Ethics Charter for an Online Legal Market and its Actors
This Charter, prepared under the auspices of the ADIJ (Association pour le développement de l’informatique juridique [Association for the Development of Legal Data Processing]) and Open Law*, an association dedicated to bringing innovation and openness to the legal sector, proposes a set of rules aimed at providing all law end-users with guarantees of competence, confidentiality and responsibility, designed to stimulate innovation within the Legal Tech industry (referred to herein as “Legal Tech”) within a framework which is harmonious and respectful towards the diversity of actors while reinforcing the public’s trust in its products and services.
In order to facilitate access to law and to justice, the Signatories agree that law and justice demand a special level of ethical behaviour in the interest of citizens and respect for the rule of law. They also recognize the need for healthy competition for the development of the sector.
With this in mind, the Charter embodies its Signatories’ commitment to contribute to both the promotion of new technologies and to the quality of the transition to these new technologies, in particular, by committing to:
- The quality of service that economic actors using Legal Tech services can expect,
- Compliance with obligations pertaining to security and confidentiality,
- Respect for the scope of action of each profession,
- Responsible behaviour of Legal Tech actors.
Article 1 – Definition and Scope of Application
Any organization that uses technology to develop, offer or provide products or services related to law and to justice, or enabling access of law end-users, both professional and non-professional, to such products or services, is an actor of Legal Tech intended to respect, and to sign, this Charter.
Legal professionals who engage in a similar activity may also be Signatories of this Charter, although it shall not in any way prevail over compliance with their professional and deontological obligations.
Article 2 – Protection of Client Interests
The Signatories of this Charter undertake to act, as a matter of priority, in the interest of the end clients for the benefit of which their services and their technological solutions will be implemented. For this reason, they will have particular regard to:
- Ensure the security and confidentiality of the data and information of end-clients and of their records,
- Remain free of any potential conflict of interest,
- Ensure, on a continuous basis, that the services rendered comply with applicable substantive law,
- Provide clients with fair, clear and transparent information about the nature of the services delivered, their performance and risk of error, their cost and their compliance with the law.
They also undertake to impose the same obligations on their partners and subcontractors whose services could be requested to carry out the processing of their clients’ data.
Where the offered services include the provision of intermediation services, within the meaning of article L. 111-7 of the French Consumer Code, the concerned Signatories must also comply with the obligations of consumer loyalty and information provided for in such article.
Article 3 – Security and Confidentiality
The Signatories agree that the data and information of the end-clients entrusted to them cannot be stored, exchanged or processed outside of an appropriate and secure framework. As a result, they put into place the necessary technical measures of security and confidentiality to comply with this undertaking, in order to ensure a relevant level of security and confidentiality of the user’s data and information concerning its products or services. To this end, they comply with the security and confidentiality recommendations stated in the security annex to this Charter. They are able to provide evidence of such compliance at any time.
Subject to implementing these means of security, the data pertaining to the use of their online services may be used for the purpose of improving the service, provided that it is anonymized and that it can be deleted upon request. Consequently, all technical provisions allowing such deletion, in particular through an identification system, must be put into place.
The Signatories recognize the absolute necessity in a state that is subject to the rule of law to guarantee professional secrecy and ensure the confidentiality of their exchanges with their clients, by not disclosing the information entrusted to them, unless the law requires or authorizes them to do so.
Article 4 – Conflicts of Interest
The Signatories shall refrain from interfering in situations of conflict of interest, and notably:
- Working directly or indirectly for several end-clients who are in dispute with each other,
- Any situation where the actor, because of its position or prior services delivered, would hold confidential information concerning a person that could affect the way it deals with another person’s situation, or more generally that could compromise the neutrality of its services.
In their dealings with the other Legal Tech actors as well as with legal professionals, the Signatories undertake to perform a prior verification of potential risks of conflicts of interest, before engaging in any collaboration or partnership.
Article 5 – Compliance with Substantive Law
The Signatories undertake to take all necessary measures so that their activities comply with applicable law, and in particular with the relevant provisions of the Consumer Code, the Commerce Code, the Electronic Communications Code and the Code of Intellectual Property, as well as the law on the protection of personal data.
The Signatories undertake to develop and deliver their services, concerning directly or indirectly the management of litigation or pre-litigation proceedings, in strict compliance with the legal provisions applicable to each type of proceeding, notably the right to a fair trial.
Article 6 – Fair, Clear and Transparent Information
The Signatories undertake to provide all non-confidential information which would allow the beneficiary of the service to understand its essential components, and notably whether it is performed personally by the actor, or by a third party subcontractor, in part or in full, or if it integrates the use of an algorithm.
In the latter case, they shall explain the role of such algorithm, and provide the relevant information required to understand the results of its processing. They also provide a breakdown of the various elements of the service and its cost, and more generally indicate how the price is set.
The Signatories undertake to inform the user about the products and services that they provide, about their adequacy to the user’s needs, notably with regards to their performance and risk of error. In particular, in the event of legal data processing through algorithms, the user’s attention must be called to the fact that these are only tools to assist decision-making, and that a decision should only be taken after a complete assessment of the situation, with regards to its specificities.
Article 7 – Civil Professional Liability
The Signatories undertake to subscribe to professional civil liability insurance adapted to their activities in order to guarantee against, and compensate for, damages which their activities may cause, both in respect of technical services and consultancy services.
Article 8 – Collaborative Work / Fair and Healthy Competition
The Signatories undertake to put their skills at the service of innovation and to foster open and collaborative exchanges among themselves, in order to promote to the best of their respective possibilities, the development of Legal Tech services and related technologies.
They also undertake to maintain fair cooperative or competitive relationships with the other Legal Tech actors as well as with all the legal professionals.
They support new Signatories to the Charter where possible, guiding them in the implementation thereof.
Article 9 – Relation with Regulated Professions
The Signatories undertake to respect the scope of intervention of regulated professions of the law as defined by their respective status.
Those Signatories who, through their activities, are required to provide services to regulated professions undertake to comply with the essential principles and to the ethics governing the professions of their clients.
In particular, the Signatories undertake, for any provision of online services involving members of regulated professions, to implement means enabling the identification of the client, the possibility of ensuring the absence of any conflict of interest as well as a separate cash collection process.
More generally, the reciprocal collaboration between Legal Techs and law professionals must be carried out in a balanced manner between them and transparent towards the clients.
Article 10 – Monitoring the Application of the Charter
The Signatories agree that adhesion to the Charter implies a voluntary approach to the implementation of the commitments it contains, as well as regular monitoring and evaluation of the measures taken to that effect, to constantly improve their practices.
They therefore undertake to regularly establish a statement of the actions taken under the Charter, as well as a review of the fulfilment of the commitments made, explaining, if necessary, why some of these commitments could not be fulfilled. On the basis of this review, an action plan can be established to further satisfy the commitments made, or to go beyond such commitments if they are all satisfied.
At each actor’s discretion, these documents along with any information on the practices enforced, can be shared, on a website for this purpose, between the Signatories of the Charter.
CLIENT RELATIONS ANNEX
By signing the Ethics Charter for an Online Legal Market and its Actors (“the Charter”), the Signatories underline their commitment to promote quality client relationships in order to guarantee the development of the legal market and public trust. They undertake to implement the following principles for the benefit of the clients:
- Quality of service
- User-path simplicity
- Compliance with response times
- Client relations service
- Duty to provide appropriate information
The Signatories reaffirm their conviction that the relationship of trust between the actors of the online law market and their clients can be considerably strengthened by the adoption and application of these principles.
The Signatories undertake to provide advice and assistance to deliver to clients and users quality service along with the relevant information for decision-making.
Client satisfaction is the priority and must guide all actions and processes.
Article 1 – Scope of Application
Any person signing or stating its compliance with the Charter undertakes to, notably, implement the means necessary to adopt and apply the principles laid down in this annex.
Article 2 – Quality of Goods and Services and Continuous Improvement
The Signatories undertake to offer quality products and services. Towards this purpose:
- They ensure that they have the support of competent professionals and subcontractors;
- They implement continuous processes for improvement in product design and manufacturing and quality of service;
- They ensure, in the development of software solutions, that such continuous improvement relates in particular to the smooth operation of the software solution with regard to the specifics advertised.
Article 3 – Simplicity of the User-path
The Signatories acknowledge that the simplicity of the user-path is, for their clients, a significant advantage for the development of the online legal market. They therefore strive to implement the relevant means to facilitate and continuously improve the user-path.
Article 4 – Compliance with Response Times
The Signatories ensure that they offer reasonable response times both in respect of the delivery of their products or services and in the event of difficulties in accessing the service or a malfunction.
Article 5 – Transparency
Aware that clients need clear and complete information, particularly with regard to prices, services and products, the Signatories undertake to exercise full transparency in this respect.
In particular, the Signatories:
- Adopt a clear pricing policy;
- Specify, in an exhaustive manner, the details of each service, the specifications of each product and the delivery times;
- Provide an easily accessible entry point for any complaint;
- Provide the client with clear information regarding access to the entry point for potential complaints.
Article 6 – Client Relations Service
The Signatories offer their clients a client relations service to respond efficiently and promptly to any support request and to allow the clients to express and deal with possible dissatisfaction, in order to ensure the continuous improvement of products and services.
Article 7 – Duty of Information
The Signatories ensure that they offer formalized, simple and complete information to their clients for all of the points referred to in this annex. They ensure that the information is easily accessible and understandable.
SECURITY ANNEX
By signing the Ethics Charter for an Online Legal Market and its Actors, the Signatories underline their commitment to information security. They undertake to implement the security provisions of this Annex.
This annex was developed by the ADIJ and OPEN LAW associations. It notably complies with:
- The various guides of good practices formalized by the ANSSI (Agence Nationale de la Sécurité des Systèmes d’Information [National Cybersecurity Agency of France]),
- The Guide of Best Practices for Computing by the CGPME.
This annex to the Charter aims to establish public trust, including from the informed public, in the Signatories’ products and services and contribute to both the quality of the transition to new technologies and the promotion of these technologies.
The Signatories reaffirm their conviction that online legal services cannot develop without a clear set of rules of best practices, which represent both a necessary minimum standard and a specific guarantee for clients and partners of the Signatories.
Article 1 – Scope of Application
Anyone signing, or stating their compliance with, the Ethics Charter undertakes to comply with the rules established in this annex.
The Signatories are aware that threats to information systems are numerous and in constant evolution and that this fact warrants the adoption of a security-oriented attitude towards their technology.
Article 2 – In-depth Security Principle
The Signatories undertake to institute security covering all aspects of their organization: human, organizational and technical.
This Charter offers a minimum level of security, based on best practices established by the leading organizations and in line with the sensitivity of the processed data and the strict obligations of Professional Secrecy which apply to law professionals.
To ensure an in-depth defense, the Signatories undertake to appoint a “Security Referent” within their organization, whose mission is to coordinate and ensure compliance with the security recommendations of this annex.
Article 3 – Compliance with the Legal and Regulatory Framework
The Signatories confirm that they comply with applicable regulations, including the Computing Systems and Freedom Act, the Law of 5 January 1998 known as the “Godfrain Act”, general security standards, protection of “IT assets”, intellectual property and Professional Secrecy obligations.
The Signatories also undertake to comply with the provisions of the EU Regulation No. 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market.
Article 4 – Security Monitoring
Signatories undertake to establish the monitoring of new threats to Information Systems in the context of their business.
The “Security Referent” of the Signatories shall subscribe, at least, to the CERT-FR alerts to stay informed of new vulnerabilities affecting their information systems.
The “Security Referent” ensures processing of identified vulnerabilities.
Article 5 – Classification and Handling of Information
The Signatories undertake to classify the various types of information they handle according to their degree of confidentiality and to implement a sensitive data processing policy to best guarantee its confidentiality. This policy should specify how data is stored, deleted and transferred, and who has access to it, depending on its classification.
Any user data processed for purposes other than those for which it was provided (tests, statistics, etc.) must be anonymized beforehand.
Article 6 – Logical Access Management
The Signatories undertake to establish appropriate processes to ensure secured access to organizational resources.
1. A password policy should be implemented:
- Passwords must be robust: a minimum of 8 characters (uppercase, lowercase, numbers and special characters). Administrator accounts shall have 12-character passwords;
- Passwords should be changed every three months at least;
- Passwords are non-transferable and personal;
- Passwords are stored in an encrypted form;
- Using a password safe is moreover recommended.
2. Access rights must be regularly reviewed: dormant accounts, or accounts belonging to former staff of the organization, must be systematically disabled. Access reviews must be performed at least once per year.
3. Connections to an information system should comply with state-of-the-art practices, as stated in ANSSI’s guides and the Guide des Bonnes Pratiques de l’Informatique [Guide of Best Practices for Computing] (ANSSI and CGPME).
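The two checks below turn the password rules of point 1 and the access-review rule of point 2 into code a Security Referent could run against an account export. This is an added example, not code from the Charter or its authors; it assumes `string.punctuation` as the set of special characters, reads the 12-character administrator rule as a minimum, and uses a 90-day dormancy threshold that the annex does not fix.

```python
"""Added example for Article 6 of the security annex (not the Charter's own code).
Assumptions: special characters = string.punctuation; "three months" = 90 days;
an account is dormant after DORMANT_DAYS without login (value not set by the annex)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional
import string

MIN_LEN_USER, MIN_LEN_ADMIN = 8, 12   # annex: 8 characters, 12 for administrators
ROTATION_DAYS = 90                    # "changed every three months at least"
DORMANT_DAYS = 90                     # assumed placeholder; the annex gives no figure


def password_violations(password: str, is_admin: bool,
                        last_changed: date, today: date) -> List[str]:
    """Return the Article 6 point 1 rules a password breaks (empty list = compliant)."""
    problems = []
    min_len = MIN_LEN_ADMIN if is_admin else MIN_LEN_USER
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    # All four character classes named in the annex must be present.
    classes = {
        "uppercase": any(c.isupper() for c in password),
        "lowercase": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special": any(c in string.punctuation for c in password),
    }
    problems += [f"no {name} character" for name, ok in classes.items() if not ok]
    if (today - last_changed).days > ROTATION_DAYS:
        problems.append("older than three months")
    return problems


@dataclass
class Account:
    login: str
    active_employee: bool          # False once the person has left the organization
    last_login: Optional[date]     # None: the account has never been used


def accounts_to_disable(accounts: List[Account], today: date) -> List[str]:
    """Article 6 point 2: former-staff and dormant accounts are to be disabled."""
    cutoff = today - timedelta(days=DORMANT_DAYS)
    flagged = []
    for acct in accounts:
        if not acct.active_employee:
            flagged.append(acct.login)                      # former staff
        elif acct.last_login is None or acct.last_login < cutoff:
            flagged.append(acct.login)                      # dormant
    return flagged


if __name__ == "__main__":
    today = date(2024, 6, 1)
    print(password_violations("Tr0ub4dor&3", True, date(2024, 5, 1), today))
    sample = [Account("alice", True, today), Account("bob", False, today),
              Account("carol", True, None), Account("dave", True, date(2024, 2, 1))]
    print(accounts_to_disable(sample, today))
```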
Article 7 – Data Storage
Data must be stored in an encrypted form and in secure facilities. The encryption protocol should be robust; a 256-bit SSL encryption is recommended. The duration of storage and reprocessing of data must comply with applicable regulations.
Data files and any modification of their perimeter must be notified to the CNIL in accordance with the law.
Article 8 – Back-up and Restoration
Signatories undertake to back up their data at a frequency that they shall determine with regard to the needs of their users. Backups must be encrypted.
Restoration tests should be performed to ensure the proper preservation of data entrusted by users.
Article 9 – Secure Development
Application development should comply with the most recent secure development standards. Open source development is moreover recommended.
The development of web applications should comply with the OWASP ASVS standard. The ASVS Level (1 to 3) shall be representative of the sensitivity of the data that are to be processed through the web application.
It is also recommended to perform intrusion tests and code audits on a yearly basis or after each significant update of the application.
Article 10 – Logging and Monitoring
Event logs must be stored and protected against the risk of tampering or unauthorized access. These logs must be kept for a duration of at least six months, unless more strict applicable regulations provide otherwise.
Article 11 – Protection against Malware
Signatories undertake to implement an anti-malware policy.
In accordance with the in-depth defense principle, various filtering mechanisms must be implemented: firewalls, proxies, antivirus, etc.
Article 12 – Security Principles regarding Third Parties
All contracts signed with third parties must bind that party to the same security provisions regarding the processing, storage, transfer of, and access to, data as the Signatory.
The Signatory should also include in the annex a right to audit the third party to ensure that it is in compliance with its data security obligations.
Article 13 – Data Transfer
Data transfers through web applications must be secured through SSL encryption.
Article 14 – Continuous Improvement and Activity Report
The Signatories undertake to continuously improve the security of their information systems.
They state all measures implemented to guarantee the security of client data that they process and of their information systems in a yearly report. Where applicable, the report indicates the improvements added since the previous year.