MARYLAND STATE BAR ASSOCIATION, INC.
COMMITTEE ON ETHICS
ETHICS DOCKET NO. 2018-06
You have asked about your obligations under the Maryland Rules of Professional Conduct (“MRPC”) to avoid conflicts of interest between current and former clients in light of the European Union’s General Data Protection Regulation (“GDPR”), which became effective on May 25, 2018.
You have stated that there are circumstances under which the GDPR may require you to delete information needed to identify a client or former client and the matters upon which you worked, if the client or former client requests that you do so. This is colloquially referred to as the “right to be forgotten.” You are concerned that, if you comply with such a request, you would be unable adequately to check for conflicts for purposes of complying with Rules 19-301.7 or 19-301.9 of the Maryland Rules of Professional Conduct (“MRPC”).
This Committee is empowered only to interpret the MRPC and therefore cannot render an opinion as to your legal obligations under the GDPR. There may be exceptions in the GDPR itself that would permit an attorney to retain sufficient information to adequately check for conflicts of interest, even if a former client requests deletion of its data. If this is the case, this aspect of the GDPR raises no ethical issue.
Ethical issues arise, however, if the GDPR does require an attorney to delete all identifying
information pertaining to a client or former client, upon the client’s request. In that case, the
requesting client may effectively render it impossible for a firm or an individual attorney to check
for conflicts between current and former clients. Assuming that this is the case, we draw two
- Rules 19-301.7 and 19-301.9, which govern attorney conflicts of interest, do not directly impose specific requirements to maintain records. Rather, those rules impose an obligation upon lawyers to avoid the specified conflicts of interest, unless a waiver has been obtained for waivable conflicts. While the GDPR may prevent an attorney from maintaining records, it would not authorize or compel an attorney to engage in a conflicted representation, and thus cannot alleviate an attorney’s obligation to comply with Rules 19-301.7 and 19-301.9.
- If a former client asks an attorney to delete the information needed to manage conflicts of interest, and the GDPR requires the attorney do so, we believe that the client’s request can act as a waiver of conflicts that could have been discovered had the data been retained if: (1) the firm provides written advice to the former client that fully informs the former client that deleting the information could result in a conflict and that by requiring such deletion the client consents to the firm’s potential future representation of other clients with conflicts that might otherwise have been discovered, and (2) none of the attorneys who handle the matter for the firm have any retained knowledge of the former client’s information.
In general, the GDPR applies to the processing of personal data that is automated or part of a filing system. It applies when (a) the processing of personal data relates to an establishment of a controller or processor in the EU; (b) when the processing relates to data subjects in the EU and relates to the offering of goods and services within the EU and the “monitoring” of behavior of EU subjects within the EU, or (c) where personal data is processed in a place where the law of an EU member state applies under international law. GDPR, Article 3. “Processing” of data includes the storage and retrieval of such data; “personal” data would include names and addresses, and similar identifying information; and a “controller” is an entity that has the ability to control what is done with data within the scope of the GDPR. Article 4. You are concerned that some identifying information pertaining to your current or former clients may fall within the scope of the GDPR, including former EU clients and prospective EU clients who submit information for purposes of engaging legal services, but the engagement never comes to fruition.
Article 17(1) of the GDPR provides that “[t]he data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay” where one of several circumstances applies, such as when “the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.” Article 17(3) of the GDPR sets out some circumstances under which such data can be retained despite subsection (1), such as when retention is necessary to comply with an obligation under EU law or the law of an EU member or necessary for the establishment or defense of legal claims. You have asserted that there is a potential that a former or prospective client’s identifying information may fall within the scope of Article 17, and that you may therefore be required to remove all information about that former or prospective client from your records.
Attorneys retain information to identify current and former clients in order to avoid potential conflicts of interest. Rule 19-301.7 applies to conflicts generally and prohibits an attorney from representing a client in a matter where the lawyer’s representation of the client will be affected by the lawyer’s duty to a former client (among others). Rule 19-301.7(a)(2). This Rule defines the lawyer’s duty to a current client. Under Rule 19-301.7, among other things, an attorney cannot represent two clients if the representation of one client is directly adverse to another client, or if there is a significant risk that an attorney’s representation of one client will be materially limited by the representation of the other. The two clients can give written consent to the attorney’s representation, however, so long as (1) the representation does not involve an assertion of a claim on behalf of one client against another client who the attorney also represents in that same proceeding, (2) the attorney reasonably believes that the attorney will be able to provide competent and diligent representation to each affected client, and (3) the representation is not prohibited by law. Rule 19-301.7(b).
Rule 19-301.9 applies directly to conflicts between a current and a former client and defines the lawyer’s duty to the former client. Under Rule 19-301.9(a), “[a]n attorney who has formerly represented a client in a matter shall not thereafter represent another person in the same or a substantially related matter in which that person’s interests are materially adverse to the interests of the former client unless the former client gives informed consent, confirmed in writing.” Under Rule 19-301.9(b), “[a]n attorney shall not knowingly represent a person in the same or a substantially related matter in which a firm with which the attorney formerly was associated had previously represented a client: (1) whose interests are materially adverse to that person; and (2) about whom the attorney had acquired information protected by Rules 19-301.6 (1.6) and 19-301.9(c) (1.9) that is material to the matter; unless the former client gives informed consent, confirmed in writing.”
As you note in your letter, there may be exceptions in the GDPR that would permit an attorney or firm to retain information pertaining to a client’s identity and matter, even if the client requests deletion of such information. You identified several arguments in your request for an opinion that may avoid such an event. If an attorney is permitted to retain such information, the attorney should do so in order to ensure compliance with Rules 19-301.7 and 19-301.9.
Assuming that a client or former client can require an attorney or firm to delete information under the GDPR that would identify the client and the subject of the representation, the attorney is not automatically excused from compliance with Rules 19-301.7 and 19-301.9. Rules 19-301.7 and 19-301.9 prohibit attorneys from engaging in certain representations without obtaining conflict waivers. Nevertheless, we believe that an attorney can comply with both the GDPR and the MRPC.
If a current client compels an attorney to delete identifying information and the matter under the GDPR, the attorney would be unable to contact the client, bill the client for services, or otherwise represent the client. The attorney would be compelled to withdraw from the representation, and the client who wishes to be “forgotten” would become a former client to be evaluated under Rule 19-301.9.
Rule 19-301.9 prohibits attorneys from representing a current client where an adverse former client was represented by the attorney in the same or “substantially related matter” absent a waiver under either subsections (a) or (b) of this Rule where the former client gives “informed consent, confirmed in writing.” In some circumstances, an attorney may seek a former client’s waiver, based upon informed consent, of future conflicts that have not yet arisen. See Rule 19- 301.9, Comment 9. As stated in Comment 22 to Rule 19-301.7,
The effectiveness of such waivers is generally determined by the extent to which the client reasonably understands the material risks that the waiver entails. The more comprehensive the explanation of the types of future representations that might arise and the actual and reasonably foreseeable consequences of those representations, the greater the likelihood that the client will have the requisite understanding.
A client’s sophistication is a key consideration in considering the effectiveness of such waivers:
“[I]f the client is an experienced user of the legal services involved and is reasonably informed regarding the risk that a conflict may arise, such consent is more likely to be effective. . . .” Id.
In this case, if a lawyer or law firm gives the client a full explanation of the consequences if a client exercises its “right to be forgotten,” including an explanation of the reasons why a law firm or attorney tracks client and matter information, and the client nevertheless gives written instruction to delete all of its data, we believe that the client has waived any conflicts that may arise in the future with respect to other clients and that may have been avoided by use of the deleted data.
There seems little practical risk to the client from such a waiver. As noted above, Rule 19- 301.9 only applies where to matters are the same or “substantially related.” Matters are “substantially related” if “they involve the same transaction or legal dispute or if there otherwise is a substantial risk that confidential factual information as would normally have been obtained in the prior representation would materially advance the client’s position in the subsequent matter.” Rule 19-301.9, Comment. In the hypothetical situation at hand, where a firm has eliminated all knowledge of a former client and the matter that was handled, it seems very unlikely that there is any substantial risk that the firm retains any confidential factual information within the scope of the Rule.
However, the “right to be forgotten” cannot expunge the recollections of individual attorneys. Rule 19-301.9 continues to prohibit a lawyer from revealing information adverse to a former client, requiring that an attorney with actual knowledge of the former client’s matter be screened from the current representation in the event of a conflict. Additionally, under Rule 19-301.7, once knowledge of a prior representation comes to light, the attorney and firm will need to evaluate anew whether any written consent from the former client is sufficient to waive potential conflicts, in light of the attorney’s actual knowledge, or whether informed consent must be obtained from the former client prior to continuing representation.
A firm that may be subject to the requirements of the GPDR should consider including a discussion of the “right to be forgotten” in its engagement letter, including the effect of that right upon the relationship between the attorney and client and the effect that exercise of that right may have on potential conflicts both for past, present and future clients. The Committee suggests including in the letter the firm’s policy for handling those conflict situations where clients have made decisions to delete data.