US courts have long held that foreign data protection regulations cannot be used as a shield against discovery in US litigation. This installment of The eData Guide to GDPR examines a recent case from the Northern District of California that makes no exception for the GDPR, ruling that the regulation does not outweigh the United States’ interests in the requested production, and that the GDPR does not provide a total ban on data transfers but instead requires that such transfers be protected.
As data protection regulations emerge around the world, global parties to US litigation are faced with a choice: which master to serve. US courts have long refused the attempts of foreign legislators to dictate what data is discoverable in US litigation and what must be shielded from the reach of US courts. Recent case law continues that tradition in the era of the European Union’s General Data Protection Regulation (GDPR) as the US District Court for the Northern District of California rejects an attempt to use the GDPR as a shield against discovery in US litigation.
In the patent infringement suit Finjan, Inc. v. Zscaler, Inc., the plaintiff sought discovery of the emails of a former employee who is employed by the defendant. This person had been the chief director of sales for the plaintiff’s licensed products in Europe and elsewhere, and is now responsible for the defendants’ sales in the United Kingdom. In attempting to determine whether the defendant had intimate knowledge of the technical aspects of the potentially infringed product, the plaintiff wished to view the former employee’s current emails.
The defendant refused to produce this email for several reasons, most notably arguing that the GDPR bars production of personal data. The defendant argued that the plaintiff’s overbroad requests were not designed to target data related to the issues of the litigation and would include extensive personal, nonrelevant data in such a production. The defendant also argued that the anonymization required by the GDPR would be too expensive, and demanded that the plaintiff “split the cost.” In response, the plaintiff argued that anonymization would impede the plaintiff’s understanding of the relationships between those communicating about the allegedly infringed product. The plaintiff also argued that, pursuant to the agreed-upon protective order, these emails could be produced as “attorney’s eyes only,” thereby avoiding public dissemination of the personal information.
The court turned to the US Supreme Court’s decision in Societe Nationale Industrielle Aerospatiale v. US District Court for Southern District of Iowa for the general proposition that foreign restrictions on data transfers do not restrict a US court from requiring production of documents and information in the course of litigation. Further, the court applied the five-factor test from Richmark Corp. v. Timber Falling Consultants to determine whether the foreign regulation would trump a US court’s interest in requiring production. The court analyzed the factors as follows:
Weighing all of the factors and concluding that the requested data was narrowly identified, relevant to the primary issues of the case, only available from the United Kingdom, and protected with a protective order, the court concluded that the GDPR would not preclude production of this data. The court also found that producing the data would not impose a significant burden on the defendant, and that the GDPR would allow the data to be transferred under the circumstances identified by the plaintiff. Further, the court was not convinced that such a data transfer would result in any further damage or penalty to the defendant under the GDPR. Therefore, the defendant was ordered to produce the data as requested.
This opinion restates very clearly the view of US courts that consistently rejected the use of foreign data privacy regulations as a shield against discovery in US litigation. The GDPR is no exception.
If you have any questions or would like more information on the issues discussed in this installment of The eData Guide to GDPR, please contact any of the following Morgan Lewis lawyers:
 Case No. 17-cv-06946-JST (KAW), 2019 WL 618554 (N.D. Cal. Feb. 14, 2019).
 482 U.S. 522, 544 n.29 (1987).
 959 F.2d 1468, 1475 (9th Cir. 1992).
 See Work v. Bier, 106 F.R.D. 45, 55 (D.D.C. 1985); Dyson, Inc. v. SharkNinja Operating LLC, No. 1:14-cv-779, 2016 WL 5720702, at *3 (N.D. Ill. Sept. 30, 2016).
 Masimo Corp. v. Mindray DS USA, Inc., Case No.: SACV 12-02206-CJC(JPRx), 2014 WL 12589321, at *3 (C.D. Cal. May 28, 2014); see also United States v. Vetco Inc., 691 F.2d 1281, 1289 (9th Cir. 1981).