Does the attorney-client privilege apply to communications with a data protection officer (DPO)? This is a cross-jurisdictional question mixing laws and regimes that has perplexed many organizations. As explained below, while the ultimate answer is “it depends,” an organization that appoints an external attorney to serve as DPO and thoughtfully manages communications with the DPO will be best positioned to invoke the privilege in response to a supervisory authority investigation.
What is the attorney-client privilege?
In the United States, the attorney-client privilege is, at its heart, a rule of evidence that protects the secrecy of certain communications between lawyers and their clients. Specifically, the privilege protects confidential communications between a lawyer and their client made for the purpose of obtaining or providing legal advice or services. Each of these emphasized terms is significant:
- Confidential: The communication must be made with an expectation of confidentiality between the lawyer and the client. In practice, this generally means that there should be no wide distribution (such as to an entire company’s workforce) or additional third parties present to the communication. Note, however, that certain third parties may still be within the scope of the privilege if their role is to facilitate legal advice (such as an interpreter).
- Lawyer: As the name of the privilege suggests, there must be an attorney involved for the attorney-client privilege to apply. There are nuances to this rule. For example, agents of the lawyer, such as secretaries, may still be covered by the privilege. But if there is no attorney involved, there will not be a credible application of the privilege.
- Legal advice or services: The communication must be for the purpose of legal advice or services. This is a two-way street: it can be the lawyer providing advice to the client, or it can be the client seeking advice from the lawyer. Some of the more challenging aspects of this requirement relate to the line between legal advice versus business advice. The privilege only protects legal advice.
The privilege is not absolute and there are certain exceptions. For example, the privilege will not apply if someone seeks advice from a lawyer to commit a crime or fraud.
Are DPOs covered by attorney-client privilege?
Multiple data privacy laws, including the European Union’s General Data Protection Regulation (GDPR), require organizations to appoint a DPO. Generally, DPOs must help their organizations maintain compliance with data privacy laws. They also have specific legal duties. (See A Comprehensive Guide to Data Protection Officers.)
For attorney-client privilege to apply to DPOs, certain threshold conditions must be met:
- The DPO should be an attorney. If not, an organization is unlikely to have a credible position that the privilege applies.
- The DPO’s advice should be expressed with an expectation of confidentiality. This generally means that third parties should not be included in communications. In addition, communications with DPOs should be limited to those who need to receive the information. It may also be helpful to mark communications as “confidential.” Although there is no hard-and-fast rule here, thoughtfully managing communications with DPOs can strengthen the position that the communications are intended to be confidential.
- The communications must be for the provision of legal advice, not business advice. This presents an interesting dilemma for the role of the DPO, who sits at an intersection of law and business. DPOs help businesses implement processes to comply with data privacy laws. At its heart, though, the role of a DPO is to manage legal compliance. DPOs are tasked with understanding laws, translating them into business processes, and monitoring business compliance. When performed by an attorney, this work is presumptively legal in nature.
Accordingly, there is at least a preliminary argument that the attorney-client privilege applies to the context of an attorney serving as a DPO. The analysis does not stop there, however. There are additional considerations unique to the role of the DPO which we will analyze in the following sections.
Does it matter if the DPO is external or internal?
The privilege could apply either way, but there is a stronger argument that it applies to an external DPO than an internal DPO.
Courts have traditionally found a stronger application of the attorney-client privilege to external counsel as compared to in-house counsel. This is because in-house counsel are often involved in (or at least copied on) business decisions that blur the lines between legal and business advice. External counsel, in comparison, are traditionally retained and used only for the provision of legal advice. And some jurisdictions (including in Europe) largely extend the legal privilege only to external counsel.
With that in mind, an organization will likely find it significantly easier to argue that their communications with a DPO are protected by attorney-client privilege when their DPO is an external attorney.
What about the DPO’s obligation to cooperate with supervisory authorities?
DPOs don’t just provide advice to organizations regarding data privacy compliance; they must also cooperate with supervisory authorities. This obligation potentially impacts their ability to preserve the confidentiality of communications with the organization. And without confidentiality, the privilege does not apply.
This raises the question: what exactly does it mean for a DPO to have to cooperate with supervisory authorities? If a supervisory authority asks for it, do they have to reveal the advice they provided to an organization (or the advice the organization sought)?
There is no clear answer to this question, but some textual clues alongside guidance from the European Data Protection Board (EDPB) offer some insights. The EDPB guidance construes the cooperation requirement as one that helps facilitate access by the supervisory authority to the organization’s documents and information. In other words, the DPO acts as the “contact point” so that a supervisory authority knows who to reach with any inquiries.
Significantly, Article 38.5 of the GDPR states that “[t]he data protection officer shall be bound by secrecy or confidentiality concerning the performance of his or her tasks, in accordance with Union or Member State law.” The EDPB reiterates this rule in its guidance.
Read together, this suggests that the DPO must be a liaison between the supervisory authority and organization, but is not required to disclose information that would otherwise be protected by secrecy or confidentiality protections under the law.
Accordingly, if a supervisory authority requested a DPO to reveal its communications with the organization, attorney-client privilege could be invoked to protect against disclosure of such information.
What about multijurisdictional considerations?
There are also complex multijurisdictional questions at issue. Take, for example, a U.S.-based company that expands into Europe and appoints an external attorney as their DPO to comply with the GDPR. In the U.S., communications with that attorney would be protected by attorney-client privilege to the extent analyzed above. But a supervisory authority seeking information from the DPO will not be in the U.S. And the GDPR protections regarding secrecy or confidentiality “in accordance with Union or Member State law” would not apply to the U.S., given that the U.S. is not a member state. A supervisory authority could therefore potentially argue that U.S. legal privileges are not applicable to their inquiry – and perhaps that any such equivalent privilege in their own jurisdiction is not as robust or as expansive as the U.S. privilege.
This is a gray area that could turn on legal choice-of-law considerations as well as factual circumstances such as the nature of the investigation, the information requested, and the information sought to be withheld from disclosure.
The best path an organization can take to strengthen its position in this context is to heed the guidance above: appoint an external DPO who is an attorney; demonstrate that communications with the DPO were intended to be confidential; and assert that such communications were provided for the specific purpose of obtaining or receiving legal advice. Armed with these facts, the organization will have at least a plausible argument that such communications should be protected from disclosure.
If you are an organization that would like to appoint experienced outside attorneys as your DPO, VeraSafe can help.
Related topics: US Privacy Laws, EU Privacy Laws, Compliance Tools and Advice
You may also like:
EU Digital Services Act: Role of the Legal Representative
CIPA vs. Chatbots: Can Websites Be Sued for Eavesdropping?
Accidental Data Breach? Misdirected Emails Can Land You in Hot Water