Analysis
10 December 2020

International Bar Association – Cloud computing and the challenges facing professional secrecy

Stéphane de Navacelle, Clémentine Duverne and Sarah Reilly contributors to the International Bar Association Alternative and New Law Business Structures Committee and the Professional Ethics Committee joint newsletter by an article on “Cloud computing and the challenges facing professional secrecy”.

 

During the Covid-19 crisis and the resulting lockdown, the use of telework in France increased considerably, including in law firms.

In light of this, the French National Commission for Data Protection and Liberties (CNIL) published recommendations to better ensure personal data security. Referring to a list of certified products1, the CNIL advised that companies equip employee workstations with firewalls, encryption tools, antivirus software and, for cloud usage, protocols guaranteeing the confidentiality of the destination server, authentication mechanisms and regular verifications of access logs to limit the risk of intrusion2.

These information security considerations are relevant for lawyers, for whom the principle of professional secrecy in relation to client information and correspondence is critical. While professional secrecy was historically ensured in a material fashion, with client information preserved in paper files, client information now extends beyond the realm of the law firm offices, with the prevailing trend of digitalisation of the legal profession.

An enhanced accompanying regulation of cloud computing is thereby necessary to ensure the prevention of loss, theft or leaks of client data and uphold the cornerstone principle of the profession.

Cloud computing runs the risk of going against professional secrecy

A robust legal and regulatory framework lays the foundations of professional secrecy

On a European level, professional secrecy is enshrined as a fundamental right by the European Court of Human Rights. It is covered by Article 8 of the European Convention on Human Rights on the right to respect for private and family life in that it protects ‘the confidentiality of all “correspondence” between individuals’ and ‘affords strengthened protection to exchanges between lawyers and their clients’3.

Article 1.1 of the Charter of Core Principles of the European Legal Profession expressly lists ‘the right and duty of the lawyer to keep clients’ matters confidential and to respect professional secrecy’4. Article 2.3. of the Code of Conduct of the Council of Bars and Law Societies of Europe (CCBE) stresses the importance of confidentiality5. These provisions showcase the benefit of protection awarded to lawyer-client communications but also the lawyers’ duty to ensure confidentiality and professional secrecy – as do the provisions in France on a national level.

Article 66-5 of the Law of 31 December 1971 provides that ‘in all matters, be it for counseling or litigation […] correspondence exchanged between both parties, or between lawyers […] and all documents in the file are covered by professional secrecy’6. Article 2 of the National Internal Rules applicable to lawyers provides that ‘professional secrecy is a matter of public order. It is general, absolute and unlimited in time’7.

Lawyers are thereby prohibited from waiving professional secrecy in all circumstances – and this even when permitted to do so by their client – save for expressly limited cases. Indeed, Article 4 of the Decree of July 12, 2005, provides that ‘subject to the strict requirements of their own defense before any court of law and to the cases of declaration or disclosure provided for or authorized by law, lawyers shall not, in any matter, make any disclosure that contravenes professional secrecy’8.

Lawyers can be held criminally liable should they breach professional secrecy. Article 226-13 of the Criminal Code provides that ‘the divulgation of information of a secret nature by a person who is in possession of it either by state or profession, or because of a temporary function or mission, is punishable by one year’s imprisonment and a fine of 15,000 euros’9.

This marked obligation to maintain professional secrecy in all circumstances warrants heightened scrutiny on the part of lawyers when considering the risks posed by the increasing digitalisation of the profession.

A digitalisation of the profession poses risks to professional secrecy

Many law firms now operate with cloud computing, which can jeopardise professional secrecy if data is lost, stolen, or seized.

Loss and theft of data can be the result of accidental deletion, hacking, or insufficiently secure access to cloud systems. Solutions to mitigate these risks are available, such as user identity control, encryption key changes and agreements with cloud service providers that allow for switchover systems or data recovery. They fall short, however, of alleviating lawyers of their ethical obligations.

Seizure of data on the cloud, while complexifying raid operations in law firms by dematerialisation, can increase the risk of data that is covered by professional secrecy being seized – all the more so when involving foreign investigation and prosecution authorities.

Article 56-1 of the Criminal Procedure Code10 governs the conduct of raids in law firms or lawyers’ homes and identifies protective measures for professional secrecy. For example:

  • a judge and the head of the Bar (Bâtonnier) must be on-site to oversee the raid;
  • the Bâtonnier can consult the seized documents and contest the seizure of documents before a judge; and
  • the judge must ensure that the raid does not obstruct the exercise of the legal profession.

Some provisions may encroach upon the protections of this article. For instance, in the move towards fighting cybercrime, Article 57-1 of the Criminal Procedure Code on raids11 was amended to add that investigation authorities can carry out remote information system searches, be they located on-site or in another system accessible via the on-site system.

Article 56-1 of the Criminal Procedure Code does not expressly prohibit remote information system searches12, thereby creating somewhat of an uncertain legal landscape regarding the extent to which cloud information covered by professional secrecy is protected from raids.

Furthermore, Article 706-102-1 of the Criminal Procedure Code13 pertaining to crime and organised crime, provides that the investigating judge (juge d’instruction) can decide to set up, in all locations, a technological mechanism that can access, record, store and transmit computer data, without the consent of the persons involved. While Article 56-1 of the Criminal Procedure Code implies that such a mechanism should not be used for automated data processing systems located in a lawyer’s office or home, it is not excluded that it could be used when the location of a data processing service provider, for example for cloud computing, is outsourced by the law firm, in detriment of professional secrecy14.

Soft law regulates cloud computing, empowering lawyers to provide the necessary safeguards to maintain professional secrecy

Ordinal body and administrative agency recommendations guide lawyers

While there is no defined legislative or regulatory framework on cloud computing, recommendations and guidelines have been published on the subject by the CNIL, the CCBE, and the National Council of the Bars (Conseil National des Barreaux (CNB)).

The CNIL issued a dedicated practical guide for lawyers, written from a personal data protection perspective drawn from the law on information technology and freedoms15. It states that ‘the lawyer, as the one responsible for processing the information, is bound by a duty of security [and] must take all necessary measures to guarantee its confidentiality’16, adding examples of measures and specifying that cloud computing ‘raises issues of the qualification of the parties, the applicable law, the effective exercise of the rights and supervision of international transfers of personal data’17.

The CCBE issued guidelines for lawyers using cloud computing, recommending that prior to signing a related contract, lawyers must first conduct a preliminary review of the cloud computing services, including:

  • the applicable data protection professional secrecy legislation to ensure that there is no obligation to disclose data to non-European national authorities;
  • the data encryption procedures;
  • the due diligence performed on the provider;
  • the security of the data centre; and
  • the level of risk associated with the information processed.

The lawyers must determine the relevance of negotiating contractual clauses and informing the customer about ‘the legal standards regarding data protection, privacy and professional secrecy in the countries where the servers are located’18.

The CNB issued a Vademecum of digital ethics, which includes the above-mentioned CCBE recommendations19. A guide for lawyers and the General Data Protection Regulation (GDPR) was also published, stating that lawyers must be ‘particularly exemplary’ with respect to professional secrecy – a ‘keystone principle’ despite technological evolutions. Lawyers must thereby ensure that their associates and external services providers also have this concern in mind, namely when outsourcing firm data via cloud computing20.

Although these guidelines help lawyers to adopt appropriate security levels when using cloud computing, while still leaving room for flexibility and freedom in their implementation – in keeping with the independent status of the French avocat liberal – it is wholly still up to lawyers to act in compliance with the rules of their profession.

This empowering of the individual benefits some in the lawyer profession, that is, those in a position to negotiate secure information systems and those who have the necessary experience and knowledge. Others, however, exercise their profession with the looming threat of litigation in the back of their minds, as the consequences of non-abidance by the recommended standards remain unclear – be they criminal sanctions on the basis of a breach of professional secrecy, or ethical sanctions by a bar association.

French Bar offers technological solutions to lawyers

In an effort to put into practice the soft law on cloud computing and alleviate the risk of professional secrecy breaches, a private cloud21 was set up in 2016 for lawyers of the French Bar. It provides a connection to a cloud via a dedicated key or dual-factor authentication and offers a messaging system with encrypted archiving, a centralised lawyer directory to facilitate confidential communications and a drive on which the data can also be encrypted. The cloud features automatic encryption alongside encryption that can be performed by the lawyers to ensure that only the concerned lawyer has access to the relevant communications.

This type of initiative is paramount to ensuring that professional secrecy remains attainable to lawyers in a context of increased digitalisation. While it is a first step in the direction of harmonised solutions for lawyers using cloud computing, it does not fully compensate for the shortcomings of soft law regulation.

The legal and regulatory vacuum on cloud computing results in unpredictability of the courts’ stance with respect to a lawyer’s failure to ensure professional secrecy on account of lost, stolen or seized data via cloud. As it stands, lawyers have the duty to oversee that those who are intrinsically linked with the exercise of their profession, including firm associates and external service providers, comply with the issued recommendations. To this extent, lawyers are solely responsible of implementing the necessary safeguards to preserve professional secrecy and must show proof of heightened scrutiny in an age where data crosses walls.

Related content

Analysis
Proposition Loi Gauvain
20 October 2021
Analysis of the bill to reinforce the fight against corruption by Deputy Gauvain
Navacelle team has examined the “Bill to reinforce the fight against corruption” which has just been submitted by the Deputy Raphaël Gauvain at the National Assembly...
Julie Zorrilla
Partner Navacelle
Alexandre Coudreau
Student Sciences Po
Salomé Garnier
Associate Navacelle
News
19 October 2021
New decision in the jurisprudential saga in the field of arbitration and corruption
Navacelle team would like to inform you of a new decision in the jurisprudential saga in the field of arbitration and corruption.
Salomé Garnier
Associate Navacelle
Events
14 October 2021
The French criminal procedural law
Thomas Lapierre, associate at Navacelle presents the main elements of the French criminal procedural law for #LAWYEREX by European Lawyers Foundation.
Thomas Lapierre
Associate Navacelle
News
5 October 2021
Report of the Independent Commission on Sexual Abuse in the French Church
After two and a half years of work, the CIASE has submitted its report with the aim of understanding and analysing situations of sexual abuse of minors in the Catholic Fr...
Events
29 September 2021
Paris Legal Makers 2021
The first Paris Legal Makers conference dedicated to economic development through law will take place on 6 December 2021 at the Palais Brongniart.
News
27 September 2021
Update of French Financial Market Regulator (AMF) of its control charters (in French)
This update specifies the procedures for carrying out control missions, the principles of good conduct followed by those in charge of a control as well as the behavior ex...
News
27 September 2021
Update of French Financial Market Regulator (AMF) of its investigation charters (in French)
This update specifies the procedures for carrying out investigation missions, the principles of good conduct followed by those in charge of an investigation as well as th...
News
16 September 2021
The French DPA (“Convention judiciaire d’intérêt public”) on the way to simplification
On 4 August 2021, a new Decree was promulgated aiming to simplify formalities required for the conclusion of the CJIP between Public Prosecutors Office and the legal pers...
Julie Zorrilla
Partner Navacelle
Louis Beltaire
Trainee lawyer
Alexandre Desevedavy
Trainee lawyer
Salomé Garnier
Associate Navacelle
Publication
3 September 2021
The European Parliament Lays the Foundations of a Corporate Due Diligence and Corporate Accountability
Julie Zorrilla, Thomas Lapierre and Stéphane de Navacelle, highlight for the International Bar Association anticorrpution news, the adoption on 10 March 2021 by the Memb...
Stéphane de Navacelle
Managing partner Navacelle
Julie Zorrilla
Partner Navacelle
Thomas Lapierre
Associate Navacelle
Publication
20 August 2021
It’s not an “ego fight”: The do’s and don’ts of monitorships
Experts from around the world discuss what authorities, companies and monitors should do to ensure that a period of compliance oversight ends successfully. “the quality...
Julie Zorrilla
Partner Navacelle
Adam Dobrik
Journalist
Analysis
14 July 2021
The in-house attorney status in France: a bygone idea or an emerging one?
Bastille Day Newsletter 2021 - Legislative, Regulatory & Policy Updates
Publication
14 July 2021
Bastille Day Newsletter 2021
Happy 2021 Bastille Day! Lawyers at Navacelle thought you might be interested in reviewing a selection we made of noticeable events which occurred in France in the fiel...
Stéphane de Navacelle
Managing partner Navacelle
Julie Zorrilla
Partner Navacelle
Clémentine Duverne
Partner Navacelle