The Effect of the General Data Protection Regulation on Discovery in the United States

Introduction

The European Union (“EU”) implemented the General Data Protection Regulation (“GDPR”) effective as of May 25, 2018.[1] The GDPR enforces privacy requirements to protect EU citizens.[2] “The GDPR applies to the processing of ‘personal data,’ which is defined as any information related to an ‘identified or identifiable natural person,’” who can be directly or indirectly identified by the data produced.[3] The GDPR purports to have extraterritorial effect by applying “regardless whether the processing takes place in the EU or elsewhere.”[4] The GDPR allows imposition of penalties and sanctions that “significantly increase[d] the maximum fine to €20 million, or 4% of annual worldwide turnover, whichever is greater.”[5] Further, “[t]he GDPR provides an individual with access to the courts to seek a judicial remedy” in addition to any administrative remedy.[6] Essentially, any production of documents that contain information about EU citizens could cause serious consequences and large fines for a GDPR violation.

The early cases in the United States suggest that the GDPR may have a profound impact on discovery in the United States. The GDPR may subject litigants in United States courts to discovery objections for the purpose (or possibly under the guise) of protecting EU citizens’ privacy. Defendants may object to production as a whole, request significant redaction of the discovery, request a strict confidentiality agreement, request to produce anonymized data that does not identify any EU citizen, or any combination thereof. There is limited case law on the implications of the GDPR on United States discovery because it is a relatively new regulation. So far, United States courts have taken divergent approaches on how to address and resolve objections to discovery based on GDPR. Overall, it appears that most courts are allowing production of the discovery in some form, over a defendant’s GDPR objection.

United States Courts’ Historical Response to Discovery Objections Based on Foreign Privacy Statutes or Secrecy Laws.

Historically, United States courts have been unwilling to allow a foreign privacy statute to preclude the production of responsive documents that were otherwise discoverable in United States litigation. As the Supreme Court stated, “[i]t is well settled that such statutes do not deprive an American court of the power to order a party subject to its jurisdiction to produce evidence even though the act of production may violate that statute.”[7] The Court further noted that the French “blocking statute” was “originally ‘inspired to impede enforcement of United States antitrust laws,’ and that it did not appear to have been strictly enforced in France,” which further undercut United States courts’ interest in enforcing that foreign privacy statute over the American interest of full disclosure in discovery.[8] Prior and subsequent courts similarly ruled that foreign privacy statutes are not dispositive of discovery objections in United States cases, although the statutes may be relevant to the issue of whether sanctions should be imposed for failure to comply with United States discovery orders.[9] Likewise, United States courts deemed foreign bank secrecy laws insufficient to preclude discovery in United States litigation.[10] Therefore, generally, courts in the United States overwhelmingly have held that full disclosure in discovery outweighs any interest in enforcing foreign privacy or secrecy laws.

A Chronological Review of United States Courts’ Approaches to GDPR Discovery Disputes and Other Foreign Privacy Statutes.

On October 5, 2018, the first published ruling on GDPR in United States litigation involved a defendant, Microsoft, raising a GDPR objection to discovery based on the undue burden and cost of producing the discovery due to “the alleged tension with GDPR.”[11] The court did not significantly analyze the GDPR issue, but stated that “the court [wa]s not persuaded by Microsoft’s arguments concerning undue burden,” and required the production of documents.[12]

On December 17, 2018, the first substantive ruling by a United States court to address an objection to discovery based on GDPR was in the context of a 28 U.S.C. § 1782 application to obtain discovery for use in a foreign proceeding.[13] The court “grant[ed] the application with respect to documents held by foreign custodians only to the extent that the Applicants (1) assume the costs of the document production, including the costs of compliance with the GDPR or other applicable European data privacy laws and (2) indemnify Respondents against any potential breaches of European data privacy laws.”[14] Although the court required production of the requested documents over the GDPR objection, this ruling has serious adverse consequences for parties seeking discovery in United States litigation if the GDPR is implicated because it required unknown and potentially multi-million dollar indemnification liability on the party receiving the documents.

The approach in Hansainvest of requiring indemnification of the discovery target “against any potential breaches of European data privacy laws” is a serious deterrent to any party seeking discovery.[15] It would be unusual and highly unlikely that any party would knowingly accept such an open ended and potentially large financial risk given the large fines for a GDPR violation. If courts routinely adopt this approach, it would have a significant chilling effect on United States discovery when the GDPR is implicated. Hansainvest is the only United States court, thus far, to rule that indemnification of any GDPR liability is a condition precedent to production of the documents. In later rulings, United States courts have taken less drastic approaches to GDPR objections to discovery.

On February 14, 2019, the court in Finjan entered a reasoned opinion “conclud[ing] that the GDPR d[oes] not preclude the Court from ordering Defendant to produce the requested e-mails in an unredacted form, subject to the existing protective order,” and did not amend the existing protective order to include cost splitting related to anonymization, as requested by the defendant.[16] The court relied upon the Supreme Court ruling that a foreign country’s statute precluding disclosure of evidence “do[es] not deprive an American court of the power to order a party subject to its jurisdiction to produce evidence even though the act of production may violate that statute.’”[17] “In determining whether the foreign statute excuses noncompliance with the discovery order, courts consider: (1) the importance of the documents or other information requested to the litigation; (2) the degree of specificity of the request; (3) whether the information originated in the United States; (4) the availability of alternative means of securing the information; and (5) the extent to which noncompliance would undermine important interests of the United States.”[18] Other considerations include “the extent and the nature of the hardship that inconsistent enforcement would impose upon the person” and “the extent to which enforcement by action of either state can reasonably be expected to achieve compliance with the rule prescribed by the state.”[19]

The court in Finjan stated “the balance of national interests … ‘is the most important factor’ [and] protecting privacy ‘is diminished where the court has entered a protective order preventing disclosure of secret information.’”[20] This is crucial to the analysis because facilitating the availability of discovery in United States litigation should be a national interest, among others. Further, it is logical not to prohibit or limit the disclosure of relevant documents in United States litigation based on a foreign privacy statute when there is already a court order in the case that accomplishes the goal of protecting all private data required to be disclosed in discovery.

Finally, the court in Finjan found that “‘[t]he party relying on foreign law has the burden of showing that such law bars production.”[21] In that case, the defendant failed to put forth evidence that there was a “likelihood of enforcement.”[22] This is important because it relates to prior case law regarding the French “blocking statutes” and other privacy statutes implemented to prevent United States discovery or enforcement of other United States laws, such as Anti-Trust laws, but were not even enforced in the country of origin.[23] As a practice point, an objector should always offer evidence of GDPR’s enforcement because a showing of “likelihood of enforcement” is necessary to meet the objector’s burden. Likewise, the party seeking the discovery should always raise the objector’s failure to offer evidence of GDPR enforcement, particularly in the context of fines imposed for discovery required to be produced in litigation abroad.

On May 31, 2019, the court in Strauch entered a ruling on a GDPR objection.[24] This ruling recounted that the appointed special master initially required a “filtered” approach to attempt to resolve the GDPR objection.[25] “Plaintiffs wanted a more comprehensive approach and objected to this ‘filtering’ because it left unanswered questions and potentially could lead to the omission of class members who worked in non-U.S. locations.”[26] The plaintiffs would not agree to the defendant self-filtering responsive discovery, which could be problematic by potentially reducing the amount of responsive information to which the plaintiffs were otherwise entitled.[27] Later, after considering numerous proposals, the parties consensually resolved the issue by requiring the production of de-identified data that was subject to the GDPR.[28]

On November 7, 2019, the special master in the Mercedez-Benz Emissions Litigation denied a motion to stay pending appeal regarding document production that the defendants alleged would violate the GDPR.[29] The special master ruled that the documents should be produced under a confidentiality order, which already protected the GDPR protected information.[30] The special master did not require redaction and there was no mention of cost splitting in the ruling.[31] The special master stated “[w]hile the GDPR defines ‘personal data’ broadly to include even seemingly innocuous information like business contact and other related data about a business’s employees, business partners, and customers—the sort of information in business records that parties routinely exchange as part of discovery in U.S. litigation, Defendants have not pointed to any prior enforcement actions by the EU focused on violations in the litigation context.”[32] Again, the defendants failed to meet their burden by not introducing evidence of enforcement actions relating to disclosure of GDPR information required to be disclosed in discovery.

On January 30, 2020, the court in the same case, Mercedez-Benz Emissions Litigation, overruled the objection to the defendants’ appeal of the special master’s opinion and affirmed the special master’s GDPR ruling.[33] The court stated, “[b]ased on the Court’s own international comity analysis, as well as an analysis of the Special Master’s GDPR Ruling, the Court finds that the Special Master conducted a well-reasoned international comity analysis and did not abuse his discretion by prohibiting parties from redacting the names, positions, titles, or professional contact information of relevant current or former employees of any Defendant or third parties identified in relevant, responsive documents, data, or information produced in discovery in the above-captioned matter.”[34] The court found that “[s]uch information can be designated and protected as ‘Highly Confidential’ pursuant to the Discovery Confidentiality Order provision,” which balanced the plaintiffs’ right to obtain the discovery and the EU citizens’ privacy rights.[35]

Overall, with some outliers, courts seem to take a balanced and practical view in resolving GDPR objections. As the case law develops, time will tell whether additional courts will require indemnification or may otherwise limit discovery that parties are otherwise entitled to obtain in United States litigation. Additionally, over time, there will be more information on GDPR enforcement actions, and particularly whether there are enforcement actions based on information that was required to be produced in discovery, which could affect future litigation on GDPR objections.

Approaches for Consensually Resolving a GDPR Discovery Objection.

While there is limited case law on this issue, given that the GDPR became effective in May 2018, it appears that most courts in the United States are not willing to allow GDPR objections to outweigh a party’s right to obtain discovery that they are otherwise entitled to obtain in United States litigation. This is consistent with the manner in which United States courts have historically addressed discovery objections based on foreign privacy or secrecy statutes.

This is a sensible approach given that there are less rigid ways of handling such objections than preventing or limiting the disclosure of the information. One option is redaction. This approach is not ideal, particularly for the party seeking the information, because the requesting party should be able to review the data themselves rather than relying on their opponent to filter the information. The next option is anonymization of the EU citizen’s information. This is a fair approach to allow the discovery, while also preventing it from disclosure in a manner that could compromise the privacy rights that the GDPR seeks to protect. One downside is that anonymization may be expensive. However, that should not be enough of a deterrent to outweigh a party’s right to discovery in United States litigation. Finally, requiring the discovery to be subject to a confidentiality order seems to be the most straightforward approach, and one that is already widely used. The information is protected from disclosure, so it protects the privacy of EU citizens, while still allowing the necessary, responsive discovery and not requiring the time and expense of redaction and anonymization.

[1] Id.

[2] Finjan, Inc. v. Zscaler, Inc., No. 17CV06946JSTKAW, 2019 WL 618554, at *1 (N.D. Cal. Feb. 14, 2019).

[3] § 11:3.GDPR—Scope and main provisions, 2 Data Sec. & Privacy Law § 11:3 (2019) (citing Article 4(1) of the GDPR).

[4] § 11:2.General Data Protection Regulation 2016/679, 2 Data Sec. & Privacy Law § 11:2 (2019) (citing Article 3(1) of the GDPR).

[5] § 11:2.General Data Protection Regulation 2016/679, 2 Data Sec. & Privacy Law § 11:2 (2019) (citing Article 83 of the GDPR).

[6] § 11:4.GDPR—Remedies, liability and sanctions, 2 Data Sec. & Privacy Law § 11:4 (2019) (citing Chapter 8 of the GDPR).

[7] Societe Nationale Industrielle Aerospatiale v. U.S. Dist. Court for S. Dist. of Iowa, 482 U.S. 522, 544 n.29, 107 S. Ct. 2542, 2556, 96 L. Ed. 2d 461 (1987) (citing Societe Internationale Pour Participations Industrielles et Commerciales, S.A. v. Rogers, 357 U.S. 197, 204–206, 78 S.Ct. 1087, 1091–1092, 2 L.Ed.2d 1255 (1958)).

[8] Societe Nationale Industrielle Aerospatiale, 482 U.S. at 527; see also Laydon v. Mizuho Bank, Ltd., 183 F. Supp.3d 409 (S.D.N.Y 2016) (refusing to enforce predecessor United Kingdom privacy law, in which there was no evidence of enforcement of the law in the United Kingdom).

[9] See e.g., Arthur Andersen & Co. v. Finesilver, 546 F.2d 338 (10th Cir. 1976)(“district court did not usurp its power in entering discovery orders which required accounting firm to produce certain documents, even though production of such documents would allegedly violate nondisclosure laws of Switzerland.”); Graco v. Kremlin, Incorporated, 101 F.R.D. 503, 514 (N.D. Ill. 1984); First American Corp. v. Price Waterhouse LLP, 154 F.3d 16, 21-22 (2d Cir. 1998); Bodner v. Banque Paribas, 202 F.R.D. 370, 375 (E.D.N.Y 2000); Stauss v. Credit Lyonnais, S.A., 249 F.R.D. 429 (E.D.N.Y 2008); In re Air Crash at Taipei, Taiwan on Oct. 31, 2000, 211 F.R.D. 374 (C.D. Cal. 2002); Pershing Pacific West, LLC v. Marinemax, Inc., 2013 WL 941617, at *8-9 (S.D. Cal. Mar. 11, 2013); St. Jude Med. S.C. v. Janssen-Counotte, 104 F. Supp.3d 1150, 1162 (D. Or. 2015); Laydon, 183 F. Supp.3d 409 (S.D.N.Y 2016); Las Vegas Sands v. Eighth Jud. Dist. Ct., 130 Nev. 578, 585, 331 P.3d 876, 880 (2014); Wynn Resorts, Ltd. v. Eighth Judicial Dist. Court of State in & for Cty. of Clark, 386 P.3d 996 (Nev. 2016); Knight Capital Partners Corp. v. Henkel AG & Co., 290 F. Supp.3d 681, 690-91 (E.D. Mich. 2017); Republic Tech. LLC v. BBK Tobacco & Foods, LLP, 2017 WL 4287205, at *4-5 (N.D. Ill. Sept. 27, 2017); Royal Park Investments SA/NV v. HSBC Bank USA, N.A., 2018 WL 745994, at *2 (S.D.N.Y. Feb. 6, 2018).

[10] See e.g., Strauss, 249 F.R.D. at 456; Wultz v. Bank of China Ltd., 910 F. Supp. 2d 548, 559 (S.D.N.Y. 2012).

[11] Corel Software, LLC v. Microsoft Corp., No. 215CV00528JNPPMW, 2018 WL 4855268, at *1–2 (D. Utah Oct. 5, 2018).

[12] Id.

[13] See In re Hansainvest Hanseatische Inv.-GmbH, 364 F. Supp. 3d 243 (S.D.N.Y. 2018).

[14] Id. at 252.

[15] Id.

[16] Finjan, 2019 WL 618554, at *3.

[17] Id. (citing Societe Nationale Industrielle Aerospatiale, 482 U.S. at 544 n.29).

[18] Id. (citing Richmark Corp. v. Timber Falling Consultants, 959 F.2d 1468, 1475 (9th Cir. 1992)).

[19] Id.

[20] Id. (citing Richmark, 959 F.2d 1468, 1475 (9th Cir. 1992); Masimo Corp. v. Mindray DS USA, Inc., Case No.: SACV 12-02206-CJC(JPRx), 2014 WL 12589321, at *3 (C.D. Cal. May 28, 2014); United States v. Vetco Inc., 691 F.2d 1281, 1287, 1289 (9th Cir. 1981)).

[21] Id. (citing Vetco, 691 F.2d at 1289).

[22] Id.

[23] See Societe Nationale Industrielle Aerospatiale, 482 U.S. at 527.

[24] Strauch v. Computer Scis. Corp., No. 3:14-CV-956 (JBA), 2019 WL 3337889, at *6 (D. Conn. May 31, 2019).

[25] Id.

[26] Id.

[27] Id.

[28] Id.

[29] In re Mercedes-Benz Emissions Litig., No. 216CV881SDWJAD, 2019 WL 5800270, at *2 (D.N.J. Nov. 7, 2019).

[30] Id.

[31] Id.

[32] Id.