How the European Union’s General Data Protection Regulation Affects Pretrial Discovery Practices in US Federal Courts
In 2016, the European Union established the General Data Protection Regulation (“GDPR”), which prohibits any entity from unlawfully transferring European-processed data relating to any natural person to third parties.[1] The GDPR only exempts US pretrial discovery orders that proceed through international diplomatic channels such as the Hague Convention, so US litigants who produce protected material may face state sanctions and private liability to consumer groups.[2] As foreign electronically sourced information becomes more prevalent in litigation, and as the EU member states’ individual Data Protection Authorities (“DPAs”) increasingly levy GDPR sanctions, US courts must balance their interest in conducting full and fair discovery with the litigants’ interest in complying with the GDPR.[3] This post sheds light on the international comity approach in addressing GDPR discovery conflicts and documents the novel risks litigants face in transferring protected materials in pretrial discovery.
Unlike the EU, the US does not have a comprehensive data privacy regulatory scheme. Instead, industry-specific federal statutes and state laws govern the production of potentially sensitive material in litigation.[4] The US Supreme Court, in Aerospatiale, specified five factors for federal courts to balance in considering discovery requests that potentially expose litigants to foreign liability and undermine international comity.[5] The factors are (1) the requested information’s importance to the litigation, (2) the specificity of the request, (3) whether the information originated in the US, (4) whether an alternative means of discovery exists, and (5) the conflict between US and foreign interests in compelling discovery.[6] Courts emphasize the first and fifth factors, though some circuits weigh additional factors.[7] The Second Circuit, for example, also considers the parties’ good faith and hardship of compliance.[8]
The GDPR-approved diplomatic channels of discovery present further obstacles.[9] First, such channels are slow and procedurally complex. Second, foreign authorities may restrict the scope of discovery beyond what the Federal Rules of Civil Procedure would require.[10] Third, some signatory countries might resist Hague Convention requests for pretrial discovery.[11] Therefore, electronic discovery experts recommend that US parties seeking to avoid diplomatic channels take special care to narrowly tailor discovery requests, document any foreign custodians of European data, and thoroughly demonstrate their need for expeditious pretrial discovery.[12]
Historically, courts have not considered European data privacy laws to be significant obstacles to discovery.[13] However, European data regulators have recently ramped up their GDPR enforcement. Each EU member state’s DPA levies civil fines under the GDPR and, in extreme cases, issues data-processing bans within their jurisdiction.[14] The GDPR also does not preclude member states’ legislation authorizing private consumer associations to seek damages for data privacy violations.[15] Between July 2018 and April 2024, DPAs have levied nearly 4.5 billion Euros in publicly known GDPR fines.[16] For context, in June 2021, DPAs had levied under 300 million Euros in fines.[17] Though it is unclear what portion of these fines relate to discovery orders or how much DPAs have levied in non-public fines, the continued increase in GDPR penalties signifies Europe’s staunch commitment to data privacy.
Going forward, US courts may take special care to protect GDPR-covered parties. Allowing litigants to redact or withhold as much European-processed material as possible would limit their GDPR liability, especially where no acceptable alternative to producing the requested material exists under the international comity test’s fourth prong. Finally, more US courts may adopt the Second Circuit’s additional factors to prevent litigants acting in bad faith from using the GDPR as a crutch to circumvent fair discovery procedures. In any event, many US litigants will inevitably have to choose between violating the GDPR and complying with discovery orders where the requested material is necessary to the litigation.
Matthew Classi is a staff member of Fordham International Law Journal Volume XLVII.
[1] See Regulation 2016/679, of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC (General Data Protection Regulation), 2016 O.J. (L 119) [hereinafter GDPR].
[2] David J. Kessler et al., The Potential Impact of Article 48 of the General Data Protection Regulation on Cross Border Discovery from the United States, 17 SEDONA CONF. J. 575, 588 (2016).
[3] See Societe Nationale Industrielle Aerospatiale v. U.S. Dist. Ct. for S. Dist. of Iowa, 482 U.S. 522, 543 (1987) [hereinafter Aerospatiale].
[4] See generally Squire Patton Boggs, Overview of Privacy & Data Protection Laws: United States, Squire Patton Boggs: Privacy World, https://www.privacyworld.blog/summary-of-data-privacy-protection-laws-in-the-united-states/ (last visited Apr. 9, 2024).
[5] Aerospatiale, 482 U.S. at 544 n.28.
[6] Id.
[7] See United States v. Eaton Corp, No. 1:23-MC-00037-JG, 2024 WL 553965, at 9 (N.D. Ohio Jan. 4, 2024) (citing In re Mercedes-Benz Emissions Litig., No. 16-CV-881, 2020 WL 487288, at 8 (D.N.J. Jan. 30, 2020)).
[8] See Owen v. Elastos Found., 343 F.R.D. 268, 282 (S.D.N.Y. 2023).
[9] Samantha Ettari, Navigating Cross-Border Discovery in US Litigation, Perkins Coie 18 (Jan. 2020), https://www.perkinscoie.com/images/content/2/4/244640/LIT-Dec19Jan20-EDiscoveryBulletin-2021Update.pdf.
[10] Id.
[11] Id.
[12] Id.
[13] Id. at 17.
[14] GDPR, Arts. 51 to 59.
[15] Consumer protection associations may bring representative actions against infringements of personal data (Federal Union v. Meta Platforms Ireland), Judgment, 2022 I.C.J., C-319/20 ❡ 5 (Apr. 28).
[16] CMS Law, GDPR Enforcement Tracker, https://www.enforcementtracker.com/?insights (last visited Apr. 9, 2024).
[17] Id.
This is a student blog post and in no way represents the views of the Fordham International Law Journal.