Tag Archive for: Amanda E. Finley

The Effect of the General Data Protection Regulation on Discovery in the United States

By Amanda E. Finley, Miami

The European Union implemented the General Data Protection Regulation (GDPR), and it became effective on 25 May 2018.1 The GDPR enforces privacy requirements to protect EU citizens.2 “The GDPR applies to the processing of ‘personal data,’ which is defined as any information related to an ‘identified or identifiable natural person,’” who can be directly or indirectly identified by the data produced.3 The GDPR purports to have extraterritorial effect by applying “regardless whether the processing takes place in the EU or elsewhere.”4 The GDPR allows imposition of penalties and sanctions that “significantly increase[d] the maximum fine to €20 million, or 4% of annual worldwide turnover, whichever is greater.”5 Further, “[t]he GDPR provides an individual with access to the courts to seek a judicial remedy” in addition to any administrative remedy.6 Essentially, any production of documents that contain information about EU citizens could cause serious consequences and large fines for a GDPR violation.

The early cases in the United States suggest that the GDPR may have a profound impact on discovery in the United States. The GDPR may provide for targets subject to the jurisdiction of courts in the United States to object to discovery with the purpose (or possibly under the guise) of protecting EU citizens’ privacy. Defendants may object to production as a whole, request significant redaction of the discovery, request a strict confidentiality agreement, request to produce anonymized data that does not identify any EU citizen, or any combination thereof. There is limited case law on the implications of the GDPR on U.S. discovery because it is a relatively new regulation. So far, U.S. courts have taken divergent approaches on how to address and resolve objections to discovery based on the GDPR. Overall, it appears that most courts are allowing production of the discovery in some form, over a defendant’s GDPR objection.

U.S. Courts’ Historical Response to Discovery Objections Based on Foreign Privacy Statutes or Secrecy Laws

Historically, U.S. courts have been unwilling to allow a foreign privacy statute to preclude the production of responsive documents that were otherwise discoverable in U.S. litigation. As the Supreme Court stated, “[i]t is well settled that such statutes do not deprive an American court of the power to order a party subject to its jurisdiction to produce evidence even though the act of production may violate that statute.”7 The Court further noted that the French “blocking statute” was “originally ‘inspired to impede enforcement of United States antitrust laws,’ and that it did not appear to have been strictly enforced in France,” which further undercut U.S. courts’ interest in enforcing that foreign privacy statute over the American interest of full disclosure in discovery.8 Prior and subsequent courts similarly ruled that foreign privacy statutes are not dispositive on production of discovery in U.S. cases, although the statutes may be relevant to the issue of whether sanctions should be imposed for failure to comply with U.S. discovery orders.9 Likewise, U.S. courts deemed foreign bank secrecy laws insufficient to preclude discovery in U.S. litigation.10 Therefore, generally, courts in the United States overwhelmingly have held that full disclosure in discovery outweighs any interest in enforcing foreign privacy or secrecy laws.

A Chronological Review of U.S. Courts’ Approaches to GDPR Discovery Disputes and Other Foreign Privacy Statutes

On 5 October 2018, the first published ruling on GDPR in U.S. litigation involved a defendant, Microsoft, raising a GDPR objection to discovery based on the undue burden and cost of producing the discovery due to “the alleged tension with GDPR.”11 The court did not significantly analyze the GDPR issue, but stated that “the court [wa]s not persuaded by Microsoft’s arguments concerning undue burden” and required the production of documents.12

On 17 December 2018, the first substantive ruling by a U.S. court to address an objection to discovery based on GDPR was in the context of a 28 U.S.C. § 1782 application to obtain discovery for use in a foreign proceeding.13 The court “grant[ed] the application with respect to documents held by foreign custodians only to the extent that the Applicants (1) assume the costs of the document production, including the costs of compliance with the GDPR or other applicable European data privacy laws and (2) indemnify Respondents against any potential breaches of European data privacy laws.”14 Although the court granted production of the documents over the GDPR objection, this ruling has serious adverse consequences for parties seeking discovery in U.S. litigation if the GDPR is implicated because it required unknown and potentially multimillion-dollar indemnification liability on the party receiving the documents.

The approach in Hansainvest of requiring indemnification of the discovery target “against any potential breaches of European data privacy laws” is a serious deterrent to any party seeking discovery.15 It would be unusual and highly unlikely that any party would knowingly accept such an open-ended and potentially large financial risk given the large fines for a GDPR violation. If courts routinely adopted this approach, it would have a significant chilling effect on U.S. discovery when the GDPR is implicated. Hansainvest is the only U.S. court, thus far, to rule that indemnification of any GDPR liability is a condition precedent to production of the documents. In later rulings, U.S. courts have taken less drastic approaches to GDPR objections to discovery.

Click here to read the full article in the Spring 2020 International Law Quarterly (page 16) and the Business Law Section.

Emergency Measures in Insolvency Legislation in Response to the COVID-19 Crisis

by Cristina Vicens, Sequor Law, P.A., Miami, Florida

What emergency measures in insolvency or restructuring legislation has the United States adopted to help businesses cope with the economic crisis caused by the COVID-19 pandemic?

In March 2020, the U.S. Congress swiftly passed a series of stimulus packages to help stabilise the economy after COVID-19 forced many businesses to shut down and caused millions of Americans to become unemployed. The third (and latest) of these stimulus packages, the “Coronavirus Aid, Relief, and Economic Security Act” (CARES Act; P.L. 116-136), was a US$2 trillion stimulus packages passed on 25 March 2020. The CARES Act directs financial assistance to individual tax payers, expands unemployment benefits to persons that normally would not have qualified for unemployment benefits, provides for federal grants, loans, and other assistance for small businesses and other businesses disproportionately affected by the COVID-19 pandemic, and establishes a US$150 billion Coronavirus Relief Fund to make payments to states, tribal governments, and local governments as they respond to the public health emergency.

Specifically, with regard to insolvency or restructuring legislation adopted to help businesses cope with the economic crisis, the CARES Act provides for several amendments to the U.S. Bankruptcy Code. First, it increases the debt ceiling for businesses to be eligible to file under the small business provisions of Chapter 11 of the Bankruptcy Code from US$2,725,625 to US$ 7,500,000. The Small Business Reorganisation Act (“SBRA”), which took effect on 19 February 2020, just a few weeks before the national shutdown, provides a streamlined path through Chapter 11 for small business debtors. This increased threshold will potentially allow more businesses with access to the SBRA to survive. After one year, however, the debt ceiling increase reverts to US$2,725,625. Second, for a period of one year, the CARES Act amends the definition of “income” under Chapters 7 and 13 to exclude COVID-19 related payments from the federal government. Third, applicable to individuals rather than businesses, it clarifies that the calculation of disposable income under Chapter 13 does not include COVID-19 related payments; and, lastly, permits individuals and families in Chapter 13 proceedings to seek payment plan modifications in response to COVID-19 related financial hardship, including extending payments for up to seven years after their initial payment was due.

In addition, the CARES Act provides the authority to the Administrator of the U.S. Small Business Administration (“SBA”) to make loans under the Paycheck Protection Program (“PPP”) through the commercial banking market. The PPP is designed to provide a direct incentive for small businesses to keep their employees on the payroll and allows loans to be forgiven if all employees of a business are kept on the payroll for eight weeks and the loan proceeds are used for payroll, rent, mortgage interest, or utilities. While the CARES Act does not prohibit PPP loans or grants to be provided to Chapter 11 debtors, the SBA has taken the position that it does, creating uncertainty for companies operating under Chapter 11 protection and leading to litigation. [See Perspectives on COVID-19 Relief Funding and the Reopening of America, ABI Journal, July 2020, at 8.]

Further, small business owners are able to apply for Economic Injury Disaster Loans (“EIDL”) and receive an advance of up to US$10,000, designed to provide economic relief to businesses that are experiencing a temporary loss of revenue. Relevantly, the loan advance does not have to be repaid and recipients do not have to be approved for the loan in order to receive the Emergency Measures in Insolvency Legislation in Response to the COVID-19 Crisis AIJA Insolvency Commission 2020 68 advance. Contrary to the PPP loans, the SBA administers the EIDL program directly and not through the commercial banking market.

 

Click here to read the full summary (page 67).