What privacy issues arise when legal apps are used by the public? What are current best practices for safeguarding privacy interests when developing legal apps? What do developers think? What challenges arise in developing privacy best practices for legal apps?
Along with my colleagues Suzanne Bouclin, Jena McGill and Teresa Scassa, I recently completed a project that tried to answer these questions. A pre-print version of the peer-reviewed article that discusses this project at length can be found here. This column will provide highlights of the discussion contained in that article.
We were inspired to develop privacy best practices for legal apps intended to be used by the public (which we call “Direct-to-Public” or “DTP” legal apps) after three members of our research team (Professors Bouclin, McGill and I) completed research identifying privacy risks as a key, largely under-studied, concern in relation to legal apps (full report here, summary article here).
In our view, DTP legal apps raise unique and pressing privacy risks for their users, including:
- a danger that the public will believe that their personal information is protected by solicitor-client privilege when in fact, it is not;
- the fact that legal apps, like health apps, often collect particularly sensitive information (in some cases, the fact that an individual is even using a legal app – like a divorce app or a criminal pardon app – may be sensitive information); and
- the fact that personal information collected by many legal apps may be of particular interest to commercial third parties (for example, as we noted in the article, “real estate agents may want to obtain the contact information of individuals getting divorced or who are planning to immigrate to Canada; financial planners may want gather similar information for those drafting wills; and criminal defence lawyers could benefit from targeted advertising to individuals who have been recently detained by police.”)
Notwithstanding these risks, our previous research identified a total lack of privacy best practices for developing DTP legal apps.
In 2016, the federal Office of the Privacy Commissioner issued a call for proposals for those interested in developing sector-specific guidance for compliance with privacy obligations. We put in an application as we saw this as a good opportunity to continue our research on privacy issues and legal apps. In 2017, we were fortunate to receive funding to undertake this project.
Privacy Best Practices for Legal Apps
Our final report, Improving Privacy Practices for Legal Apps: A Best Practices Guide, can be found as an Appendix to our article.
The first part of the report is structured around providing answers to the following 12 questions:
- Will PIPEDA apply to my legal app?
- What makes legal apps different from other apps for privacy purposes?
- What is Privacy by Design and what does it mean for legal apps?
- What do I need to consider if I build my app on a pre-existing platform or if I use third-party code?
- Are there limits to what personal information I can collect, and if so, what are they?
- Do I need consent from users to collect, use or disclose their personal information?
- How should I obtain consent for the collection, use or disclosure of personal information through my legal app?
- How long can I keep the personal information I have collected through my app?
- What is data localization and does it matter for legal apps?
- What are my data security obligations for personal information collected by my legal app?
- What are the consequences to me and my organization if we do not comply with PIPEDA?
These questions and answers are then followed by a Developers’ Checklist.
As the list above makes clear, our best practices focus on the issue of compliance with PIPEDA, the federally-enacted data protection statute that applies to the collection, use and disclosure of personal information in the course of private sector commercial activity in most of Canada. Our focus on PIPEDA reflects the fact that the source of funding for this project was the federal Office of the Privacy Commissioner which is charged with, among other things, overseeing compliance with PIPEDA. Our article discusses how structuring the best practices through the lens of PIPEDA shaped our final product. That said, even if PIPEDA does not apply to a particular legal app in a given context, we believe that our best practices guide is nonethetless useful to app developers by pointing them towards privacy-protective measures that can attract users and reduce their exposure to the negative consequences associated with privacy breaches.
In preparing our best practices, we sought out developer feedback through a variety of means. In October 2017, we held an invited workshop which included a number of legal app developers as well as privacy experts, legal academics, and policy professionals. We also consulted one-on-one with several developers. Some of the major points of feedback we received from legal app developers include:
- As a general matter, there is little discussion about data regulation and privacy compliance in legal innovation spaces. It was suggested to us that this is likely due to: (1) lack of awareness; and (2) the emerging nature of the “industry”, which often involves developing with small teams under tight timelines and budget constraints;
- Legal app developers have significant concerns about privacy compliance guidance creating more barriers to entry and potentially “chilling” innovation;
- Privacy best practices and/or checklists were suggested as useful formats because developers often had no idea where to start on issues of privacy and security when building their apps;
- It was repeatedly emphasized that usability would be a key determinant in whether legal app developers would consider guidance on privacy compliance. We were warned against preparing any materials that were too long or overly detailed;
- We were told that it would be useful to implement incentives – like, for example, trust marks or certification – for developer adoption of privacy best practices; and
- Some developers expressed concern about a lack of clarity from Canadian law societies regarding their regulatory approach to legal apps and told us that this operated as a significant disincentive to innovation because people were worried about potential investigations for unauthorized practice of law.
The format of our final report – a series of “entry level” questions and answers regarding important privacy principles followed by a checklist – was a direct result of the feedback that we received from developers.
Challenges in Developing Privacy Best Practices for Legal Apps
We identified and experienced several challenges in developing best practices for DTP legal apps. Here, I will highlight three of the key challenges discussed in greater length in the full article:
- Currently, the provision of DTP legal apps in Canada is generally characterized by: (1) a diffuse and largely uncoordinated set of smaller developers; (2) significant diversity in tool functionality; and (3) instability and rapid development in what is being offered to the public. This creates a challenge in obtaining “industry buy-in” for any set of best practices. It also generates a tension between creating guidance that has sufficiently meaningful detail and which is also broadly applicable and capable of being adopted “sector-wide”. These features are one other major reason (in addition to developer feedback) that we chose to present best practices to developers as opposed to a prescriptive code of requirements;
- In many cases, the line between the user and the app developer, in terms of information collection, use and disclosure, is neither straight nor necessarily clear. A specific concern we identified is that certain third-party tools which developers may use to ease the development process or facilitate revenue generation may collect personal information from users in a manner that is not disclosed to users or, in some cases, not even understood by the developers themselves.
- The fact that DTP legal apps intersect not only with privacy regulation and regulators but also, potentially, with legal services regulation and regulators generates a discrete set of challenges. One particular challenge we identified is the current lack of clarity in Canada as to when law societies can and should exercise jurisdiction over DTP legal apps. With respect to the issue of voluntary compliance with best practices backed by a certification regime, the current regulatory environment raises a number of questions about who or what entity is best placed to administer such a regime.
The goal of this column was to introduce you to our project that developed privacy best practices for DTP legal apps. It is our hope that by not only sharing our final product with the public, but also sharing some of the observations and questions that arose along the way, we are able to provide the foundation for future initiatives relating to the optimal provision of DTP legal apps in Canada, and inspire further study and conversation on the topic.