
A Tech Adoption Guide for Lawyers

in partnership with Legal Tech Publishing

Privacy, Technology

More Than Words — Practicing in the Age of Privacy

Technical expertise, increasingly, will be required to sustain a healthy privacy practice in this new age.

To serve today’s clients, lawyers need more than words in their legal toolbox.

The complexity of incoming privacy regulations stretches beyond interpreting statutes, writing memoranda, and negotiating agreements, although those skills remain in demand.  New laws like the General Data Protection Regulation (“GDPR”) require extensive technical expertise: data mapping, flow charts, inventorying, as well as recordkeeping.  Lawyers, while not typically engaged to do such tasks, are now intimately involved.

Privacy law in the United States is not new, of course. Tort laws have long protected against unlawful intrusions upon seclusion, publication of private facts, false light representations, and misappropriation of likeness. But today’s businesses collect, store, and monetize personal data on a vastly larger scale. Modern businesses are also vulnerable to cyberattacks and data breaches and can track consumers across websites and devices, as well as target them with advertising or otherwise profile their consuming behavior. As homes and automobiles also come online, data generation and use rise radically. Personal privacy is challenged anew.

This reality has transformed our world.  It has also created significant new roles for lawyers.  Privacy laws address a broad range of subjects, such as health and financial information, consumer information collected via websites and mobile devices, biometric information, data security,  breach and remediation plans.  States like California have led consumer privacy law developments, while the Federal Trade Commission uses its authority under the FTC Act to crack down on unfair and deceptive data practices.

Meanwhile, because commerce is global, U.S. organizations must take pains to avoid running afoul of laws in jurisdictions where privacy is more than just a consumer protection concern: it’s a fundamental human right.  Organizations doing business in Canada, for example, must comply with its unique anti-spam laws, while those catering to European Union customers are now faced with the most complex and comprehensive privacy law in a generation in the form of the GDPR.

As a result, the modern practice of Privacy Law requires knowledge of myriad state, federal, and international laws.  It also requires a deep understanding of information technology and networks, the role of cloud service providers, and the highly technical aspects of information security.

An attorney may be required to describe a client’s “appropriate technical and organizational” measures to protect the security of personal data.  She may be asked to advise a client on when it is acting as a “data controller” versus a “data processor,” depending on the legal definition and the technical data processing circumstances.  Perhaps the client needs advice on “pseudonymization” or “anonymization” of data, and the legal distinctions between them in a given situation, as well as encryption processes of data “at rest” or “in transit.”

Law firms are rightly stepping up their game to comply with these new regulations. Many are appointing privacy attorneys to serve as privacy counsel to the firm, or even hiring from outside to fill the chief privacy officer role. Breach notification, data inventory and mapping, and template data protection agreements should find their way into the law practices of firms with multinational clients.

The International Association of Privacy Professionals’ annual Privacy Tech Vendor Report provides one guide for attorneys and their clients seeking technical tools to aid in privacy law compliance. At the same time, the report shows that technical tools may sometimes be used in place of legal advice. If a process that seems complex can be standardized and routinized, maybe counsel isn’t needed to explain compliance? On the other hand, there remain many gaps where technical complexity requires engaging a competent lawyer.

IAPP research shows attorneys, globally, are most commonly engaged for GDPR compliance to assist with international data transfers, operationalizing the “right to be forgotten,” and analyzing the organization’s claim of “legitimate interest” to process data.  In the U.S., outside counsel are, in general, more likely to be engaged for GDPR compliance than they are in the EU.  This presents big opportunities for law firms investing in these practice areas.

Privacy law is poised to explode — if it hasn’t already — and continue to grow for some time to come.  To cash in, however, attorneys will need more than just words to service their clients.  Technical expertise, increasingly, will be required to sustain a healthy privacy practice in this new age.


Rita Heimes is Research Director at the International Association of Privacy Professionals, where she also serves as the in-house Data Protection Officer. Rita is an attorney and academic with many years of experience in the fields of privacy, information security, and intellectual property law. In her role as Research Director at the IAPP, Rita helps to promote the privacy profession through empirical and qualitative research on privacy functions globally as well as through outreach to academic institutions developing the next generation of privacy and security professionals. As the DPO, Rita facilitates and oversees the IAPP’s data protection policies. Prior to joining the IAPP, Rita was a law professor and academic dean at the University of Maine School of Law, where she directed the Center for Law + Innovation and developed the nation’s first Privacy Pathways program and one of the first intellectual property clinics. She also spent many years in private practice with law firms in Seattle, Boulder and Portland (Maine). Rita remains an active scholar, and still coordinates and teaches in the Information Privacy Summer Institute at Maine Law. Rita can be reached at rheimes@iapp.org.