Recent cases have highlighted the continued tensions between the GDPR and U.S. demands for discovery in the context of U.S. litigation and investigations. This issue can present a real concern for companies operating on both sides of the pond seeking to comply with obligations on either side. Whilst the GDPR provides EU citizens with valuable protections on the processing and cross-border transfer of their data, it is not an automatic shield from the demands of U.S. state or federal laws that require the preservation, collection, and potential disclosure of any documentation relevant to a matter – regardless of where it originates or to whom it relates.
The process of U.S. discovery that requires the transfer of potential evidence originating or stored in the EU to the U.S. will often trigger obligations under the GDPR where it involves the processing and cross-border transfer of personal data. While previous cases have shown U.S. courts to be reluctant to allow foreign laws to be a barrier to U.S. discovery, two recent cases have provided insight on the U.S. courts’ approach when dealing with the GDPR in this context.
In late May, two separate courts in the U.S. added to this discussion on the conflict between U.S. discovery and the GDPR: Rollins Ranches LLC, et al v. Watson, No.0:2018-cv-03278, 2020 BL 19242 (D.S.C. May 22, 2020) and Giorgi Global Holdings v. Wieslaw Smulski, No. 17-4416, 2020 BL 190347 (E.D.P.A. May 21, 2020). Both cases involved a request for disclosure of information relating to UK and Polish citizens for the purposes of discovery for ongoing litigation in the U.S. The respondents attempted to prevent the disclosure of information originating from the EU, arguing that this would be in conflict with the protections afforded under the GDPR and national data protection laws. In both instances, this argument stumbled.
Whilst both courts were reluctant for disclosure to be prohibited, the reasoning behind the decisions in each case differed. In Rollins Ranches, the court was not satisfied that the respondent had sufficient evidence to argue that the principles in the GDPR or the UK Data Protection Act 2018 applied to limit discovery, and highlighted that the burden was on the respondent to prove that discovery should be resisted. The court cited Societe Nationale Industrielle Aerospatiale v. U.S. Dist. Court for S. Dist. of Iowa for the proposition that, within the U.S., it “is well settled that foreign blocking statutes do not deprive an American court of the power to order a party subject to its jurisdiction to produce evidence even though the act of production may violate that statute.” 482 U.S. 522, 544 n.29, 107 S. Ct. 2542, 96 L. Ed. 2d 461 (1987). The court further noted that the arguments made for applying the GDPR or UK data protection laws were not conclusive, and that whilst the respondent claimed to have received UK legal advice on this topic, none was provided to the court.
The court in Giorgi Global also relied on Aerospatiale and agreed that the party resisting the disclosure bears the burden of proof, but also stated that a multi-factor balancing test should apply to determine whether a foreign statute should function to excuse a party from their discovery obligations. The court then undertook a detailed examination of the importance of the documents to the litigation and U.S. interests, as well as the specificity of the request and whether there were any alternate means of securing the information required. The court concluded that the interests of the U.S. litigation outweighed the need to comply with the GDPR in this instance. In addition, it was relevant that the parties in the Georgi Global matter had a protective order to limit disclosure of the documents, which the court considered sufficiently protected the personal data of any third parties benefiting from protection under Polish data protection law.
SEC v. Telegram
These cases underline the U.S. courts’ preference to allow discovery despite express provisions of the GDPR or other foreign national data protection laws limiting cross-border transfers without appropriate safeguards in place. Although U.S. case law has implied that it is theoretically possible for the GDPR to be invoked to block discovery of documents containing personal data protected by the GDPR, this has yet to occur. Instead, and unless there is a confidentiality or protective order in place, litigants are more likely to be able to argue for the redaction of personal data, as occurred in the SEC v. Telegram decision from January of this year. Telegram Group Inc. had been ordered to release bank records that Telegram had sought to withhold from disclosure due to “foreign privacy laws”. The SEC argued that “invoking the words ‘foreign data privacy’ is not a talisman that exempts Telegram from its discovery obligations”. The court ordered production of the documents, but allowed Telegram to make redactions that were “necessitated by foreign privacy laws” and requested “a log stating the basis for any redaction shall be produced at the time the redacted documents are produced”.
Litigants involved in U.S. discovery obligations do therefore need to consider the GDPR and how best to comply with both their EU data protection and U.S. discovery obligations. Whilst a level conflict remains between these laws, there are a number of practical steps that organizations can undertake to comply with U.S. discovery demands whilst reducing their data compliance risk in the EU and beyond. For example, exercises can be carried out to minimize the data within the EU, such as through a review for relevant documents and making appropriate redactions before the transfer to the U.S. It is also advisable that any measures taken to protect personal data in these circumstances should be documented for accountability purposes. It is clear though that these practical and considered measures will provide for a more compliant approach to avoid the risk of violating either U.S. discovery demands or facing potential regulatory inquiries in the EU.