ISBA Development Site
This website is for ISBA staff use only. All visitors should return to the main ISBA website.
This website is for ISBA staff use only. All visitors should return to the main ISBA website.
The General Data Protection Regulation (GDPR) provides broad privacy restrictions applicable to the data of EU citizens wherever they may reside. When it became effective in 2018 litigators queried whether the GDPR would complicate discovery in cross-border disputes, or in any disputes involving the personal data of EU citizens. Several recent U.S. cases have affirmed that the GDPR will not provide a safe harbor in which parties may seek refuge from U.S. litigation discovery obligations.
The GDPR1 changed the European Union’s data privacy landscape for entities in possession of citizens’ personal information. Lauded as the world’s strongest set of data protection rules, the regulation imposes limits on how organizations that control or process personal data may use and provide access to such data. Key provisions authorize EU nations to enact their own data privacy legislation consistent with the regulation, guiding how the GDPR will be implemented in respective EU-member countries. The UK2, for example, has since passed the Data Protection Act of 2018.
The wide applicability of the GDPR impacts industries and jurisdictions across the globe. Companies, including those in the U.S. that operate or service EU citizens have had to adapt to comply with GDPR mandates or face fines up 20 million euros per violation.3
Litigants in U.S. courts have attempted to use the GDPR to limit or avoid discovery obligations with little success. Courts have declined to protect deposition testimony based on the assertion that the GDPR creates greater confidentiality for such testimony, see, e.g., Ironburg Inventions, Ltd. v. Valve Corp.,4 declined to limit data retention and production based on an assertion that the GDPR increased the data anonymization burden, see, e.g., Corel Software, LLC v. Microsoft,5 and declined to prohibit a video deposition on the basis that doing so over a party’s objection violated the GDPR, see, e.g., d'Amico Dry D.A.C. v. Nikka Financial.6 As discussed in detail below, when faced with a challenge that the GDPR prohibits the discovery sought entirely U.S. Courts have thus far generally maintained that they will not weigh foreign nations’ privacy interests over the interests of domestic parties seeking discovery.
The conflict between the GDPR and the right to discovery in U.S. litigation has been confronted by courts across the United States. In a California patent infringement suit, Finjan, Inc. v. Zscaler, Inc., the defendant contended that the production of its former sales director’s emails would violate the GDPR unless costly redactions and anonymization were applied.7 In South Carolina, the plaintiffs in Rollins Ranches, LLC, v. Watson raised claims of defamation, tortious interference, and civil conspiracy against a U.K. citizen based on her social media communications. The defendant opposed the plaintiffs’ initial and renewed motions to compel discovery responses and the production of records, asserting that the UK Data Protection Act blocks access to these communications.8 In Pennsylvania, in Giorgi Global Holdings, Inc. v. Smulski, an action for civil RICO and breach of contract, among other claims, Defendants argued that Polish privacy law and the GDPR prohibited them from producing otherwise discoverable documents. In New Jersey, in In re Mercedes-Benz Emissions Litigation, the defendants sought to overturn an appointed special master’s finding that sought after discovery could not be withheld under GDPR protections, but rather could be produced and designated as “Highly Confidential.”9
Where a party has met its burden to prove that a foreign law bars production of discovery, courts will engage in a case-by-case comity analysis to determine its application. 10 In Societe Nationale Industrielle Aerospatiale v. U.S. District Court for Southern District of Iowa, the Supreme Court followed the “particularized analysis,” set forth in the Restatement (Third) of Foreign Relations Law § 442(1)(c), to weigh the privacy interests of the foreign nation against the disclosure interests of the U.S. based on the following factors:
The importance of the documents weighs in favor of disclosure when the evidence is “directly relevant” to the claims11 and there is a “substantial likelihood” that the documents will be important to prove the claims.12
Where a party makes a specific request directly related to relevant information from relevant documents this factor weighs in favor of production. This factor weighs against production where a party seeks irrelevant, sensitive, personal information and unduly burdens the opposing party with “generalized searches for information.”13
This factor weighs against production where it is found that the majority of the sought-after documents and their custodians are located in a foreign nation.
Where there is no alternative means for a plaintiff to obtain the sought-after information, this factor weighs in favor of production.14
Arguably the most important factor, the Courts recognize that the U.S. “has a substantial interest in fully and fairly adjudicating matters before its courts – an interest only realized if parties have access to relevant discovery – and in vindicating the rights of American plaintiffs.”15 Where this goal can be accomplished while respecting foreign privacy interests (i.e., through protective orders and confidentiality agreements), this factor weighs in favor of production.16 Likewise, this factor weighs in favor of production where respecting foreign privacy interests would impede the pursuit of serious claims with significant impact (i.e., impacting American consumers en masse).17
The Finjan, Rollins Ranches, In re Mercedes-Benz Emissions Litig., and Giorgi courts rejected the invocation of the GDPR and implementing regulations. Those courts found that the parties resisting discovery failed to meet their burden, to demonstrate that the regulations should apply and, upon evaluation of the aforementioned factors, found that the interests of the U.S. and the party seeking discovery outweighed the interest of the foreign nation privacy interests.18 Accordingly, the GDPR and implementing legislation did not result in a prohibition against the requested discovery.
Chapter 6 GDPR provides that a “legal requirement” may be a basis for which a company can make a compliant disclosure of personal information.19 Article 49 of the GDPR further provides that personal data can be transferred to a third country where it is “necessary for the establishment, exercise or defence of legal claims.”20 However the European Data Protection Board (“EDPB”), which was created by the GDPR to create guidance on its application, has advised that a legal requirement is not established merely by an order of a U.S. Court, and the Article 49 derogation is not granted for every foreign legal proceeding—only those in which pass a strict “necessity test.” While balancing the interests of domestic parties seeking discovery U.S. courts must also be aware of the reality that action may be taken against litigants for their disclosures in discovery.
U.S. courts’ rulings in favor of disclosure over litigants’ invocation of the GDPR and other foreign data protection laws are likely to make waves for companies with an EU presence. Where courts determine that litigants must comply with discovery requests, the companies involved in maintaining relevant personal data run the risk of violating the GDPR. While not the focus of regulators thus far, document production in litigation may soon garner their attention, as enforcement efforts have been aggressive, and the imposition of fines has been significant.
Furthermore, as domestic data privacy legislation expands in the U.S.—California’s enactment of the California Consumer Privacy Act (CCPA)21 is expected to be followed by additional states enacting similarly restrictive data privacy laws—similar discovery objections and claims are likely to be raised, based instead on state law.
Brittney L. Denley is an attorney at Riley Safer Holmes & Cancila LLP.
2. The UK will continue to be subject to the GDPR through its Brexit transition period, until December 2020. Brexit and data protection in the UK, IT Governance (Feb. 5, 2020), https://www.itgovernance.co.uk/eu-gdpr-uk-dpa-2018-uk-gdpr.
3. Ryan Browne, Europe’s privacy overhaul has led to $126 million in fines — but regulators are just getting started, CNBC (Jan. 19, 2020) https://www.cnbc.com/2020/01/19/eu-gdpr-privacy-law-led-to-over-100-million-in-fines.html; Ivana Kottasová, These companies are getting killed by GDPR, CNN Business (May 11, 2018), https://money.cnn.com/2018/05/11/technology/gdpr-tech-companies-losers/index.html.
4. Ironburg Inventions v. Valve Corp., Case No. C17-1182-TSZ (W.D. Wash. Aug. 22, 2018).
5. Corel Software, LLC v. Microsoft, Case No. 2:15-cv-00528-JNP-PMW (D. Utah Oct. 5, 2018).
6. d'Amico Dry D.A.C. v. Nikka Financial, CA 18-0284-KD-MU, Dkt. No. 140 (Adm. S.D. Ala. Oct. 19, 2018).
7. Finjan, Inc. v. Zscaler, Inc., No. 17CV06946JSTKAW, 2019 WL 618554, 1 (N.D. Cal. Feb. 14, 2019).
8. Rollins Ranches, LLC v. Watson, 2020 BL 192422, 4 (D.S.C. May 22, 2020).
9. In re Mercedes-Benz Emissions Litig., No. 16-CV-881, 2020 WL 487288, 3 (D.N.J. Jan. 30, 2020).
10. Id. at *6 ; Royal Park Investments SA/NV v. HSBC Bank USA, N.A., No. 14 CIV. 8175 (LGS), 2018 WL 745994, *11 (S.D.N.Y. Feb. 6, 2018)); In re Air Crash at Taipei, Taiwan on Oct. 31, 2000, 211 F.R.D. 374, 377 (C.D. Cal. 2002).
11. In re Mercedes-Benz Emissions Litig., No. 16-CV-881, 2020 WL 487288, 6 (D.N.J. Jan. 30, 2020; AstraZeneca LP v. Breath Ltd., No. CIV. 08-1512 (RMB/AM), 2011 WL 1421800, 13 (citing In re Air Crash at Taipei, 211 F.R.D. at 377).
12. Giorgi Glob. Holdings, Inc. v. Smulski, No. CV 17-4416, 2020 WL 2571177, 1 (E.D. Pa. May 21, 2020); quoting Laydon v. Mizuho Bank, Ltd., 183 F.Supp.3d 409, 420 (S.D.N.Y. 2016).
13. In re Mercedes-Benz Emissions Litig., 7.
14. “Where ‘the information sought in discovery can easily be obtained elsewhere, there is little or no reason to require a party to violate foreign law.’” AstraZeneca LP v. Breath Ltd., No. CIV. 08-1512 (RMB/AM), 2011 WL 1421800, *14 (D.N.J. Mar. 31, 2011); In re Air Crash at Taipei, 211 F.R.D. at 378 (citing Richmark Corp. v. Timber Falling Consultants, 959 F.2d 1468, 1475 (9th Cir.1992)).
15. Giorgi Glob. Holdings, Inc. v. Smulski, No. CV 17-4416, 2020 WL 2571177, *2 (E.D. Pa. May 21, 2020); quoting Fenerjian v. Nong Shim Co., Ltd., 2016 WL 245263, *5 (N.D. Cal. Jan. 21, 2016).
16. In re Mercedes-Benz Emissions Litig., 3.
17. See, e.g., In re Mercedes-Benz Emissions Litig., No. 16-CV-881 (KM) (ESK), 2020 WL 487288, at *8 (D.N.J. Jan. 30, 2020) (noting the unlawful misleading of American consumers).
18. Rollins Ranches, LLC v. Watson, at *4 (holding that the defendant offered no support for her assertion that the UK Data Protection Act applied to limit her discovery responses, in reliance upon Societe Nationale Industrielle Aerospatiale’s holding that that “[foreign] statutes do not deprive an American court of the power to order a party subject to its jurisdiction to produce evidence even though the act of production may violate that statute;” Societe Nationale Industrielle Aerospatiale v. U.S. Dist. Court for S. Dist. of Iowa, 482 U.S. 522, 544, 107 S. Ct. 2542, 2556, 96 L. Ed. 2d 461 (1987 ); Giorgi Glob. Holdings, Inc. v. Smulski, at *2 (holding that defendants failed to meet their burden to prove that GDPR protections should apply to their documents even where the defendants’ documents originated or were located outside of the U.S., as an analysis of all the Restatement factors weighed in in favor of disclosure); In re Mercedes-Benz Emissions Litig., at *8 (holding that the Special Master did an appropriate comity analysis and did not abuse his discretion in finding that the GDPR did not preclude disclosure of evidence where the information could be protected under a Discovery Confidentiality Order); Finjan, Inc., at *3 (holding that the defendant did not meet its burden to prove that the GDPR barred production or that disclosure would result in a GDPR enforcement action, even where sales director from whom the discovery was sought was physically located in the U.K.).
19. EDPB Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679, adopted on 25 May 2018, https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_2_2018_derogations_en.pdf.
20. Id.
21. California enacted its own data privacy legislation at the top 2020—the first legislation of its kind in the U.S. The California Consumer Privacy Act (CCPA) applies to companies operating in California that either a) earn at least $25 million in annual revenue, b) gather, buy, or sell data on more than 50,000 of its users, or c) generate more than half of their revenue from the sale of user data. Similar to the GDPR, the CCPA aims to protect consumers’ personal information. Key provisions detail consumers’ legal rights to know what personal information covered entities possess and disclose about them, to request the deletion of personal information, to request to opt in or out of the sale of personal information, to name a few.