Professional confidentiality and digital communication

Published 9 June 2026

A tax advisor's relationship with a client rests on trust — and at the heart of that trust is the duty of confidentiality. That obligation does not pause when communication moves online. Yet most professionals give more thought to which messaging app is convenient than to whether it actually satisfies the legal and ethical standards their licence demands. This article examines what professional secrecy means in a digital context and what you should look for in a communication tool before you use it with clients.

What the duty of confidentiality covers

Professional secrecy for tax advisors — and for accountants, auditors, and related advisors in most jurisdictions — is not merely a courtesy. It is a legally enforceable obligation that typically covers all information a client shares in the context of the professional relationship: financial data, personal circumstances, business plans, and anything else disclosed in confidence. Breaching it can lead to disciplinary proceedings, civil liability, and, in some countries, criminal sanctions.

The duty extends beyond deliberate disclosure. Allowing a third party to gain access to client information — even inadvertently, even if that party never actually reads the data — can constitute a breach in many jurisdictions. This is precisely the point where digital communication tools become legally significant. The rules were written before cloud servers existed; applying them to modern software requires careful thought.

Confidentiality and digital channels

When a message travels across the internet, it typically passes through infrastructure operated by a third party — a platform provider, a cloud service, or both. Under GDPR, engaging such a provider to process personal data on your behalf generally requires a data processing agreement and a documented legal basis. But the confidentiality question goes further than GDPR compliance: it asks whether the provider can, technically, read the content.

Many widely used tools — including standard business email, popular messaging platforms, and collaboration suites — store messages on central servers. Even when those messages are encrypted in transit, they are often decryptable by the provider at rest. The provider holds the keys. That means a third party with no professional secrecy obligation has, at least in principle, technical access to client-sensitive content. Whether or not the provider ever exercises that access is a separate question from whether the legal risk exists.

The same concern applies to video-call platforms that route media through centralised servers, or that store recordings in the cloud by default. Each such arrangement introduces a party who is neither bound by your professional obligations nor under your control.

Common pitfalls

  • Using consumer email without encryption for exchanging documents containing financial or personal data — standard SMTP delivers messages through multiple servers, any of which may retain a copy.
  • Relying on end-to-end encryption promises without verifying that the provider cannot access plaintext: many services advertise encryption while retaining the ability to decrypt for moderation, legal requests, or account recovery.
  • Calling via platforms that log metadata — who called whom and when — even if the audio content is encrypted. Metadata can itself reveal client relationships.
  • Sharing screens or files through tools that buffer or cache content on cloud infrastructure, even temporarily.
  • Assuming a data processing agreement is sufficient to satisfy professional secrecy: it addresses data protection law, but it does not eliminate the provider's technical access to confidential content.

What to require of a secure tool

The most direct way to reduce third-party access risk is to use a tool where the provider is architecturally incapable of reading the content — not just contractually restricted from doing so. Peer-to-peer communication, where data travels directly between the two devices involved and encryption keys are generated and held only on those devices, achieves this. There is no central copy for a third party to hold, subpoena, or inadvertently leak.

When evaluating any tool for professional use, consider the following questions:

  • Where are encryption keys generated and stored? Keys held only on client devices mean the provider cannot decrypt content even if compelled.
  • Is communication peer-to-peer, or does data pass through and reside on the provider's servers? Peer-to-peer leaves no central copy.
  • Does the provider store message content, call recordings, or file transfers? A nothing-stored architecture removes the most obvious source of third-party access.
  • Can guests join without creating an account? Requiring account registration means the provider collects identity data about your clients.
  • Where is the signalling and relay infrastructure hosted, and under which jurisdiction's data protection law does it fall?
  • Is there an independent technical description of how encryption is implemented, so that the claims can be verified?

A tool that answers favourably to all of these questions substantially reduces — though no technology eliminates entirely — the risk that confidential client conversations are accessible to anyone outside the professional relationship. It also simplifies your GDPR documentation, because a provider who stores no personal data and holds no decryption keys has a limited role as a data processor.

COVANAN is built on exactly this model: messages and calls run peer-to-peer via WebRTC directly between browsers; AES-256-GCM encryption keys are generated in the browser and never leave the device; the signalling servers — hosted in Germany — store only temporary connection setup data, not message content; and guests can join a conversation via a shared link without registering an account. File transfers up to 500 MB travel device-to-device. An optional TURN relay is available to handle restrictive network conditions, and it hides both parties' IP addresses. None of the conversation content is stored on any server.

That said, no article can substitute for professional legal advice tailored to your jurisdiction and the specifics of your practice. Professional secrecy rules vary significantly between countries — and sometimes between professional categories within the same country. Before adopting any new communication tool for sensitive client work, it is worth checking your local professional body's guidance and, where in doubt, seeking legal advice.

Conclusion

The duty of professional confidentiality follows client conversations into every digital channel. The central question is not whether a tool encrypts data in transit — most do — but whether the provider can access the content once it arrives. A peer-to-peer, nothing-stored architecture is the most straightforward way to keep that answer firmly negative. For tax advisors and other professionals with strict confidentiality obligations, that design principle should be a baseline requirement, not a nice-to-have. The tax advisors hub explains how COVANAN is built and what a free session looks like in practice.
