By Amanda E. Finley, Miami
The European Union implemented the General Data Protection Regulation (GDPR), and it became effective on 25 May 2018.1 The GDPR enforces privacy requirements to protect EU citizens.2 “The GDPR applies to the processing of ‘personal data,’ which is defined as any information related to an ‘identified or identifiable natural person,’” who can be directly or indirectly identified by the data produced.3 The GDPR purports to have extraterritorial effect by applying “regardless whether the processing takes place in the EU or elsewhere.”4 The GDPR allows imposition of penalties and sanctions that “significantly increase[d] the maximum fine to €20 million, or 4% of annual worldwide turnover, whichever is greater.”5 Further, “[t]he GDPR provides an individual with access to the courts to seek a judicial remedy” in addition to any administrative remedy.6 Essentially, any production of documents that contain information about EU citizens could cause serious consequences and large fines for a GDPR violation.
The early cases in the United States suggest that the GDPR may have a profound impact on discovery in the United States. The GDPR may provide for targets subject to the jurisdiction of courts in the United States to object to discovery with the purpose (or possibly under the guise) of protecting EU citizens’ privacy. Defendants may object to production as a whole, request significant redaction of the discovery, request a strict confidentiality agreement, request to produce anonymized data that does not identify any EU citizen, or any combination thereof. There is limited case law on the implications of the GDPR on U.S. discovery because it is a relatively new regulation. So far, U.S. courts have taken divergent approaches on how to address and resolve objections to discovery based on the GDPR. Overall, it appears that most courts are allowing production of the discovery in some form, over a defendant’s GDPR objection.
U.S. Courts’ Historical Response to Discovery Objections Based on Foreign Privacy Statutes or Secrecy Laws
Historically, U.S. courts have been unwilling to allow a foreign privacy statute to preclude the production of responsive documents that were otherwise discoverable in U.S. litigation. As the Supreme Court stated, “[i]t is well settled that such statutes do not deprive an American court of the power to order a party subject to its jurisdiction to produce evidence even though the act of production may violate that statute.”7 The Court further noted that the French “blocking statute” was “originally ‘inspired to impede enforcement of United States antitrust laws,’ and that it did not appear to have been strictly enforced in France,” which further undercut U.S. courts’ interest in enforcing that foreign privacy statute over the American interest of full disclosure in discovery.8 Prior and subsequent courts similarly ruled that foreign privacy statutes are not dispositive on production of discovery in U.S. cases, although the statutes may be relevant to the issue of whether sanctions should be imposed for failure to comply with U.S. discovery orders.9 Likewise, U.S. courts deemed foreign bank secrecy laws insufficient to preclude discovery in U.S. litigation.10 Therefore, generally, courts in the United States overwhelmingly have held that full disclosure in discovery outweighs any interest in enforcing foreign privacy or secrecy laws.
A Chronological Review of U.S. Courts’ Approaches to GDPR Discovery Disputes and Other Foreign Privacy Statutes
On 5 October 2018, the first published ruling on GDPR in U.S. litigation involved a defendant, Microsoft, raising a GDPR objection to discovery based on the undue burden and cost of producing the discovery due to “the alleged tension with GDPR.”11 The court did not significantly analyze the GDPR issue, but stated that “the court [wa]s not persuaded by Microsoft’s arguments concerning undue burden” and required the production of documents.12
On 17 December 2018, the first substantive ruling by a U.S. court to address an objection to discovery based on GDPR was in the context of a 28 U.S.C. § 1782 application to obtain discovery for use in a foreign proceeding.13 The court “grant[ed] the application with respect to documents held by foreign custodians only to the extent that the Applicants (1) assume the costs of the document production, including the costs of compliance with the GDPR or other applicable European data privacy laws and (2) indemnify Respondents against any potential breaches of European data privacy laws.”14 Although the court granted production of the documents over the GDPR objection, this ruling has serious adverse consequences for parties seeking discovery in U.S. litigation if the GDPR is implicated because it required unknown and potentially multimillion-dollar indemnification liability on the party receiving the documents.
The approach in Hansainvest of requiring indemnification of the discovery target “against any potential breaches of European data privacy laws” is a serious deterrent to any party seeking discovery.15 It would be unusual and highly unlikely that any party would knowingly accept such an open-ended and potentially large financial risk given the large fines for a GDPR violation. If courts routinely adopted this approach, it would have a significant chilling effect on U.S. discovery when the GDPR is implicated. Hansainvest is the only U.S. court, thus far, to rule that indemnification of any GDPR liability is a condition precedent to production of the documents. In later rulings, U.S. courts have taken less drastic approaches to GDPR objections to discovery.