International Bar Association – Cloud computing and the challenges facing professional secrecy

Stéphane de Navacelle, Clémentine Duverne and Sarah Reilly contributors to the International Bar Association Alternative and New Law Business Structures Committee and the Professional Ethics Committee joint newsletter by an article on “Cloud computing and the challenges facing professional secrecy”.

During the Covid-19 crisis and the resulting lockdown, the use of telework in France increased considerably, including in law firms.

In light of this, the French National Commission for Data Protection and Liberties (CNIL) published recommendations to better ensure personal data security. Referring to a list of certified productS [1], the CNIL advised that companies equip employee workstations with firewalls, encryption tools, antivirus software and, for cloud usage, protocols guaranteeing the confidentiality of the destination server, authentication mechanisms and regular verifications of access logs to limit the risk of intrusion [2].

These information security considerations are relevant for lawyers, for whom the principle of professional secrecy in relation to client information and correspondence is critical. While professional secrecy was historically ensured in a material fashion, with client information preserved in paper files, client information now extends beyond the realm of the law firm offices, with the prevailing trend of digitalisation of the legal profession.

An enhanced accompanying regulation of cloud computing is thereby necessary to ensure the prevention of loss, theft or leaks of client data and uphold the cornerstone principle of the profession.

Cloud computing runs the risk of going against professional secrecy

A robust legal and regulatory framework lays the foundations of professional secrecy

On a European level, professional secrecy is enshrined as a fundamental right by the European Court of Human Rights. It is covered by Article 8 of the European Convention on Human Rights on the right to respect for private and family life in that it protects ‘the confidentiality of all “correspondence” between individuals’ and ‘affords strengthened protection to exchanges between lawyers and their clients’ [3].

Article 1.1 of the Charter of Core Principles of the European Legal Profession expressly lists ‘the right and duty of the lawyer to keep clients’ matters confidential and to respect professional secrecy’[4] . Article 2.3. of the Code of Conduct of the Council of Bars and Law Societies of Europe (CCBE) stresses the importance of confidentiality [5] . These provisions showcase the benefit of protection awarded to lawyer-client communications but also the lawyers’ duty to ensure confidentiality and professional secrecy – as do the provisions in France on a national level.

Article 66-5 of the Law of 31 December 1971 provides that ‘in all matters, be it for counseling or litigation […] correspondence exchanged between both parties, or between lawyers […] and all documents in the file are covered by professional secrecy’[6]. Article 2 of the National Internal Rules applicable to lawyers provides that ‘professional secrecy is a matter of public order. It is general, absolute and unlimited in time’ [7].

Lawyers are thereby prohibited from waiving professional secrecy in all circumstances – and this even when permitted to do so by their client – save for expressly limited cases. Indeed, Article 4 of the Decree of July 12, 2005, provides that ‘subject to the strict requirements of their own defense before any court of law and to the cases of declaration or disclosure provided for or authorized by law, lawyers shall not, in any matter, make any disclosure that contravenes professional secrecy’ [8].

Lawyers can be held criminally liable should they breach professional secrecy. Article 226-13 of the Criminal Code provides that ‘the divulgation of information of a secret nature by a person who is in possession of it either by state or profession, or because of a temporary function or mission, is punishable by one year’s imprisonment and a fine of 15,000 euros’ [9].

This marked obligation to maintain professional secrecy in all circumstances warrants heightened scrutiny on the part of lawyers when considering the risks posed by the increasing digitalisation of the profession.

A digitalisation of the profession poses risks to professional secrecy

Many law firms now operate with cloud computing, which can jeopardise professional secrecy if data is lost, stolen, or seized.

Loss and theft of data can be the result of accidental deletion, hacking, or insufficiently secure access to cloud systems. Solutions to mitigate these risks are available, such as user identity control, encryption key changes and agreements with cloud service providers that allow for switchover systems or data recovery. They fall short, however, of alleviating lawyers of their ethical obligations.

Seizure of data on the cloud, while complexifying raid operations in law firms by dematerialisation, can increase the risk of data that is covered by professional secrecy being seized – all the more so when involving foreign investigation and prosecution authorities.

Article 56-1 of the Criminal Procedure Code [10] governs the conduct of raids in law firms or lawyers’ homes and identifies protective measures for professional secrecy. For example:

a judge and the head of the Bar (Bâtonnier) must be on-site to oversee the raid;
the Bâtonnier can consult the seized documents and contest the seizure of documents before a judge; and
the judge must ensure that the raid does not obstruct the exercise of the legal profession.

Some provisions may encroach upon the protections of this article. For instance, in the move towards fighting cybercrime, Article 57-1 of the Criminal Procedure Code on raids [11] was amended to add that investigation authorities can carry out remote information system searches, be they located on-site or in another system accessible via the on-site system.

Article 56-1 of the Criminal Procedure Code does not expressly prohibit remote information system searches [12], thereby creating somewhat of an uncertain legal landscape regarding the extent to which cloud information covered by professional secrecy is protected from raids.

Furthermore, Article 706-102-1 of the Criminal Procedure Code [13] pertaining to crime and organised crime, provides that the investigating judge (juge d’instruction) can decide to set up, in all locations, a technological mechanism that can access, record, store and transmit computer data, without the consent of the persons involved. While Article 56-1 of the Criminal Procedure Code implies that such a mechanism should not be used for automated data processing systems located in a lawyer’s office or home, it is not excluded that it could be used when the location of a data processing service provider, for example for cloud computing, is outsourced by the law firm, in detriment of professional secrecy [14] .

Soft law regulates cloud computing, empowering lawyers to provide the necessary safeguards to maintain professional secrecy

Ordinal body and administrative agency recommendations guide lawyers

While there is no defined legislative or regulatory framework on cloud computing, recommendations and guidelines have been published on the subject by the CNIL, the CCBE, and the National Council of the Bars (Conseil National des Barreaux (CNB)).

The CNIL issued a dedicated practical guide for lawyers, written from a personal data protection perspective drawn from the law on information technology and freedoms [15]. It states that ‘the lawyer, as the one responsible for processing the information, is bound by a duty of security [and] must take all necessary measures to guarantee its confidentiality’[16] , adding examples of measures and specifying that cloud computing ‘raises issues of the qualification of the parties, the applicable law, the effective exercise of the rights and supervision of international transfers of personal data’[17] .

The CCBE issued guidelines for lawyers using cloud computing, recommending that prior to signing a related contract, lawyers must first conduct a preliminary review of the cloud computing services, including:

the applicable data protection professional secrecy legislation to ensure that there is no obligation to disclose data to non-European national authorities;
the data encryption procedures;
the due diligence performed on the provider;
the security of the data centre; and
the level of risk associated with the information processed.

The lawyers must determine the relevance of negotiating contractual clauses and informing the customer about ‘the legal standards regarding data protection, privacy and professional secrecy in the countries where the servers are located’[18] .

The CNB issued a Vademecum of digital ethics, which includes the above-mentioned CCBE recommendations [19] . A guide for lawyers and the General Data Protection Regulation (GDPR) was also published, stating that lawyers must be ‘particularly exemplary’ with respect to professional secrecy – a ‘keystone principle’ despite technological evolutions. Lawyers must thereby ensure that their associates and external services providers also have this concern in mind, namely when outsourcing firm data via cloud computing [20].

Although these guidelines help lawyers to adopt appropriate security levels when using cloud computing, while still leaving room for flexibility and freedom in their implementation – in keeping with the independent status of the French avocat liberal – it is wholly still up to lawyers to act in compliance with the rules of their profession.

This empowering of the individual benefits some in the lawyer profession, that is, those in a position to negotiate secure information systems and those who have the necessary experience and knowledge. Others, however, exercise their profession with the looming threat of litigation in the back of their minds, as the consequences of non-abidance by the recommended standards remain unclear – be they criminal sanctions on the basis of a breach of professional secrecy, or ethical sanctions by a bar association.

French Bar offers technological solutions to lawyers

In an effort to put into practice the soft law on cloud computing and alleviate the risk of professional secrecy breaches, a private cloud [21] was set up in 2016 for lawyers of the French Bar. It provides a connection to a cloud via a dedicated key or dual-factor authentication and offers a messaging system with encrypted archiving, a centralised lawyer directory to facilitate confidential communications and a drive on which the data can also be encrypted. The cloud features automatic encryption alongside encryption that can be performed by the lawyers to ensure that only the concerned lawyer has access to the relevant communications.

This type of initiative is paramount to ensuring that professional secrecy remains attainable to lawyers in a context of increased digitalisation. While it is a first step in the direction of harmonised solutions for lawyers using cloud computing, it does not fully compensate for the shortcomings of soft law regulation.

The legal and regulatory vacuum on cloud computing results in unpredictability of the courts’ stance with respect to a lawyer’s failure to ensure professional secrecy on account of lost, stolen or seized data via cloud. As it stands, lawyers have the duty to oversee that those who are intrinsically linked with the exercise of their profession, including firm associates and external service providers, comply with the issued recommendations. To this extent, lawyers are solely responsible of implementing the necessary safeguards to preserve professional secrecy and must show proof of heightened scrutiny in an age where data crosses walls.