TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

""

""

Civil litigants in the United States have broad rights to information — from each other and from others not involved in the litigation, whether or not they are within the U.S. Other countries often have more limited “discovery” rights and often have confidentiality or privacy laws that restrict sharing information or transferring that information across borders, like the EU General Data Protection Regulation.

This often generates conflicts for those who are required by U.S. law to deliver evidence but forbidden to do so by their own local law. In fact, U.S. law permits those litigating cases in non-U.S. venues to use its generous discovery rules where the person from whom they seek information resides or is found in the US. So cross-border discovery conflicts do not always come from litigation in U.S. courts.

US perspective

This conflict is not new. The broad extraterritorial discovery practices in the U.S. have resulted in international backlash for at least the last half-century. The U.S.-led the negotiations for what it offered as a solution: the Hague Convention on Taking of Evidence Abroad in Civil or Commercial Matters, signed it in 1970 and ratified it in 1972. The convention established a diplomatic letter-of-request process for international discovery requests. But U.S. litigants preferred the faster, broader and more familiar discovery rules, and the convention was seldom used. A conflict developed over whether the convention was the only means by which U.S. litigants could get evidence abroad or whether they could continue to use ordinary civil discovery. 

The Supreme Court settled the issue in Aerospatiale: The use of the convention was not mandatory. U.S. courts could order extraterritorial discovery using a set of factors from the Restatement of Foreign Relations Law. The five restatement factors were (1) the importance to the litigation of the documents or other information requested; (2) the degree of specificity of the request; (3) whether the information originated in the U.S.; (4) the availability of alternative means of securing the information; and (5) the extent to which noncompliance with the request would undermine important interests of the U.S. or compliance with the request would undermine the important interests of the state where the information is located.

While U.S. courts identified additional factors, such as "the extent and the nature of the hardship that inconsistent enforcement would impose upon the person, ... [and] the extent to which enforcement by action of either state can reasonably be expected to achieve compliance with the rule prescribed by that state,” these comity rules were honored mostly in the breach. Courts routinely ordered discovery, even when compliance with the order was a crime in the other country or potentially conflicted with the laws of multiple foreign countries.

With the adoption of the GDPR and some other U.S. legal developments, lawyers representing companies with an EU presence expected a more even-handed approach. But this appears to have been wishful thinking.

Recent court rulings suggest that companies still face a Catch-22 when getting involved in U.S.-discovery. There have been several cases in 2019 and 2020 in which a party has objected to discovery based on GDPR concerns. In a recent case, a company specifically pointed out the issues posed by the GDPR, noting: “the EU's ‘weighty interest in protecting its citizens' privacy,’ [and that] a violation of the GDPR would place [it] in legal jeopardy, threaten severe reputational harm, and damage the morale of [its] workforce. (Id.).” The court found these objections “unavailing.”

The "Schrems II" decision makes U.S. discovery from EU sources even more fraught. Cross-border transfers of personal data (which most U.S. discovery requests will require) are more difficult to justify. A case from the 9th Circuit Court of Appeals recognized the issue but did not address it. Given the cases we’ve seen so far, it’s unlikely that it would have impacted the outcome.

Given these results, parties are likely to find themselves with an unpleasant dilemma: Violate a U.S. court order or violate the GDPR or a different data protection law.  

Given these results, parties are likely to find themselves with an unpleasant dilemma: Violate a U.S. court order or violate the GDPR or a different data protection law.  

If they follow the U.S. court order and transfer data from the EU to the U.S., they will struggle for an adequate safeguard or derogation that permits the transfer. As a result, European data protection authorities may impose draconian fines. On the other hand, if they refuse, citing data protection law, the U.S. court may enforce sanctions, including contempt.

But all is not lost. Under certain circumstances, any data transfer from the EU to the U.S. can be accomplished without breaking any laws.

GDPR perspective

According to Article 6 of the GDPR, the processing of personal data shall only be lawful if and to the extent one of the listed legal grounds applies. The transfer of personal data is considered a processing activity pursuant to Article 4(2) of the GDPR. But transferring data isn’t the only kind of processing that requires review in cross-border discovery. U.S. discovery requires a party to pause its retention and deletion schedules, deny data subject access requests requesting deletion and rectification, and to share the data with third parties that weren’t disclosed. Processing can be justified with reference to Article 6(1)(c) of the GDPR if it is necessary for compliance with a legal obligation to which the controller is subject. The European Data Protection Board has confirmed that an order of a U.S. court is not itself a legal basis for a transfer of personal data to the U.S. (EDPB Guidelines 2/2018 on derogations of Article 49 at 5). So, a U.S. court order doesn’t count as a legal obligation under the GDPR.

A better argument comes from Article 49(1)(e) of the GDPR: A data transfer to a third country is permitted if the transfer is necessary for the establishment, exercise or defense of legal claims. Recital 111 of the GDPR states a transfer can be made where it is “occasional and necessary in relation to a contract or a legal claim, regardless of whether in a judicial procedure or whether in an administrative or any out-of-court procedure, including procedures before regulatory bodies.” This covers a wide range of activities, for example, in the context of formal pretrial discovery procedures in civil litigations (EDPB Guidelines 2/2018 on derogations of Article 49 at 11).

There are three issues here. First, whose legal claim or defense are we talking about? In U.S. litigation, there are often multiple parties (plaintiffs, defendants, third-party defendants and others). But U.S. discovery also impacts non-parties — a party to a lawsuit can serve a subpoena seeking records or testimony from anyone. If Company A is the plaintiff in a U.S. lawsuit, Article 49(1)(e) of the GDPR certainly permits the transfer of necessary information for it to prove Company A's claims.

But discovery comes from other parties in the case: Company B, the defendant, may request documents that are relevant to its statute of limitations defense, for example. It seems likely that Article 49(1)(e) of the GDPR is meant to cover the transfer of that data, too, but what if Company B subpoenas records from Company A's EU-based wireless provider? This data may be "necessary to establish a claim" that Company B asserts in litigation with Company A, but is the transfer permitted under Article 49(1)(e) GDPR? 

Second, Article 49(1)(e) of the GDPR permits the transfer of data but not other kinds of processing. There is no similar derogation for processing other than transfers so this derogation may not help those responding to subpoenas or discovery requests. For example, a U.S. litigant may request the discovery of data about a former Company B employee.

As we've discussed, Article 6 GDPR doesn't include a derogation similar to Article 49(e)(1) of the GDPR. Not only does the request require sharing or analysis (which are forms of processing) of the data about a third party, the related data subject, but in some cases, the data subject rights under Articles 15 through 21 of the GDPR could also be implicated. For example, the data subject could request erasure or rectification, but if the data is subject to a legal hold, Company B might need to deny the request.

Similarly, if the data is subject to a protective order, in some cases, Company B may need to deny an access or portability request. For other data subject rights, Company B will need to consider the derogations available under the relevant article. For example, Article 17(3)(e) of the GDPR includes a derogation to the right to erasure for legal claims and defenses.

For additional processing, particularly for sharing the in-scope data of that individual, Company B will need to identify a justification according to Article 6 of the GDPR. While consent is a possibility, in many cases, it won't work because of uneven bargaining power between employers and employees or because the data subject refuses to consent. Therefore, the most likely choice is a legitimate interest.

Third, even if the transfer to the U.S. seems relevant to a claim or defense, the GDPR requires it to be necessary. Establishing necessity is a high bar under the GDPR and requires a close and substantial connection between the data in question and the specific legal claim. The bottom line is that the party disclosing personal data to the U.S. court needs to thoroughly assess its relevance to the particular matter before transferring the data.

This approach is entirely in sync with the principles of purpose limitation and data minimization, both enshrined in the GDPR and constituting the cornerstones of all cutting-edge data privacy regimes.

In Finjan, Inc. v. Zscaler, Inc. the defendant argued the GDPR limits “discovery of personal data to that which is objectively relevant to the issues being litigated.” This is an important part of avoiding overbroad discovery requests and violating the GDPR. Parties should push back on requests that fail the necessity test and the data minimization principle.

Further, they can highlight the series of blockbuster fines that European DPAs have recently imposed on data controllers. The more prolific and substantial the enforcement actions in Europe are, the more likely U.S. courts are to take note.

Ultimately, however, litigants in U.S. courts must demonstrate or showcase the likelihood of enforcement action against them to win relief from discovery.

Guidance and practical solutions

In addition to addressing the points made above, there are some things companies can do to address cross-border discovery requests.

  1. In 2016, the Sedona Conference issued its "Practical In-House Approaches for Cross-Border Discovery & Data Protection." Read it and do so before you face a cross-border discovery issue.
  2. Have a plan for responding to cross-border discovery. The GDPR requires technical and organizational measures to ensure compliance, e.g., Article 24(1) of the GDPR. Policies and procedures for addressing legal holds and cross-border discovery (if it is likely) should be part of the organizational measures.
  3. Don’t punt. Simply invoking the GDPR will not establish the record you need to compliantly respond to a discovery issue. Early in the case, you should involve your local data protection officer and local counsel, then conduct a data protection impact assessment and determine what kinds of supplementary measures and additional safeguards are merited.
  4. Discuss with opposing counsel whether the use of the Hague Convention mechanisms is possible. Article 48 of the GDPR permits cross-border transfers that are ordered by a court or administrative agency under an international agreement.
  5. Develop a clear explanation of how data protection law applies, what the consequences will be and what measures can be taken to minimize the risk of harm to data subjects. An affidavit or report from an expert on data protection compliance could make a big difference. Should the data be pseudonymous? Can it be redacted? Can inspection in the EU be ordered? All these things require explanation and justification, but they can be made part of a discovery order if you develop the case.
  6. Involve your supervisory authority. Ask them to file an amicus brief or intervene in the case. This will help them see your side if you are ordered to produce data and will demonstrate the EU’s interest in the litigation. In some cases, consultation or notice may be required by Article 36 (Prior Consultation), Article 33 (Notice of Data Breach) or local law.
  7. Ask the court to require the requesting party to sign an agreement that includes standard contractual clauses for transfers between controllers.
  8. Seek indemnity. Some courts will require the requesting party to indemnify the producing party in cases of fines or lawsuits by impacted parties. It’s worth asking, especially if you are claiming you will be fined or sued for complying.

Photo by Tingey Injury Law Firm on Unsplash

'GDPR Genius'

This interactive tool provides IAPP members ready access to critical EU General Data Protection Regulation resources — enforcement precedent, interpretive guidance, expert analysis and more — all in one location.

View here

'Data Processing Agreements — Coordination, Drafting & Negotiation'

Members of the Privacy Bar Section of the International Association of Privacy Professionals have come together to produce this collective work, designed to assist newer and veteran practitioners alike to better understand the particulars of drafting and negotiating data processing agreements.

Print version | Digital version


Approved
CIPM, CIPP/A, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPT
Credits: 1

Submit for CPEs

3 Comments

If you want to comment on this post, you need to login.

  • comment John Kropf • Jan 27, 2021
    Great article on a complex and often overlooked aspect of cross-border data transfers.
  • comment Robert Baugh • Jan 31, 2021
    Great article, particularly the breakdown of Art 49, thanks.  Although I did find this part rather depressing: '“the EU's ‘weighty interest in protecting its citizens' privacy,’ [and that] a violation of the GDPR would place [it] in legal jeopardy, threaten severe reputational harm, and damage the morale of [its] workforce. (Id.).” The court found these objections “unavailing.”'  Governments should give clear solutions, organisations shouldn't be put between a rock and a hard place.
    
    As you note, GDPR doesn't recognise laws or orders from a third country as legal obligations and they need to go through a MLAT or similar.  However, I'd hope a UK or EEA court would recognise a US entity being bound by US law that might prevent compliance with a UK or EEA court order.  
    
    (Not going to mention the current NOYB action in LUX on the DPA dropping action against a US entity because it felt it couldn't enforce an order...)
  • comment Melissa (Ann) Gorgei • Feb 4, 2021
    Outstanding article. Looks like indemnity allows for the greatest protection here given recent US rulings.