the rights and supervision of international transfers of personal data’[17] .

The CCBE issued guidelines for lawyers using cloud computing, recommending that prior to signing a related contract, lawyers must first conduct a preliminary review of the cloud computing services, including:

  • the applicable data protection professional secrecy legislation to ensure that there is no obligation to disclose data to non-European national authorities;
  • the data encryption procedures;
  • the due diligence performed on the provider;
  • the security of the data centre; and
  • the level of risk associated with the information processed.

The lawyers must determine the relevance of negotiating contractual clauses and informing the customer about ‘the legal standards regarding data protection, privacy and professional secrecy in the countries where the servers are located’[18] .

The CNB issued a Vademecum of digital ethics, which includes the above-mentioned CCBE recommendations [19] . A guide for lawyers and the General Data Protection Regulation (GDPR) was also published, stating that lawyers must be ‘particularly exemplary’ with respect to professional secrecy – a ‘keystone principle’ despite technological evolutions. Lawyers must thereby ensure that their associates and external services providers also have this concern in mind, namely when outsourcing firm data via cloud computing [20].

Although these guidelines help lawyers to adopt appropriate security levels when using cloud computing, while still leaving room for flexibility and freedom in their implementation – in keeping with the independent status of the French avocat liberal – it is wholly still up to lawyers to act in compliance with the rules of their profession.

This empowering of the individual benefits some in the lawyer profession, that is, those in a position to negotiate secure information systems and those who have the necessary experience and knowledge. Others, however, exercise their profession with the looming threat of litigation in the back of their minds, as the consequences of non-abidance by the recommended standards remain unclear – be they criminal sanctions on the basis of a breach of professional secrecy, or ethical sanctions by a bar association.

French Bar offers technological solutions to lawyers

In an effort to put into practice the soft law on cloud computing and alleviate the risk of professional secrecy breaches, a private cloud [21] was set up in 2016 for lawyers of the French Bar. It provides a connection to a cloud via a dedicated key or dual-factor authentication and offers a messaging system with encrypted archiving, a centralised lawyer directory to facilitate confidential communications and a drive on which the data can also be encrypted. The cloud features automatic encryption alongside encryption that can be performed by the lawyers to ensure that only the concerned lawyer has access to the relevant communications.

This type of initiative is paramount to ensuring that professional secrecy remains attainable to lawyers in a context of increased digitalisation. While it is a first step in the direction of harmonised solutions for lawyers using cloud computing, it does not fully compensate for the shortcomings of soft law regulation.

The legal and regulatory vacuum on cloud computing results in unpredictability of the courts’ stance with respect to a lawyer’s failure to ensure professional secrecy on account of lost, stolen or seized data via cloud. As it stands, lawyers have the duty to oversee that those who are intrinsically linked with the exercise of their profession, including firm associates and external service providers, comply with the issued recommendations. To this extent, lawyers are solely responsible of implementing the necessary safeguards to preserve professional secrecy and must show proof of heightened scrutiny in an age where data crosses walls.

Related content

Analysis
Lobbying : Declaration obligations of interest representatives in France
14 July 2022
Lobbying: Declaration obligations of interest representatives in France
Highlight on the disclosure obligations imposed on interest representatives in France, as provided for by Law 2013-907 of October 11, 2013, as amended by Law 2016-1691 of...
Publication
The Guide to Sanctions -GIR (2022)
10 July 2022
The Guide to Sanctions (2022) – GIR
Navacelle co-author of the third edition of the Global Investigation Review's Guide to Sanctions.
Press review
Press review - Week of 19 September 2022
23 September 2022
Press review – Week of 19 September 2022
In this week's press review, you will discover the criminal initiatives at the European Union level announced by the President of the European Commission, and the new Fre...
Press review
Press review - Week of 12 September 2022
16 September 2022
Press review – Week of 12 September 2022
In this week's press review, you will find three articles on white collar crime. Firstly, clarifications related to the cumulation of qualification for tax fraud and omis...
Press review
Press review - Week of 5 September 2022
9 September 2022
Press review – Week of 5 September 2022
In this press review you will find two cases regarding the criminal prosecution of foreign nationals. First, the review addresses the conviction confirmed by the French C...
Event
How to successfully conduct an investigation
8 September 2022
Webinar: How to successfully conduct an investigation?
Stéphane de Navacelle spoke at the EQS webinar on "Internal investigation in companies: our advice for successfully conduct an investigation!"
Publication
International Criminal Law, International Courts, and Judicial Affairs - ABA
5 September 2022
International Legal Developments 2021 in Review – American Bar Association
Navacelle co-author of the 2021 annual review of international legal developments of the American Bar Association International Law Section (ABA).
Press review
Press review - Week of 29 August 2022
2 September 2022
Press review – Week of 29 August 2022
In this press review you will find the implications for France following the delay of transposition of the European directive on whistleblowers. The French Conseil d'Etat...
Analysis
30 August 2022
Strengthening the effectiveness of the French “Blocking Statute”
Highlight on the 18 February 2022 decree and the 7 March 2022 order, which strengthen the competence of the Strategic Information and Economic Security Department (Servic...
Press review
Press review - Week of 25 july 2022
29 July 2022
Press review – Week of 25 July 2022
In this review, you will discover two CNIL’s recent decisions, the first one aiming at protecting data rental cars’ users and the second one aiming at regulating the ...
Press review
Press review - Week of 18 July 2022
22 July 2022
Press review – Week of 18 July 2022
In this review you will discover a Dalloz study on the growing control of the European Courts on arbitration matters, a campaign of the CJEU against arbitration which is ...
Podcast
reforms suggested by compliance professionals
21 July 2022
Vigilance: reforms suggested by compliance professionals
Simplification of the legal framework, exemption from criminal liability, better coordination of litigation, a future authority responsible for the duty of vigilance and ...
Press review
Press review - Week of 11 july 2022
15 July 2022
Press review – Week of 11 July 2022
In this press review you will find a decision of the French Cour de cassation which clarifies the interpretation of the principle of speciality in extradition matters. Mo...
Analysis
Transposition of the European Whistleblowers Directive: Towards a reinforcement of the French protection system
14 July 2022
Transposition of the European Whistleblowers Directive: Towards a reinforcement of the French protection system
The text of the law aimed at improving the protection of whistleblowers, drafted by the Joint Committee, was approved by the National Assembly on 8 February and by the Se...