The globalization of the General Data Protection Regulation (GDPR), Directive (EU) 2016/279, on May 25, 2018, appeared to be a new legal development, but it is unearthing familiar conflicts between U.S. law and other more restrictive discovery regimes. Article 1 of the GDPR recognizes protection of an individual’s personal data as a fundamental right and seeks to protect this fundamental right by requiring, among other things, that personal data be processed lawfully, fairly, and in a transparent manner. The GDPR not only limits the purpose for which data can be processed by third parties; it also establishes penalties for data processors and data controllers that fail to comply. GDPR arts. 77–84. The GDPR, however, may affect private parties and counsel more than government entities, which can demand access to cross-border discovery through the Clarifying Lawful Overseas Use of Data Act—the CLOUD Act.
Obligations under the GDPR vary depending on the amount of contact and manipulation of the data that occurs. A “processor” is defined as a natural or legal person who “processes data on behalf of a controller.” To process data under the GDPR means
any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
A “controller” is defined as a natural or legal person that determines alone, or jointly with others, the “purposes and means of the processing of personal data.” GDPR art. 4(17). The line between a data processor and a controller is not clear, but fines for failure to comply with obligations are significant, rising to 4 percent of annual global turnover or €20 million, whichever is higher, in a severe case. See GDPR art. 83.
The GDPR also limits the lawful basis for which data may be collected and, in this way, creates greater tension between U.S.-style discovery, which is typically broad and involves access to electronically stored information (ESI), and the privacy rights that Europe provides to individuals. Article 6 limits the processing of data to data for which a subject has given consent or data that are necessary for the performance of a contract, compliance with a legal obligation, protection of vital interests of the data subject or other natural person, performance of a task carried out in the public interest, and “purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.” GDPR art. 6. Article 48 of the GDPR is more convoluted, as it appears to limit the enforceability of court, tribunal, or administrative orders to circumstances where the decision is based on an international agreement or mutual legal assistance treaty (MLAT) but then opens the door to “other grounds” for legitimate transfer, such as where the European Commission has decided in its discretion that the third country has an adequate level of protection. See GDPR art. 48.
The limitations on data processing and transfer may conflict with the Federal Rules of Civil Procedure, which allow for broad discovery and collection of ESI. This conflict, however, is not new. “Blocking statutes” enacted by France impose civil and criminal penalties for complying with more pervasive discovery demands like those the Federal Rules allow. See Erica M. Davila, “International E-Discovery: Navigating the Maze,” 8 Pitt. J. Tech. & L. Pol’y 5, 11–14 (2008). In 2007, litigators were reminded that these conflicts were real when a French lawyer whose only crime was attempting to comply with a U.S. court order compelling production of documents was sanctioned. In re Christopher X, Cour de cassation [Cass.] [supreme court for judicial matters] crim., Dec. 12, 2007, Bull. Crim., No. 309, Case No. 07-83228 (Fr.). These issues concerning the concept of comity have presented a challenge to the courts for decades.
“Comity” in the legal sense is “neither a matter of absolute obligation, on the one hand, nor of mere courtesy and good will, upon the other. But it is the recognition which one nation allows within its territory to the legislative, executive, or judicial acts of another nation, having due regard both to international duty and convenience and to the rights of its own citizens or of other persons who are under the protection of its laws.” Hilton v. Guyot, 159 U.S. 113, 163–64 (1895). In Societe Internationale pour Participations Industrielles et Commerciales, S.A. v. Rogers, 357 U.S. 197 (1958), the Supreme Court considered comity when deciding whether to compel production under the U.S. laws or accept that such compulsion violated foreign banking laws. The district court had dismissed the case, finding good-faith efforts on behalf of the bank. The Supreme Court ultimately reversed, finding that, depending on the facts of the case, courts could compel production of discovery despite a conflict with foreign laws. The Court, however, provided no further guidance on when compulsion would be appropriate.
The lack of guidance had consequences. In 1965, a five-factor test, which included consideration of the “vital national interests of each of the states,” was codified in the Restatement (Second) of the Foreign Relations Law of the United States (sections 39–40), and courts began relying on this test over Rogers when U.S.-style discovery conflicted with the foreign laws. In re Uranium Antitrust Litig., 480 F. Supp. 1138 (N.D. Ill. 1979), changed things when the district court rejected the Restatement (Second) test and proposed its own three-part test: (1) “the importance of the policies underlying the United States statute which forms the basis for the plaintiffs’ claims,” (2) “the importance of the requested documents in illuminating key elements of the claims,” and (3) “the degree of flexibility in the foreign nation’s application of its nondisclosure laws.” The court refused to balance vital national interests because “[t]he competing interests here display an irreconcilable conflict on precisely the same plane of national policy.” Id. at 1148.
The courts thereafter exercised discretion but struggled and applied a variety of tests, including the following: the Restatement (Second) section 40 test, the Uranium Antitrust test, and then the test in a new draft of the Restatement issued in 1982 (potentially as a response to Uranium Antitrust). In 1987, the Supreme Court weighed in again in Societe Nationale Industrielle Aérospatiale v. United States District Court for Southern District of Iowa (Aérospatiale), 482 U.S. 522 (1987), presumably to provide greater guidance. Specifically, the Court provided the following five non-exhaustive factors for courts to consider when making these difficult decisions:
(1) the importance to the . . . litigation of the documents or other information requested; (2) the degree of specificity of the request; (3) whether the information originated in the United States; (4) the availability of alternative means of securing the information; and (5) the extent to which noncompliance with the request would undermine important interests of the United States, or compliance with the request would undermine important interests of the state where the information is located.
Id. at 544 n.28 (quoting Restatement of Foreign Relations Law of the United States (Revised) § 437(1)(c) (Am. Law Inst., Tentative Draft No. 7, 1986) (approved May 14, 1986)).
The factors from Aérospatiale were expressly set forth in the Restatement (Third) of the Foreign Relations of the United States section 442(1)(c) (1987). In addition, Aérospatiale declared that “[i]t is well settled that [blocking] statutes do not deprive an American court of the power to order a party to its jurisdiction to produce evidence, even though the act of production may violate that statute.” 482 U.S. at 544 n.28.
Recent decisions prove, however, that discretion, not any particular factor test, is dispositive. In Nike, Inc. v. Wu, No. 1:13-cv-0801, 2018 U.S. Dist. LEXIS 158174 (S.D.N.Y. Sept. 11, 2018), the U.S. District Court for the Southern District of New York addressed the issue of cross-border discovery and conflicting foreign laws. Notably, the primary issue considered was jurisdiction, not comity. The plaintiff sought discovery from several Chinese banks, including Bank of China, but the entities objected based on Chinese laws. The motion to quash was untimely, but the court, quoting Bouchard Transportation Co. v. Associated Electric & Gas Insurance Services Ltd., 2015 U.S. Dist. LEXIS 150097 (S.D.N.Y. Nov. 4, 2015), stated that it could exercise discretion to consider an untimely motion to quash, thereby avoiding one hurdle to jurisdiction. The court then engaged in a very complicated specific-jurisdiction analysis relying almost exclusively on New York tests and precedent. When the court turned to constitutional due process, it cited the traditional Supreme Court tests but then focused more heavily on its district’s precedents. Satisfied of its jurisdiction, the Nike court turned to comity and cited the factors in Aérospatiale but went further, stating that national interests are the “most important [factor],” quoting Wultz v. Bank of China Ltd., 910 F. Supp. 2d 548, 558 (S.D.N.Y. 2012). The court’s decision to rely so heavily on its own precedents and weigh certain Aérospatiale factors above others shows one way that discretion and local precedent can affect cross-border discovery decisions.
Nike dealt with the issue of cross-border discovery but did not involve the GDPR. On February 14, 2019, the U.S. District Court for the Northern District of California considered whether a motion to compel should be quashed due to the GDPR in Finjan, Inc. v. Zscaler, Inc., No. 17-cv-06946 (N.D. Cal. 2019), and issued a much shorter opinion than that in Nike. In Finjan, the plaintiff owned patents concerning computer security and sought the production of emails from a nonparty with “intimate knowledge” of the patent technology, including Secure Web Gateway. The nonparty argued it could not produce the emails because doing so would violate the GDPR. The court considered the Aérospatiale factors and, like the court in Nike, found that the balancing of national interests was “the most important factor,” quoting Richmark Corp. v. Timber Falling Consultants, 959 F.2d 1468 (9th Cir. 1992). The court stated that “there is a strong American interest in protecting American patents” where, as here, “the litigation . . . implicates United States interests of a constitutional magnitude in connection with its administration of its patent laws under U.S. Const. Art. 1, §8, cl. 8” (quoting Work v. Bier, 106 F.R.D. 45, 55 (D.D.C. 1985)). The Finjan court then addressed each Aérospatiale factor seriatim.
First, the court considered the importance of the documents to the litigation and noted that “[w]here the evidence is directly relevant, [the Ninth Circuit has] found this factor to weigh in favor of disclosure,” but the court will consider whether the information is duplicative if the issue is raised. The plaintiff argued that the nonparty’s emails would prove the fact and timing of the defendant’s infringement at issue in the case, and the defendant argued that the information was duplicative. The court found for the plaintiff on the issue, noting that the emails were directly relevant to the issue of infringement given the nonparty’s “personal knowledge of the technical aspects of the patented technology.”
Second, the court considered whether the request was sufficiently specific. The plaintiff’s proposed search terms were “Finjan,” “zero*day or zeroday or 0*day,” “malicious,” “obfuscat*,” and “sandbox.” The defendant argued that the terms should be limited to the plaintiff’s name (i.e., Finjan) and patent numbers. The court disagreed because the defendant’s proposed terms “would eliminate e-mails discussing the patents that do not refer to the patents by number” and found this factor weighed in favor of disclosure.
Third, the court considered the location of the information and the location of the parties. The nonparty was in the United Kingdom, but the defendant was an American company. The court found this factor weighed somewhat in favor of disclosure, citing United States v. Vetco Inc., 691 F.2d 1281, 1290 (9th Cir. 1981), in which the court found discovery was to take place in both America and Switzerland where the records were shipped out of Switzerland and production took place in America.
Fourth, the court addressed whether the information could be obtained by alternative means that are “‘substantially equivalent’ to the requested discovery.” The court found that the defendant did not carry its burden on this factor, noting that the defendant had not searched the nonparty’s emails or finished its own production.
Fifth is the balancing of the national interests, which, again, the court stated was “the most important factor.”
In addition to the Aérospatiale factors, the court noted that the party raising the issue that production will violate a foreign law has the burden of proof. The court held that the defendant had not carried its burden. The court also considered “the extent and the nature of the hardship that inconsistent enforcement would impose upon the person” and “the extent to which enforcement by action of either state can reasonably be expected to achieve compliance with the rule prescribed by the state” before compelling discovery.
Nike and Finjan show that courts are continuing to exercise a wide degree of discretion when deciding cross-border discovery disputes. It is therefore not surprising that, with the globalization of the GDPR, parties are trying to avoid the uncertainty of motions to compel discovery and corresponding motions to quash by using protective orders. At least two recent cases, Uniloc 2017 LLC v. Microsoft Corp., No. 8:18-cv-2053 (C.D. Cal. Dec. 18, 2018), and In re Smith & Nephew Birmingham Hip Resurfacing (BHR) Hip Implant Products Liability Litigation, No. 1:17-md-2775 (D. Md. Aug. 27, 2018), permitted the entry of a protective order to avoid the obstacles that the GDPR presents. This practical solution is particularly enticing because proceeding with discovery under the Hague Convention, a potential alternative, is time-consuming and provides for more limited discovery than that which can be gained under the Federal Rules.
The uncertainty facing litigants, however, could be reduced in other ways, making protective orders less of a necessity. Some limits could be placed on a district court’s discretion in cross-border discovery decisions by making these discovery decisions immediately appealable, which would create more binding precedents and opportunities to see conflicts among the circuits. In addition, Congress could pass U.S. data privacy legislation that would give the courts guidance as to where U.S. laws may align or conflict with the GDPR with respect to protecting data. Various bills—including the Consumer Data Protection Act, the Innovative and Ethical Data Act, and the Data Care Act—already have been proposed. Litigants should pay close attention to the developments in this field as more cases are decided and bills introduced concerning U.S. data privacy.
Robyn R. English-Mezzino is an associate in the Princeton, New Jersey, office of Pepper Hamilton LLP.
Copyright © 2019, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).