450 likes | 566 Views
When lawyering goes digital. Mads Bryde Andersen professor, dr.jur. University of Copenhagen – Faculty of Law mads.bryde.andersen@jur.ku.dk. Starting points. Counselling is information provision (mainly on the law) Litigation focuses on information (facts and law)
E N D
When lawyering goes digital Mads Bryde Andersen professor, dr.jur. University of Copenhagen – Faculty of Law mads.bryde.andersen@jur.ku.dk
Starting points • Counselling isinformation provision (mainly on the law) • Litigation focuses oninformation (facts and law) • In a world where all information is digital, new problems occur about what lawyers • can do • should do • must not do by using digital technology
On digital evidence in general • Almost all steps leave digital footprints • Online (telecommunication, stored data) • In social media (including Facebook posts) • By surveillance • ”Little Brother” information (photos etc.) • On servers and mobile devices • Almost endless sources (big data) available • Courts and prosecutors rely on this information • Yet this information appear to most as ”private”
Three main issues • How should lawyers handle and communicate information? • Security (how to communicate and store) • Data protection (what information may be processed) II. How can lawyers collect information • Under professional rules • Under til dataprotection directive • How can lawyers request information • Document requests • Discovery
Both issues concern rules applicabable to both lawers and others, but • Lawyers are under stricter rules than their clients • But may, conversely, offer higher confidentiality (than other professionals) • Because they are seen as • trused advisors towards their clients and • essential components in the legal system
… lawyers as components in the legal system • Information provider for all actors in • Decision making • Conflict resolution • Access provider for litigants • Articulator in • Negotiations • Conflicts • Buffer against frivolous claims
In other words: • Party-representative in legal disputes • Trusted advisor in legal matters • Articulator • ”Hired gun” • Ethical and mental buffer • Social engineer • Information provider
The legal profession has changed just as societies, social relations and conflicts have • Ancient societies – role as orator based upon personal trust, convincing power and relations • The commercial society – focus on document drafting, dispute resolution and consultation • The industrial society: Planning and dispute prevention. Specialization • Information society: Cross-disciplinary work. outsourcing. Hyper-specialization. Cross-competition. Information engineer and strategist.
I. How should lawyers handle and communicate information?
How and when is paper and ink replaced by digital data? • Party-to-party communication: Already in place (both B2B, B2G and B2C), e.g. company registration, but not bailiff prosecution (Vestre Landsret decision 6 September 2013) • Negotiable instruments: Only when statutory law or agreement among all concerned • Document production (litigation and due diligence): On its way – e.g. 20 September 2013 guide by DK Domstolsstyrelse
Other applications for lawyers • Case management systems • Contract management systems • Time management and hour tracking • E-billing • E-discovery • Virtual data rooms
Data security for lawyers (I) • Lawyers are obliged to maintain a high level of data security • Nevertheless, only few specific rules given by various bar associations See e.g. Rule 11.6 of the Finnish Code of professional conduct of Lawyers: ”11.6 Datasäkerhet En advokat ska sörja för datasäkerheten vid byrån så att inte utomstående olovligen kan skaffa sig tillgång till uppgifter om klienterna.”
Data security for lawyers (II) See for a more specific approach, Chapter 4: Confidentiality and disclosure issued by the English Solicitors Regulation Authority, which indicate the following ”Indicative Behaviours”: ”Acting in the following way(s) may tend to show that you have achieved these outcomes and therefore complied with the Principles: IB(4.1) your systems and controls for identifying risks to client confidentiality are appropriate to the size and complexity of the firm or in-house practice and the nature of the work undertaken, and enable you to assess all the relevant circumstances; IB(4.2) you comply with the law in respect of your fiduciary duties in relation to confidentiality and disclosure; IB(4.3) you only outsource services when you are satisfied that the provider has taken all appropriate steps to ensure that your clients' confidential information will be protected …”
Data security for lawyers (III) CCBE: Electronic Communication and the Internet (Guidance of 24 October 2008): 1. Deliberate interception and hacking • Consider to use and offer appropriate means to protect the content of correspondence against any fraudulent modification, such as digital signatures or encryption, or both digital signatures and encryption • Consider to use and offer a means of electronic communication, in particular when using web-mail service providers, online messengers or mobile devices, which is reasonably protected against any interception and hacking which could result in the disclosure of the existence and content of communications • Use encryption techniques which are reasonably available every time clients or correspondents request them • Inform clients and correspondents, if necessary, of the risks encountered by the use of electronic communications
Danish practice • An order of 25 February 2003 from the Danish Complaints Board for Advocates (Advokatnævnet), reprimaned an adocate for leaving sensitive documents in a car which was subsequently stolen Advokaten 4/2003, Kendelser s. 5 f.).
Security obligations under the 1995 data protection directive Article 17 security of processing: ”… the controller must implementappropriatetechnical and organizational measures to protectpersonal data againstaccidental or unlawfuldestruction or accidentalloss, alteration, unauthorized disclosure or access, in particularwhere the processinginvolves the transmission of data over a network, and against all otherunlawful forms of processing. Havingregard to the state of the art and the cost of theirimplementation, such measures shallensure a level of securityappropriate to the risksrepresented by the processing and the nature of the data to beprotected. 2. The Member States shall provide that the controller must, whereprocessing is carried out on his behalf, choose a processor providing sufficient guarantees in respect of the technicalsecurity measures and organizational measures governing the processing to becarried out, and must ensurecompliance with those measures.
Practical guidelines? • No. Here, like elsewhere within it security, not one shoe that fits all purposes • Balancing of risks, costs and effiency • Each client defines its needs better than the law firm does
Conclusion • The legal professions has not been first mover to set security standards • But have adopted the standards set by clients, courts and governments • The first mover role would in fact be difficult given the multitude of industries that the legal profession work with • Lawyers should make sure information is not lost • As long as it isn’t, regulators seldomly interfere
II. How can lawyers collect information (investigation)?
Generally on lawyers as investigators • In civil proceedings (state court and arbitration) – no restrictions other than good practice for advocates • In criminal proceedings (at least in Denmark) lawyers are prevented from playing an active role as investigators • However, difficult distinction between critical inspection of police investigation vs. separate investigation
New kinds of evidence • Technical evidence (expert opinions) • Accidental photographs • Documents (at hand or by discovery request) • Databases (public or private) • Big data (including surveillance data)
Starting points Investigation (i.e. the collection of evidence from various sources to confirm or reject assumptions in a suspicion) • May be conducted by anybody • Within general rules of law Cf. U 2004.274 Ø: Detective investigation lawful But the closer one gets to the private sphere, the more problematic it becomes: • Legally (privacy rules) and • Ethically (professional ethics)
Legal consequences: • The lawyer may face criminal sanctions under the penal code or privacy rules • The lawyer may face disciplinary sanctions under applicable rules of advocacy • Gathered evidence may be inadmissible • The client suffers loss of branding
General principles of criminal law The legal situation under the criminal code varies among countries. In Denmark (straffelovens §§ 263-264d) it is based upon three principles of legitimacy and transparency: • Surveillance is lawful in the public sphere • And if the private sphere, when transparent • Unless conducted in unfair or illegimate ways
The legitimacy exception • How far does the legitimacy exception go, cf. U 2012.2328 H (hidden camera recording for journalistic purposes lawful) • Restricted in criminal investigations, cf. retsplejelovens § 791a(3) on observation • Applicable to private parties in cases where public prosecution is in fact non existent. Reasonable balance?
Danish case law U 2012.1893 V: Insurance company could produce video observations in case concerning policy holders right to compensation for disablement although unlawfully taken Administrative decision (Ankestyrelsen) 24 January 2013 in case 1201087-12: Video observations and photos be admitted
Data protection law • Processing of personal data only allowed under the specific rules of the Directive; • Manual processing of data included; • Sporadic it-processing is not ”processing”; • If in doubt, how intense is the operation?
The legal basis for processing personal data (Directive 95/46) • Art. 7(a): Unambigous consent from data subject: … what is ”unambigous”? • Art. 7(b): Necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract • Art. 7(c): Necessary for compliance with a legalobligation to which the controller is subject
The balancing of interest rule • Article 7(f): processing is otherwise lawful, when ”… necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data is disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject which require protection under Article 1(1)”
Other requirements • The fair and lawful principle, Art 6(a) • The purpose limitation principle, Art 6(b) • The adequacy principle, Art. 6(c) • The data quality principle, Art. 6(d) • The time limitation principle, Art. 6(e)
Information to be given to the data subject on investigative measures Article 10 (and similarly Article 11): ” …the controller or his representative must provide a data subject from whom data relating to himself are collected with at least the following information, except where he already has it: (a) the identity of the controller and of his representative, if any; (b) the purposes of the processing for which the data are intended; (c) any further information such as …”
Does this provision prevent private surveillance and investigation? • Not if previously agreed (not often) • Not if the purpose of a legitimate investigation is thereby hampered • Discussions in the Danish insurance sector. • 11 November 2011 Codex by the Danish Insurance Council (Forsikring og Pension) confirms the obligation to disclose, either if the surveillance confirms the suspicion, or the opposite
Facebook investigation 1. Open facebook inquiries are generally allowed, even if ”private”, and even if conflicting to Facebook rules 2. This principle also applies to public entities, cf. Danish Ombudsman opinion 9 November 2011: 3. But using false profiles or a misleading identity information may be unlawful under • Good practice rules (e.g. for financial sector) • Professional ethics (e.g. for lawyers)
US litigation in particular • In US litigation the litigants have a duty to preserve potentially-relevant evidence.The duty serves the basic purpose of allowing litigants' access to the evidence needed to prove their case, or in a more idealistic sense, access to justice. • The consequences of failing to preserve potentially-relevant social media information (corporate as well as personal accounts) can result in punitive sanctions against a party and their counsel. • Cases have effectively been won and lost because a party has failed to preserve documents — known as spoliation.
GPS Investigation • Is it illegal? And if so, under which rules? • U 2012.2510 Ø: Illegal to install GPS device on fishing boat (trespass) • U 2000.2476 HK: GPS device considered to be lawful under § 791a(2) • U 2009.1099 Ø: GPS device installed since requirements for photo surveillance were fulfilled under § 791a(2)
III. Taking evidence in litigation
On taking of evidence in general • When private parties litigate, a number of data protection guarantees fall: • Witnesses are obliged to testify and present documents against their will (unless adverse conclusions shall be drawn) • Parties may also be obliged to present such statements or to produce documents • Certain juristictions allow for discovery procedures or specific kinds of evidence taking (including
Legal challenges • How does parties protect • personal data and • trade secrets? • Self-encrimination? • EHRC art. 6 • US Constitution + 11 USC § 344 • Various legal cultures (discovery vs. document requests) • Particular issues in • Domestic proceedings • Transnational proceedings • International arbitration
1970 Haag Convention on the Taking of Evidence Abroad in Civil and Commercial Matters Art. 1: ”In civil or commercial matters a judicial authority of a Contracting State may, in accordance with the provisions of the law of that State, request the competent authority of another Contracting State, by means of a Letter of Request, to obtain evidence, or to perform some other judicial act.” www.hcch.net • art. 23 – reservation from Nordic Countries in relation to pre-trial discovery.
Retention of data Stored communication under Directive 2006/24/EC on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks • Article 7: Data protection and data security • Article 13: Allows for acccess permitted under national law
TRIPS Agreement TRIPS Section 3: provisional measures Article 50.1. The judicial authorities shall have the authority to order prompt and effective provisional measures: … (b) to preserve relevant evidence in regard to the alleged infringement. 2. The judicial authorities shall have the authority to adopt provisional measures inaudita altera parte where appropriate, in particular where any delay is likely to cause irreparable harm to the right holder, or where there is a demonstrable risk of evidence being destroyed.
Danish law Chapter of the Danish Procedural Code (Retsplejeloven) on the securing of evidence (”bevissikring”): § 653 mandates the bailiff court to conduct a search to secure evidence for an infringement or violation if plausible that the respondent has performed or will perform such an infringement and it is likely that evidence hereof my be found in the localities to be searched.
29 April 2004 Directive on the enforcement of intellectual property rights (2004/48/EF) Article 8(1): In infringement proceedings … order that information on the origin or distribution networks of goods or services that infringe … be provided by the infringer, including Article 8(2): names and addresses (b) and information on the quantities produced
Conclusion • Sevaral digital sources available for litigants • A move favouring claimant’s interests in presenting its case by allowing access to evidence over defendant’s interest in preserving privacy • That balance is most clearly seen in IP related disputes but also in international arbitration
Further reading • Mads Bryde Andersen: Redegørelse om de retlige problemer ved efterforskning ved mistanke om forsikringssvindel. Nordisk forsikringstidsskrift 2/2011: http://www.nft.nu/en/node/1576 • Christian Wiese Svanberg: Privates efterforskning af strafbare forhold. Juristen, 2011, s. 269 ff.