Defendants in US civil suits have sought to withhold discoverable material because of privacy concerns based on foreign laws, such as the GDPR. Almost all cases on the issue of US discovery and transnational privacy statutes have found that such concerns do not override parties’ obligation to comply with discovery requests.
One case that specifically dealt with the interplay between the GDPR and discovery is Finjan, Inc. v. Zscaler, Inc., Case No. 17-CV-06946, 2019 WL 618554 (N.D. Cal. Feb. 14, 2019). The Finjan court required a UK-based patent defendant to comply with email discovery requests, despite GDPR-related privacy concerns. The court denied the defendant’s requests which included permanent redactions and anonymization of information. The court found that a protective order designating emails “highly confidential” was sufficient to protect privacy interests in light of the Ninth Circuit’s five-factor balancing test.
In Richmark Corp. v. Timber Falling Consultants, 959 F.2d 1468 (9th Cir. 1992), the Ninth Circuit established a five-factor test to evaluate whether a foreign statute excuses noncompliance with a discovery order. The factors are: (1) the importance of the documents or information to the litigation; (2) the specificity of the request; (3) the location of information and parties; (4) the availability of alternative means for securing the information; and (5) the balance of national interests. Richmark, 959 F.2d at 1475-76. These factors are not exhaustive; courts may also consider other factors.
The fifth factor, balancing each nations’ interest, is the most important factor. Id. at 1476. While EU countries are interested in protecting the privacy of their citizens, courts like Finjan and others recognized that such an interest “is diminished where the court has entered a protective order preventing disclosure of the secret information.” Masimo Corp. v. Mindray DS USA, Inc., Case No. SACV-12-02206, 2014 WL 12589321, at *3 (C.D. Cal. May 28, 2014).
A recent ITC case is consistent with these earlier cases. In In re Certain Vehicle Control Sys., Vehicles Containing the Same, & Components Thereof, the ALJ granted a motion to compel production of unredacted versions of documents a party had redacted pursuant to the GDPR. The Judge observed that “[m]any courts in the United States generally do not permit redaction or withholding of relevant information based on data privacy regulations of foreign sovereigns.” In re Certain Vehicle Control Sys., Vehicles Containing the Same, & Components Thereof, Inv. No. 337-TA-1235, Order No. 11 at *1 (Feb. 16, 2021). Because there was “a U.S. patent involved and allegations of its infringement, the United States has an interest insuring that all relevant information pertaining to that patent, and its potential infringement, is made available to the extent possible.” Id. at *2. However, the judge did not require disclosure of all personal information. The judge allowed redaction of some personal information, “such as an individual’s home addresses, home telephone numbers, business email addresses, and business phone numbers . . . unless a party, by motion, files for leave for good cause, or unless the Parties agree.” Id.
Foreign privacy statutes undoubtedly complicate parties’ litigation management obligations. The GDPR drafters commented that “[t]here is a duty upon the data controllers involved in litigation to take such steps as are appropriate (in view of the sensitivity of the data in question and of alternative sources of the information) to limit the discovery of personal data to that which is objectively relevant to the issues being litigated.” Article 29 Data Protection Working Party, Working Document 1/2009 on Pre-trial Discovery for Cross-border Civil Litigation, 00339/09/EN, WP 158, 10–11 (adopted Feb. 11, 2009). Further, exceptions to the general provisions apply when the data is necessary for “compliance with a legal obligation,” the “establishment, exercise or defense of legal claims,” or “for purposes of compelling legitimate interests . . . which are not overridden by the interests or rights and freedoms of the data subject.” See, e.g., GDPR, Arts. 6(1)(c), 49(1), and 49(1)(e).
Foreign blocking statutes do not prevent discovery
Even before recent privacy laws, courts considered the effect of so called blocking laws on discovery. Blocking laws are foreign statutes that criminalize compliance with US discovery on subject matter to which the foreign country objects. In Societe Nationale Industrielle Aerospatiale v. U.S. Dist. Ct. for S. Dist. of Iowa,the Supreme Court said a foreign country’s statute precluding disclosure of evidence “do[es] not deprive an American court of the power to order a party subject to its jurisdiction to produce evidence even though the act of production may violate that statute.” Societe Nationale Industrielle Aerospatiale v. U.S. Dist. Ct. for S. Dist. of Iowa, 482 U.S. 522, 544 n. 29 (1987).
Courts have noted a historic lack of enforcement for violations of blocking laws for the purposes of American litigation, which weighs in favor of disclosures. While courts rarely yield to blocking laws when ordering discovery, such laws may be relevant when considering “sanctions in the event that a discovery order is disobeyed by reason of a blocking statute.” In re Parmalat Sec. Litig., Case No. 04MD1653, 2006 WL 3151391, at *2 (S.D.N.Y. Nov. 2, 2006).
Privacy regulations are not blocking statutes
Swiss banking regulations were a notable exception to courts reticence to consider foreign laws. However, as one court observed, “Swiss [banking] laws are not blocking statutes—laws intended to thwart foreign discovery—but rather substantive laws designed to protect the right of privacy on which Switzerland places great importance.” Rotstain v. Trustmark Nat’l Bank, Case No. 3:09-CV-2384, 2015 WL 13031698, at *4 (N.D. Tex. Dec. 9, 2015). The GDPR and other foreign privacy statutes are arguably in this same category.
While the GDPR and other foreign privacy statutes do not prevent the discovery of relevant material in US litigation, parties can—and should—request protective orders as appropriate to limit exposure of sensitive information. As US jurisdictions enact their own privacy laws and courts increasingly grapple with protecting such information, court orders are likely to adopt language and terms that correspond with privacy regulation requirements. Litigants, however, should not misuse privacy regulations for strategic litigation delay or for obstructing discovery.