Schrems II may force companies obligated to produce EU personal data to the task of determining whether to comply with US discovery obligation rules that risk fines under the GDPR for illegal data transfers or to defy the US courts. In this installment of The eData Guide to GDPR we explore recent case law that specifically considers whether the GDPR can prevent or restrict the production of personal data to the United States in support of domestic litigation, and the potential impact the Schrems II ruling will have on those transfers.
Parties to US litigation at times argue that foreign data protection laws, in particular the European Union’s General Data Protection Regulation (GDPR), prohibit the discovery of personal identifying information about European data subjects. US courts usually reject this argument, relying on established Supreme Court precedent of more than 30 years. The recent Court of Justice of the European Union (CJEU) landmark Schrems II judgment of July 16 (C-311/18) invalidating the EU-US Privacy Shield, however, could trigger a new challenge for such data transfers.
The following recent US court decisions ruled that the GDPR is not a bar to the production of documents in discovery.
In the patent infringement suit Finjan, Inc. v. Zscaler, Inc., the plaintiff sought discovery of the emails of a former employee currently employed by the defendant. This person had been the chief director of sales for the plaintiff’s licensed products in Europe and elsewhere. In attempting to determine whether the defendant had intimate knowledge of the technical aspects of the potentially infringed product, the plaintiff wished to view the former employee’s current emails.
Weighing all of the factors and concluding that the requested data was narrowly identified, relevant to the primary issues of the case, only available from the United Kingdom, and protected with a protective order, the court concluded that the GDPR would not preclude production of this data. For a more detailed description of this opinion, please see our previous article, California Federal Court Rejects GDPR as a Means to Block Discovery.
In the matter In re Mercedes Benz Emissions Litigation, the judge decided that a ruling of whether the GDPR prevents any discovery was within the purview of the court’s Special Master’s authority pursuant to his appointment. The Special Master did not abuse his discretion in the GDPR ruling. For instance, the defendants described a scenario where “a responsive email containing marketing materials could be contained in a 100-page email chain forwarded to hundreds of employees and third parties.” The judge ruled that if the defendants’ posited scenario does arise, the defendants could designate and protect such information as “highly confidential” pursuant to the appropriate discovery confidentiality order provision.
Based on the court’s own international comity analysis, as well as an analysis conducted by the Special Master, the court found that the Special Master conducted a well-reasoned international comity analysis. He did not abuse his discretion by prohibiting the parties from redacting the names, positions, titles, or professional contact information of relevant current or former employees of any defendant or third parties identified in relevant, responsive documents produced in discovery.
In Phillips v. Vesuvius USA Corp. et al., referencing both the Finjan and the Mercedes Benz cases above, the court rejected the assertion that the GDPR precludes disclosure during discovery of EU residents’ data. Specifically, the court refused to block a former Vesuvius USA Corp. worker’s demand for access to six EU citizens’ personnel files as part of his age discrimination and retaliation suit against the engineering company.
In Giorgi Global et al. v. Smulski, the court found that although much of the requested data originated in Poland, the information was protected by the electronically stored information (ESI) protocol and protective order. The court used the five-factor test outlined in the Restatement (Third) of Foreign Relations Law Section 442(1)(c) in determining whether foreign statutes excuse obligations set forth in US litigation.
Therefore, the court concluded that “Smulski may not rely upon the GDPR and/or Polish privacy law to avoid production of relevant, discoverable documents in this matter.” As a result, the defendant had to produce the requested documents regardless of their locations within 30 days.
The US courts turn to the US Supreme Court’s decision in Societé Nationale Industrielle Aérospatiale v. US District Court for Southern District of Iowa for guidance when dealing with the general proposition that the GDPR restricts a US court from requiring production of documents and information in the course of litigation. The comity analysis of the courts under this established case law generally allows them to consider the interest of a foreign country not to send personal data into the United States.
This is a high hurdle to overcome for a party that does not want to produce certain documents located in the European Union (or the United Kingdom) in a civil litigation. Courts frequently rely on protective orders and other legal means to protect the data, rather than interfering with the production of discoverable materials from the European Union/United Kingdom. The GDPR generally places tight limits on the transfer of personal data outside the European Union, but an exemption (derogation) in its Article 49 of the regulation allows for such data exchanges to take place when it is “necessary for the establishment, exercise or defense of legal claims.”
The European Data Protection Board, comprising the data protection regulators from each member state, clarified in its May 2018 guidance that this exception was not an absolute allowance. The regulators have noted that data transfers for the purpose of pretrial discovery in civil litigation “may fall” under the derogation in certain cases where there is a “close and substantial connection” between the data transfer and the purpose for which this information is being sent. In this respect, the GDPR has not changed the burdens imposed on the parties in a US litigation since the Aérospatiale case and the GDPR’s predecessor, the EU Data Protection Directive. Given that many discoverable documents are directly accessible from the United States, the argument that the GDPR “blocks” a data transfer becomes practically less and less relevant in US courts.
The CJEU’s recent Schrems II judgment, while invalidating the EU-US Privacy Shield, puts all EU data transfers to the United States on the radar of data protection agencies and courts in Europe. The justices in Luxembourg do not address data transfers for discovery purposes directly. They are, however, particularly concerned about “the limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities of such data transferred from the European Union to the United States”
The CJEU judgment will therefore probably lead to a narrow interpretation of GDPR Article 49 by the regulators. In particular, the judgment may require that data exporters demonstrate that the transferred data will be kept safe and not be accessible to US authorities. General data protection audits on US data transfers in Europe following Schrems II may uncover that companies have also transferred EU personal data to the United States for discovery purposes. Such audits may put a burden on these companies to justify transfers under Article 49 of the GDPR. In the worst case, data exporters could be fined up to 4% of their annual turnover.
To date, there has not been a case where any European data protection agency has fined a company under the GDPR for sending documents out of the European Union in support of a litigation to the United States. Whether this general restraint will change in light of the CJEU Schrems II judgment remains to be seen. Blocking or restricting the data flow would mean that the data protection agencies would expose litigants to sanctions of a US court. The biggest risk for such data exports is that an individual may sue the transferor for damages in Europe if he or she believes that European data protection laws will be violated.
The Schrems II decision may provide individuals with additional legal arguments and embolden them to raise these claims. The data exporters could mitigate this risk by filtering documents in Europe for relevance before they are provided to the requesting parties, and by agreeing on a protective order as well as reasonable processing (filtering) standards and a time scale for the production of such data as part of the meet and confer process.
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers:
Dr. Axel Spies
 Societé Nationale v. District Court, 482 U.S. 522 (1987).
 Cf. Morgan Lewis LawFlash, The End of the US-EU Privacy Shield, but Standard Contractual Clauses Remain Valid, and, specifically for Germany, No More Data from Germany? European Court of Justice Invalidates the EU-U.S. Privacy Shield.
 Finjan, Inc. v. Zscaler, Inc., Case No. 17-cv-06946-JST (KAW) (N.D. Cal. Feb. 14, 2019).
 In re Mercedes-Benz Emissions Litig., Civil Action No. 16-cv-881 (KM) (ESK) (D.N.J. Jan. 30, 2020).
 Phillips v. Vesuvius USA Corp., 2020-Ohio-3285.
 Giorgi Glob. Holdings v. Smulski, Civ. Action No. 17-4416 (E.D. Pa. May 21, 2020).
 Societé Nationale v. District Court, 482 U.S. 522 (1987).
 Data Protection Commissioner v. Facebook Ireland Ltd & Maximilian Schrems (Schrems II), Case C-311/18 at 185.