Consider this scenario: A company receives a subpoena for documents from the U.S. government or a U.S.-based regulator, but is concerned because some of its documents are hosted on a server in a foreign country with restrictive personal data protections. How should attorneys advise this company to comply with the subpoena without violating foreign data privacy laws?

Any person in this situation must understand the potential conflicts between the broad extraterritorial discovery sanctioned by U.S. courts and the strict limitations on the processing and transfer of personal data in the European Union (EU) and other foreign countries. For example, the EU’s General Data Protection Regulation (GDPR) governs, and severely restricts, the collection and disclosure of personal data in the 28 EU member states, plus Iceland, Norway, and Liechtenstein. (The GDPR broadly defines “personal data” as “any information relating to an identified or identifiable natural person.” GDPR, Regulation (EU) 2016/679, Article 4:1.)