Navigating the Potentially Conflicting Demands of U.S. Discovery Obligations and EU Data Protection Laws

Companies with operations in the EU can be pulled in different directions when confronted with U.S. discovery demands for documents and information located in the EU. Complying with U.S. discovery demands can involve enormous effort and expense, even in the best of circumstances. But the process can become even more difficult when EU data protection laws prohibit the disclosure of the requested information. On the one hand, U.S. courts can seek to compel litigants and third-party witnesses to produce documents and other information, and impose serious sanctions for failure to do so. On the other hand, data protection authorities in the EU can view the disclosure, whether court ordered or not, as itself violating data protection rules, and can impose penalties for complying with the demands. In fact, a balanced view of the issue suggests a way forward that should satisfy both sides of the conflict.

Sources of the Conflict

One of the roots of U.S.-EU cross-border discovery conflicts is the substantially different notions of “personal data” adopted under U.S. and EU law, and the different protections accorded such data.

The EU generally embraces a broad view of “personal data.” The 1995 Data Protection Directive protects individuals against the unauthorized processing of personal data, which is defined as any information relating to an identified or identifiable individual. It includes within its scope reference to an identification number or to any factors specific to an individual's physical, physiological, mental, economic, cultural or social identity. (See Directive 95/46/EC of Oct. 24, 1995 [1995] OJ L 281/31.) This includes documents created at work, like work-related e-mails or reports. By contrast, the United States takes a more piecemeal approach ' unless there is specific legislation that prevents it, an organization remains free to collect, use, transfer, and retain personal data. The United States also takes a narrower view of what constitutes “personal information” ' it is generally restricted to specific types of sensitive information, such as medical information, social security numbers, information relating to children, and financial information. Other information (such as information created at work) is not generally covered by U.S. data protection rules. Courts in the United States ' unless educated by the litigants ' may have a hard time weighing discovery against privacy if for no other reason than EU notions of privacy are truly foreign to them.

The other major root of the conflict stems from different notions of litigation discovery. EU jurisdictions (especially civil law jurisdictions in Continental Europe) generally impose only limited disclosure obligations on litigants. The ability to require non-party discovery is even more limited. By contrast, U.S. discovery is broad, and busy trial courts generally resolve doubts in favor of permitting discovery.

Two particular aspects of U.S. discovery increase the potential conflict between U.S. discovery demands and EU data protection laws. First, the physical location of a document is generally not dispositive or even particularly relevant to whether the document will be deemed discoverable. If an entity subject to U.S. jurisdiction has “possession, custody, or control” of documents located abroad, those documents are just as much subject to U.S. discovery obligations as documents in the United States.

Second, U.S. courts often require the U.S. entity to produce documents of parent, subsidiary and affiliated entities located abroad, because the U.S. entity is deemed to “control” such documents. “Control” extends beyond the legal right to obtain documents; it also includes situations where, as a purely practical matter, one entity has the ability to access another's documents. In deciding these issues, courts examine things like common ownership; common employees, officers, or directors; sharing documents in the ordinary course of business; and a host of other factors in a highly fact-specific analysis.

The target of the discovery request cannot simply ignore the request for “foreign” documents. Discovery sanctions for failing to comply can be severe, and include monetary sanctions, evidentiary sanctions, or even termination of the proceedings in favor of the requesting party. There has been an increase in “adverse inference” sanctions imposed by courts recently, which means that the fact-finder assumes that whatever documents were not produced contained evidence harmful to the company.

The 'Blocking Statute' Precedents

EU data protection laws are not the first instances of non-U.S. laws that affect the U.S. discovery process. Many jurisdictions have adopted “blocking statutes” to deal with what was perceived in non-U.S. jurisdictions as overreaching U.S. discovery processes or interventionist U.S. antitrust and other policy goals. (See, e.g., Westinghouse Electric Corp. v. Rio Algom Ltd., 480 F. Supp. 1138 (N.D. I11. 1979) (describing blocking statutes in Canada, Australia, and South Africa as having been enacted “for the express purpose of frustrating the jurisdiction of the United States courts over the activities of the alleged international uranium cartel”).) EU data protection laws are different, however, because they were adopted to achieve EU public policy objectives separate and apart from any concern over U.S. discovery or the extraterritorial application of substantive U.S. law. U.S. courts' perception of the motivation for these kinds of statutes, however, continues to color the approach to conflicts between U.S. discovery and EU data protection laws.

While no single standard governs the impact of blocking statutes in U.S. courts, many courts apply a balancing test derived largely from the Restatement (Third) of Foreign Relations Law. Under that test, courts consider:

• The importance of the requested documents or other information to the litigation;
• The degree of specificity of the request;
• Whether the information originated in the United States;
• The availability of alternative means of securing the information; and
• The extent to which noncompliance with the request would undermine important interests of the state where the information is located.

Some courts (including those in the Second Circuit) add two additional factors:

• The good faith of the party resisting discovery; and
• The hardship of compliance on the party from whom discovery is sought.

U.S. courts, focusing more on day-to-day case management than theoretical issues of comity, tend to emphasize the fifth factor after finding that the other factors point in different directions, and find that it favors enforcement of the discovery requests. In part, this is because U.S. courts come to the question assuming that blocking statutes are motivated by a desire to block U.S. discovery in order to protect non-U.S. companies or individuals (e.g., bank secrecy laws) or to defeat substantive U.S. laws (e.g., U.S. antitrust laws), and openly doubt the bona fides of such laws.

For example, the French blocking statute prohibits disclosure of economic, commercial and technical documents, except where the Hague Convention requires such disclosure. One court dismissed its application by noting that U.S. products liability laws prevail over French interests in the blocking statute, “if any really exist in the first place.” (In re Aircrash Disaster, 172 F.R.D. 295, 310 (N.D.Ill. 1997).) Another held that “France's real interests in promulgating [the law] are dwarfed by American interests in complete discovery.” (Compagnie Francaise v. Phillips Petroleum Co., 105 F.R.D. 16, 30 (S.D.N.Y. 1994).) This skepticism has led many U.S. lawyers to ignore the French law altogether.

In another case involving a Malaysian blocking statute, the court concluded:

[T]he documents are vital to the litigation, the requests are direct and specific, the documents are not easily obtained through alternative means, the interest of the United States outweighs that of Malaysia under the circumstances, and the likelihood that [the New York branch] would face civil or criminal penalties is speculative. Although [it] has acted in good faith, and the documents are located abroad, this is insufficient to overcome those factors weighing in favor of disclosure. (Gucci Amer., Inc. v. Curveal Fashion, 2010 WL 808639 (S.D.N.Y. Mar. 8, 2010).)

There are, of course, cases that go the other way. In SEC v. Stanford International Bank Ltd., 2011 WL 1378470 (N.D.Tex. Apr. 6, 2011), a Swiss non-party bank located in the United States was served with a subpoena seeking banking records located in Switzerland. The bank resisted, arguing that Swiss law required the discovery to first proceed through the Hague Convention. The district court agreed. It acknowledged that the records were “vital” to the litigation, but declined to find that the U.S. interest in full discovery outweighed Switzerland's interest in its banking privacy laws, concluding that the very act of balancing was itself “political,” and “especially inapposite in this case, where the legislative authorities of both nations essentially have spoken by adopting the Convention.” Refusing to read U.S. law as giving litigants a “green light to generally 'discard[ ] the treaty as an unnecessary hassle,'” it found that “comity” required the requesting party to go through the Hague Convention “at least in the first instance.”

But cases like Stanford are rare. And, notably, the court did not specify what might happen if resort to the Hague Convention “in the first instance” did not lead to discovery from the Swiss bank.

The Balancing Test and Data Protection

EU data protection laws are different from traditional blocking statutes. They are motivated not by some generalized antipathy to U.S. discovery or substantive U.S. law (like antitrust, or the pursuit of financial crimes), but rather by an affirmative view of the substantive privacy rights of EU citizens. In other words, they are good faith attempts to forward affirmative EU policy goals, not merely to block U.S. policy goals.

Parties should advocate for a balancing test that recognizes both: 1) their own good faith in seeking to balance conflicting legal obligations and 2) the good faith of the EU in pursuing the public policy reflected in data protection laws that apply equally to both U.S. and EU conduct that would implicate data protection issues. Existing balancing tests can work, but only if U.S. courts are persuaded to look closely at the EU data protection laws rather than simply equating them with traditional blocking statutes.

For example, the Bavarian data protection authority (“DPA”) recently reported on a U.S. court decision that effectively reconciled competing discovery and data protection demands. In the case, the U.S. plaintiff issued a broad document request to a Bavaria-based defendant. The defendant asked the DPA for guidance. The DPA concluded that the plaintiff had a legitimate need for some of the discovery, but specified that some data should be redacted, and other data withheld altogether. The U.S. court reportedly accepted this approach. The U.S. court and the parties were not identified due to a confidentiality agreement between the DPA and the defendant.

Recommendations

Organizations faced with potentially conflicting U.S. discovery and EU data protection mandates should consider the following to minimize the risks:

Plan Ahead. A U.S. court will be far more impressed by your inability to provide discovery without violating foreign law if it can be persuaded that you did everything possible beforehand to mitigate your exposure. Employees should be informed about the possibility that data may need to be retained and shared for discovery purposes, and informed about discovery requests where appropriate. In some countries, works council or public authorities also need to be informed. Data protection officers should be consulted regularly.

Raise Potential Restrictions Early in the Process, and Think Creatively to Solve Problems. If you wait until the production date to raise issues, you will face a hostile audience when you ask the court for protection. Raise issues promptly. Your willingness to work toward a solution with the other side will be viewed favorably by both the U.S. court and the EU authorities. For example, you can agree that sensitive data could be withheld, “anonymized,” or redacted. Eventually, the judge is going to ask if you acted in good faith, so act in good faith early and often.

Use Existing Balancing Tests, But Adapt Them to Data Protection Laws. Notwithstanding what appears to be a one-sided line of cases, there is nothing inherently wrong with the balancing tests being applied by U.S. courts. However, it is vital to emphasize that EU data protection laws protect “important interests of the state where the information is located,” and are nothing like the historical blocking statutes viewed with such suspicion by U.S. courts.

Remember Your Data Protection Obligations During the Discovery Process. If you produce documents potentially subject to EU privacy laws, protect the data with appropriate security.

• Use protective orders: Protective orders can restrict who may access the discovery and for what purposes, and impose sanctions for noncompliance.
• Cooperate with EU authorities: Official guidance from EU authorities may help convince U.S. courts of the need to account for EU obligations. Be careful ' you do not want the U.S. court to conclude that you are “conspiring” with the EU authority to defeat the discovery.

Educate U.S. Judges on the Importance of EU Laws. Judges in the United States are likely to be unfamiliar with EU data protection regimes, and to view them with some suspicion. As the entity at the sharp end of the stick when it comes to the need to strike the right balance, it is up to the target of the conflicting legal obligations to make sure the judge becomes familiar with these rules, and how they can be balanced with litigation needs.

Advocate for a Solution. In the long term, without a stronger, clearer, and streamlined compliance mechanism, these issues will continue to arise. Both sides would do well to follow the example set when the Sarbanes-Oxley Act required U.S. public companies to establish “whistle blowing” hotlines. Those hotlines allowed employees to report violations anonymously ' but EU authorities concluded that the hotlines ran afoul of EU privacy laws. Through direct negotiations, the United States, EU, and various member states issued guidelines that reconciled the conflicting requirements. Authorities on both sides of the ocean need to give more deference to the laws of other jurisdictions.

Final Considerations

There is one additional consideration each lawyer should keep in mind. Perhaps most importantly, lawyers confronted with these sometimes conflicting demands on behalf of their clients need to always remember what it looks like from the other side of the Atlantic:

For the U.S. Lawyer: Do not underestimate the importance of complying with EU data protection laws, or the seriousness with which EU regulators and courts view these laws even in the face of a contradictory mandate from across the ocean. Failure to comply can do significant damage.

For the EU Lawyer: Do not underestimate the importance of complying with U.S. discovery obligations, or the seriousness with which U.S. courts view these obligations even in the face of a contradictory mandate from across the ocean. Failure to comply can do significant damage.

Michael Miller is a partner in Morrison & Foerster LLP's New York office. His practice includes all aspects of complex antitrust and commercial litigation in federal and state courts, at both the trial and appellate levels and in administrative proceedings. Miller also frequently counsels clients on antitrust and data security-related issues. He can be reach at [email protected]. Karin Retzer is of counsel based in the firm's Brussels office. Retzer's practice focuses on the legal aspects of electronic commerce and data protection, technology licensing, and intellectual property law. She can be reached at [email protected].

Companies with operations in the EU can be pulled in different directions when confronted with U.S. discovery demands for documents and information located in the EU. Complying with U.S. discovery demands can involve enormous effort and expense, even in the best of circumstances. But the process can become even more difficult when EU data protection laws prohibit the disclosure of the requested information. On the one hand, U.S. courts can seek to compel litigants and third-party witnesses to produce documents and other information, and impose serious sanctions for failure to do so. On the other hand, data protection authorities in the EU can view the disclosure, whether court ordered or not, as itself violating data protection rules, and can impose penalties for complying with the demands. In fact, a balanced view of the issue suggests a way forward that should satisfy both sides of the conflict.

Sources of the Conflict

One of the roots of U.S.-EU cross-border discovery conflicts is the substantially different notions of “personal data” adopted under U.S. and EU law, and the different protections accorded such data.

The EU generally embraces a broad view of “personal data.” The 1995 Data Protection Directive protects individuals against the unauthorized processing of personal data, which is defined as any information relating to an identified or identifiable individual. It includes within its scope reference to an identification number or to any factors specific to an individual's physical, physiological, mental, economic, cultural or social identity. (See Directive 95/46/EC of Oct. 24, 1995 [1995] OJ L 281/31.) This includes documents created at work, like work-related e-mails or reports. By contrast, the United States takes a more piecemeal approach ' unless there is specific legislation that prevents it, an organization remains free to collect, use, transfer, and retain personal data. The United States also takes a narrower view of what constitutes “personal information” ' it is generally restricted to specific types of sensitive information, such as medical information, social security numbers, information relating to children, and financial information. Other information (such as information created at work) is not generally covered by U.S. data protection rules. Courts in the United States ' unless educated by the litigants ' may have a hard time weighing discovery against privacy if for no other reason than EU notions of privacy are truly foreign to them.

The other major root of the conflict stems from different notions of litigation discovery. EU jurisdictions (especially civil law jurisdictions in Continental Europe) generally impose only limited disclosure obligations on litigants. The ability to require non-party discovery is even more limited. By contrast, U.S. discovery is broad, and busy trial courts generally resolve doubts in favor of permitting discovery.

Two particular aspects of U.S. discovery increase the potential conflict between U.S. discovery demands and EU data protection laws. First, the physical location of a document is generally not dispositive or even particularly relevant to whether the document will be deemed discoverable. If an entity subject to U.S. jurisdiction has “possession, custody, or control” of documents located abroad, those documents are just as much subject to U.S. discovery obligations as documents in the United States.

Second, U.S. courts often require the U.S. entity to produce documents of parent, subsidiary and affiliated entities located abroad, because the U.S. entity is deemed to “control” such documents. “Control” extends beyond the legal right to obtain documents; it also includes situations where, as a purely practical matter, one entity has the ability to access another's documents. In deciding these issues, courts examine things like common ownership; common employees, officers, or directors; sharing documents in the ordinary course of business; and a host of other factors in a highly fact-specific analysis.

The target of the discovery request cannot simply ignore the request for “foreign” documents. Discovery sanctions for failing to comply can be severe, and include monetary sanctions, evidentiary sanctions, or even termination of the proceedings in favor of the requesting party. There has been an increase in “adverse inference” sanctions imposed by courts recently, which means that the fact-finder assumes that whatever documents were not produced contained evidence harmful to the company.

The 'Blocking Statute' Precedents

EU data protection laws are not the first instances of non-U.S. laws that affect the U.S. discovery process. Many jurisdictions have adopted “blocking statutes” to deal with what was perceived in non-U.S. jurisdictions as overreaching U.S. discovery processes or interventionist U.S. antitrust and other policy goals. ( See, e.g. , Westinghouse Electric Corp. v. Rio Algom Ltd. , 480 F. Supp. 1138 (N.D. I11. 1979) (describing blocking statutes in Canada, Australia, and South Africa as having been enacted “for the express purpose of frustrating the jurisdiction of the United States courts over the activities of the alleged international uranium cartel”).) EU data protection laws are different, however, because they were adopted to achieve EU public policy objectives separate and apart from any concern over U.S. discovery or the extraterritorial application of substantive U.S. law. U.S. courts' perception of the motivation for these kinds of statutes, however, continues to color the approach to conflicts between U.S. discovery and EU data protection laws.

While no single standard governs the impact of blocking statutes in U.S. courts, many courts apply a balancing test derived largely from the Restatement (Third) of Foreign Relations Law. Under that test, courts consider:

• The importance of the requested documents or other information to the litigation;
• The degree of specificity of the request;
• Whether the information originated in the United States;
• The availability of alternative means of securing the information; and
• The extent to which noncompliance with the request would undermine important interests of the state where the information is located.

Some courts (including those in the Second Circuit) add two additional factors:

• The good faith of the party resisting discovery; and
• The hardship of compliance on the party from whom discovery is sought.

U.S. courts, focusing more on day-to-day case management than theoretical issues of comity, tend to emphasize the fifth factor after finding that the other factors point in different directions, and find that it favors enforcement of the discovery requests. In part, this is because U.S. courts come to the question assuming that blocking statutes are motivated by a desire to block U.S. discovery in order to protect non-U.S. companies or individuals (e.g., bank secrecy laws) or to defeat substantive U.S. laws (e.g., U.S. antitrust laws), and openly doubt the bona fides of such laws.

For example, the French blocking statute prohibits disclosure of economic, commercial and technical documents, except where the Hague Convention requires such disclosure. One court dismissed its application by noting that U.S. products liability laws prevail over French interests in the blocking statute, “if any really exist in the first place.” (In re Aircrash Disaster, 172 F.R.D. 295, 310 (N.D.Ill. 1997).) Another held that “France's real interests in promulgating [the law] are dwarfed by American interests in complete discovery.” ( Compagnie Francaise v. Phillips Petroleum Co. , 105 F.R.D. 16, 30 (S.D.N.Y. 1994).) This skepticism has led many U.S. lawyers to ignore the French law altogether.

In another case involving a Malaysian blocking statute, the court concluded:

[T]he documents are vital to the litigation, the requests are direct and specific, the documents are not easily obtained through alternative means, the interest of the United States outweighs that of Malaysia under the circumstances, and the likelihood that [the New York branch] would face civil or criminal penalties is speculative. Although [it] has acted in good faith, and the documents are located abroad, this is insufficient to overcome those factors weighing in favor of disclosure. (Gucci Amer., Inc. v. Curveal Fashion, 2010 WL 808639 (S.D.N.Y. Mar. 8, 2010).)

There are, of course, cases that go the other way. In SEC v. Stanford International Bank Ltd., 2011 WL 1378470 (N.D.Tex. Apr. 6, 2011), a Swiss non-party bank located in the United States was served with a subpoena seeking banking records located in Switzerland. The bank resisted, arguing that Swiss law required the discovery to first proceed through the Hague Convention. The district court agreed. It acknowledged that the records were “vital” to the litigation, but declined to find that the U.S. interest in full discovery outweighed Switzerland's interest in its banking privacy laws, concluding that the very act of balancing was itself “political,” and “especially inapposite in this case, where the legislative authorities of both nations essentially have spoken by adopting the Convention.” Refusing to read U.S. law as giving litigants a “green light to generally 'discard[ ] the treaty as an unnecessary hassle,'” it found that “comity” required the requesting party to go through the Hague Convention “at least in the first instance.”

But cases like Stanford are rare. And, notably, the court did not specify what might happen if resort to the Hague Convention “in the first instance” did not lead to discovery from the Swiss bank.

The Balancing Test and Data Protection

EU data protection laws are different from traditional blocking statutes. They are motivated not by some generalized antipathy to U.S. discovery or substantive U.S. law (like antitrust, or the pursuit of financial crimes), but rather by an affirmative view of the substantive privacy rights of EU citizens. In other words, they are good faith attempts to forward affirmative EU policy goals, not merely to block U.S. policy goals.

Parties should advocate for a balancing test that recognizes both: 1) their own good faith in seeking to balance conflicting legal obligations and 2) the good faith of the EU in pursuing the public policy reflected in data protection laws that apply equally to both U.S. and EU conduct that would implicate data protection issues. Existing balancing tests can work, but only if U.S. courts are persuaded to look closely at the EU data protection laws rather than simply equating them with traditional blocking statutes.

For example, the Bavarian data protection authority (“DPA”) recently reported on a U.S. court decision that effectively reconciled competing discovery and data protection demands. In the case, the U.S. plaintiff issued a broad document request to a Bavaria-based defendant. The defendant asked the DPA for guidance. The DPA concluded that the plaintiff had a legitimate need for some of the discovery, but specified that some data should be redacted, and other data withheld altogether. The U.S. court reportedly accepted this approach. The U.S. court and the parties were not identified due to a confidentiality agreement between the DPA and the defendant.

Recommendations

Organizations faced with potentially conflicting U.S. discovery and EU data protection mandates should consider the following to minimize the risks:

Plan Ahead. A U.S. court will be far more impressed by your inability to provide discovery without violating foreign law if it can be persuaded that you did everything possible beforehand to mitigate your exposure. Employees should be informed about the possibility that data may need to be retained and shared for discovery purposes, and informed about discovery requests where appropriate. In some countries, works council or public authorities also need to be informed. Data protection officers should be consulted regularly.

Raise Potential Restrictions Early in the Process, and Think Creatively to Solve Problems. If you wait until the production date to raise issues, you will face a hostile audience when you ask the court for protection. Raise issues promptly. Your willingness to work toward a solution with the other side will be viewed favorably by both the U.S. court and the EU authorities. For example, you can agree that sensitive data could be withheld, “anonymized,” or redacted. Eventually, the judge is going to ask if you acted in good faith, so act in good faith early and often.

Use Existing Balancing Tests, But Adapt Them to Data Protection Laws. Notwithstanding what appears to be a one-sided line of cases, there is nothing inherently wrong with the balancing tests being applied by U.S. courts. However, it is vital to emphasize that EU data protection laws protect “important interests of the state where the information is located,” and are nothing like the historical blocking statutes viewed with such suspicion by U.S. courts.

Remember Your Data Protection Obligations During the Discovery Process. If you produce documents potentially subject to EU privacy laws, protect the data with appropriate security.

• Use protective orders: Protective orders can restrict who may access the discovery and for what purposes, and impose sanctions for noncompliance.
• Cooperate with EU authorities: Official guidance from EU authorities may help convince U.S. courts of the need to account for EU obligations. Be careful ' you do not want the U.S. court to conclude that you are “conspiring” with the EU authority to defeat the discovery.

Educate U.S. Judges on the Importance of EU Laws. Judges in the United States are likely to be unfamiliar with EU data protection regimes, and to view them with some suspicion. As the entity at the sharp end of the stick when it comes to the need to strike the right balance, it is up to the target of the conflicting legal obligations to make sure the judge becomes familiar with these rules, and how they can be balanced with litigation needs.

Advocate for a Solution. In the long term, without a stronger, clearer, and streamlined compliance mechanism, these issues will continue to arise. Both sides would do well to follow the example set when the Sarbanes-Oxley Act required U.S. public companies to establish “whistle blowing” hotlines. Those hotlines allowed employees to report violations anonymously ' but EU authorities concluded that the hotlines ran afoul of EU privacy laws. Through direct negotiations, the United States, EU, and various member states issued guidelines that reconciled the conflicting requirements. Authorities on both sides of the ocean need to give more deference to the laws of other jurisdictions.

Final Considerations

There is one additional consideration each lawyer should keep in mind. Perhaps most importantly, lawyers confronted with these sometimes conflicting demands on behalf of their clients need to always remember what it looks like from the other side of the Atlantic:

For the U.S. Lawyer: Do not underestimate the importance of complying with EU data protection laws, or the seriousness with which EU regulators and courts view these laws even in the face of a contradictory mandate from across the ocean. Failure to comply can do significant damage.

For the EU Lawyer: Do not underestimate the importance of complying with U.S. discovery obligations, or the seriousness with which U.S. courts view these obligations even in the face of a contradictory mandate from across the ocean. Failure to comply can do significant damage.

Michael Miller is a partner in Morrison & Foerster LLP's New York office. His practice includes all aspects of complex antitrust and commercial litigation in federal and state courts, at both the trial and appellate levels and in administrative proceedings. Miller also frequently counsels clients on antitrust and data security-related issues. He can be reach at [email protected]. Karin Retzer is of counsel based in the firm's Brussels office. Retzer's practice focuses on the legal aspects of electronic commerce and data protection, technology licensing, and intellectual property law. She can be reached at [email protected].