Deidentified information is defined within the CCPA to mean “information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer, provided that a business that uses deidentified information:

  1. Has implemented technical safeguards that prohibit reidentification of the consumer to whom the information

A law firm will most likely be considered a controller when processing personal data from third parties as part of a representation of a client (e.g., when collecting information from a witness).

While it is theoretically possible that a law firm may function as a processor by collecting personal data from a third party on

A joint controller is defined within the GDPR as “two or more controllers” that “jointly determine the purposes and means of processing.”[1]

There is considerable ambiguity surrounding what it means to “jointly determine” the purpose and means of processing. Legal professional organizations in some countries have indicated that barristers and solicitors rarely function as

A joint controller is defined within the GDPR as “two or more controllers” that “jointly determine the purposes and means of processing.”[1]

There is considerable ambiguity surrounding what it means to “jointly determine” the purpose and means of processing. While regulatory authorities have not offered guidance as to whether the term does, or does

It depends.

Many lawyers (and clients) incorrectly assume that attorneys must be processors because they are service providers of their clients. In some situations, a service provider has a role in determining the purposes and means of processing; when that occurs the service provider is, like its client, considered a “controller” or a “joint controller.”