This article appeared in Cybersecurity Law & Strategyan ALM publication for privacy and security professionals, Chief Information Security Officers, Chief Information Officers, Chief Technology Officers, Corporate Counsel, Internet and Tech Practitioners, In-House Counsel. Visit the website to learn more.

The intersection of foreign laws governing data collection and cross-border discovery operations continues to be a potentially volatile conjunction. Global enterprises have been cautioned to tread carefully when responding to U.S.-driven discovery requests, as expansive discovery exercises, so common in the U.S. under federal and state laws of civil procedure, can be completely foreign and often legally problematic in jurisdictions abroad.

Accordingly, discovery requests implicating custodians and data outside the U.S. can potentially put organizations in a Catch-22: either fall short of their discovery obligations on the one hand or fall afoul of legislation in other nations prohibiting or limiting data collection and transfer to the U.S. on the other. Laws potentially conflicting with discovery obligations include blocking statutes, requirements pertaining to works council agreements and, perhaps most significantly, data privacy regulations.