Between a Rock and a Hard Place? How GDPR Can Affect Discovery in US Litigation
As we’ve discussed at some length, privacy and data security laws create significant litigation risk for businesses. Individuals, other businesses, and federal and state regulators can and do sue when they believe a business violates these laws.
Those same laws can also create risk in the conduct of litigation, even when the claims don’t have anything to do with privacy or data security. That’s because civil discovery often requires parties to exchange documents that contain personal information.
To that end, our own Stephen Feldman has written about how US privacy laws like HIPAA and the Gramm-Leach-Bliley Act can impact civil discovery.
For litigants that do business internationally, another law can come into play: the European Union’s new General Data Protection Regulation (GDPR). GDPR broadly regulates the collection, use, storage, and disclosure of “personal data” relating to individuals in the EU. Among other restrictions, GDPR strictly regulates the export of personal data from the EU to countries—like the United States—that aren’t considered to provide an “adequate level of protection” for personal data.
GDPR defines “personal data” broadly to include even seemingly innocuous information like business contact and other related data about a business’s employees, business partners, and customers—the sort of information in business records that parties routinely exchange as part of discovery in business litigation.
Thus, when a litigant receives a discovery request seeking documents stored in the EU that contain personal data, it could face a difficult decision:
- export and produce the documents, and risk violating GDPR and facing an enforcement action by European privacy regulators (a frightening proposition given that just last month, France fined Google €50 million under GDPR for its data collection practices); or
- refuse to produce, and risk discovery sanctions under Rule 37(b)(2).
Last week, a federal court in California dealt with a discovery dispute focused on GDPR. This post examines that decision, called Finjan, Inc. v. Zscaler, Inc.
The discovery dispute
In Finjan, Finjan, Inc. alleged that Zscaler, Inc. infringed Finjan’s patent on certain computer security technology. During discovery, Finjan requested all the emails of Zscaler’s UK sales director Tim Warner—a former Finjan employee—that contained certain search terms.
Zscaler objected, arguing it could not produce those emails because they would contain large volumes of “unnecessary personal data” whose disclosure was prohibited by GDPR. That personal data, said Zscaler, would need to be anonymized or redacted at great cost to Zscaler.
Instead, Zscaler proposed staging discovery so that Warner’s emails would be produced, if necessary, only after the production of documents from custodians in the US. Zscaler also proposed that the parties split the cost of anonymizing or redacting EU personal data from Warner’s emails.
Finjan countered that redacting or removing the personal data from those emails would impede Finjan’s use and review of those documents. It also argued that designating Warner’s emails as “Attorneys Eyes Only” under the protective order already entered in the case would satisfy Zscaler’s obligations under GDPR.
The court’s decision
The court began its analysis of the dispute with the Supreme Court’s decision in Societe Nationale Industrielle Aerospatiale v. U.S. Dist. Ct. for S. Dist. of Iowa. In Aerospatiale, the Supreme Court explained that a foreign country’s statute cannot deprive an American court of the power to order a party to produce evidence, even though the act of production might violate that statute.
Instead, under Aerospatiale and its progeny, US courts consider several factors to determine whether a foreign statute provides an excuse for not producing documents. Several of those factors focus on the documents themselves. But, explained the Finjan court, they also include the burden faced by the producing party and the likelihood that the foreign country will enforce the law at issue.
Those considerations, explained the court, did not justify Zscaler’s refusal to produce Warner’s emails as requested, for three reasons.
First, the court explained, Finjan had convincingly argued that GDPR allowed Zscaler to produce the emails. To that end, a provision in GDPR permits the export of personal data from the EU when “necessary for the establishment, exercise, or defense of legal claims.”
Second, the court concluded that the risks to Zscaler of producing EU personal data could be minimized through the protections offered by the existing protective order. Zscaler could produce the emails as “Attorneys Eyes Only” to protect the privacy of the individuals involved.
Finally, the court observed, Zscaler had failed to provide any information about the likelihood that a government in the EU would pursue a GDPR enforcement action based on its production of Warner’s emails. Thus, Zscaler could not show that producing those emails posed an undue burden, especially given Finjan’s own interest in enforcing its rights in the patents at issue.
Lessons for litigants
Finjan is one of the first decisions to address the vexing question of how GDPR might apply to discovery in US litigation.
Not surprisingly, the decision confirms that US courts are unlikely to accept GDPR as grounds for refusing to produce documents located in the EU—especially without a concrete showing about the likelihood of a GDPR enforcement action to support a claim of undue burden.
But it also identifies some steps that litigants can take to reduce their GDPR enforcement risk when producing those documents.
First, the business should produce only those documents that are relevant and necessary to establish or defend against claims in pending or imminent litigation. Consistent with Finjan, Guidelines issued last year by EU data protection regulators concluded that GDPR allows these documents to be exported from Europe and produced in unredacted form as part of pretrial discovery in litigation. Critically, however, those Guidelines also make clear that GDPR does not allow a party to export documents “on the grounds of the mere possibility that legal proceedings or formal procedures may be brought in the future.”
Second, the business can address lingering concerns about risks to individuals’ privacy by producing documents under a protective order that limits the other side’s use and disclosure of any personal data they contain.
Author: Alex Pearce