“When all you have is a legal education, everything looks like a contract”


Dear lawyers

The rule of law and principles of justice are the foundation of civilised society. Thank you for doing your part to prevent us from sinking into Hobbesian savagery. Getting a legal education and licence to practice is clearly a long, arduous and expensive process. Well done you, for coming out the other end with a job.


Seriously. A legal education and a quick scan of the text of the GDPR do not make you a privacy expert. It may equip you to start out on your privacy expertise journey with a bit of an advantage, but it certainly doesn’t confer god-like powers of acumen and omniscience on your data protection pronouncements. And yet, people will treat you as though it does, because ‘lawyer’. You are in a position of responsibility, and your professional obligations include the duty to refrain from giving advice you are not professionally competent to provide, no matter how lucrative the opportunity or how clever and powerful it makes you feel.

Even if you’ve studied privacy law in depth and detail, you should probably avoid the temptation to offer your services as an adviser on operational matters. You may not have the business experience, the tech knowledge, the communication skills or the risk management discipline necessary to do the job adequately. Your legal background is also likely to skew your assessments of risk in favour of ‘legally-defensible’ rather than ‘protecting rights and freedoms’. This does your clients and their data subjects no favours at all.

Obviously there are lawyers who do have real data protection expertise, operational (not just legal) experience, who know how to get stuff done in a business-as-usual context, and who can reliably assess ‘what stuff, when and how’. They are a tiny minority of your profession. They are not who this plea is aimed at.

As I’ve said in a previous post, I’m not advocating ‘remain in your lane’, but rather ‘don’t merge until you are up to speed’ (as the brilliant Sarah Clarke paraphrased so succinctly)

Much of the most egregious #GDPRubbish in circulation is spouted by lawyers who don’t realise how uninformed and unprepared they are (see: Dunning-Kruger Effect). Whether from a well-meaning General Counsel who read in an online article that consent is always required, or a contracts specialist within an organisation who believes that all third-party suppliers are only Processors because, well, it’s in the contracts, or a law firm desperate to cash in on the privacy gold rush; the degree of sheer nonsense being propagated by lawyers who think they know best is a disgrace to the profession as a whole. It’s got to the point where I always double-check data protection advice when I learn that it originated from lawyers – and in the large majority of cases, I find it to be at best, inadequate and misleading; and at worst, downright inaccurate.

Uninformed, inexpert data protection advice from negligent lawyers has cost organisations not only the money for fees but also the funds required to fix things when the errors are discovered. It fritters away their time, their effort and their will to do things properly. It has unnecessarily decimated databases and probably killed whole forests-worth of paperwork. It’s shocking.

My experience does not appear to be unusual – in fact, the hordes of lawyers who gave poor GDPR advice are being encouraged to make amends to their clients, for the damage they caused. We’ll see how that goes.

Your professional education has possibly primed you to view your objectives in terms of ‘winning’, or ‘closing’. Data protection isn’t like that. It doesn’t shut up and go away when you cite clauses at it, its purpose is not to provide you with clients, income, or prestige. It’s the protection of human rights, dignity and freedoms. You can’t do that with documents or clever semantic debate, no matter how hard you try (or how much you charge). Data protection advice is not a courtroom battle, you’re not looking to crush the data subject, but to help your clients understand and apply the law. You need to think differently about data protection than you would about contracts, criminal cases, or civil litigation. If you can’t do that – keep your beaks* out of it.

If you’re a lawyer getting interested in data protection then hurrah – I hope you enjoy this exciting, challenging, complex area of law. Now please keep your head down until you know a lot more than law school taught you. Things like….

A privacy notice is NOT A SODDING CONTRACT!! It should not look like, read like, or give the impression of being a contract. Privacy information is not a fig-leaf behind which the unsightly intimacies of data processing can be hidden, it’s a vehicle for the communication of important information about autonomy, rights, and responsibilities. It’s not an internal policy, nor is it the Ten Commandments. And it is most certainly not part of any Terms and Conditions. Using crafty euphemisms and ambiguous platitudes to dodge around telling data subjects what’s really going on might be clever lawyering, but it isn’t data protection. Privacy notices written by lawyers tend to be those which bear least resemblance to the legal obligation of transparency. Awkward.

You are probably one of the least suitable people to be a Data Protection Officer, especially if you already have a role in the organisation and even more so if that role is General Counsel. Apart from potentially lacking the professional attributes and experience described earlier, you also have a massive conflict of interest. As a lawyer, the organisation is your client. As a DPO, you have two ‘clients’ with often-opposing interests which you most balance – the organisation and the data subjects’ right and freedoms. Such conflicts of interest for a DPO role-holder are prohibited by the GDPR. If you’re an outsourced DPO, then either you need to have had a few years experience in the practical side of integrating data protection within an organisation, or you need to have a bloody good team of people around you who can make up for the deficiency. If you have neither, you are the Emperor’s new clothes and sooner or later, someone is going to see through you.

If you have never heard of e-Privacy law and can’t explain the differences between PECR Regulations 6 and 22, then you are absolutely not qualified to advise on the legality of email marketing tactics or cookie dialogues. Don’t.

If you are an intellectual property lawyer then you need to forget pretty much everything you have learned and start over with an open mind. There is no concept of ownership in data protection law, only individuals’ rights and organisational responsibilities. Arguing otherwise makes you look like a buffoon. Data is not property in the eyes of privacy law. Repeat this every night 100 times until it sinks in and your buffoonery quotient is reduced. Fundamental, statutory rights cannot be waived by contract. Arguing otherwise makes you look like an American (which isn’t inherently a bad thing, but is a fairly strong predictor that your understanding of European law is insufficient to rely on for good data protection advice. #NotAllAmericanLawyers, of course).

Contracts do not determine reality. They are not magic spells. Contracts are, in theory, supposed to reflect and document reality for future reference (nice theory, rarely found in practice). If a supplier is making their own decisions about why and what to do with the personal data they access or receive from their customers, then the supplier is a Data Controller no matter what the paperwork says. They may be processing the data unlawfully by repurposing it, but they are doing so as a Controller. Paying someone does not make them your bitch, and paying another company does not make them your Processor, unless they cannot deviate from your (clear, detailed) instructions without your permission.

The terms ‘personal data’, ‘processing’, and ‘data protection breach’, are defined in Article 4 of the GDPR. Read them. You don’t get to make up your own definitions just because your legal brain is bigger than those of the drafters’.

I’ve probably pissed off a lot of people by now, and if you’re one of them, then perhaps take a minute to examine why you are cross. Is it because the criticisms laid out here don’t apply to you? Great, forget about it. Is it because they do apply to you and you’re now feeling attacked and victimised? Please try to get over it. See this as a learning opportunity, not a telling-off. Prove me wrong, I’ll be delighted. Is it because I used rude words? In that case, do please bugger off and learn to distinguish signal from carrier wave.

If you do want to become an awesome data protection professional as well as a lawyer, then come on in, the water’s fine – but start at the shallow end and keep your water wings on or you’ll make a mess.

*see what I did there? I made a legal joke! Laugh, dammit

Tagged with: |

7 Replies to “Brief Encounters: an open letter to lawyers”

  1. As a retired lawyer (who had the fun of doing some lobbying back when the DPA 1984 was in gestation), I found this great fun. More power to your elbow.

    I think your notion of the purpose of contracts is a little off (they’re for structuring the risks of the future); but that’s a side issue.

  2. What a fantastic article, loved it. You make a fantastic, important point and I learned a some key bits of detail there too. Thank you.

  3. This is truly one of the most arrogant things I’ve ever read. What the lawyers understand that you appear not to is that in the law, property refers most accurately to legal rights, not to things. Data is quite clearly a personal property, as the GDPR allocates an exclusive bundle of rights to the data subject. Just because the word “property” doesn’t turn up in the legislation doesn’t mean data is not property. Instead of chastising well trained lawyers, perhaps it is you who needs to do some more homework: https://www.dummies.com/education/law/distinguish-between-real-property-and-personal-property/

    1. Oh dear! Well, first of all, thank you for proving my point so elegantly.

      Secondly, data protection law is based on human rights law; not ‘property’ law. One can say that personal data is ‘a property’, in the sense of ‘an attribute’; but that’s more of a semantic association than a legal one.
      By your argument, the word “shellfish” doesn’t appear in the GDPR either, but that doesn’t mean that data is not shellfish.

      Under European data protection law; personal data IS NOT PROPERTY, it’s a conduit to exercising power over natural persons, and as such requires regulation in order to protect those people’s human rights.

      I suggest you graduate to reading more advanced texts on the subject than ‘property law for dummies’. Maybe start here: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN#d1e1888-1-1

  4. Apples and oranges here.

    Paraphrasing slightly “Persona Data is a personal property right, as the GDPR allocates an exclusive bundle of rights to the data subject.” is something I would fully accept. Those rights are defined by reference to human rights law ( and a few other things).

    However that property right is not “ownership” in the same way as you “own” a car so the lawyer is wrong in asserting that the dummies article is of direct relevance. So basically I am with the OP in substance. There are many property rights less than ownership even in the field of “real” property.

    You wouldn’t let a pure “property lawyer” anywhere a complex IP dispute without experience, even though IP rights are perhaps closer to ownership as a concept than personal data rights

Comments are closed.