US law firms – especially immigration lawyers – dealing with EU data subject be shall be mindful of future privacy changes


On May 2018, Regulation (EU) 2016/679, on the Protection of Natural Persons with Regard to the Processing of personal Data and on the Free Movement of Such Data, and repealing Directive 95/46/EC (General Data Protection Regulation, in short “GDPR”), will enter into force.

The good thing is that starting from that date, the EU will have one data protection law instead of 28.

However, American law firms that don’t have an office in Europe shall need about to be compliant with this new piece of legislation. The GDPR territorial scope of application goes in fact far beyond the EU borders. Article 3, GDPR, dictates that the GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing takes place in the Union or not. In addition, the GDPR applies to the processing of personal data also if the controller is not located in the EU but offers goods or services to data subjects in the EU or it monitors data subjects in the EU. More on the new scope of application of EU data protection law is available here.

The following definitions may be helpful to understand whether the GDPR applies to your organization.

Article 4, GDPR, defines as personal data “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

The controller is the natural or legal person, agency or other body which “determines the purposes and means of the processing of personal data”.

The processor is a natural or legal person, agency or other body “which processes personal data on behalf of the controller.”

Personal data are processed when they undergo any operation performed on personal data, “such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”

Generally speaking law firms fall within the definition of controllers of personal data and if they deal with the personal data of EU clients, they shall start worrying about GDPR compliance. Considering their highly international clientele, immigration lawyers should  start thinking about the consequences that the EU regulation may have on their practice. Also, the type of immigration software that immigration lawyers use and the agreement binding lawyer, client and service provider shall be carefully considered.

One of the reason to worry about compliance is that, depending on the GDPR’s rule that the firm breaches, infringement may result in a fine up to “10 000 000 EUR [or 20 000 000 EUR] or in the case of an undertaking, up to 2 % [or 4%] of the total worldwide annual turnover of the preceding financial year, whichever is higher.”

To avoid incurring in those fines, law firms under the GDPR’s scope of application shall make sure that all processing activities in which they act as controllers are lawful and fair.

Processing is lawful if the personal data is processed on the basis of the data subject consent (or of other legitimate basis), including compliance with the legal or contractual obligations to which the controller is subject. In particular, the GDPR provides for strengthened privacy obligations, which include the right of the data subject to:

  • be informed of the collection and processing of data. Controllers shall provide to data subjects certain information so that data subjects understand which data are processed and how. For example, are your clients aware of which data your firm collects and how and where this data is processed? Are they aware of any third party processing their data? How does your firm record consent and changes of preferences?
  • access the data and rectify errors. Does your firm keep all of its data in one place? Could you easily access the data so as to provide access to your clients? How long would it take you to comply?
  • erasure, or restrict processing. Data subjects have the right to know how their data is stored, and what it’s being used for (data minimisation). How long does your firm retain the personal data for? How long does your processor retain them for? Does your firm unlawfully hold data that it should delete right away?
  • ensure data portability. More on Data portability is available here. Is your firm able to provide the data subject with her information upon request? How do the third party service providers you use relate to this duty?
  • object to the collection of data. Who should decide which data should be deleted, or not: the law firm or the client?

For more information on the key aspects of the GDPR, see here.


For law firms – immigration law firms especially – all the mentioned points may present a problem when the firm acts as a controller, as well as when it relates to third parties service providers acting as data processors.


Hopefully this need of reorganization will push lawyers to build a more efficient data processing system and will translate in immigration softwares that are more user friendly.

More information on the GDPR is available at


See also our article Privacy Shield officially adopted by the EU Commission … but American organizations “targeting Europe” might want to consider whether GDPR compliance would make


For more information on the step your law firm may want to take to comply with privacy regulation, contact Francesca Giannoni-Crystal   and Federica Romanelli