This month, Colorado became the third U.S. state to enact a comprehensive cross-industry privacy law. Colorado is following an international trend. Many foreign countries have adopted similar privacy laws, inspired by the European Union’s GDPR. Yet conducting discovery in U.S. litigation has not caught up, and U.S. courts are grappling with balancing discovery obligations against international privacy laws and their restrictions.
The GDPR and other international data protection laws can limit how a company uses personal data and transfers it across national borders. A company can produce documents in U.S. litigation containing personal data subject to most international privacy laws in a manner consistent with those legal frameworks. But the limitations must be managed. If not, they can conflict with a company’s obligations to participate in discovery. What happens if a court isn’t educated about it can be seen in two recent decisions overruling objections based on the GDPR.
Why this matters: Recently, two U.S. federal district courts issued written opinions displaying continued skepticism that the GDPR and other international privacy laws limit a party’s discovery obligations. In other words, those laws may not excuse discovery obligations if their (and so a party’s) privacy obligations are not presented to the court clearly and completely. And these decisions show the risk to a company that does not take the time to educate a U.S. court. Considering the risk of noncompliance—fines under the GDPR can be €20 million or more—a company may wish to educate the court on what those international laws require.
A company often has a choice when producing information that may be subject to the GDPR or another international privacy law: Comply with its discovery obligations as if the laws do not apply, or apply the laws and don’t produce. The company can cite generally to the applicable international law excusing performance. Or the company can educate the court on the specific application of privacy laws that may limit its discovery obligations. Indeed, the company may even want its internal or external privacy counsel to pitch in on court submissions.
This month, in Woldegiorgis v. NYK Ship Management, a judge in the Northern District of California rejected a party’s attempt to avoid producing the names and contact information of the crew on its ship. The party’s briefing claimed that the GDPR and the Philippines equivalent precluded production of that information—but as the judge observed, the party did not “cite[] to any particular provision[s]” or “demonstrate[] that they apply” to the names and contact information.
Last month, in AnywhereCommerce, Inc. v. Ingenico Inc., a judge in the District of Massachusetts also rejected a party’s attempt to avoid producing information subject to the GDPR and denied the party’s request to file the information under seal. The judge considered (among other things) the protective order in the action, which permitted personal data subject to the GDPR to be designated as attorney’s eyes only. And in a separate minute order, the judge denied a request to file personal data as such under seal, seizing on what the judge termed “the GDPR’s litigation exemption.” In both decisions, the court relied on a 2017 federal court decision considering an identically termed exemption under a predecessor of the GDPR, which lacked some features of the GDPR.
In each case, the party resisting production offered brief, cursory arguments in its written submissions. Neither party sought in writing to educate the court on how the GDPR works or applies—or even why it matters. The result? Their GDPR objections were disregarded by the court.