In federal court, with jurisdiction over the foreign entity, discovery of foreign companies in U.S. litigation may be obtained through federal rules of civil procedure. Societe Nationale Industrielle Aerospatiale v. U.S. Dist. Court for S. Dist. of Iowa, 482 U.S. 522 (1987). However, a foreign company may be placed into conflict where it either complies with U.S. discovery demands and risks criminal liability or other sanctions for violation of its own data privacy laws, or complies with its home law and risk sanctions in the U.S. litigation. In Aerospatiale, the Supreme Court expressly recognized a need for “special vigilance to protect foreign litigants from the danger that unnecessary, or unduly burdensome, discovery may place them in a disadvantageous position,” and that courts recognize “the demands of comity in suits involving foreign states, either as parties or as sovereigns with a coordinate interest in the litigation.”

The European Union's General Data Protection Regulation (GDPR), enforced on May 25, 2018, imposes a set of rules and restrictions on how personal data is handled and transferred. Notably, compliance by American companies with the EU-U.S. Privacy Shield does not ensure full compliance with GDPR, inasmuch as that Privacy Shield was meant to provide a provisional remedy. Companies must still comply with GDPR to the extent the jurisdictional parameters are met.

In perhaps the first case to address the impact of GDPR on American discovery demands since GDPR's enforcement date, an unreported decision shows continued primacy of the obligations of parties to follow discovery demands in U.S. litigation. In Corel Software, LLC v. Microsoft Corp., No. 215CV00528JNPPMW, 2018 WL 4855268 (D. Utah Oct. 5, 2018), the court rejected Microsoft's request for a protective order “barring further retention and production of its telemetry data” in a patent infringement case. Among other arguments, Microsoft argued that retention of such data created “tension with Microsoft's obligations under the European General Data Protection Regulation 2016/679.” The court agreed with plaintiff that Microsoft had failed to show undue burden or expense in compliance. A review of the motion papers on the docket reveals that Microsoft simply raised the issue as noted above, indicated a willingness to submit further briefing, but the court decided the matter on the papers before it.

The enforcement of the GDPR does not change the parameters of the analysis by a court in the United States, whether federal or state. As recognized in Aerospatiale, the Restatement of Foreign Relations Law of the United States notes five factors relevant to the comity analysis: “(1) the importance to the … litigation of the documents or other information requested; (2) the degree of specificity of the request; (3) whether the information originated in the United States; (4) the availability of alternative means of securing the information; and (5) the extent to which noncompliance with the request would undermine important interests of the United States, or compliance with the request would undermine important interests of the state where the information is located.” These would apply whether or not the foreign law is simply a “blocking statute” precluding general transmittal of documents, or a privacy law addressing personal data, or both. American courts require proofs of plausible risk of enforcement of criminal and civil penalties by foreign authorities, not just possibilities; see. e.g., Knight Capital Partners Corp. v. Henkel Ag & Co., KGaA, 290 F. Supp. 3d 681, 691 (E.D. Mich. 2017).

Reasonable minds may differ as to whether the current approach under Aerospatiale and the Restatement, as developed in the case law, is sufficient to handle the issue post-GDPR. Perhaps had Microsoft had the opportunity to further brief and develop its point, it might have tipped the scale. Perhaps not. On the minimal information before it, the Corel court probably got it right.

At a minimum, the lesson to be learned is to raise the issue early. At least in federal court, the forms preceding the initial conference provide an opportunity to raise issues relating to discovery regarding data privacy. We do not believe the local or federal rules, or even the New Jersey state court rules, need to be changed to address this. The rules of discovery currently in place regarding electronic discovery and overly burdensome discovery should be sufficient. However, practitioners need to anticipate and raise such issues early, together with reserving the right to assert the application of foreign law, and be aware of the preventative measures that can be taken by clients in terms of where data is stored and processed, to minimize the potential for significant exposure to their clients.