GDPR and Requests by EU Clients to be Forgotten

By David Hricik

Prosecution for foreign clients presents several ethical issues, and the recently enacted EU General Data Protection Regulation (“GDPR”) presents some fun ones. In Maryland State Bar Association Ethics Opinion 2018-06 (here), the committee tackled how a firm can abide by an EU client’s request to be “forgotten” — and so delete all records of having represented the client — and yet after that run conflicts checks to make sure the firm isn’t being adverse to that former client in a substantially related matter, as Rule 1.9 of most state ethical rules (and USPTO rule 11.109) requires. To illustrate, if you delete the fact that your firm once represented Bob Smith, and someone in the future asks your firm to be adverse to Bob Smith, Bob’s name won’t show up in the conflicts check and, if the matter against Bob is related to the work your firm had done for him, you could wind up having Bob complain that you’re violating Rule 1.9.

The committee stated that, if an EU client asks to be forgotten, this can be a waiver of any future conflict, stating:

If a former client asks an attorney to delete the information needed to manage conflicts of interest, and the GDPR requires the attorney do so, we believe that the client’s request can act as a waiver of conflicts that could have been discovered had the data been retained if: (1) the firm provides written advice to the former client that fully informs the former client that deleting the information could result in a conflict and that by requiring such deletion the client consents to the firm’s potential future representation of other clients with conflicts that might otherwise have been discovered, and (2) none of the attorneys who handle the matter for the firm have any retained knowledge of the former client’s information.

The opinion goes on to describe what is required for informed consent, and provides a useful guide.  I don’t know how often this will happen, but if it does, this opinion provides a framework to analyze the issues. I’d be really certain the former client understands what being forgotten will mean.  Perhaps they can be persuaded to let the firm forget everything except its name, and so at least that will trigger some future analysis by firm lawyers if Bob’s name shows up on a conflicts check.

About David

Professor of Law, Mercer University School of Law. Formerly Of Counsel, Taylor English Duma, LLP and in 2012-13, judicial clerk to Chief Judge Rader.

5 thoughts on “GDPR and Requests by EU Clients to be Forgotten”

  1. 4

    I don’t see how this affects patent attorneys or litigators, especially those that must disclose personal data to the PTO, to the courts, or to adverse parties in litigation. Perhaps there are explicit exceptions in the GDPR for law firms?

  2. 3

    If you do a national stage application for a European corporate client, the only “personal” data you need is the corporate name and address, which is published on the face of the PCT application. The inventors are not clients, and you do not need their addresses, but both appear on the face of the PCT application. If the national stage issues, the client and inventor names appear on the face of the patent, along with your name. This “personal” data cannot be forgotten, unless the EPO, PCT and USPTO are obliged to delete the info from published applications and issued patents.
    So what does it matter that the US patent attorney retains the “personal data?”

  3. 2

    I don’t get it. If my firm doesn’t have an office in the EU, what do I care about what GDPR says? The EU can’t sanction me; my state bar can. No brainer.

    I suppose if my firm had an office in the EU then this question might be of interest…did the MD ethics committee consider how conflicts checks are handled within the EU itself under the GDPR? Surely this question has already arisen there.

    1. 2.1

      You may want to read up on the GDPR (and its — at least purported — extra-territorial reach).

      The US is not the only sovereign that writes law that has impacts transnationally.

  4. 1

    Possibly an interesting dilemma when an individual expresses a request but it is the juristic person of a corporation that is the client.

    Would an individual (non-client) assertion impact a non-asserted client information holding?

    Corporate leader Miss Z of client Corporation A expresses her “right” to be forgotten, while client Corporation A has been entirely silent. Miss Z, having been — and possibly continuing to be — intimately involved in client matters, may “exist” profusely in the client records.

    Not only for conflict issues, but general retention, how do you handle Miss Z’s request?

    And we haven’t even gotten to any decentralized “on the blockchain” complications….
