Transcript When lawyering goes digital - Det juridiske fakultet, UiO

When lawyering goes digital
Mads Bryde Andersen
professor, dr.jur.
University of Copenhagen – Faculty of Law
[email protected]
Starting points
• Counselling is information provision (mainly on
the law)
• Litigation focuses on information (facts and law)
• In a world where all information is digital, new
problems occur about what lawyers
– can do
– should do
– must not do
by using digital technology
On digital evidence in general
• Almost all steps leave digital footprints
–
–
–
–
–
Online (telecommunication, stored data)
In social media (including Facebook posts)
By surveillance
”Little Brother” information (photos etc.)
On servers and mobile devices
• Almost endless sources (big data) available
• Courts and prosecutors rely on this information
• Yet this information appear to most as ”private”
Three main issues
I.
How should lawyers handle and
communicate information?
a.
b.
II.
Security (how to communicate and store)
Data protection (what information may be
processed)
How can lawyers collect information
a.
b.
III.
Under professional rules
Under til dataprotection directive
How can lawyers request information
a.
b.
Document requests
Discovery
Both issues concern rules
applicabable to both lawers and
others, but
• Lawyers are under stricter rules than their
clients
• But may, conversely, offer higher
confidentiality (than other professionals)
• Because they are seen as
– trused advisors towards their clients and
– essential components in the legal system
… lawyers as components in the
legal system
• Information provider for all actors in
– Decision making
– Conflict resolution
• Access provider for litigants
• Articulator in
– Negotiations
– Conflicts
• Buffer against frivolous claims
In other words:
1. Party-representative in legal disputes
2. Trusted advisor in legal matters
•
•
•
•
•
Articulator
”Hired gun”
Ethical and mental buffer
Social engineer
Information provider
The legal profession has changed just as
societies, social relations and conflicts have
• Ancient societies – role as orator based upon
personal trust, convincing power and relations
• The commercial society – focus on document
drafting, dispute resolution and consultation
• The industrial society: Planning and dispute
prevention. Specialization
• Information society: Cross-disciplinary work.
outsourcing. Hyper-specialization. Crosscompetition. Information engineer and strategist.
I.
How should lawyers handle and
communicate information?
How and when is paper and ink
replaced by digital data?
• Party-to-party communication: Already in place
(both B2B, B2G and B2C), e.g. company
registration, but not bailiff prosecution (Vestre
Landsret decision 6 September 2013)
• Negotiable instruments: Only when statutory law
or agreement among all concerned
• Document production (litigation and due
diligence): On its way – e.g. 20 September 2013
guide by DK Domstolsstyrelse
Other applications for lawyers
•
•
•
•
•
•
Case management systems
Contract management systems
Time management and hour tracking
E-billing
E-discovery
Virtual data rooms
Data security for lawyers (I)
• Lawyers are obliged to maintain a high level of
data security
• Nevertheless, only few specific rules given by
various bar associations
See e.g. Rule 11.6 of the Finnish Code of professional
conduct of Lawyers:
”11.6 Datasäkerhet
En advokat ska sörja för datasäkerheten vid byrån så att
inte utomstående olovligen kan skaffa sig tillgång till
uppgifter om klienterna.”
Data security for lawyers (II)
See for a more specific approach, Chapter 4:
Confidentiality and disclosure issued by the English
Solicitors Regulation Authority, which indicate the
following ”Indicative Behaviours”:
”Acting in the following way(s) may tend to show that you have
achieved these outcomes and therefore complied with the
Principles:
IB(4.1) your systems and controls for identifying risks to client
confidentiality are appropriate to the size and complexity of the firm
or in-house practice and the nature of the work undertaken, and
enable you to assess all the relevant circumstances;
IB(4.2) you comply with the law in respect of your fiduciary duties in
relation to confidentiality and disclosure;
IB(4.3) you only outsource services when you are satisfied that the
provider has taken all appropriate steps to ensure that your clients'
confidential information will be protected …”
Data security for lawyers (III)
CCBE: Electronic Communication and the Internet (Guidance of 24 October
2008):
1. Deliberate interception and hacking
• Consider to use and offer appropriate means to protect the content of
correspondence against any fraudulent modification, such as digital
signatures or encryption, or both digital signatures and encryption
• Consider to use and offer a means of electronic communication, in
particular when using web-mail service providers, online messengers or
mobile devices, which is reasonably protected against any interception and
hacking which could result in the disclosure of the existence and content of
communications
• Use encryption techniques which are reasonably available every time
clients or correspondents request them
• Inform clients and correspondents, if necessary, of the risks encountered by
the use of electronic communications
Danish practice
• An order of 25 February 2003 from the
Danish Complaints Board for Advocates
(Advokatnævnet), reprimaned an adocate
for leaving sensitive documents in a car
which was subsequently stolen Advokaten
4/2003, Kendelser s. 5 f.).
Security obligations under the
1995 data protection directive
Article 17 security of processing:
”… the controller must implement appropriate technical and
organizational measures to protect personal data against accidental
or unlawful destruction or accidental loss, alteration, unauthorized
disclosure or access, in particular where the processing involves the
transmission of data over a network, and against all other unlawful
forms of processing.
Having regard to the state of the art and the cost of their
implementation, such measures shall ensure a level of security
appropriate to the risks represented by the processing and the
nature of the data to be protected.
2. The Member States shall provide that the controller must, where
processing is carried out on his behalf, choose a processor
providing sufficient guarantees in respect of the technical security
measures and organizational measures governing the processing to
be carried out, and must ensure compliance with those measures.
Practical guidelines?
• No. Here, like elsewhere within it security,
not one shoe that fits all purposes
• Balancing of risks, costs and effiency
• Each client defines its needs better than
the law firm does
Conclusion
• The legal professions has not been first mover
to set security standards
• But have adopted the standards set by clients,
courts and governments
• The first mover role would in fact be difficult
given the multitude of industries that the legal
profession work with
• Lawyers should make sure information is not lost
• As long as it isn’t, regulators seldomly interfere
II.
How can lawyers collect
information (investigation)?
Generally on lawyers as
investigators
• In civil proceedings (state court and
arbitration) – no restrictions other than
good practice for advocates
• In criminal proceedings (at least in
Denmark) lawyers are prevented from
playing an active role as investigators
• However, difficult distinction between
critical inspection of police investigation
vs. separate investigation
New kinds of evidence
• Technical evidence (expert opinions)
• Accidental photographs
• Documents (at hand or by discovery
request)
• Databases (public or private)
• Big data (including surveillance data)
Starting points
Investigation (i.e. the collection of evidence from
various sources to confirm or reject assumptions
in a suspicion)
• May be conducted by anybody
• Within general rules of law
Cf. U 2004.274 Ø: Detective investigation lawful
But the closer one gets to the private sphere, the
more problematic it becomes:
• Legally (privacy rules) and
• Ethically (professional ethics)
Legal consequences:
• The lawyer may face criminal sanctions
under the penal code or privacy rules
• The lawyer may face disciplinary sanctions
under applicable rules of advocacy
• Gathered evidence may be inadmissible
• The client suffers loss of branding
General principles of criminal law
The legal situation under the criminal code varies
among countries. In Denmark (straffelovens §§
263-264d) it is based upon three principles of
legitimacy and transparency:
1. Surveillance is lawful in the public sphere
2. And if the private sphere, when transparent
3. Unless conducted in unfair or illegimate ways
The legitimacy exception
• How far does the legitimacy exception go,
cf. U 2012.2328 H (hidden camera
recording for journalistic purposes lawful)
• Restricted in criminal investigations, cf.
retsplejelovens § 791a(3) on observation
• Applicable to private parties in cases
where public prosecution is in fact non
existent. Reasonable balance?
Danish case law
U 2012.1893 V: Insurance company could
produce video observations in case
concerning policy holders right to
compensation for disablement although
unlawfully taken
Administrative decision (Ankestyrelsen) 24
January 2013 in case 1201087-12: Video
observations and photos be admitted
Data protection law
• Processing of personal data only allowed
under the specific rules of the Directive;
• Manual processing of data included;
• Sporadic it-processing is not ”processing”;
• If in doubt, how intense is the operation?
The legal basis for processing
personal data (Directive 95/46)
• Art. 7(a): Unambigous consent from data
subject: … what is ”unambigous”?
• Art. 7(b): Necessary for the performance of a
contract to which the data subject is party or in
order to take steps at the request of the data
subject prior to entering into a contract
• Art. 7(c): Necessary for compliance with a
legalobligation to which the controller is subject
The balancing of interest rule
• Article 7(f): processing is otherwise lawful, when
”… necessary for the purposes of the legitimate
interests pursued by the controller or by the
third party or parties to whom the data is
disclosed, except where such interests are
overridden by the interests for fundamental
rights and freedoms of the data subject which
require protection under Article 1(1)”
Other requirements
•
•
•
•
•
The fair and lawful principle, Art 6(a)
The purpose limitation principle, Art 6(b)
The adequacy principle, Art. 6(c)
The data quality principle, Art. 6(d)
The time limitation principle, Art. 6(e)
Information to be given to the data
subject on investigative measures
Article 10 (and similarly Article 11): ” …the
controller or his representative must provide a
data subject from whom data relating to himself
are collected with at least the following
information, except where he already has it:
(a) the identity of the controller and of his
representative, if any;
(b) the purposes of the processing for which the
data are intended;
(c) any further information such as …”
Does this provision prevent private
surveillance and investigation?
• Not if previously agreed (not often)
• Not if the purpose of a legitimate
investigation is thereby hampered
• Discussions in the Danish insurance
sector.
• 11 November 2011 Codex by the Danish
Insurance Council (Forsikring og Pension)
confirms the obligation to disclose, either if
the surveillance confirms the suspicion, or
the opposite
Facebook investigation
1. Open facebook inquiries are generally
allowed, even if ”private”, and even if conflicting
to Facebook rules
2. This principle also applies to public entities, cf.
Danish Ombudsman opinion 9 November 2011:
3. But using false profiles or a misleading
identity information may be unlawful under
- Good practice rules (e.g. for financial sector)
- Professional ethics (e.g. for lawyers)
US litigation in particular
• In US litigation the litigants have a duty to preserve
potentially-relevant evidence.The duty serves the
basic purpose of allowing litigants' access to the
evidence needed to prove their case, or in a more
idealistic sense, access to justice.
• The consequences of failing to preserve potentiallyrelevant social media information (corporate as well as
personal accounts) can result in punitive sanctions
against a party and their counsel.
• Cases have effectively been won and lost because a
party has failed to preserve documents — known as
spoliation.
GPS Investigation
• Is it illegal? And if so, under which rules?
• U 2012.2510 Ø: Illegal to install GPS
device on fishing boat (trespass)
• U 2000.2476 HK: GPS device considered
to be lawful under § 791a(2)
• U 2009.1099 Ø: GPS device installed
since requirements for photo surveillance
were fulfilled under § 791a(2)
III.
Taking evidence
in litigation
On taking of evidence in general
• When private parties litigate, a number of
data protection guarantees fall:
– Witnesses are obliged to testify and present
documents against their will (unless adverse
conclusions shall be drawn)
– Parties may also be obliged to present such
statements or to produce documents
– Certain juristictions allow for discovery
procedures or specific kinds of evidence
taking (including
Legal challenges
• How does parties protect
– personal data and
– trade secrets?
• Self-encrimination?
– EHRC art. 6
– US Constitution + 11 USC § 344
• Various legal cultures (discovery vs. document requests)
• Particular issues in
– Domestic proceedings
– Transnational proceedings
– International arbitration
1970 Haag Convention on the Taking of Evidence
Abroad in Civil and Commercial Matters
Art. 1: ”In civil or commercial matters a judicial
authority of a Contracting State may, in
accordance with the provisions of the law of that
State, request the competent authority of
another Contracting State, by means of a Letter
of Request, to obtain evidence, or to perform
some other judicial act.” www.hcch.net
• art. 23 – reservation from Nordic Countries in
relation to pre-trial discovery.
Retention of data
Stored communication under Directive
2006/24/EC on the retention of data
generated or processed in connection with
the provision of publicly available
electronic communications services or of
public communications networks
• Article 7: Data protection and data security
• Article 13: Allows for acccess permitted
under national law
TRIPS Agreement
TRIPS Section 3: provisional measures
Article 50.1. The judicial authorities shall have the
authority to order prompt and effective provisional
measures:
…
(b) to preserve relevant evidence in regard to the alleged
infringement.
2. The judicial authorities shall have the authority to
adopt provisional measures inaudita altera parte where
appropriate, in particular where any delay is likely to
cause irreparable harm to the right holder, or where
there is a demonstrable risk of evidence being
destroyed.
Danish law
Chapter of the Danish Procedural Code
(Retsplejeloven) on the securing of evidence
(”bevissikring”):
§ 653 mandates the bailiff court to conduct a
search to secure evidence for an infringement or
violation if plausible that the respondent has
performed or will perform such an infringement
and it is likely that evidence hereof my be found
in the localities to be searched.
29 April 2004 Directive on the enforcement of
intellectual property rights (2004/48/EF)
Article 8(1): In infringement proceedings …
order that information on the origin or
distribution networks of goods or services
that infringe … be provided by the
infringer, including
Article 8(2): names and addresses (b) and
information on the quantities produced
Conclusion
• Sevaral digital sources available for
litigants
• A move favouring claimant’s interests in
presenting its case by allowing access to
evidence over defendant’s interest in
preserving privacy
• That balance is most clearly seen in IP
related disputes but also in international
arbitration
Further reading
• Mads Bryde Andersen: Redegørelse om
de retlige problemer ved efterforskning
ved mistanke om forsikringssvindel.
Nordisk forsikringstidsskrift 2/2011:
http://www.nft.nu/en/node/1576
• Christian Wiese Svanberg: Privates
efterforskning af strafbare forhold.
Juristen, 2011, s. 269 ff.