Although today is Halloween in my part of the world, I am not offering any spooky content. I thought about trying to replace all mentions of Maryland in this post with Scaryland, but that just seemed like I was trying too hard.
In fact, I’m a bit torn about even writing about this particular topic because I’m really of two minds in all respects about what to say about Maryland becoming the first U.S. jurisdiction to issue an ethics opinion attempting to wrestle with any aspect of the EU’s General Data Protection Regulation (“GDPR”).
On the one hand, it seems like Maryland ought to be applauded for trying to be on the leading edge of issues of concern and many lawyers (and their firms) are struggling with exactly what GDPR might require of them.
On the other hand, the core premise of the inquiry being addressed involves an assumption about a legal question — not an ethics issue — and is the kind of thing ethics-opinion-writing bodies likely ought to stay away from.
Lots of commentators will give ethics-opinion-writing bodies grief for not, for example, striving to apply Constitutional issues when issuing opinions about the ethics rules. I’ve probably done that myself in the past. But, on the whole, more trouble for lawyers can likely come from ethics opinions straying outside the lines and getting a legal issue altogether wrong.
That might or might not have been how it would have shaken out if the Maryland State Bar Association Committee on Ethics had fully committed to trying to figure out whether the premise of the question posed to it in Opinion No. 2018-06 was even how the GDPR would work in the circumstances.
Instead, the committee flagged for the reader the possibility that the GDPR would not require the lawyer to respect the request to be forgotten at all but offered up what is, on the whole, pretty sound guidance that lawyers can bear in mind as to this and similar questions as other jurisdictions start adopting new privacy laws and regulations that may hit closer to home than the GDPR.
The question posed relied on the premise that a former client, if a citizen of the EU, could exercise the “right to be forgotten” by demanding the lawyer delete data about the person and, thereby, cause the lawyer to delete information that would otherwise protect the lawyer in terms of conflict checking in the future to avoid taking on a new client or matter that would involve an unethical conflict of interest as to the former client representation.
The core of the guidance ultimately given – again explicitly premised on assuming that it might ever be necessary – is this:
If a former client asks an attorney to delete the information needed to manage conflicts of interest, and the GDPR requires the attorney do so, we believe that the client’s request can act as a waiver of conflicts that could have been discovered had the data been retained if: (1) the firm provides written advice to the former client that fully informs the former client that deleting the information could result in a conflict and that by requiring such deletion the client consents to the firm’s potential future representation of other clients with conflicts that might have otherwise have been discovered, and (2) none of the attorneys who handle the matter for the firm have any retained knowledge of the former client’s information.
That’s pretty good guidance, actually.
It probably would have been better though if they hadn’t imposed quite so large a burden of communication and advice to the firm in response to the former client. I think that simply saying that any such request from a former client can be treated by the firm as equivalent to a waiver on the basis that a former client cannot demand that s/he be forgotten and then try to later claim the “forgotten” relationship presents a conflict.
You can read the full Maryland opinion here.
And, if you are interested in more opportunities to hear me try to talk intelligently about what the GDPR does actually mean for U.S. lawyers, I’ll be participating in a panel discussion in Washington, D.C. on November 9 as part of a joint program presented by APRL and the Law Society of England and Wales. If you’re interested, you can register at this link.