Best Practices for Responding to Subpoenas That Conflict With Foreign Data Privacy Laws
Companies who do business in the United States and have documents located abroad must understand the potential conflicts between the broad extraterritorial discovery authorized by U.S. courts, and the major restrictions on the transferring of personal data in many foreign countries.
March 27, 2020 at 02:10 PM
8 minute read
Consider this scenario: A company receives a subpoena for documents from the U.S. government or a U.S.-based regulator, but is concerned because some of its documents are hosted on a server in a foreign country with restrictive personal data protections. How should attorneys advise this company to comply with the subpoena without violating foreign data privacy laws?
Any person in this situation must understand the potential conflicts between the broad extraterritorial discovery sanctioned by U.S. courts, and the strict limitations on the processing and transferring of personal data in the European Union (EU) and other foreign countries. For example, the EU's General Data Protection Regulation (GDPR) governs, and severely restricts, the collection and disclosure of personal data in the 28 EU member states, plus Iceland, Norway, and Liechtenstein. (The GDPR broadly defines "personal data" as "any information relating to an identified or identifiable natural person." GDPR, Regulation (EU) 2016/679, Article 4:1.)
This article discusses various considerations on how to respond to such subpoenas, including: (1) negotiating with the party issuing the subpoena or document request to narrow the scope of the requests; (2) determining if the same information can be obtained through means that do not implicate foreign data privacy concerns; (3) consulting with local counsel in the country where the data is located to more fully understand the obligations; (4) seeking U.S. court intervention; and (5) taking all reasonable steps to limit and protect data productions.
|Case Law on Conflict Between U.S. Discovery and Foreign Data Protections
U.S. courts typically rule in favor of the broad discovery sanctioned by the Federal Rules of Civil Procedure (FRCP), rather than the limitations on production set by foreign data privacy laws. See, e.g., Royal Park Investments SA/NV v. HSBC Bank USA, N.A., No. 14 CIV. 8175 (LGS), 2018 WL 745994, at *2 (S.D.N.Y. Feb. 6, 2018) (overruling Royal Park's objections to producing unredacted documents based on the Belgian Data Privacy Act, finding "that the comity analysis weighs in favor" of compelling production); Knight Capital Partners v. Henkel Ag & Co., KGaA, 290 F. Supp. 3d 681, 687 (E.D. Mich. 2017) ("the German Federal Data Protection Act does not bar the defendant from disclosing email communications and other business records included in the plaintiff's discovery requests, principally because the Act contains an express exception to the broad prohibitions on personal data disclosure."). In Societe Nationale Industrielle Aerospatiale v. U.S. Dist. Court for S. Dist. of Iowa, 482 U.S. 522, 544 n.29 (1987), the Supreme Court noted that "[i]t is well settled that [foreign blocking] statutes do not deprive an American court of the power to order a party subject to its jurisdiction to produce evidence even though the act of production may violate that statute."
The Supreme Court listed factors relevant to a court's case-by-case determination of whether to order discovery despite conflict with foreign laws, including "(1) the importance to the … litigation of the documents or other information requested; (2) the degree of specificity of the request; (3) whether the information originated in the United States; (4) the availability of alternative means of securing the information; and (5) the extent to which noncompliance with the request would undermine important interests of the United States, or compliance with the request would undermine important interests of the state where the information is located." Id. at 544, n.28. Lower courts applying the Supreme Court's guidance have held that this list of factors is not exhaustive. See, e.g., Gucci Am. v. Curveal Fashion, No. 09 CIV. 8458 RJS/THK, 2010 WL 808639, at *2 (S.D.N.Y. March 8, 2010) ("courts in the Second Circuit may also consider the hardship of compliance on the party or witness from whom discovery is sought [and] the good faith of the party resisting discovery") (internal citations omitted)
In Laydon v. Mizuho Bank, Ltd., defendants objected to plaintiff's document requests, claiming compliance would risk violation of the UK's Data Protection Act (DPA). 183 F. Supp. 3d 409, 413 (S.D.N.Y. 2016). The DPA is the UK's codification of the EU's predecessor directive to the GDPR, and serves to protect the rights of individuals with respect to the processing of personal data. Id. at 414. The court analyzed the Aerospatiale factors, finding most weighed in plaintiff's favor, including that the discovery sought "relates directly to plaintiff's claims" and was sufficiently specific. Id. at 420-21. Noting that the balancing of national interests is "the most important" factor, the court pointed to the UK Serious Fraud Office's statement that it had no objection to the production of the materials, and found that "the UK's interest in protecting the privacy of its citizens is mitigated by the protective order in place in this case, which permits [] Defendants to designate disclosed materials as 'Highly Confidential.'" Id. at 425. The court was also persuaded by defendants' inability to point to a single example of a UK enforcement action for violation of the DPA by complying with U.S. discovery. Id.
|Practice Tips
Knowing that U.S. courts are likely to grant broad extraterritorial discovery, respondents should take certain steps throughout the process to minimize conflicts. Counsel should work with their clients to understand if the same data exists on U.S. servers or databases. Attorneys should come prepared to the initial negotiations with the requesting party with an understanding of where client documents are stored, and any potential conflicts with foreign data protections.
A lot of ground can be gained through negotiations with opposing counsel. The requesting party may agree to accept anonymized or aggregated personal data, which could mitigate concerns about identifying individuals. The requesting party may also consent to the same information being obtained through discovery mechanisms that do not implicate foreign data privacy laws, such as: (1) interrogatory responses; (2) requests for admission responses; (3) providing affidavits; (4) stipulating to facts; or (5) offering a FRCP 30(b)(6) corporate designee witness for deposition.
If the discovery dispute cannot be resolved through negotiations, court intervention may be necessary. In opposing a motion to compel the production of documents, attorneys should consult with local counsel in the country where the client's data is located in order to more fully understand the obligations and risks of violation. Foreign experts may need to submit affidavits or testimony to explain the applicable data protection laws, and describe the risk of enforcement. (FRCP 44.1 provides that "[i]n determining foreign law, the court may consider any relevant material or source, including testimony, whether or not submitted by a party or admissible under the Federal Rules of Evidence." Courts will look to determine whether the plain language of the foreign statute is clear. See Knight Capital Partners v. Henkel Ag & Co., KGaA, 290 F. Supp. 3d 681, 687 (E.D. Mich. 2017) ("[w]hen construing a foreign statute, the Court certainly must presume that the most pertinent and authoritative source on the scope and import of any foreign law is the plain language of the statute itself.").) Many foreign data privacy laws have exceptions that provide for the disclosure of personal information, such as in a litigation or for the defense of a legal claim, or if the data subject provides consent. In AccessData v. ALSTE Techs. GmbH, the court found that the party resisting discovery failed to demonstrate how the legal claims or consent exceptions did not apply, and ordered the production of documents. No. 2:08CV569, 2010 WL 318477, at *2 (D. Utah Jan. 21, 2010). Foreign experts' testimony can also be used to demonstrate why statutory exceptions to production do not apply.
Attorneys should consider that U.S. courts may not recognize the foreign data privacy protections, and nevertheless compel the production of documents. Steps should be taken to limit and protect such data productions, including entering into a robust confidentiality and protective order. See, e.g., Phoenix Process Equip. Co. v. Capital Equip. & Trading, No. 3:16CV-00024-RGJ-RSE, 2019 WL 1261352, at *15 (W.D. Ky. March 19, 2019) (finding U.S. interests outweigh those of Russia, where documents located, because parties' confidentiality agreement "protects any proprietary and commercially valuable information disclosed in this lawsuit, which should alleviate concerns of this information falling into the public or any non-parties' hands."). While production of documents may ultimately be compelled, the company must do everything in its power to ensure its own compliance with foreign data privacy rules.
|Conclusion
Companies who do business in the United States and have documents located abroad must understand the potential conflicts between the broad extraterritorial discovery authorized by U.S. courts, and the major restrictions on the transferring of personal data in many foreign countries. Counsel and their clients can work to minimize these conflicts while complying with their legal obligations.
Gregory Baker and Rachel Maimin are partners, Kathleen McGee and Alexandra Droz are counsel, at Lowenstein Sandler.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllLaw Firms Mentioned
Trending Stories
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250