GDPR-Based Objections to U.S. Discovery Requests: 2019 Year in Review
A look at what arguments parties put forth in the past year, and a few suggestions for how litigants can avoid violating one jurisdiction's law to satisfy another's courts.
January 09, 2020 at 07:00 AM
6 minute read
U.S. civil litigants faced with an obligation to produce "personal data" protected by GDPR, the European Union's General Data Protection Regulation, can find themselves on the horns of a serious dilemma. In 2019, the first full year since GDPR was enacted, not a single court excused compliance with a discovery request because of GDPR-based objections.
Initial rulings addressing the tension between the broad scope of data protected by GDPR and the similarly broad scope of discovery under U.S. Federal Rule of Civil Procedure 26 revealed substantial skepticism that complying with a U.S. discovery request would expose parties to significant enforcement risk in the EU. Nor do courts appear particularly sympathetic to the burdens associated with fulfilling discovery requests in a way that complies with GDPR.
Below, we take a look at what arguments parties put forth in the past year, and make a few suggestions for how litigants can avoid violating one jurisdiction's law to satisfy another's courts.
GDPR-Based Objections Implicate Comity
Coming into 2019, only a couple of decisions had addressed this issue, and none was particularly instructive. For example, in Corel Software, LLC v. Microsoft Corp., Microsoft sought unsuccessfully to avoid producing 14 terabytes of telemetry data that Microsoft argued would need to be anonymized in order to comply with GDPR. The District of Utah court concluded that the information sought was relevant and proportional under Rule 26, but (because the parties did not raise the issue) the court did not apply the comity analysis laid out in Société Nationale Industrielle Aerospatiale v. U.S. Dist. Court for S. Dist. of Iowa, which U.S. courts have traditionally used to analyze discovery requests that conflict with foreign law. Had it done so, the Microsoft court would have had to analyze five factors: (1) importance of the discovery to the litigation; (2) the specificity of the request; (3) whether the information sought originated in the U.S.; (4) the availability of alternative means to obtain the information; and (5) whether the foreign jurisdiction's interest in maintaining confidentiality outweighs U.S. interests.
By contrast, in the first (and arguably the most) notable case of 2019 to address this issue, the Northern District of California did apply the Aerospatiale factors to a potential conflict with GDPR in Finjan, Inc. v. Zscaler, Inc. The court compelled the discovery at issue, ruling that the request was narrow and sought directly relevant information.
The key factor in the court's decision was the balance of national interests factor, which it said weighed heavily in favor of disclosure. The court concluded that the "significant American interest in protecting its patents" was not outweighed by the "U.K. interest in protecting the privacy of its citizens," which the court ruled was diminished given that the documents would be marked "highly confidential" under the parties' protective order.
Redactions May Not Be an Acceptable Alternative
Finjan also demonstrated that redactions, a common suggestion to alleviate GDPR concerns in discovery, may not be considered an alternative means of obtaining the relevant information under Aerospatiale. The Finjan court rejected a request to provide only redacted versions of the documents, citing a 1981 Ninth Circuit case for the proposition that "[m]asking the names of third parties is not a substantially equivalent alternative since the identities of the third parties is relevant."
Redactions also came into play in Vancouver Alumni Asset Holdings, Inc. v. Daimler AG, in which the parties are engaged in a lengthy dispute over whether Daimler can be required to produce unredacted documents from German custodians. In October 2019, a magistrate judge ordered Daimler to produce unredacted versions of the documents; that ruling is stayed while Daimler appeals the ruling to the district court.
Absence of EU Enforcement Activity
In 2019's last notable decision addressing a potential GDPR conflict, the District of New Jersey also ordered Daimler to produce documents from European custodians. The court in In re Mercedes-Benz Emissions Litig. expressed deep skepticism that producing GDPR-protected data presented any European enforcement risk. Although the court acknowledged that GDPR defines personal data "broadly to include even seemingly innocuous information . . . that parties routinely exchange as part of discovery in U.S. litigation," the court ruled that this alone was not a sufficient basis to curtail the discovery request given that the defendants had not "pointed to any prior enforcement actions by the EU focused on violations in the litigation context."
The court's observation may be the root of the problem facing GDPR-based objections. Without any EU enforcement actions to point to, U.S. litigants may have difficulty arguing that they should be excused from complying in full with requests. In the coming year, it will be interesting to see whether a party to these cases faces EU enforcement activity related to the discovery at issue.
Key Lessons from 2019
What then are the key lessons parties should take into the new year? Parties need to educate courts about what GDPR requires and the consequences of noncompliance. Parties should also be prepared to present concrete and convincing evidence of the burdens associated with producing GDPR-protected information in U.S. litigation.
Although the court ultimately compelled the discovery at issue in Finjan, the case demonstrated that parties should argue the five Aerospatiale factors because they introduce a host of germane considerations that a pure Rule 26 analysis might omit. Given the great weight the Finjan court placed on the protective order, parties should affirmatively explain that because GDPR applies to the storage, processing, or transfer of data, suppressing its public disclosure alone may not mitigate the enforcement risk.
Given courts' reluctance to allow redacting or anonymizing GDPR-protected data, litigants anticipating discovery requests implicating GDPR should also first try to get GDPR-sensitive provisions included in their negotiated protective orders and e-discovery protocols.
Looking Ahead
Moving into 2020, many more courts in more circuits will have to face these issues, and early cases may start to reach the appellate courts, resulting in broader determinations. Parties should pay close attention to how U.S. courts balance the issues at play. It will also be interesting to see whether the enactment of the California Consumer Privacy Act gives rise to similar disputes regarding CCPA-protected data.
Leslie Meredith is counsel at Buckley LLP where she represents corporate and individual clients in complex civil litigation and government investigations involving the Department of Justice, the Consumer Financial Protection Bureau, state attorneys general, and in federal and state courts around the country.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2025 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllTrending Stories
- 1Critical Mass With Law.com’s Amanda Bronstad: LA Judge Orders Edison to Preserve Wildfire Evidence, Is Kline & Specter Fight With Thomas Bosworth Finally Over?
- 2What Businesses Need to Know About Anticipated FTC Leadership Changes
- 3Federal Court Considers Blurry Lines Between Artist's Consultant and Business Manager
- 4US Judge Cannon Blocks DOJ From Releasing Final Report in Trump Documents Probe
- 5White & Case KOs Claims Against Voltage Inc. in Solar Companies' Trade Dispute
Who Got The Work
J. Brugh Lower of Gibbons has entered an appearance for industrial equipment supplier Devco Corporation in a pending trademark infringement lawsuit. The suit, accusing the defendant of selling knock-off Graco products, was filed Dec. 18 in New Jersey District Court by Rivkin Radler on behalf of Graco Inc. and Graco Minnesota. The case, assigned to U.S. District Judge Zahid N. Quraishi, is 3:24-cv-11294, Graco Inc. et al v. Devco Corporation.
Who Got The Work
Rebecca Maller-Stein and Kent A. Yalowitz of Arnold & Porter Kaye Scholer have entered their appearances for Hanaco Venture Capital and its executives, Lior Prosor and David Frankel, in a pending securities lawsuit. The action, filed on Dec. 24 in New York Southern District Court by Zell, Aron & Co. on behalf of Goldeneye Advisors, accuses the defendants of negligently and fraudulently managing the plaintiff's $1 million investment. The case, assigned to U.S. District Judge Vernon S. Broderick, is 1:24-cv-09918, Goldeneye Advisors, LLC v. Hanaco Venture Capital, Ltd. et al.
Who Got The Work
Attorneys from A&O Shearman has stepped in as defense counsel for Toronto-Dominion Bank and other defendants in a pending securities class action. The suit, filed Dec. 11 in New York Southern District Court by Bleichmar Fonti & Auld, accuses the defendants of concealing the bank's 'pervasive' deficiencies in regards to its compliance with the Bank Secrecy Act and the quality of its anti-money laundering controls. The case, assigned to U.S. District Judge Arun Subramanian, is 1:24-cv-09445, Gonzalez v. The Toronto-Dominion Bank et al.
Who Got The Work
Crown Castle International, a Pennsylvania company providing shared communications infrastructure, has turned to Luke D. Wolf of Gordon Rees Scully Mansukhani to fend off a pending breach-of-contract lawsuit. The court action, filed Nov. 25 in Michigan Eastern District Court by Hooper Hathaway PC on behalf of The Town Residences LLC, accuses Crown Castle of failing to transfer approximately $30,000 in utility payments from T-Mobile in breach of a roof-top lease and assignment agreement. The case, assigned to U.S. District Judge Susan K. Declercq, is 2:24-cv-13131, The Town Residences LLC v. T-Mobile US, Inc. et al.
Who Got The Work
Wilfred P. Coronato and Daniel M. Schwartz of McCarter & English have stepped in as defense counsel to Electrolux Home Products Inc. in a pending product liability lawsuit. The court action, filed Nov. 26 in New York Eastern District Court by Poulos Lopiccolo PC and Nagel Rice LLP on behalf of David Stern, alleges that the defendant's refrigerators’ drawers and shelving repeatedly break and fall apart within months after purchase. The case, assigned to U.S. District Judge Joan M. Azrack, is 2:24-cv-08204, Stern v. Electrolux Home Products, Inc.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250
