Trust services providers struggle with data protection legislation

Trust services providers can potentially face enormous difficulties when complying with data requests under Europe’s data protection legislation, which gives individuals the right to ask for information held about them by third parties.

Especially in the trust context, an individual’s right for information may run counter to long-standing common law principles about the disclosure of trust information.

In contrast to discovery in litigation, this type of data gathering is also new to trust services providers. As the types of data requested are much wider, the costs of compliance quickly escalate. At the same time, the penalties for non-compliance are harsh.

To complicate matters, subjects access requests are frequently made as fishing expeditions to provide ammunition for potential litigation, trust professionals heard at the Mourant Trust and Private Client Conference in October.

While a trustee must account to the beneficiaries for the administration of the trust, trustees have typically a wide discretion to refuse information requests by beneficiaries, albeit under the supervision of the court.

Not surprisingly, this often leads to disputes and can be the first stage in a beneficiary campaign to hold trustees to account for their conduct.

The introduction of the EU General Data Protection Regulation has highlighted the tension in the area of trust documentation.

Under the European regulation, personal information held by organizations must be accurate and can only be used for the purpose to which the individual agrees. It also gives individuals the right to make data subject access requests for all information that a third party holds on them.

In a case in the Bahamas, in which beneficiaries requested personal information held about them from the British law firm acting for a Bahamian trust, a court found in favor of the data protection laws over the common law.

The law firm could not rely on legal privilege arguments because the trustee had used trust funds to pay for legal advice. The fact that the exercise of complying with the data request was very onerous was also rejected by the court because the law firm had not detailed how extensive the effort would be in practice.

The ulterior motive of the beneficiaries to use the information in ongoing litigation was also considered irrelevant by the court.

However, a new version of the data protection legislation has since recast the legal professional privilege exemption and it is likely that the case would see a different outcome today, panelists at the trust conference said.

The relationship between a lawyer and a client is always likely to give rise to a duty of confidentiality, said Suzanne Marriott, partner at law firm Charles Russell Speechlys in London.

“But, in order to have confidential information, it has to be sufficiently certain and it has to be of limited availability to the public,” she said.

Where a trustee has a record of fact that one beneficiary should receive a contribution instead of another, the trustee might be obligated to disclose that information.

The Cayman Islands’ new Data Protection Law that will come into force in 2019 includes a carve-out which should prevent requests by beneficiaries for trust information. Various jurisdictions have similar statutory provisions protecting the information held by trustees.

But those protections are still at risk of being undermined because subject access requests can be made to U.K. professionals and anyone advising the trustee.

In contrast to the typically quite specific information disclosure in proceedings, subject access requests for personal data are almost random and the information is completely different, said Marriott.

As a result, the requests are “incredibly onerous in terms of money and time,” she said, referring to an example that cost her firm more than $150,000 to comply with.

To ensure that firms do not have to foot the bill, they will likely need to amend their engagement letters and terms of business. Insurance is unlikely to cover it, unless it is specifically tailored to data requests.

Service providers will have to think about how they store data to make it searchable and what types of information they record.

The logistics of complying with data requests can be horrendous, the British lawyer said. “What it showed us is how to record and store data, because that needs to change hugely from how we are doing it to date.”

For instance, drafts, notebooks, handwritten notes and scribbles are very difficult to search against.

And legal advice, strategy and instructions should be kept separate and not included in the same email to make it easier to carve out information and documents that qualify for exemptions, she advised.

Law firms need to be particularly aware that the personal data requests can unearth nuggets of information that can be valuable in litigation. And if proceedings are going on at the same time, they can be used as a tool to frustrate the process and “take people off the day job,” Marriott said.

The data protection rules have provoked a reconsideration of the adage that law firms should record everything, she concluded. “Don’t record as much as you think.”