Billee Elliott McAuliffe, Cybersecurity & Data Privacy Practice Group Leader

2018 witnessed a wave of data privacy regulations that will continue to affect national and international business operations. The European Union (EU) General Data Protection Regulation (GDPR) became effective on May 25, 2018, affecting companies globally. The California Consumer Privacy Act of 2018 (CCPA) will become operative on January 1, 2020 and will affect thousands of U.S. companies. Several other states also enacted sweeping data privacy laws or substantial changes to their existing data privacy laws. Many of these could have far-reaching effects as well.

Determining whether a company is subject to these laws and if so, ensuring compliance, is difficult enough. But companies should not fail to also consider how to fulfill the competing obligations between the U.S. discovery process and the privacy laws’ stringent data processing and transfer limitations. Suppose a customer sues a company for negligently manufacturing an allegedly faulty product. The company possesses thousands of e-mails between its customer service representatives and customers. A few of these customers are located in the EU, as is one of the company’s data servers. The company then receives a U.S. discovery request seeking all communications with customers relating to the allegedly faulty product. What should the company do?

Refresher on Basic U.S. Discovery Obligations

Every party in the US must adhere to the common-law rule to preserve evidence in current or future litigation. Rule 37 authorizes sanctions if a party fails to obey a discovery order, which can include dismissal of the action or a default judgment. Rule 26, amended in 2015, limits the scope of discovery to that which is proportional to the needs of the case, and the rule includes a balancing test. Rule 26 also allows for a court's issuance of protective orders to preclude oppression or undue burden or expense involved in discovery. Protective orders can also require that certain items be afforded confidential status.

Do HIPAA, the GLBA, and the CCPA Conflict with U.S. Discovery Obligations?

Each of the major U. S. data privacy laws generally regards compliance with discovery obligations as not violating data privacy. For example, the Health Insurance Portability and Accountability Act (HIPAA) authorizes the disclosure of an individual’s protected health information (PHI) in response to a court order or in response to a discovery request or subpoena. Each discovery request or subpoena must be accompanied by “satisfactory assurance” of “reasonable efforts” either to provide appropriate notice to the affected patient or to secure a qualified protective order.¹ Likewise, the Gramm-Leach Bliley Act (GLBA) authorizes the disclosure of an individual’s non-public information (NPI) “to comply with a properly authorized civil, criminal, or regulatory investigation or subpoena or summons…or to respond to a judicial process.”² A “judicial process” has been interpreted to include a court order.³ Even the CCPA provides exceptions to its strict data privacy requirements for compliance with a “legal obligation”—which might apply to discovery requests—and for compliance “with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state or local authorities” and for the “[e]xercise or defense of claims.”⁴ However, this might not necessarily be true for foreign data privacy laws.

Does the GDPR Conflict with U.S. Discovery Obligations?

For many companies, yes. Unlike HIPAA and the GLBA, the GDPR does not explicitly provide a means for a company to lawfully comply with both the GDPR’s stringent data privacy requirements and U.S. discovery obligations. The GDPR requires a lawful basis for both the processing and international transfer of an EU resident’s personal data. “Processing” personal data includes storing and preserving that data in anticipation of litigation. If a company’s data controller ("controller") processes the data or transfers it overseas without a lawful basis, it could face fines amounting to the greater of 20 million euros or 4% of the company’s worldwide annual turnover.⁵ But if the company opts to comply with the GDPR and fails to obey U.S. discovery requests, it could face Rule 37 sanctions.

GDPR-approved Processing of Personal Data

The GDPR provides several avenues by which a controller may lawfully process personal data, each of which is fraught with potential difficulties. One such avenue is consent, but relying on consent is troublesome because the EU resident must be able to withdraw consent at any time. If consent is withdrawn, the controller may not rely on a separate lawful basis for the processing; instead, it must respect the EU resident’s decision.

A controller can lawfully process the data also when the processing is necessary for compliance with a legal obligation. Although seemingly straightforward and directly applicable to U.S. companies, such obligations are recognized by the GDPR only where they stem from the laws of a member of the EU. A controller may also lawfully process personal data when it is necessary to protect the legitimate interests of the controller, except where overridden by the interest or fundamental rights or freedoms of the EU resident. The interest in not being subject to legal action in the US might qualify as a legitimate interest, according to the EU Commission. But when does a controller’s interest override the EU resident’s interest? Even if a U. S. court determines that the controller’s interest in complying with its discovery obligations overrides the EU resident’s interest and compels discovery, an EU court might rule otherwise.

GDPR-approved Transfer of Personal Data

The GDPR also provides several lawful bases for the transfer of personal data out of the EU. Among them are binding corporate rules and model contractual clauses, which are likely infeasible for most U.S. companies. A controller might be able to lawfully transfer the personal data under the EU/US Privacy Shield framework, but the EU’s increased scrutiny of that framework has led to uncertainty. A transfer may also be accomplished as follows: by obtaining explicit consent; when it is necessary for the establishment, exercise, or defense of legal claims; or when it is a one-time transfer to serve compelling, legitimate interests. Although the European Data Protection Board—the body charged with ensuring the GDPR’s consistent application by EU courts—asserted that formal pre-trial discovery procedures in civil litigation might constitute the establishment, exercise, or defense of a legal claim, uncertainty still exists until an EU court renders a decision and officially interprets the GDPR language.

Companies must also adhere to an EU resident’s right to be forgotten, which compels the controller to delete the personal data under certain circumstances. Although this right is qualified and not absolute (for example, it does not apply to the controller’s establishment, exercise, or defense of legal claims), it remains unclear whether U.S. discovery obligations constitute a “legal claim.”

How Might a Company Fulfill These Competing Obligations?

Several U. S. courts have made clear that a company may not rely on the GDPR to avoid its U. S. discovery obligations. Moreover, courts are unlikely to accept broad redactions of personal data. Instead, a company can mitigate its risk by refining its privacy policy disclosures and contractual language, executing and enforcing a strict record management and retention strategy, and segregating personal data of EU residents from that of U.S. residents. The privacy policy disclosures and contractual language should explicitly explain that the EU resident’s personal data might be processed for litigation purposes. If litigation is reasonably anticipated, a company should identify its key custodians to narrow the focus of discovery and minimize risk and cost. The company can also develop a record supporting the argument that its legitimate interest overrides the EU resident’s interest, seek a protective order to assign confidential status to the personal data, investigate EU data onsite in the EU (if possible), and perhaps even offer a Rule 26 proportionality argument in court.

Navigating these competing obligations can be complex. Please contact a Lewis Rice attorney in our Cybersecurity & Data Privacy Practice Group if you have any questions about data privacy and regulatory compliance.