GDPR in United States Litigation Through Summer 2020: GDPR-Subject Companies Must Produce

• Published in: Defense counsel journal Vol. 87; no. 4; pp. 1 - 14
• Main Author: Gladstone, Michael H
• Format: Journal Article
• Language: English
• Published: Chicago International Association of Defense Counsels 01.10.2020; International Association of Defense Counsel
• Subjects: Attorneys; Breach of contract; Citizens; Confidentiality; Consumer fraud; Data integrity; Data security; Discovery (Law); International relations; Laws, regulations and rules; Personal information; Privacy; Privacy, Right of; Remedies; Restraining orders; Right of privacy; State court decisions; Surveys; Poland; United States > US
• ISSN: 0895-0016; 2376-3906

Each party offered their view of the role of GDPR on the question.4 The dispute arose from defendant EU companies' resistance to plaintiff's discovery seeking the identity of EU data subjects and their employment and contact information in a matter alleging RICO violations and consumer fraud.5 Relying on the broad definition of "personal data" in the GDPR, the defendants asserted their right to redact all personal data from otherwise relevant documents from EU sources, and sought to defer consideration of their anticipated redactions until after defendants' initial, redacted production.6 Defendants offered no proof, however, that their production of the information sought would lead to hardship or enforcement action by an EU GDPR supervisory authority or an authority demonstrating an EU propensity to prosecute civil litigation-connected GDPR data transfers.7 Plaintiffs conceded defendants' right to redact objectively irrelevant and intimate, private, personal information concerning the EU data subjects, and pointed to the benign character of the data they sought - identity, employment, and business contact information routinely produced in U.S. litigation - in opposition to defendants' position.8 Plaintiffs also pointed to an existing "Confidentiality Order" which contained a "Highly Confidential" category as providing adequate protection to the EU data subjects' privacy concerns.9 The Special Master analyzed the dispute following an analysis now familiar in United States cases addressing the role of GDPR in discovery disputes. Concerning Factor III - whether the information originated in the U.S. - the Special Master assumed the majority of the documents subject to the GDPR originated in the EU.17 Factor III weighed against production.18 As to Factor IV - the availability of alternative means of securing the information sought - he noted Defendants' failure to suggest any alternative source, and found such did not exist, thereby favoring production.19 Concerning Factor V, the Special Master cited Finjan20 and Richmark Corp. v. Timber Falling Consultants21 for his duty to assess the interests of each nation in requiring or prohibiting disclosure and whether disclosure would affect important substantive policies or interests.22 Noting other countries' awareness of broad U.S. discovery, and their recognition that the final decision concerning evidence used in U.S. courts must be made by those courts,23 and noting the U.S.'s significant interest in maintaining its discovery processes, the Special Master emphasized the U.S.'s interest in its discovery processes and in protecting its citizens under RICO claims and from consumer fraud.24 Together, these points supported his conclusion that the Confidentiality Order provisions allowing protected production of the limited data sought adequately balanced the EU's interest in protecting its subjects' private data.25 The court cited Finjan for the proposition that U.S. protective orders preventing further disclosure of private data "diminish" the weight of the EU's foreign privacy interest.26 Dissatisfied with the Special Master's ruling, the defendants appealed to the Magistrate. "34 Concerning Factor II - the degree of specificity of the request - the Magistrate noted the information sought was narrowed to relevant identities, positions, and business contact information commonly produced in U.S. litigation and did not constitute irrelevant sensitive personal information.35 The Magistrate, citing AstraZeneca, deemed Factor V - the extent to which non-compliance with the discovery request would undermine important U.S. interests or compliance would undermine important foreign interests - the most important of the five factors.36 Approving the Special Master's citation of Finjan for the point that a U.S. protective order diminishes the foreign privacy interest, the Magistrate re-emphasized the serious nature of the consumer fraud claims and concluded the Special Master properly weighed the national interests at issue favoring production.37 The Magistrate expressly rejected the defendant's arguments that the EU's "weighty interest in protecting its citizens' privacy" was under-valued by the Special Master and that violation of the GDPR put them in "legal jeopardy," threatened them severe "reputational harm," and would damage the morale of their workforce.38 In a footnote, the Magistrate noted the absence of evidence that the ordered production would result in an enforcement action by a GDPR supervisory authority, or that such had ever been prosecuted within the EU.39 The Magistrate stated: "[s]imilar to the court in Finjan, the Special Master found that, on balance, the U.S. had a stronger interest in protecting its consumers than the EU did in protecting its citizens' private data, particularly with a Discovery Confidentiality Order provision allowing producing parties to designate and protect foreign private data as 'Highly Confidential' information. "40 II.Citizen Smulski's Prohibition Claim In late May 2020, the United States District Court for the Eastern District of Pennsylvania addressed GDPR-based objections raised by the defendant - a United States citizen residing in Poland - as a barrier to production of GDPR protected data. 41 Notably, the defendant took the position, initially, that the GDPR forbade production of any protected data, and the Polish data privacy law subjected him to criminal penalty for violations. 42 The parties squared off with GDPR privacy law experts from Poland.43 In this RICO and breach of contract suit, plaintiff sought information which would have required Smulski to produce GDPR protected personal information.44 Though living in Poland, Smulski was sued by several U.S. companies.45 Smulski resisted production of the requested documents, arguing the GDPR and Polish privacy laws prohibited him from producing them.46 Both parties filed expert opinion reports on the question of whether or not GDPR prohibited production of the requested information.47 Plaintiff's November 20, 2019 Letter Motion provides an