The European Union's General Data Protection Regulation ("GDPR") is arguably the most comprehensive - and complex - data privacy regulation in the world. Although the GDPR went into force on May 25, 2018, there continues to be a great deal of confusion regarding the requirements of the GDPR.
To help address that confusion, Bryan Cave Leighton Paisner is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the GDPR.
Question: Is a law firm required to respond to a data subject access request?
Answer: Sometimes. To the extent that a law firm is considered a controller of data, it is responsible for responding “to requests for access to the data” that are submitted by a data subject.1 That said, the obligation to respond to a request for access does not necessarily mean that an attorney must always respond with a copy of the information that the attorney holds about the individual who sends the request.
The GDPR permits a controller to refuse to provide a copy of information if doing so would “adversely affect the rights and freedoms of others.”2 One instance in which disclosure of personal data would arguably affect the rights and freedoms of others occurs when an attorney would violate a legal professional privilege that is recognized in a Member State (e.g., work product doctrine or attorney-client communication) if it were to make the disclosure. So, for example, the UK Information Commissioner’s Office has stated that “Personal data is . . . exempt from the right of subject access if it consists of information for which legal professional privilege . . . could be claimed in legal proceedings in any part of the UK.”3 It is worth noting, however, that if a legal privilege does not apply, the ICO has stated that a lawyer may not “refuse to supply information in response to a [subject access request] simply because the information is requested in connection with actual or potential legal proceedings.”4
To the extent that information is privileged under the laws of a country outside of the EEA (e.g., is subject to United States legal privilege, but not legal privilege under UK law), it is unclear whether a supervisory authority would take the position that a lawyer is exempt from the obligation to produce the information pursuant to a data subject access request. Because such a disclosure would still “adversely affect the rights and freedoms of others,” a strong argument could be made that the exemption should continue to apply.