California Federal Court Rejects GDPR as a Means to Block Discovery

The eData Guide to GDPR

April 17, 2019

US courts have long held that foreign data protection regulations cannot be used as a shield against discovery in US litigation. This installment of The eData Guide to GDPR examines a recent case from the Northern District of California that makes no exception for the GDPR, ruling that the regulation does not outweigh the United States’ interests in the requested production, and that the GDPR does not provide a total ban on data transfers but instead requires that such transfers be protected.

As data protection regulations emerge around the world, global parties to US litigation are faced with a choice: which master to serve. US courts have long refused the attempts of foreign legislators to dictate what data is discoverable in US litigation and what must be shielded from the reach of US courts. Recent case law continues that tradition in the era of the European Union’s General Data Protection Regulation (GDPR) as the US District Court for the Northern District of California rejects an attempt to use the GDPR as a shield against discovery in US litigation.

In the patent infringement suit Finjan, Inc. v. Zscaler, Inc.,[1] the plaintiff sought discovery of the emails of a former employee who is employed by the defendant. This person had been the chief director of sales for the plaintiff’s licensed products in Europe and elsewhere, and is now responsible for the defendants’ sales in the United Kingdom. In attempting to determine whether the defendant had intimate knowledge of the technical aspects of the potentially infringed product, the plaintiff wished to view the former employee’s current emails.

The defendant refused to produce this email for several reasons, most notably arguing that the GDPR bars production of personal data. The defendant argued that the plaintiff’s overbroad requests were not designed to target data related to the issues of the litigation and would include extensive personal, nonrelevant data in such a production. The defendant also argued that the anonymization required by the GDPR would be too expensive, and demanded that the plaintiff “split the cost.” In response, the plaintiff argued that anonymization would impede the plaintiff’s understanding of the relationships between those communicating about the allegedly infringed product. The plaintiff also argued that, pursuant to the agreed-upon protective order, these emails could be produced as “attorney’s eyes only,” thereby avoiding public dissemination of the personal information.

The court turned to the US Supreme Court’s decision in Societe Nationale Industrielle Aerospatiale v. US District Court for Southern District of Iowa[2] for the general proposition that foreign restrictions on data transfers do not restrict a US court from requiring production of documents and information in the course of litigation. Further, the court applied the five-factor test from Richmark Corp. v. Timber Falling Consultants[3] to determine whether the foreign regulation would trump a US court’s interest in requiring production. The court analyzed the factors as follows:

  1. Importance of the documents or other information requested to the litigation. This factor requires a determination of whether the data requested is relevant to the litigation or rather simply additive or duplicative of other data found elsewhere. The court was convinced by the plaintiff’s argument that the former employee’s emails would be significant since he overlapped employers during the time that the alleged infringement took place. The defendant argued that there was a chance that that same data would be contained elsewhere in the collection and that the use of the plaintiff’s search terms would return a large variety of documents not specifically targeting the important information, but this argument was not convincing enough to tip this factor against the production of the data.


  2. Degree of specificity of the request. The court must weigh whether the requesting party has appropriately defined the set of data it is requesting so as not to make the burden on the producing party to transfer data onerous. Here, the plaintiff won a battle of proposed search terms, seeking emails that referred to the plaintiff company, the patent at issue, and several key phrases to isolate potentially relevant documents. The defendant argued that it should only be required to search for references to the patent number, but that was deemed too restrictive by the court.


  3. Whether the information originated in the United States. The location of the data is a less determinative factor here when the parties are US based. Considering the defendant is a US company and therefore “subject to American discovery law,” the court again leaned toward allowing production.


  4. Availability of alternative means of securing the information. Quoting Richmark, the court sought to determine whether an alternate source for the data was available, and if so whether that source would be “substantially equivalent” to the data requested. Although the defendant suggested there would be equivalent data in US-sourced custodian emails, it did not conduct a proper search in order to support this claim. The court also determined that the alternative anonymized production proposed by the defendant would not be “substantially equivalent” and therefore would not satisfy this factor either.


  5. Extent to which noncompliance would undermine important interests of the United States. The court attempted to “balance national interests” at stake in this analysis but relied on previous case law stating that the United States’ interest in conducting discovery pursuant to its own laws is often an overriding principle.[4] The court was unwilling to oppose this precedent, especially when considering the protections afforded by a binding protective order.[5] In evaluating the language of the GDPR to protect the privacy rights of its data subjects, the court noted that there are opportunities within the regulation that allow for transfer of similar data out of the European Union. Therefore the GDPR does not create a total ban on transfers, but such transfers need to be protected.

Weighing all of the factors and concluding that the requested data was narrowly identified, relevant to the primary issues of the case, only available from the United Kingdom, and protected with a protective order, the court concluded that the GDPR would not preclude production of this data. The court also found that producing the data would not impose a significant burden on the defendant, and that the GDPR would allow the data to be transferred under the circumstances identified by the plaintiff. Further, the court was not convinced that such a data transfer would result in any further damage or penalty to the defendant under the GDPR. Therefore, the defendant was ordered to produce the data as requested.

This opinion restates very clearly the view of US courts that consistently rejected the use of foreign data privacy regulations as a shield against discovery in US litigation. The GDPR is no exception.

[1] Case No. 17-cv-06946-JST (KAW), 2019 WL 618554 (N.D. Cal. Feb. 14, 2019).

[2] 482 U.S. 522, 544 n.29 (1987).

[3] 959 F.2d 1468, 1475 (9th Cir. 1992).

[4] See Work v. Bier, 106 F.R.D. 45, 55 (D.D.C. 1985); Dyson, Inc. v. SharkNinja Operating LLC, No. 1:14-cv-779, 2016 WL 5720702, at *3 (N.D. Ill. Sept. 30, 2016).

[5] Masimo Corp. v. Mindray DS USA, Inc., Case No.: SACV 12-02206-CJC(JPRx), 2014 WL 12589321, at *3 (C.D. Cal. May 28, 2014); see also United States v. Vetco Inc., 691 F.2d 1281, 1289 (9th Cir. 1981).