The European Union's General Data Protection Regulation ("GDPR") is arguably the most comprehensive - and complex - data privacy regulation in the world.  Although the GDPR went into force on May 25, 2018, there continues to be a great deal of confusion regarding the requirements of the GDPR.

To help address that confusion, Bryan Cave Leighton Paisner is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the GDPR.

Question: Is a law firm required to respond to a data subject access request?

Answer: Sometimes.
To the extent that a law firm is considered a controller of data, it is responsible for responding “to requests for access to the data” that are submitted from a data subject. ¹  That said, the obligation to respond to a request for access does not necessarily mean that an attorney must always respond with a copy of the information that the attorney holds about the individual that sends the request. 

The GDPR permits a controller to refuse to provide a copy of information if doing so would “adversely affect the rights and freedoms of others.”²  One instance in which disclosure of personal data would arguably affect the rights and freedoms of others occurs when an attorney would violate a legal professional privilege that is recognized in a Member State (e.g., work product doctrine or attorney-client communication) if it were to make the disclosure.  So, for example, the UK Information Commissioner’s Office has stated that “Personal data is . . . exempt from the right of subject access if it consists of information for which legal professional privilege . . . could be claimed in legal proceedings in any part of the UK.”³ It is worth noting, however, that if a legal privilege does not apply, the ICO has stated that a lawyer may not “refuse to supply information in response to a [subject access request] simply because the information is requested in connection with actual or potential legal proceedings.”⁴

To the extent that information is privileged under the laws of a country outside of the EEA (e.g., is subject to United States legal privilege, but not legal privilege under UK law) it is unclear whether a supervisory authority would take the position that a lawyer is exempt from the obligation to produce the information pursuant to a data subject access request.  As such a disclosure would still “adversely affect the rights and freedoms of others” a strong argument could be made that the exemption should continue to apply.

1. UK ICO, “Data Controllers and Data Processors: What the Difference Is and What the Governance Implications Are” at 13.

2. GDPR, Article 15(4).

3. UK ICO, “Subject Access Code of Practice: Dealing with Requests from Individulas for Personal Information, at 55 (Version 1.2).

4. UK ICO, “Subject Access Code of Practice: Dealing with Requests from Individulas for Personal Information, at 55 (Version 1.2).

[View source.]