Conflicting Obligations under Data Privacy Regulations and the Discovery Phase of a Lawsuit

January 2019

2018 witnessed a wave of data privacy regulations that will continue to affect national and international business operations. The European Union (EU) General Data Protection Regulation (GDPR) became effective on May 25, 2018, affecting companies globally. The California Consumer Privacy Act of 2018 (CCPA) will become operative on January 1, 2020 and will affect thousands of U.S. companies. Several other states also enacted sweeping data privacy laws or substantial changes to their existing data privacy laws. Many of these could have far-reaching effects as well.

Determining whether a company is subject to these laws and, if so, ensuring compliance is difficult enough. But companies should also consider how to reconcile U.S. discovery obligations with the privacy laws’ stringent limits on data processing and transfer. Suppose a customer sues a company for negligently manufacturing an allegedly faulty product. The company possesses thousands of e-mails between its customer service representatives and customers. A few of these customers are located in the EU, as is one of the company’s data servers. The company then receives a U.S. discovery request seeking all communications with customers relating to the allegedly faulty product. What should the company do?

Refresher on Basic U.S. Discovery Obligations

Every party to U.S. litigation is subject to the common-law duty to preserve evidence relevant to pending or reasonably anticipated litigation. Federal Rule of Civil Procedure 37 authorizes sanctions when a party fails to obey a discovery order, up to and including dismissal of the action or a default judgment. Rule 26, as amended in 2015, limits the scope of discovery to what is proportional to the needs of the case and sets out a balancing test for that determination. Rule 26 also allows a court to issue protective orders that shield a party from oppression or undue burden or expense in discovery. Protective orders can also require that certain materials be treated as confidential.

Do HIPAA, the GLBA, and the CCPA Conflict with U.S. Discovery Obligations?

Each of the major U.S. data privacy laws generally treats compliance with discovery obligations as consistent with data privacy. For example, the Health Insurance Portability and Accountability Act (HIPAA) authorizes the disclosure of an individual’s protected health information (PHI) in response to a court order, or in response to a discovery request or subpoena that is not accompanied by a court order, provided the request is accompanied by “satisfactory assurance” of “reasonable efforts” either to give appropriate notice to the affected patient or to secure a qualified protective order.1 Likewise, the Gramm-Leach-Bliley Act (GLBA) authorizes the disclosure of an individual’s non-public personal information (NPI) “to comply with a properly authorized civil, criminal, or regulatory investigation or subpoena or summons…or to respond to a judicial process.”2 A “judicial process” has been interpreted to include a court order.3 Even the CCPA provides exceptions to its strict data privacy requirements for compliance with a “legal obligation” (which might apply to discovery requests), for compliance “with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state or local authorities,” and for the “[e]xercise or defense of claims.”4 Foreign data privacy laws, however, do not necessarily take the same approach.

Does the GDPR Conflict with U.S. Discovery Obligations?

For many companies, yes. Unlike HIPAA and the GLBA, the GDPR does not explicitly provide a means for a company to lawfully comply with both the GDPR’s stringent data privacy requirements and U.S. discovery obligations. The GDPR requires a lawful basis for both the processing and international transfer of an EU resident’s personal data. “Processing” personal data includes storing and preserving that data in anticipation of litigation. If a company’s data controller ("controller") processes the data or transfers it overseas without a lawful basis, it could face fines amounting to the greater of 20 million euros or 4% of the company’s worldwide annual turnover.5 But if the company opts to comply with the GDPR and fails to obey U.S. discovery requests, it could face Rule 37 sanctions.

GDPR-approved Processing of Personal Data

The GDPR provides several avenues by which a controller may lawfully process personal data, each of which is fraught with potential difficulties. One such avenue is consent, but relying on consent is troublesome because the EU resident must be able to withdraw consent at any time. If consent is withdrawn, the controller may not rely on a separate lawful basis for the processing; instead, it must respect the EU resident’s decision.

A controller can also lawfully process the data when the processing is necessary for compliance with a legal obligation. Although this basis seems straightforward and directly applicable to U.S. companies, the GDPR recognizes such obligations only where they are laid down by EU law or by the law of an EU Member State; a U.S. discovery order does not qualify. A controller may also lawfully process personal data when the processing is necessary for the legitimate interests of the controller, except where those interests are overridden by the interests or fundamental rights and freedoms of the EU resident. The interest in defending against legal action in the U.S. might qualify as a legitimate interest, according to the EU Commission. But when does a controller’s interest override the EU resident’s interest? Even if a U.S. court determines that the controller’s interest in complying with its discovery obligations overrides the EU resident’s interest and compels discovery, an EU court or supervisory authority might rule otherwise.

GDPR-approved Transfer of Personal Data

The GDPR also provides several lawful bases for the transfer of personal data out of the EU. Among them are binding corporate rules and standard (model) contractual clauses, which are likely infeasible for most U.S. companies to put in place in time for a pending discovery request. A controller might be able to lawfully transfer the personal data under the EU-U.S. Privacy Shield framework, but the EU’s increased scrutiny of that framework has created uncertainty. A transfer may also be accomplished under one of the GDPR’s derogations: with the EU resident’s explicit consent; when the transfer is necessary for the establishment, exercise, or defense of legal claims; or when it is a non-repetitive transfer, concerning a limited number of individuals, that is necessary for the controller’s compelling legitimate interests. Although the European Data Protection Board (the body charged with ensuring that the GDPR is applied consistently by the EU’s supervisory authorities) has stated that formal pre-trial discovery procedures in civil litigation might constitute the establishment, exercise, or defense of a legal claim, uncertainty will remain until an EU court renders a decision and authoritatively interprets the GDPR language.

Companies must also adhere to an EU resident’s right to be forgotten, which compels the controller to delete the personal data under certain circumstances. Although this right is qualified and not absolute (for example, it does not apply to the controller’s establishment, exercise, or defense of legal claims), it remains unclear whether U.S. discovery obligations constitute a “legal claim.”

How Might a Company Fulfill These Competing Obligations?

Several U.S. courts have made clear that a company may not rely on the GDPR to avoid its U.S. discovery obligations. Moreover, courts are unlikely to accept broad redactions of personal data. Instead, a company can mitigate its risk by refining its privacy policy disclosures and contractual language, executing and enforcing a strict record management and retention strategy, and segregating the personal data of EU residents from that of U.S. residents. The privacy policy disclosures and contractual language should explicitly explain that the EU resident’s personal data might be processed for litigation purposes. Once litigation is reasonably anticipated, a company should identify its key custodians to narrow the focus of discovery and minimize risk and cost. The company can also develop a record supporting the argument that its legitimate interest overrides the EU resident’s interest, seek a Rule 26 protective order assigning confidential status to the personal data, review EU data on-site in the EU where possible, and, where appropriate, make a Rule 26 proportionality argument in court.

Navigating these competing obligations can be complex. Please contact a Lewis Rice attorney in our Cybersecurity & Data Privacy Practice Group if you have any questions about data privacy and regulatory compliance.


1 45 CFR 164.512(e).

2 15 U.S.C. 6802(e)(8).

3 Alpha Funding Grp. v. Cont’l Funding, LLC, 848 N.Y.S. 2d 825 (S. Ct. 2007).

4 Cal. Civ. Code §§ 1798.105, 1798.145(a) (West).

5 “Annual turnover” means “annual sales volume net of all discounts and sales taxes.” http://www.businessdictionary.com/definition/turnover.html
