GDPR-Based Objections to U.S. Discovery Requests: 2019 Year in Review
A look at what arguments parties put forth in the past year, and a few suggestions for how litigants can avoid violating one jurisdiction's law to satisfy another's courts.
January 09, 2020 at 07:00 AM
6 minute read
U.S. civil litigants faced with an obligation to produce "personal data" protected by GDPR, the European Union's General Data Protection Regulation, can find themselves on the horns of a serious dilemma. In 2019, the first full year since GDPR was enacted, not a single court excused compliance with a discovery request because of GDPR-based objections.
Initial rulings addressing the tension between the broad scope of data protected by GDPR and the similarly broad scope of discovery under U.S. Federal Rule of Civil Procedure 26 revealed substantial skepticism that complying with a U.S. discovery request would expose parties to significant enforcement risk in the EU. Nor do courts appear particularly sympathetic to the burdens associated with fulfilling discovery requests in a way that complies with GDPR.
Below, we take a look at what arguments parties put forth in the past year, and make a few suggestions for how litigants can avoid violating one jurisdiction's law to satisfy another's courts.
|GDPR-Based Objections Implicate Comity
Coming into 2019, only a couple of decisions had addressed this issue, and none was particularly instructive. For example, in Corel Software, LLC v. Microsoft Corp., Microsoft sought unsuccessfully to avoid producing 14 terabytes of telemetry data that Microsoft argued would need to be anonymized in order to comply with GDPR. The District of Utah court concluded that the information sought was relevant and proportional under Rule 26, but (because the parties did not raise the issue) the court did not apply the comity analysis laid out in Société Nationale Industrielle Aerospatiale v. U.S. Dist. Court for S. Dist. of Iowa, which U.S. courts have traditionally used to analyze discovery requests that conflict with foreign law. Had it done so, the Microsoft court would have had to analyze five factors: (1) importance of the discovery to the litigation; (2) the specificity of the request; (3) whether the information sought originated in the U.S.; (4) the availability of alternative means to obtain the information; and (5) whether the foreign jurisdiction's interest in maintaining confidentiality outweighs U.S. interests.
By contrast, in the first (and arguably the most) notable case of 2019 to address this issue, the Northern District of California did apply the Aerospatiale factors to a potential conflict with GDPR in Finjan, Inc. v. Zscaler, Inc. The court compelled the discovery at issue, ruling that the request was narrow and sought directly relevant information.
The key factor in the court's decision was the balance of national interests factor, which it said weighed heavily in favor of disclosure. The court concluded that the "significant American interest in protecting its patents" was not outweighed by the "U.K. interest in protecting the privacy of its citizens," which the court ruled was diminished given that the documents would be marked "highly confidential" under the parties' protective order.
|Redactions May Not Be an Acceptable Alternative
Finjan also demonstrated that redactions, a common suggestion to alleviate GDPR concerns in discovery, may not be considered an alternative means of obtaining the relevant information under Aerospatiale. The Finjan court rejected a request to provide only redacted versions of the documents, citing a 1981 Ninth Circuit case for the proposition that "[m]asking the names of third parties is not a substantially equivalent alternative since the identities of the third parties is relevant."
Redactions also came into play in Vancouver Alumni Asset Holdings, Inc. v. Daimler AG, in which the parties are engaged in a lengthy dispute over whether Daimler can be required to produce unredacted documents from German custodians. In October 2019, a magistrate judge ordered Daimler to produce unredacted versions of the documents; that ruling is stayed while Daimler appeals the ruling to the district court.
|Absence of EU Enforcement Activity
In 2019's last notable decision addressing a potential GDPR conflict, the District of New Jersey also ordered Daimler to produce documents from European custodians. The court in In re Mercedes-Benz Emissions Litig. expressed deep skepticism that producing GDPR-protected data presented any European enforcement risk. Although the court acknowledged that GDPR defines personal data "broadly to include even seemingly innocuous information . . . that parties routinely exchange as part of discovery in U.S. litigation," the court ruled that this alone was not a sufficient basis to curtail the discovery request given that the defendants had not "pointed to any prior enforcement actions by the EU focused on violations in the litigation context."
The court's observation may be the root of the problem facing GDPR-based objections. Without any EU enforcement actions to point to, U.S. litigants may have difficulty arguing that they should be excused from complying in full with requests. In the coming year, it will be interesting to see whether a party to these cases faces EU enforcement activity related to the discovery at issue.
|Key Lessons from 2019
What then are the key lessons parties should take into the new year? Parties need to educate courts about what GDPR requires and the consequences of noncompliance. Parties should also be prepared to present concrete and convincing evidence of the burdens associated with producing GDPR-protected information in U.S. litigation.
Although the court ultimately compelled the discovery at issue in Finjan, the case demonstrated that parties should argue the five Aerospatiale factors because they introduce a host of germane considerations that a pure Rule 26 analysis might omit. Given the great weight the Finjan court placed on the protective order, parties should affirmatively explain that because GDPR applies to the storage, processing, or transfer of data, suppressing its public disclosure alone may not mitigate the enforcement risk.
Given courts' reluctance to allow redacting or anonymizing GDPR-protected data, litigants anticipating discovery requests implicating GDPR should also first try to get GDPR-sensitive provisions included in their negotiated protective orders and e-discovery protocols.
|Looking Ahead
Moving into 2020, many more courts in more circuits will have to face these issues, and early cases may start to reach the appellate courts, resulting in broader determinations. Parties should pay close attention to how U.S. courts balance the issues at play. It will also be interesting to see whether the enactment of the California Consumer Privacy Act gives rise to similar disputes regarding CCPA-protected data.
Leslie Meredith is counsel at Buckley LLP where she represents corporate and individual clients in complex civil litigation and government investigations involving the Department of Justice, the Consumer Financial Protection Bureau, state attorneys general, and in federal and state courts around the country.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllTrending Stories
- 1Lululemon Faces Legal Fire Over Its DEI Program After Bias Complaints Surface
- 2Plaintiff Gets $500K Policy Limit Without Surgery
- 3Philadelphia Bar Association Executive Director Announces Retirement
- 4SEC Chair Gary Gensler to Resign on Trump's Inauguration Day
- 5How I Made Partner: 'Develop a Practice Area You Really Care About,' Says Jennifer A. Gniady of Stradley Ronon
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250