A lawyer who chooses a cloud tool without verifying it is not delegating a technical task alone. They remain responsible to the client — regardless of what the service contract says, regardless of where the servers are located.
That is the Barreau du Québec's position, set out in its guidance on cloud computing and information technology. These documents do not replace the Code of ethics. They apply it in a digital context.
What the Barreau expects from a firm
Before adopting a cloud tool, the Barreau expects a firm to:
- Assess risks before adoption, not after
- Protect professional secrecy and client file confidentiality
- Ensure the provider offers real contractual guarantees, not marketing promises
- Maintain control over data: access, export, destruction
Four points. One principle behind them: you never transfer responsibility, only execution.
Cloud computing and subcontracting
Entrusting files to a host is subcontracting. The Barreau is clear: responsibility stays with the lawyer, outsourced contract or not.
Due diligence does not stop at the signature. It applies to provider selection — and continues afterward, in ongoing monitoring.
« The lawyer remains responsible to the client, even when processing is outsourced. »
Recommended hosting approach
The Barreau does not recommend a specific provider. It recommends a logic: limit exposure to foreign data laws.
In practice, that means favouring hosting that escapes the CLOUD Act and similar legal frameworks — not because U.S. law specifically targets Quebec firms, but because a provider subject to that law may be compelled to disclose data, with or without the firm's consent.
This approach is distinct from product endorsement. It steers firms toward data sovereignty compatible with deontological obligations — nothing more, nothing less.
Technology tools and competence
The Code of ethics requires competence. Digital tools are no exception.
Lawyers must have sufficient knowledge to use the tools they adopt, or obtain adequate support if they do not. Choosing practice management software without understanding where data goes or how it is protected exposes the firm to an ethical breach — not just a technical risk.
In other words: ignoring how your own tool works is no longer an acceptable excuse.