Law firms are mostly controllers rather than processors. Law firms are controllers when they independently decide how to process personal data for the client’s benefit or for legal representation. Because a law firm is mostly a controller, a data processing agreement is generally not necessary between the law firm and its clients. The law only requires a data processing agreement between a controller and its processor.

Whilst this article deals with law firms (and legal practitioners), it applies equally to most specialist service providers, professional advisers or consultants, and professions (like accountants, tax advisers and auditors when they provide audit and other professional advisory services). A legal practitioner includes an attorney, advocate, solicitor or barrister.

It is important to determine with certainty who is responsible for data protection in your relationships because various consequences flow from this key issue. If you find this article useful, learn more about data protection and keep abreast of the latest developments by joining our data protection programme and accessing our data protection for legal practitioners lens.

Are law firms controllers or processors?

Many people are unsure whether law firms are “processors” or “controllers” of personal data. If you think about booking a cruise, you let the cruise line know where you want to go. When you board the ship, it is the captain of the ship who decides how you get there safely. Using this analogy, we explain why law firms are mostly controllers rather than processors using examples of processing personal data in practice.

It is important to distinguish between the role of a controller and a processor.

  • A data controller is the body that determines the purpose and means of processing personal data. Called a responsible party in some countries.
  • A data processor is a body that processes personal data on behalf of (or for) a controller. Called an operator in some countries.

Law firms are mostly like the captain of the ship – the controller

Examples of a law firm as a controller

Providing legal services on general instructions

Law firms are controllers where they provide legal services on the basis of general instructions. For example, a client instructs the law firm to handle their divorce, draft a will, administer their estate, register a company or claim from a fund.

Representing a client in court

Generally, a service provider that determines the purpose and means of processing is a controller. Consider a client who instructs a legal practitioner and hands over personal data in the process. When the legal practitioner processes that personal data to represent the client in court, they are a controller. When the legal practitioner independently decides how to process personal data for the client’s benefit, the legal practitioner acts as a controller.

Providing legal advice

In their guidance note discussing the difference between controllers and processors, the UK ICO explains why solicitors are controllers. They explain this in the context of solicitors providing legal advice to clients about their rights in a matter. For example, an employer has evidence that a former employee stole a client list and is using the information to a competitor’s advantage. The employer instructs solicitors to find out whether the solicitors can secure the return of the list and prevent the rival firm from using it.

The employer doesn’t fully understand the process the solicitors will adopt, nor how the solicitors will process the personal data about the ex-employee. When the employer hands over the personal data to the solicitors, the solicitors become controllers responsible for the data. They determine the manner of processing personal data to provide legal advice to the employer in accordance with their professional obligations. The solicitors act as the controller of the personal data processed in connection with the client’s instructions.

Providing a legal opinion

A law firm acts as a controller when it provides a legal opinion to a client. The law firm processes the personal data that the client provides in order to draft the opinion. Once the client hands over the personal data, the law firm decides how to process it to formulate the legal opinion. The law firm is a controller because it processes the personal data independently (without the client’s input).

Complying with their regulatory duties

Law firms have to perform certain tasks to comply with their regulatory duties. For example:

  • The law firm has to perform regulatory checks on new client matters or perform client due diligence required by anti-money laundering laws.
  • The law firm must cooperate with regulators and other public authorities. This includes responding to regulatory requests for information, undertaking internal investigations, and complying with reporting and other professional obligations. The law firm has to be mindful of confidentiality and privilege in this scenario.

Law firms might be processors in some cases

A law firm might be the processor for a controller where a client gives clear, detailed and specific instructions to a law firm to process personal data on behalf of (or for) the client.

If the law firm processes personal data for a client and has no control over the purposes (why) and the means (how) of processing the relevant personal data, it is a processor.

A law firm might function as a processor if a client instructs it for data processing purposes alone. An example of such a data processing activity would be a client handing over a document containing people’s personal data and the law firm doing nothing more with the data than enhancing it according to the client’s instructions.

Another example would be a law firm providing implementation services to a client, like implementing OneTrust. A client provides a law firm with a list of their vendors with clear instructions on what to do with it. The law firm becomes a processor when they “clean up” the data to import the list of vendors into the OneTrust platform.

Accountants are mostly controllers rather than processors

The ICO gives this example regarding accountants. “A firm uses an accountant to do its books. When acting for his client, the accountant is a controller in relation to the personal data in the accounts. This is because accountants and similar providers of professional services work under a range of professional obligations that oblige them to take responsibility for the personal data they process. For example, if the accountant detects malpractice while doing the firm’s accounts he may, depending on its nature, be required under his monitoring obligations to report the malpractice to the police or other authorities. In doing so, an accountant would not be acting on the client’s instructions but in line with his own professional obligations and therefore as a controller in his own right. If specialist service providers are processing data in line with their own professional obligations, they will always be acting as the controller. In this context, they cannot agree to hand over or share controller obligations with the client.”

The EDPB gives us this example regarding accountants. “The qualification of accountants can vary depending on the context. Where accountants provide services to the general public and small traders on the basis of very general instructions (“Prepare my tax returns”), then – as with solicitors acting in similar circumstances and for similar reasons – the accountant will be a data controller. However, where an accountant is employed by a firm, and subject to detailed instructions from the in-house accountant, perhaps to carry out a detailed audit, then in general, if not a regular employee, he will be a processor, because of the clarity of the instructions and the consequent limited scope for discretion. However, this is subject to one major caveat, namely that where they consider that they have detected malpractice which they are obliged to report, then, because of the professional obligations they owe they are acting independently as a controller.”

Useful resources

International bodies like the UK ICO (page 9 in particular), the UK Bar Council, and the European Data Protection Board agree that law firms are almost always controllers. For example, the UK Bar Council says “For the avoidance of doubt, self-employed barristers are data controllers of their client’s data. They are not merely data processors, i.e. merely processing data on behalf of a controller.”

The LSSA published guidelines for attorneys on POPIA, which explain what a responsible party (the name for a controller under POPIA) does and who it is.