GDPR Lock Cybersecurity

U.S. civil litigants faced with an obligation to produce "personal data" protected by GDPR, the European Union's General Data Protection Regulation, can find themselves on the horns of a serious dilemma. In 2019, the first full year since GDPR was enacted, not a single court excused compliance with a discovery request because of GDPR-based objections.

Initial rulings addressing the tension between the broad scope of data protected by GDPR and the similarly broad scope of discovery under U.S. Federal Rule of Civil Procedure 26 revealed substantial skepticism that complying with a U.S. discovery request would expose parties to significant enforcement risk in the EU. Nor do courts appear particularly sympathetic to the burdens associated with fulfilling discovery requests in a way that complies with GDPR.

Below, we take a look at what arguments parties put forth in the past year, and make a few suggestions for how litigants can avoid violating one jurisdiction's law to satisfy another's courts.

GDPR-Based Objections Implicate Comity

Coming into 2019, only a couple of decisions had addressed this issue, and none was particularly instructive. For example, in Corel Software, LLC v. Microsoft Corp., Microsoft sought unsuccessfully to avoid producing 14 terabytes of telemetry data that Microsoft argued would need to be anonymized in order to comply with GDPR. The District of Utah court concluded that the information sought was relevant and proportional under Rule 26, but (because the parties did not raise the issue) the court did not apply the comity analysis laid out in Société Nationale Industrielle Aerospatiale v. U.S. Dist. Court for S. Dist. of Iowa, which U.S. courts have traditionally used to analyze discovery requests that conflict with foreign law. Had it done so, the Microsoft court would have had to analyze five factors: (1) importance of the discovery to the litigation; (2) the specificity of the request; (3) whether the information sought originated in the U.S.; (4) the availability of alternative means to obtain the information; and (5) whether the foreign jurisdiction's interest in maintaining confidentiality outweighs U.S. interests.

By contrast, in the first (and arguably the most) notable case of 2019 to address this issue, the Northern District of California did apply the Aerospatiale factors to a potential conflict with GDPR in Finjan, Inc. v. Zscaler, Inc. The court compelled the discovery at issue, ruling that the request was narrow and sought directly relevant information.

The key factor in the court's decision was the balance of national interests factor, which it said weighed heavily in favor of disclosure. The court concluded that the "significant American interest in protecting its patents" was not outweighed by the "U.K. interest in protecting the privacy of its citizens," which the court ruled was diminished given that the documents would be marked "highly confidential" under the parties' protective order.

Redactions May Not Be an Acceptable Alternative

Finjan also demonstrated that redactions, a common suggestion to alleviate GDPR concerns in discovery, may not be considered an alternative means of obtaining the relevant information under Aerospatiale. The Finjan court rejected a request to provide only redacted versions of the documents, citing a 1981 Ninth Circuit case for the proposition that "[m]asking the names of third parties is not a substantially equivalent alternative since the identities of the third parties is relevant."

Redactions also came into play in Vancouver Alumni Asset Holdings, Inc. v. Daimler AG, in which the parties are engaged in a lengthy dispute over whether Daimler can be required to produce unredacted documents from German custodians. In October 2019, a magistrate judge ordered Daimler to produce unredacted versions of the documents; that ruling is stayed while Daimler appeals it to the district court.

Absence of EU Enforcement Activity

In 2019's last notable decision addressing a potential GDPR conflict, the District of New Jersey also ordered Daimler to produce documents from European custodians. The court in In re Mercedes-Benz Emissions Litig. expressed deep skepticism that producing GDPR-protected data presented any European enforcement risk. Although the court acknowledged that GDPR defines personal data "broadly to include even seemingly innocuous information . . . that parties routinely exchange as part of discovery in U.S. litigation," the court ruled that this alone was not a sufficient basis to curtail the discovery request given that the defendants had not "pointed to any prior enforcement actions by the EU focused on violations in the litigation context."

The court's observation may be the root of the problem facing GDPR-based objections. Without any EU enforcement actions to point to, U.S. litigants may have difficulty arguing that they should be excused from complying in full with requests. In the coming year, it will be interesting to see whether a party to these cases faces EU enforcement activity related to the discovery at issue.

Key Lessons from 2019

What then are the key lessons parties should take into the new year? Parties need to educate courts about what GDPR requires and the consequences of noncompliance. Parties should also be prepared to present concrete and convincing evidence of the burdens associated with producing GDPR-protected information in U.S. litigation.

Although the court ultimately compelled the discovery at issue in Finjan, the case demonstrated that parties should argue the five Aerospatiale factors because they introduce a host of germane considerations that a pure Rule 26 analysis might omit. Given the great weight the Finjan court placed on the protective order, parties should affirmatively explain that because GDPR applies to the storage, processing, or transfer of data, suppressing its public disclosure alone may not mitigate the enforcement risk.

Given courts' reluctance to allow redacting or anonymizing GDPR-protected data, litigants anticipating discovery requests implicating GDPR should also first try to get GDPR-sensitive provisions included in their negotiated protective orders and e-discovery protocols.

Looking Ahead

Moving into 2020, many more courts in more circuits will have to face these issues, and early cases may start to reach the appellate courts, resulting in broader determinations. Parties should pay close attention to how U.S. courts balance the issues at play. It will also be interesting to see whether the enactment of the California Consumer Privacy Act gives rise to similar disputes regarding CCPA-protected data.

Leslie Meredith is counsel at Buckley LLP where she represents corporate and individual clients in complex civil litigation and government investigations involving the Department of Justice, the Consumer Financial Protection Bureau, state attorneys general, and in federal and state courts around the country.