GDPR and U.S. eDiscovery - Who Will Win the Game of Chicken
Well, it has now happened. The European Union’s new General Data Protection Regulation (GDPR) went into effect on May 25, 2018. In the lead up to G-Day, commentators published a voluminous amount of materials in legal journals, newsletters, and blogposts about what GDPR is, what it is supposed to accomplish, how to comply with it, the potential penalties for not complying, and the challenges that U.S. companies are facing in trying to re-work their entire data maintenance practices to keep pace with the GDPR’s requirements. One topic, however, that has gotten scant attention is what the GDPR will mean for litigators seeking discovery from Europe. Well, here is a prediction – U.S. courts will have little patience for GDPR compliance requirements if the result is a failure to preserve electronically stored information (ESI), a substantial delay in producing requested documents and data, or an outright refusal to produce the materials requested.
First, let’s examine – very briefly – what GDPR is and what it requires. (For more detailed descriptions, please refer to the aforementioned materials that have been published in recent months.) Simply put, the GDPR is a mandatory regulation designed to protect an individual’s privacy by limiting how electronic information about that person may be maintained, processed, used, or transferred. The GDPR is applicable in all 28 EU member states, as well as in the slightly wider European Economic Area (EEA), which includes non-EU member states such as Iceland and Norway. Even if a company is not physically located in those countries but provides goods and services to individuals located in the EU/EEA on a regular enough basis, then the GDPR is applicable to that entity. So, yes – the GDPR applies equally to a business based in Paris, France selling over the internet to individuals in Italy, as well as a business located in Paris, Texas, offering goods or services to people located in Ireland. Moreover – and probably most importantly in terms of ediscovery – the GDPR is applicable to employers of people located in the EU/EEA or entities that maintain electronic records of a European company’s employees.
Two things make GDPR compliance – or the failure to comply – particularly daunting. First is the regulation’s definition of “personal data” and the rights given to an individual to control the electronic data containing such personal information. More on this in a moment. . . . Second is the financial “bite” that EU regulators put into the GDPR, a bite which far exceeds any potential fines that theoretically existed under previous EU or individual country rules. Specifically, the GDPR allows for administrative fines for failure to comply with the GDPR’s data transfer provisions of up to € 20 million (about $23.5 million) or 4% of the violating company’s annual worldwide revenue, whichever is higher – and that revenue amount can be calculated across the violating company’s corporate worldwide parents, subsidiaries, and other affiliates. GDPR, Art. 83(5). Granted, fines at the highest level are reserved for the most egregious situations, but there can be no question that it was the potential threat of these hefty fines that caught the attention of companies throughout the world and led to the enormous efforts over the last year or so to develop GDPR-compliant data policies.
Turning back to the challenges raised by “personal data” under the GDPR, U.S. litigators should understand that the GDPR defines personal data as “any information relating to an identified or identifiable natural person.” GDPR, Art. 4. This definition is much, much broader than what U.S. practitioners typically recognize as sensitive personal information worthy of protection – e.g., a person’s name in conjunction with the person’s social security number, or bank account numbers, or health records. The GDPR’s reference to “any” information includes, at least, the person’s name in conjunction with the person’s email address (business or personal), a physical address or telephone number, or just about anything else that can directly or indirectly identify a specific person. For example, just think of the typical footer people often include at the end of business emails listing the person’s name, company, title, business address, business telephone number, a mobile telephone number, and the person’s email address. Under the GDPR, all of that information constitutes “personal data.” Likewise, the GDPR definition is broad enough to capture an individual’s IP address, which can be found in data logs or other electronic records – information that well could be caught up in ESI discovery requests.
As to an individual’s rights over his/her personal data, the European Commission (EC) explained, in an amicus brief filed to the U.S. Supreme Court last December, that the EC regards “protection of personal data [as] a fundamental right” and that the GDPR is a reflection of the EU’s interest to protect such a right(s).1 The GDPR requires, under certain circumstances, that individuals whose data are being “processed” – e.g., collected, stored or transferred – be provided with explicit and easily understood notice. The GDPR also grants to affected individuals the right to demand to examine that personal data, to correct the data, to erase the data, to object to the collection, use or transfer of the data, and/or the ultimate right to demand to be forgotten.2 There are some exceptions to these rights, including when the data are necessary for “compliance with a legal obligation,” the “establishment, exercise or defence of legal claims,” or “for purposes of compelling legitimate interests . . . which are not overridden by the interests or rights and freedoms of the data subject.” See, e.g., GDPR, Arts. 6(1)(c) and 49(1) and 49(1)(e). How these provisions will be interpreted remains an open question, but given many European countries’ long-standing disdain for the entire concept of U.S. discovery, such language should not be regarded as a certain GDPR “get out of jail free” card. Indeed, the European Commission has already explained that an order from a foreign court to produce documents does not render that order legal under the GDPR and that, absent an agreement between countries for mutual legal assistance, such an order could proceed “only if it qualified under Article 49.”3
Now, the GDPR’s personal data protections may offer comfort to individuals who do not wish for their personal information to be sold by one web business to another with the second business using that personal data to engage in a targeted advertisement campaign. Likewise, people get very agitated when – oh, for example – Facebook collects and retains personal data and winds up opening a cyber door to the Cambridge Analyticas of the world or hidden foreign government agents who collect and make use of that data for all sorts of political games and gains. But, let’s think about personal data protection when it comes to a typical – and assumedly non-nefarious – need such as an obligation to adhere to U.S. discovery rules.
As we all know, under the Federal Rules of Civil Procedure, discovery is wide-open and broad (concerns for proportionality notwithstanding), and American lawyers use those procedural mechanisms every day to demand that both opposing parties and non-parties undertake extensive efforts to preserve, collect, and/or produce ESI relevant to claims or defenses in a legal dispute. And while these requests may spark motions to a judge seeking protection because of burden and costs, for the most part, American recipients of preservation notices or document requests comply. They also may seek a protective order so that the information cannot be widely disseminated or examined by just anyone4 . . . but they comply.
Now assume that a U.S. party brings a civil suit against a company located in any of the EU/EEA member countries – let’s say France – or sues a U.S. subsidiary of a French company but seeks documents in discovery “located” at the company’s French parent’s office . . . or even serves a subpoena under Rule 45 on a U.S. subsidiary of a French company requiring the production of documents that are in the possession of the parent French company. And yes, all three of these variations are a possibility.5
Under prevailing U.S. rules, once a defendant either is sued or has reason to believe that litigation is imminent, it is obligated to preserve documents, including all ESI, that are potentially relevant to the claims or defenses raised in the litigation. Thus, a party is obligated to “suspend its routine document retention/destruction policy and put in place a ‘litigation hold’ to ensure the preservation of relevant documents.”6 Likewise, a subpoena recipient is obligated to preserve documents for a sufficiently long period of time to allow for collection and production of the documents consistent with the subpoena’s terms.
So, assuming that the defendant in U.S. litigation is a European entity, that company, under U.S. rules, must “immediately” take steps to preserve all documents – hard-copy and electronic – that may be relevant to the case. Such efforts almost inevitably call for the employer at that point to send a “litigation hold” notice to employee/custodians notifying them of the obligation to preserve relevant information. Upon receiving that notice, each recipient, under the terms of the GDPR, has the right to review the material swept up in the preservation effort, including historical ESI that may have been preserved or archived by the employer. Likewise, it could be argued that other people whose “personal data” is contained within the ESI of a document hold recipient have a similar right of review.
The next question is how long it will take to allow those who choose to review their data to complete the task – and possibly raise questions about why certain information is included in the sweep. Will people have a second or third chance to conduct such a review once the data is culled to specific topics and time periods are identified in discovery requests – and then again, before the ESI is actually produced? What about the time it will take to resolve any objections that individuals raise about the use or transfer of the data – even if it is later determined that the objection is not valid? The possibilities for delay and conflict cannot be ignored.
The question that then arises is whether any U.S. court is going to tolerate the complexities and inevitable time delays that will arise when ESI is sought from EU/EEA member state companies – or from companies located elsewhere but which hold personal data about individuals located in those countries. If past is prologue, the answer to that question should be a resounding “no.”
There is nothing new about the tension between the U.S. discovery system and efforts by European countries to limit American lawyers from being able to obtain information in discovery.7 As long ago as 1958, the U.S. Supreme Court grappled with how to reconcile an effort to obtain certain Swiss bank records when Swiss penal laws protected those same records. See Société Internationale Pour Participations Industrielles et Commerciales, S.A. v. Rogers, 357 U.S. 197, 212-13 (1958) (reversing dismissal of suit as penalty for failure to produce without first making a willfulness determination, but warning that significant evidentiary penalties remained possible). In 1987, the Supreme Court weighed in again and stated, in reference to the French “blocking statute” which calls for criminal penalties for the production of economic, commercial, industrial, financial, or technical documents “with a view” to foreign judicial proceedings, that “It is well settled that such statutes do not deprive an American court of the power to order a party subject to its jurisdiction to produce evidence even though the act of production may violate that statute.” Société Nationale Industrielle Aerospatiale v. U.S. District Court for the Southern District of Iowa, 482 U.S. 522, 544, n.29 (1987).
Since Aerospatiale, U.S. courts have remained, with very few exceptions, consistently hostile to concerns about foreign laws that conflict with U.S. discovery obligations.8 Following upon Aerospatiale’s guidance to courts to engage in an international comity analysis when confronted with conflicting foreign law, U.S. courts regularly weigh, among other things, the importance of the information to the U.S. proceeding; the foreign country’s national interest in its own law; the extent to which compliance with foreign law would undermine important U.S. interests; and whether violation of the foreign law would likely lead to a hardship upon the persons or entity producing the documents.9 However, these examinations generally have been perfunctory and almost inevitably lead to the conclusion that U.S. legal interests outweigh the interests reflected in European law. U.S. courts also almost always note that, despite the threat of criminal jeopardy or monetary fines, prosecutions are extremely rare, and the lack of enforcement by European authorities undermines any concerns about the potential hardship to befall any individual or company that complies with U.S. discovery demands.
A recent decision is illustrative of this approach. In Laydon v. Mizuho Bank, Ltd., 183 F. Supp.3d 409 (S.D.N.Y 2016), a group of European defendants sought relief from having to respond to plaintiffs’ discovery requests on the grounds that compliance would violate the then-existing 1995 EU Directive 95/46/EC, which was implemented in the United Kingdom as part of the UK’s Data Protection Act. Many of the key data protections provisions of the 1995 EU Directive are very similar to those found in the present GDPR.
In support of their motion, the foreign defendants submitted expert declarations from UK privacy and data protection experts, both of whom argued that the EU Directive and, thus, the UK law prohibited the production of documents in response to plaintiffs’ discovery. The Magistrate Judge agreed that a conflict between the countries’ law existed and, thus, embarked on a comity analysis. In short shrift, he determined that the information sought was important to plaintiffs’ case; that while the UK had an interest in enforcing the European data privacy provisions, U.S. interests in enforcing its own laws are superior; that the lack of an official UK government objection indicated that the foreign law interest was not particularly great; and that defendants could not point to a single instance in which the UK government pursued an enforcement action under the Data Privacy Act against any entity for responding to U.S. discovery requests. Id. at 423-26.
The Laydon decision is in line with a long list of prior decisions. See, e.g., St. Jude Med. S.C. v. Janssen-Counotte, 104 F. Supp.3d 1150, 1162 (D. Or. 2015) (German Data Privacy Act not impediment to U.S. discovery; U.S. has substantial interest in vindicating rights of U.S. citizens); Pershing Pacific West, LLC v. Marinemax, Inc., 2013 WL 941617, at *8-9 (S.D. Cal. Mar. 11, 2013) (U.S. interests in vindicating rights of its citizens outweigh provisions of German Data Privacy Act); Strauss v. Credit Lyonnais, S.A., 249 F.R.D. 429 (E.D.N.Y 2008) (interests of U.S. in deterring international terrorism outweigh French interest in French bank secrecy law and discovery blocking statute; likelihood that France would pursue criminal penalties against French bank limited); Bodner v. Banque Paribas, 202 F.R.D. 370, 375 (E.D.N.Y 2000) (French blocking statute does not prohibit U.S. discovery, following numerous other courts); First American Corp. v. Price Waterhouse LLP, 154 F.3d 16, 21-22 (2d Cir. 1998) (U.S. interests outweigh British confidentiality laws); Graco v. Kremlin, Incorporated, 101 F.R.D. 503, 514 (N.D. Ill. 1984) (French defendant “has been unable to point to a single case in which France enforced its blocking statute”).
Since Laydon, other courts have reached similar decisions. See, e.g., Royal Park Investments SA/NV v. HSBC Bank USA, N.A., 2018 WL 745994, at *2 (S.D.N.Y. Feb. 6, 2018) (plaintiff improperly withheld document custodial information and redacted individual names and email addresses in deference to Belgian Data Privacy Act; comity analysis weighs in favor of compelling bank to produce documents in unredacted form, with custodial information restored); Knight Capital Partners Corp. v. Henkel AG & Co., 290 F. Supp.3d 681, 690-91 (E.D. Mich. 2017) (subpoena for documents held by defendant’s German subsidiary upheld; German Data Protection Act prohibition against producing “personal data” does not supersede U.S. interests; court is not bound by interpretations of German law by German legal expert; no plausible indication that German authorities would pursue enforcement action); Republic Tech. LLC v. BBK Tobacco & Foods, LLP, 2017 WL 4287205, at *4-5 (N.D. Ill. Sept. 27, 2017) (same regarding French blocking statute).
Against this entrenched background, there should be no reason to expect that U.S. courts will regard the terms of the GDPR as a game-changer – and certainly not one that should be allowed essentially to eviscerate the U.S. discovery system. The Europeans have long taken a different approach towards compelled – or involuntary – disclosure of information that relates to an individual. And what may have begun, at least in part, as a reflection of specific countries’ disdain for U.S. discovery – e.g., the French blocking statute – has evolved in more recent years to genuine concern about personal privacy in an era where electronic data is ubiquitous, instantly transferable across national boundaries, and subject to unknown uses or misuse. Nonetheless, U.S. courts continually have treated European privacy protection efforts as more of an annoyance to be quickly swatted away and dispelled. And while we may be seeing the beginnings of an awakening in the United States about how easily personal data can be collected and manipulated, there certainly is no indication that U.S. policymakers are considering substantial amendments to the discovery rules to address any such concerns. Hence, we all should assume that U.S. discovery as we know it is here to stay for the foreseeable future. Thus, the two legal systems are at loggerheads.
Only one thing may tip the balance – but that is going to require a very serious game of chicken. As noted above, one of the continuing themes repeated in U.S. decisions declining to defer to European or individual country laws is that there has been virtually no enforcement of those laws. The French blocking statute has only ever been enforced once – in 2007, against a French lawyer who lied to a potential French witness to get information for use in a California case, but that case did not actually involve pending discovery.10 Thus, U.S. courts continue to issue orders compelling the production of European documents, data, and ESI. Recall, however, that the GDPR significantly upped the fining authority ante. So, who is going to give way first? Will European companies stand firm behind the GDPR and either decline to produce data or seek substantial delays, thereby risking the wrath of U.S. judges – or will they elect to comply with U.S. discovery orders and risk the significant fines that can be imposed on them for non-compliance with the GDPR’s provisions? Are the European authorities really going to impose those fines despite having not done so in the past? If they do, are U.S. courts really going to continue to require compliance with U.S. discovery rules, essentially ignoring the hardships those fines represent?
The answers to these questions remain to be seen. All we can say for now is that U.S. judges over many years have consistently shown a steely determination to enforce U.S. discovery requirements against foreign nationals, and European authorities have taken no action in response either against the United States or their own citizens. Will that change? Game on!
1 See Brief of the European Commission on Behalf of the European Union as Amicus Curiae in Support of Neither Party at 1 and 8, United States v. Microsoft Corp., No. 17-2 (S. Ct. Dec. 13, 2017) (hereinafter “EC Amicus Brief”). The Microsoft case concerned a warrant issued under the Stored Communications Act by a federal magistrate judge in New York for an individual’s electronic data/documents stored on a Microsoft server in Ireland and Microsoft’s refusal to comply on the grounds that the Stored Communications Act did not have extraterritorial reach. The Second Circuit subsequently agreed with Microsoft and overturned the district court decision. The U.S. government appealed the matter to the Supreme Court and oral argument was held in February 2018; however, due to new legislation that clarified the extraterritorial application of the Stored Communications Act, the appeal was deemed moot and dismissed.
2 See EC Amicus Brief at 10 (referencing GDPR, Arts. 15, 16, 17 and 21).
3 Id. at 14-15.
4 The normal rule is that, absent a protective order, a party in receipt of documents produced in discovery may share those documents or the information therein with anyone or everyone. See, e.g., Mitial v. Dr. Pepper Snapple Group, 2012 WL 12868405, at *2 (S.D. Fla. May 29, 2012) (well settled, without a protective order, parties may disseminate discovery materials as they see fit) (quoting Jepson, Inc. v. Makita Elec. Works, Ltd., 30 F.3d 854, 858 (7th Cir. 1994)).
5 See e.g., Republic Tech. (NA), LLC v. BBK Tobacco & Foods, Inc., 2017 WL 4287205, at *3 (N.D. Ill. Sept. 27, 2017) (U.S.-based plaintiff ordered to produce documents from its French subsidiary); St. Jude Medical S.C., Inc. v. Janssen-Counotte, 104 F. Supp.3d 1150 (D. Or. 2015) (plaintiff’s subpoena to non-party U.S. company for its European affiliates’ documents upheld); Costa v. Kerzner Intn’l Resorts, Inc., 277 F.R.D. 468 (S.D. Fla. 2011) (defendants ordered to produce documents from Bahamian corporate affiliates); In re Subpoena Duces Tecum to Ingetem, Inc., 2011 WL 3608407, at *2 (E.D. Wisc. Aug. 16, 2011) (subpoena to non-party U.S. company seeking documents from company’s Spanish parent upheld).
6 EPAC Technologies, Inc. v. HarperCollins Christian Publishing, Inc., 2018 WL 1542040, at * 17 (M.D. Tenn. Mar. 29, 2018) (quoting Zubulake v. UBS Warburg LLC, 220 F.R.D. 212, 217 (S.D.N.Y 2003)).
7 This tension is not exclusive to Europe – other countries throughout the world also have legal systems and philosophies that conflict with U.S. discovery rules. However, as this article relates to the implications on ediscovery of the new GDPR, the discussion is limited to the tension with European law.
8 Exceptions do exist but are few and far between. See, e.g., Salt River Project Agricultural Improvement and Power Dist. v. Trench France, SAS, 2018 WL 1382529 (D. Ariz. Mar. 19, 2018) (recognizing potential hardship to French defendant due to French blocking statute and permitting discovery to proceed under the Hague Convention).
9 See generally Restatement (Third) of the Foreign Relations Law of the United States at § 442(1)(c).
10 See In re Air Cargo Shipping Servs., 278 F.R.D. 51, 54 (E.D.N.Y. 2010) (discussing French decision fining lawyer 10,000 Euros; information sought not responsive to discovery requests in California case or any U.S. court order).