This question is prompted by our discussions with some US law firms as regards sharing personal information or data of clients with our students whom they want to engage as paralegals. We did some digging on this matter and here’s what we found:
Let’s approach this question from two angles:
- Client confidentiality requirements – Do the Model Rules for Professional Conduct established by the American Bar Association (ABA) or State Bar Associations prohibit sharing of client information outside the US?; and
- Data protection laws – are law firms subject to data protection laws as regards their clients’ information?
The Model Rules of Professional Conduct adopted by the ABA (ABA Rules) do not make any distinction between sharing the information within or outside the US. The general requirement as per Rule 1.6 of the ABA Rules is that the lawyer shall not reveal any information relating to the representation of a client unless the client gives informed consent or the disclosure is impliedly authorized in order to carry out the representation.
The State Bar Rules of Professional Conduct for California (Rule 1.6), New York (Rule 1.6), Delaware (Rule 1.6), Texas (Rule 1.05), Florida (Rule 4-1.6), Wyoming (Rule 1.6), and Nevada (Rule 1.6) are modeled on similar lines and all of them permit disclosure of client information with “informed consent”.
Let’s look at this with an example of a US law firm sharing client information with an Indian lawyer (providing paralegal services for US purposes, but having an Advocate’s license in India). Some relevant points are:
- As regards the US law firm, there is actually more risk in sharing the information with an American paralegal than an Indian Advocate providing paralegal services. This is because in the case of paralegals in the US, the requirement to ensure confidentiality is on the law firm or the lawyers who have supervisory authority over such non-lawyers, as per Rule 5.3 of the ABA Rules.
The Indian Advocates, on the other hand, are themselves bound by the Rules on Professional Standards framed under Section 49(1)(c) of the Advocates Act, 1961, which requires them not to disclose the communications between them and the client to anyone. Where the Indian Advocate is providing paralegal services to a US law firm, the US law firm is considered to be their client, and accordingly, any communication between the US law firm and the Indian Advocate is protected.
2. For its part, the US law firm is required to ensure that the clients provide “informed consent”. In fact, the US law firm might be able to price its services differently to a client, stating that they will be getting the administrative work completed by an Indian Advocate, who is statutorily bound of his or her own, to maintain confidentiality and yet, can be charging a lesser amount per hour than an American paralegal, in whose case it is the law firm’s responsibility to ensure confidentiality.
Let’s now look at the data protection laws.
Interestingly, as of 28th July 2021, there are comprehensive data protection and privacy laws in place for only California, Colorado, and Virginia and there are active bills in the states of Massachusetts, New York, North Carolina, Ohio, and Pennsylvania. There are separate federal and state laws covering some specific data protection requirements, but the comprehensive privacy laws are only in these states (Check the IAPP US State Privacy Legislation Tracker here).
We will consider the provisions of the California Consumer Privacy Act, and the proposed California Privacy Rights Act (applicable from 1 January 2023), as well as the proposed New York Privacy Act, just to get an idea of the intent of such data protection and privacy laws.
The obligations under the California Consumer Privacy Act (CCPA) are applicable to:
- Service Providers; and
- Third Parties
A law firm can very well fall within the criteria of a “business” if it is hitting any of the following criteria:
- The firm has annual gross revenues in excess of twenty-five million dollars;
Note: The California Privacy Rights Act (CPRA) fixes the date of determination of this revenue as 1st January of the calendar year, for revenues in the preceding calendar year.
2. The firm receives personal information of 50000 or more consumers, households or devices;
Note: The CPRA increases this limit to 100,000 and changes the applicability from receipt of information to buying, selling, or sharing of information. In short, if you just receive the information and do nothing with it, you won’t hit this condition of CPRA.
3. The firm derives 50% or more of its annual revenues from selling consumer information.
Note: The CPRA retains this criterion as it is, but you’re not going to be selling the client information anyway.
If you’re not qualified as a ‘business’, the CCPA will apply to you as a ‘service provider’,
- If businesses are collecting information from consumers and sharing such information with you (either by sale or for other business purposes); and
- Are entering into a written contract with you basically prohibiting you to do anything with that information other than using it for the specific purpose of providing the services.
Let’s say you don’t qualify as a ‘business’ and there is also no written contract (unlikely) or that even if there is a written contract, it doesn’t expressly mention anything about using the information provided by the business. In this case, you can still be covered under the definition of a ‘third party’ if you are violating any of the restrictions specified by the CCPA.
Simply put, restrictions are that the retention, sharing, or sale of consumer information is controlled by the consumer and these activities happen with the consent of the consumer.
Law firms are not going to sell the information. As regards the retention or sharing of information is concerned, this is possible with the “informed consent” that you secure from the client anyway, before disclosing their information to someone else. Again, these requirements are equally applicable, irrespective of whether you share the information within or outside the US.
Under the proposed New York Privacy Act (NYPA) (NY Senate Bill S5642), it is possible that a law firm falls within the definition of a “controller” of data since that term is broadly defined as any natural or legal person who alone or jointly determines the purposes and means of processing personal data.
Under the NYPA, the obligation is that personal data shall not be used, processed, or transferred to a third party unless the consumer provides express and documented consent. There is no distinction as to whether the third party is within or outside the US.
Continuing our example of a US law firm engaging an Indian Advocate as a paralegal, the US firm needs to secure and document the consent from the client whose personal data is being shared.
The bottom line or conclusion is that a law firm will be able to share the personal data of a client with someone outside the US if they have secured written consent from the client to do so, both under the Rules for Professional Conduct as well as the data protection laws. They will need this consent equally if they were sharing the data with someone in the US.
This kind of consent can be easily incorporated as a term in the engagement letter and once the client accepts the engagement, it is a clear and documented consent, after which, the information can be shared.
What exactly is the personal information or personal data which is covered under the data protection laws?
The CCPA, CPRA, and NYPA all intend to indicate personal data as data that can be clearly identified with a person, such as a name or address or a social security number.
All three laws exclude publicly available information from the definition of personal data or personal information.
Therefore, if, for instance, you are engaging someone to conduct a search in the records of USPTO or Secretary of State, the data that they secure through the search is not covered within the definition of personal data. This is because it is publicly available.
Secondly, as regards the filings, for instance, if someone is filing an Annual Statement of Information with the Secretary of State with the same details as the previous year, this is also not personal data because it is possible to purchase and/or download the previous year’s statement from their records and check that information by any member of the public.
Therefore, in such cases, the law firms will not be hit by the data protection laws if they share such publicly available information.
However, in order to complete form filings or manage records, it may be necessary for the law firm to share the personal information of a client which is not publicly available. This information can be shared after securing the client’s consent, which can be incorporated as a part of the engagement letter.
The second level of protection will be that the consultancy agreement or contract entered into with the person providing services outside the US should incorporate confidentiality clauses. However, similar confidentiality clauses would be required to be put in place in an employment agreement with a US paralegal too.
Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skills.
LawSikho has created a telegram group for exchanging legal knowledge, referrals, and various opportunities. You can click on this link and join: