European Union Discovery Presents Compliance Headaches for US Litigants
February 05, 2018 at 01:47 PM
Discovery of personal data held in the European Union (EU) has been an issue that has bedeviled U.S. litigants for some time. On the one hand, the U.S. Supreme Court has held that discovery of foreign documents is not barred by foreign privacy law. On the other hand, EU privacy regulators have threatened enforcement actions against U.S. companies that don't take proper steps to protect EU personal data in discovery. The result is that U.S. lawyers and litigants are often caught in a Catch 22 with regard to foreign discovery, forced to choose between sanctions by a U.S. court for failure to conduct discovery or sanctions from an EU regulator for conducting such discovery.
Many had hoped that the EU's new data privacy law, the General Data Protection Regulation (GDPR), would ease the burden of conducting discovery in the EU. Unfortunately, while the GDPR makes it easier in some ways to conduct foreign discovery, it imposes new record-keeping requirements on U.S. litigants. Moreover, fines under the GDPR can be as high as 20 million euros, or 4 percent of worldwide turnover, greatly increasing the compliance risk for U.S. litigants.
Conducting Discovery Under Current Law
Under current European data privacy law, U.S. companies cannot process the personal data of any EU residents except under certain limited conditions. “Personal data” is defined very broadly to mean any information about identified or identifiable persons, which would include email addresses, street addresses, phone numbers, and even in some cases IP addresses. “Processing” is also broadly defined and covers all aspects of discovery. Current law, however, provides a number of exceptions to the general prohibition on processing of personal data. The one most relevant for U.S. discovery is the “legitimate interests” exception, permitting discovery of EU personal data where necessary for the legitimate interests pursued by the controller, including defense or prosecution of litigation in the United States.
Current EU privacy law also prohibits the transfer of data from the EU to the United States—which is not considered to be a nation that has an adequate level of protection—except under certain limited conditions. Data can be transferred to the United States if necessary or legally required for the exercise or defense of legal claims.
Relevant Changes Under the GDPR
In some ways, the GDPR does not differ greatly from current law. The definitions of personal data and processing remain broad under the GDPR, as does the general prohibition against the processing and transfer of personal data to the United States. Like current law, the GDPR provides several bases—including some new ones—that would allow for discovery of EU personal data and transfer to the United States. It also imposes new record-keeping requirements on U.S. litigants as well as potentially massive fines—up to 20 million euros, or 4 percent of worldwide turnover—for violations of the regulation. Here are the key provisions of the GDPR relevant to U.S. discovery:
Legitimate Interests
The GDPR provides a “legitimate interests” exception that allows processing where “necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.” The language of this exception is very similar to current law and likely would cover most U.S. litigation.
Consent
Consent continues to be a valid basis under the GDPR both for processing personal data and for transferring the data to the United States. Changes under the GDPR, however, make the use of consent considerably more challenging in the employer-employee context (which is how consent is typically obtained in U.S. civil matters) because of a presumption that employee consent is inherently coercive. Valid consent in the employment context requires written declaration that the employee may decline consent without fear of retaliation as well as verification that the data transfer cannot subject the employee to any legal harm. Consent must also be revocable by the employee at any point, which could present challenges in U.S. litigation where documents containing the personal data may already have been produced to the other side, and potentially disseminated to others, at the time consent is revoked.
Establishment, Exercise or Defense of Legal Claims
The “defense of legal claims” derogation under current law permits the transfer of EU personal data to the United States for litigation and remains in force under the GDPR. In some ways, this mechanism will be easier to employ under the GDPR than current law, which allows member states to implement national legislation that narrowly limits the legal claims exception and has led to a patchwork of differing requirements across the EU. Because the GDPR does not need to be implemented by separate national legislation, the “defense of legal claims” derogation will be applied in a more uniform fashion across the EU, which in theory should lower compliance risks for U.S. litigants.
Public Interest
The GDPR introduces a “public interest” derogation that may allow for the transfer of personal data to the United States for law enforcement purposes. This derogation, however, would likely not apply to discovery in U.S. civil matters. The public interest exception is also not unlimited. The public interest must be recognized by either EU or member state law. Examples include money laundering or anti-trust proceedings, financial supervisory investigations or for the purpose of public health.
Limited Transfer of Individual Data in Case of Compelling Legitimate Interest
This provision—new under the GDPR—may also permit the transfer of personal data to the United States for discovery purposes if the following criteria are met: the one-time transfer of data affects only a limited number of data subjects; is necessary for compelling legitimate interests to the data transferring entity; these interests are not outweighed by the interests or rights and freedoms of data subjects, and the transferring entity has assessed all circumstances surrounding the data transfer and has provided suitable safeguards. An open question is whether defense or prosecution of litigation will be deemed a compelling legitimate interest by regulators. Under current law it is considered a legitimate interest.
Data Minimization and Other Safeguards
If transfer of data to the United States for discovery purposes is permissible under the GDPR, litigants must continue to implement safeguards, such as use of search terms and data restrictions, to limit the amount of data that is collected and transferred to the United States. This obligation flows, in part, from the GDPR's data minimization standard, which requires that companies process the minimum amount of personal data necessary for the purposes for which the data is being processed. Where data is processed without valid consent, the GDPR also requires that U.S. litigants consider other mechanisms, such as encryption or pseudonymization, to protect the rights of EU citizens and prevent “further processing.” One way to achieve these goals could be through use of a protective order that limits the parties' ability to access and disseminate EU personal data in litigation.
Accountability
The GDPR has a new “accountability” requirement that requires that data controllers document the steps they have taken to comply with the GDPR. This is a new requirement for many U.S. companies who may not be accustomed to rigorously documenting the procedures they have implemented to safeguard the rights and freedoms of EU residents whose personal data is collected and processed for U.S. discovery purposes.
Fines
The most controversial aspects of the GDPR are the new administrative fines and the potential for extra-territorial application of the Regulation. The GDPR permits fines of up to 20 million euros, or 4 percent of worldwide turnover, for failing to abide by the GDPR's provisions governing processing of personal data, data access rights, or the transfer of data to the United States. Importantly, the sorts of errors that give rise to these heightened fines are implicated by discovery of EU residents for U.S. litigation: e.g., improper basis for processing the data, improper consents and lack of safeguards for limiting access to EU personal data. Whether and how EU regulators enforce the GDPR against U.S. litigants that conduct EU discovery is the great unknown. Historically, EU regulators have not fined many U.S. companies for conducting discovery in the EU, but all bets are off once the GDPR becomes operative.
Final Takeaways
Discovery of EU nationals for U.S. litigation continues to be permissible under the GDPR, but limitations on the use of consent and the new accountability provisions will require careful compliance by U.S. litigants, particularly in light of the potentially onerous fines available under the GDPR. Other discovery best practices, such as use of search terms and a protective order to limit the amount of data collected and further use of the data, as well as safeguards like encryption and redaction to limit access to personal data, will, in certain circumstances, continue to be necessary under the GDPR.
Philip Yannella is practice leader of Ballard Spahr's e-discovery and data management group. He concentrates his practice on complex litigation and investigations involving digital evidence, particularly data breaches, class actions and theft of trade secrets.