Local Privacy Laws Not Ready for Prime Time: Enterprises that process or store the personal information of EU citizens will also need to heed EU member states' local privacy laws. GDPR has also allowed local data protection authorities to individually interpret some aspects of the law and add requirements. However, a lot of local privacy laws are not yet set in stone. “There are still member states lagging behind and working behind where they're supposed to have prepared for, so for once we can say it's not just organizations who are behind, it's also the member states,” said Bird & Bird partner Gabriel Voisin. EU's General Data Protection Regulation can affect pretrial U.S. e-discovery processes

The Sedona Conference's international electronic information management, discovery and disclosure working group hosted a webinar Monday that looked at how e-discovery professionals and courts are subject to EU's General Data Protection Regulation (GDPR).

The panel noted that the wide scope of what is defined as personally identifiable information (PII) by the GDPR includes much of the information that is generally processed during e-discovery, and that any EU data collection done by U.S. attorneys would likely have to comply to GDPR standards.

Denise Backhouse, shareholder at Littler Mendelson, said that in the pretrial context, bulk collection of data isn't OK because counsel is required to comply with GDPR protocol even when they're transferring to the U.S. She said attorneys must do everything they can to transfer only the information that is necessary for discovery. 

The webinar also looked to inform its audience that the GDPR is not a blocking statute. Retired Magistrate Judge James Francis IV of the Southern District of New York, for instance, said the GDPR isn't comparable to blocking statutes.

“Blocking statutes in general are designed to prevent the production of information outside of a particular country. … The GDPR is not a blocking statute because it's a substantive statute [that] deals with the privacy rights of EU citizens and is not directed exclusively at discovery, in any means.”

Still, “We've seen an onerous reference to GDPR or its predecessor or similar statutes as blocking statues,” Francis added. He stated it's important to differentiate between a blocking statute and a regulation such as the GDPR because courts must determine whether to permit cross-border discovery. When they are confronted with a blocking statute they tend to look at it more skeptically and give it less weight than they would give a substantive law like the GDPR.

However, courts wouldn't consider themselves bound to the GDPR in the U.S, said Francis. Cecilia Álvarez, European privacy officer lead of Pfizer SA, observed that even in Europe, the courts generally aren't restrained by the GDPR because courts aren't considered a data processor.

David Shonka, a partner at Redgrave, and former acting general counsel at the Federal Trade Commission, said the judiciary being excluded from the scope of the GDPR is “a question of sovereign immunity and the basic premise of international law that one nation doesn't make laws that bind the government institutions of another nation. The U.S. courts and other branches of government would not be affected by GDPR [no more] than those institutions would be subject to the U.S. authority.”