There is a conflict between the obligations relating to discovery in the United States and the obligations arising under the GDPR. In his article (linked here), Michael H. Gladstone helpfully summarises recent US case law on this point. He concludes that, until a European regulator takes enforcement action against a US litigant, the US courts are unlikely to take the risk of such action seriously. This means that, as things currently stand, adherence to discovery procedures will be prioritised by the US courts over the risk that a litigant will face enforcement action under the GDPR.
When it comes to navigating the exceptions under Art 49 of the GDPR, a UK/European litigant faces a further problem because the scope of US discovery is so broad. The breadth of US discovery and the requirements for the preservation of documents can come as a shock. A litigant can be compelled to produce material which is only of indirect relevance to a claim, if this material might lead to the discovery of further evidence that can be used at trial. If a litigant fails to comply or if it has altered, lost or deleted data, it is at risk of sanctions. Further, in US proceedings the identification of what is relevant for discovery is not limited by reference to the pleaded issues nor to considerations of necessity.
By contrast, in the European context, necessity is so fundamental to the GDPR that it affects all routine record keeping, including the retention and storage of documents. Necessity is also at the heart of a litigant's deliberations when it comes to transferring data to the US within the exceptions permitted by Art 49 of the GDPR; there is an expectation that data transfers for the purposes of litigation will only be justified by reference to actual or prospective legal claims. In order to satisfy this test, it is likely that the data will need to have probative value or be highly relevant to the issues in dispute.
In practice this means that, faced with a wide-ranging order for preservation or discovery in US proceedings, a European litigant is likely to find itself in a position where it cannot lawfully comply or transfer data to the US under Art 49.
Unfortunately, there are no easy answers for litigants in this situation. It is clear that they need to be proactive and ready to explain their record keeping processes and to propose solutions (such as redaction or anonymisation). Bearing in mind the US Court's power to impose sanctions, it is also important for a litigant to avoid misunderstandings and to be aware that "relevance" and "necessity" are precise terms of art, with different meanings and implications in each jurisdiction.
The cases repeatedly reference the lack of evidence of any immediate enforcement activity, or record of enforcement, by supervisory authorities against EU companies which produce GDPR-protected data in U.S. civil litigation under U.S. discovery and protective orders. So far, the EU enforcement threat seems abstract.