Most lawyers, if they are anything like the writer, won't read the terms of their iTunes, Netflix or Facebook accounts unless they're being paid to by a client and for the purposes of providing legal advice. But lawyers who use third party internet services including cloud service providers (CSPs) ought to consider reviewing their terms and conditions before using them to store or distribute any privileged material.
With the increasingly large number of documents being stored and organised electronically by law firms it is important to consider how this might impact legal protections, such as privilege, which would ordinarily attach to such documents.
This consideration assumes even greater significance when one appreciates the legal profession's increased use of third party internet services and the necessary acceptance of their terms of service.
How does the use of these services impact on a lawyer's obligation to maintain and protect their client's legal professional privilege?
Privilege and waiver
Legal professional privilege is a common law and statutory protection against the disclosure of certain communications, including documents, between a lawyer and their client. The underlying justification is to ensure full and frank disclosure by the client to the lawyer without fear of third parties being privy to the information they have shared.
Privilege can be lost in a number of ways, including through an express or implied act which is inconsistent with the maintenance of privilege.
One of the primary benefits of cloud services is the ease of access to files regardless of where in the world the user is.
Cloud services allow the user to store and back-up files online so that they can be accessed at any place with an internet connection.
The files are uploaded to the website of a Cloud Service Provider (CSP) into a virtual folder and subsequently stored on the CSP's physical servers. The files are often replicated and stored in multiple locations to insure against risk of damage to one of the server locations. The folder can have varying level of security from password protected to publically available which is determined by the user. The CSP's also provide varying levels of security online and in person for the servers where the files are stored.
Potential issues with third party internet services
Before being able to utilise any of the services offered by a CSP users are required to accept the provider's terms of service.
The terms of service inevitably reserve the right for the CSP to access, store and scan the information the user uploads as it sees fit without the need for the user's prior consent. The cloud services that make up the majority of the market – Dropbox, Google Drive, I-Cloud and Microsoft One Drive - all have terms to this effect.
The fundamental problem when using third party internet services like cloud and email therefore is that agreeing to such terms is, at least arguably, inconsistent with the maintenance of privilege.
Relevantly the provider (being an independent third party) is able to (and may have, without the lawyer's knowledge) accessed the documents without the consent of the client. If those documents include communications between a lawyer and their client then, on its face, one starts to get into the territory where there has been a waiver of privilege.
There are not any Australian cases that have addressed privilege in the context of CSPs that are entitled to access and scan documents. However there is a recent decision from the High Court of Justice, Queens Bench Division which provides some guidance on how these types of issues might be dealt with in Australia.
In Simpkin v Berkeley Group Holdings Plc  EWHC 1472 (QB) the claimant, Simpkin, sent an email to his personal email from his work email address through the work wi-fi. The email contained an attachment and a footer which read:
"This email including attachments is confidential, may be covered by legal professional privilege and is intended for the addressee only. If you are not the intended recipient you are prohibited from printing copying or distributing it."
The attachment to the email was a document relevant to divorce proceedings that were extant and it was subsequently forwarded to the claimant's lawyer.
Simpkin claimed the email and attachment were privileged. Berkeley Group, the respondent (being the workplace employer where he sent the email from) claimed that the document was not privileged as it was entitled to access the email pursuant to the internal IT policy the claimant signed upon joining the respondent company. Thus the claimant could have no reasonable expectation of privacy.
The Court ultimately found that the document was not confidential and thus did not attract privilege for a number of reasons:
- The claimant signed the company IT policy which made clear that emails sent and received over the IT system were the property of Berkeley;
- The IT team had access to all computers and email and did not need authorisation before accessing the accounts;
- The claimant saved the document on one of Berkeley's servers and the document was not password protected or segregated from the claimant's work related documents; and
- The contents of the claimant's email would have appeared in his personal assistant's email and even if she didn't look at the contents, this undermined a reasonable expectation of privacy.
In determining that the claim of privilege could not be maintained the High Court considered it relevant that the claimant had agreed to the company's IT policy. The terms of that policy provided that emails sent and received over the IT system were the property of the company.
The essence of the terms of the IT policy in the Simpkin decision generally echo the standard terms of CSPs. Those terms undermine any claim of privilege over material held by CSPs.
While there are some exceptions that allow privilege to be maintained over material even though it has been given to a third party (for example, for the dominant purpose of the client being provided with professional legal services in relation to proceedings), in the writer's opinion it would be difficult to establish that they apply in the case of the use of CSPs.
Users of CSPs should therefore give careful consideration to the terms that they are agreeing to and what material they will actually upload to the relevant CSP.