Privacy issues continue to challenge UK law firms
Last week Facebook was ordered by the data protection commissioner of Hamburg, Germany, to delete all its WhatsApp data. The commissioner said that Facebook had no legal right to merge WhatsApp data after it had acquired the business a couple of years ago. The fact that both companies publicly stated that there would be no data sharing has led observers to regard Facebook's approach as disingenuous.
The BBC also announced that it expects in 2017 to introduce a requirement that all UK users of the popular streaming service iPlayer will need an account that will include postcode details. The BBC claim that this has nothing to do with the enforcement of TV Licensing but hasn’t ruled that out in the future.
The importance of consumer data cannot be over-emphasised. It is obvious that the privacy and security of our personal data are very important, not least because a lapse could lead to cloned identities, fraud and theft in the digital arena.
However, it goes a bit further than that when we consider where in the world our data is held. Facebook, for example, refuses to recognise any jurisdiction when it comes to privacy laws other than Ireland. The issue it is having in Hamburg is because it has an office there for European districts.
When it comes to law firms, it is important to know where their client data is held, especially if the organisation uses cloud-based services. A lot of data is stored in the US, which causes a dilemma for law firms as technically, client data can be requested without an order by a Government agency under the Patriot Act – that’s a big problem and arguably breaches the SRA’s Code of Conduct relating to confidentiality.
The EU Safe Harbour Agreement used to provide some protection, but in October 2016 it was declared invalid. A desperate attempt to bring the EU-US Privacy Shield into force quickly continued to stall, but on 1st August an agreement was reached, and it is now up to US companies to bring their terms and systems into line with the Privacy Shield to demonstrate compliance.
However, from my recent experience pressing US-based companies on this topic, no one seems to have done anything about it, as they continue to spout the ineffective Safe Harbour Agreement as sufficient protection of client data.
The difficulty this causes is that UK legal businesses cannot take advantage of some unique and powerful tools operating in the US without arguably breaching the SRA Code of Conduct. US companies need to get their act together if they want to take advantage of the powerful UK legal industry.