When lawyering goes digital

Mads Bryde Andersenprofessor, dr.jur.

University of Copenhagen – Faculty of Lawmads.bryde.andersen@jur.ku.dk

Starting points

• Counselling is information provision (mainly on the law)

• Litigation focuses on information (facts and law)• In a world where all information is digital, new

problems occur about what lawyers – can do– should do– must not do

by using digital technology

On digital evidence in general

• Almost all steps leave digital footprints– Online (telecommunication, stored data)– In social media (including Facebook posts)– By surveillance– ”Little Brother” information (photos etc.)– On servers and mobile devices

• Almost endless sources (big data) available• Courts and prosecutors rely on this information• Yet this information appear to most as ”private”

Three main issues

I. How should lawyers handle and communicate information?

a. Security (how to communicate and store)b. Data protection (what information may be

processed)

II. How can lawyers collect informationa. Under professional rulesb. Under til dataprotection directive

III. How can lawyers request informationa. Document requestsb. Discovery

Both issues concern rules applicabable to both lawers and

others, but• Lawyers are under stricter rules than their

clients

• But may, conversely, offer higher confidentiality (than other professionals)

• Because they are seen as – trused advisors towards their clients and – essential components in the legal system

… lawyers as components in the legal system

• Information provider for all actors in– Decision making– Conflict resolution

• Access provider for litigants

• Articulator in– Negotiations– Conflicts

• Buffer against frivolous claims

In other words:

1. Party-representative in legal disputes2. Trusted advisor in legal matters

• Articulator • ”Hired gun” • Ethical and mental buffer• Social engineer• Information provider

The legal profession has changed just as societies, social relations and conflicts have

• Ancient societies – role as orator based upon personal trust, convincing power and relations

• The commercial society – focus on document drafting, dispute resolution and consultation

• The industrial society: Planning and dispute prevention. Specialization

• Information society: Cross-disciplinary work. outsourcing. Hyper-specialization. Cross-competition. Information engineer and strategist.

I.How should lawyers handle and

communicate information?

How and when is paper and ink replaced by digital data?

• Party-to-party communication: Already in place (both B2B, B2G and B2C), e.g. company registration, but not bailiff prosecution (Vestre Landsret decision 6 September 2013)

• Negotiable instruments: Only when statutory law or agreement among all concerned

• Document production (litigation and due diligence): On its way – e.g. 20 September 2013 guide by DK Domstolsstyrelse

Other applications for lawyers

• Case management systems

• Contract management systems

• Time management and hour tracking

• E-billing

• E-discovery

• Virtual data rooms

Data security for lawyers (I)

• Lawyers are obliged to maintain a high level of data security

• Nevertheless, only few specific rules given by various bar associations

See e.g. Rule 11.6 of the Finnish Code of professional conduct of Lawyers:

”11.6 DatasäkerhetEn advokat ska sörja för datasäkerheten vid byrån så att inte utomstående olovligen kan skaffa sig tillgång till uppgifter om klienterna.”

Data security for lawyers (II)

See for a more specific approach, Chapter 4: Confidentiality and disclosure issued by the English Solicitors Regulation Authority, which indicate the following ”Indicative Behaviours”:

”Acting in the following way(s) may tend to show that you have achieved these outcomes and therefore complied with the Principles:

IB(4.1) your systems and controls for identifying risks to client confidentiality are appropriate to the size and complexity of the firm or in-house practice and the nature of the work undertaken, and enable you to assess all the relevant circumstances;

IB(4.2) you comply with the law in respect of your fiduciary duties in relation to confidentiality and disclosure;

IB(4.3) you only outsource services when you are satisfied that the provider has taken all appropriate steps to ensure that your clients' confidential information will be protected …”

Data security for lawyers (III)CCBE: Electronic Communication and the Internet (Guidance of 24 October

2008):

1. Deliberate interception and hacking • Consider to use and offer appropriate means to protect the content of

correspondence against any fraudulent modification, such as digital signatures or encryption, or both digital signatures and encryption

• Consider to use and offer a means of electronic communication, in particular when using web-mail service providers, online messengers or mobile devices, which is reasonably protected against any interception and hacking which could result in the disclosure of the existence and content of communications

• Use encryption techniques which are reasonably available every time clients or correspondents request them

• Inform clients and correspondents, if necessary, of the risks encountered by the use of electronic communications

Danish practice

• An order of 25 February 2003 from the Danish Complaints Board for Advocates (Advokatnævnet), reprimaned an adocate for leaving sensitive documents in a car which was subsequently stolen Advokaten 4/2003, Kendelser s. 5 f.).

Security obligations under the 1995 data protection directive

Article 17 security of processing: ”… the controller must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected.

2. The Member States shall provide that the controller must, where processing is carried out on his behalf, choose a processor providing sufficient guarantees in respect of the technical security measures and organizational measures governing the processing to be carried out, and must ensure compliance with those measures.

Practical guidelines?

• No. Here, like elsewhere within it security, not one shoe that fits all purposes

• Balancing of risks, costs and effiency

• Each client defines its needs better than the law firm does

Conclusion

• The legal professions has not been first mover to set security standards

• But have adopted the standards set by clients, courts and governments

• The first mover role would in fact be difficult given the multitude of industries that the legal profession work with

• Lawyers should make sure information is not lost• As long as it isn’t, regulators seldomly interfere

II.

How can lawyers collect information (investigation)?

Generally on lawyers as investigators

• In civil proceedings (state court and arbitration) – no restrictions other than good practice for advocates

• In criminal proceedings (at least in Denmark) lawyers are prevented from playing an active role as investigators

• However, difficult distinction between critical inspection of police investigation vs. separate investigation

New kinds of evidence

• Technical evidence (expert opinions)

• Accidental photographs

• Documents (at hand or by discovery request)

• Databases (public or private)

• Big data (including surveillance data)

Starting points

Investigation (i.e. the collection of evidence from various sources to confirm or reject assumptions in a suspicion)

• May be conducted by anybody• Within general rules of law Cf. U 2004.274 Ø: Detective investigation lawfulBut the closer one gets to the private sphere, the

more problematic it becomes:• Legally (privacy rules) and• Ethically (professional ethics)

Legal consequences:

• The lawyer may face criminal sanctions under the penal code or privacy rules

• The lawyer may face disciplinary sanctions under applicable rules of advocacy

• Gathered evidence may be inadmissible

• The client suffers loss of branding

General principles of criminal law

The legal situation under the criminal code varies among countries. In Denmark (straffelovens §§ 263-264d) it is based upon three principles of legitimacy and transparency:

1. Surveillance is lawful in the public sphere

2. And if the private sphere, when transparent

3. Unless conducted in unfair or illegimate ways

The legitimacy exception

• How far does the legitimacy exception go, cf. U 2012.2328 H (hidden camera recording for journalistic purposes lawful)

• Restricted in criminal investigations, cf. retsplejelovens § 791a(3) on observation

• Applicable to private parties in cases where public prosecution is in fact non existent. Reasonable balance?

Danish case law

U 2012.1893 V: Insurance company could produce video observations in case concerning policy holders right to compensation for disablement although unlawfully taken

Administrative decision (Ankestyrelsen) 24 January 2013 in case 1201087-12: Video observations and photos be admitted

Data protection law

• Processing of personal data only allowed under the specific rules of the Directive;

• Manual processing of data included;

• Sporadic it-processing is not ”processing”;

• If in doubt, how intense is the operation?

The legal basis for processing personal data (Directive 95/46)

• Art. 7(a): Unambigous consent from data subject: … what is ”unambigous”?

• Art. 7(b): Necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract

• Art. 7(c): Necessary for compliance with a legalobligation to which the controller is subject

The balancing of interest rule

• Article 7(f): processing is otherwise lawful, when

”… necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data is disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject which require protection under Article 1(1)”

Other requirements

• The fair and lawful principle, Art 6(a)

• The purpose limitation principle, Art 6(b)

• The adequacy principle, Art. 6(c)

• The data quality principle, Art. 6(d)

• The time limitation principle, Art. 6(e)

Information to be given to the data subject on investigative measures

Article 10 (and similarly Article 11): ” …the controller or his representative must provide a data subject from whom data relating to himself are collected with at least the following information, except where he already has it:

(a) the identity of the controller and of his representative, if any;

(b) the purposes of the processing for which the data are intended;

(c) any further information such as …”

Does this provision prevent private surveillance and investigation?

• Not if previously agreed (not often)• Not if the purpose of a legitimate

investigation is thereby hampered• Discussions in the Danish insurance sector.• 11 November 2011 Codex by the Danish

Insurance Council (Forsikring og Pension) confirms the obligation to disclose, either if the surveillance confirms the suspicion, or the opposite

Facebook investigation

1. Open facebook inquiries are generally allowed, even if ”private”, and even if conflicting to Facebook rules

2. This principle also applies to public entities, cf. Danish Ombudsman opinion 9 November 2011:

3. But using false profiles or a misleading identity information may be unlawful under- Good practice rules (e.g. for financial sector)- Professional ethics (e.g. for lawyers)

US litigation in particular

• In US litigation the litigants have a duty to preserve potentially-relevant evidence.The duty serves the basic purpose of allowing litigants' access to the evidence needed to prove their case, or in a more idealistic sense, access to justice.

• The consequences of failing to preserve potentially-relevant social media information (corporate as well as personal accounts) can result in punitive sanctions against a party and their counsel.

• Cases have effectively been won and lost because a party has failed to preserve documents — known as spoliation.

GPS Investigation

• Is it illegal? And if so, under which rules?

• U 2012.2510 Ø: Illegal to install GPS device on fishing boat (trespass)

• U 2000.2476 HK: GPS device considered to be lawful under § 791a(2)

• U 2009.1099 Ø: GPS device installed since requirements for photo surveillance were fulfilled under § 791a(2)

III.

Taking evidence

in litigation

On taking of evidence in general

• When private parties litigate, a number of data protection guarantees fall:– Witnesses are obliged to testify and present

documents against their will (unless adverse conclusions shall be drawn)

– Parties may also be obliged to present such statements or to produce documents

– Certain juristictions allow for discovery procedures or specific kinds of evidence taking (including

Legal challenges

• How does parties protect– personal data and – trade secrets?

• Self-encrimination? – EHRC art. 6– US Constitution + 11 USC § 344

• Various legal cultures (discovery vs. document requests)• Particular issues in

– Domestic proceedings– Transnational proceedings– International arbitration

1970 Haag Convention on the Taking of Evidence Abroad in Civil and Commercial Matters

Art. 1: ”In civil or commercial matters a judicial authority of a Contracting State may, in accordance with the provisions of the law of that State, request the competent authority of another Contracting State, by means of a Letter of Request, to obtain evidence, or to perform some other judicial act.” www.hcch.net

• art. 23 – reservation from Nordic Countries in relation to pre-trial discovery.

Retention of data

Stored communication under Directive 2006/24/EC on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks

• Article 7: Data protection and data security• Article 13: Allows for acccess permitted

under national law

TRIPS Agreement

TRIPS Section 3: provisional measures Article 50.1. The judicial authorities shall have the authority to order prompt and effective provisional measures:…(b) to preserve relevant evidence in regard to the alleged infringement.2. The judicial authorities shall have the authority to adopt provisional measures inaudita altera parte where appropriate, in particular where any delay is likely to cause irreparable harm to the right holder, or where there is a demonstrable risk of evidence being destroyed.

Danish law

Chapter of the Danish Procedural Code (Retsplejeloven) on the securing of evidence (”bevissikring”):

§ 653 mandates the bailiff court to conduct a search to secure evidence for an infringement or violation if plausible that the respondent has performed or will perform such an infringement and it is likely that evidence hereof my be found in the localities to be searched.

29 April 2004 Directive on the enforcement of intellectual property rights (2004/48/EF)

Article 8(1): In infringement proceedings … order that information on the origin or distribution networks of goods or services that infringe … be provided by the infringer, including

Article 8(2): names and addresses (b) and information on the quantities produced

Conclusion

• Sevaral digital sources available for litigants

• A move favouring claimant’s interests in presenting its case by allowing access to evidence over defendant’s interest in preserving privacy

• That balance is most clearly seen in IP related disputes but also in international arbitration

Further reading

• Mads Bryde Andersen: Redegørelse om de retlige problemer ved efterforskning ved mistanke om forsikringssvindel. Nordisk forsikringstidsskrift 2/2011: http://www.nft.nu/en/node/1576

• Christian Wiese Svanberg: Privates efterforskning af strafbare forhold. Juristen, 2011, s. 269 ff.