GDPR-Based Objections to U.S. Discovery Requests: 2019 Year in Review

Initial rulings addressing the tension between the broad scope of data protected by GDPR and the similarly broad scope of discovery under U.S. Federal Rule of Civil Procedure 26 revealed substantial skepticism that complying with a U.S. discovery request would expose parties to significant enforcement risk in the EU. Nor do courts appear particularly sympathetic to the burdens associated with fulfilling discovery requests in a way that complies with GDPR.

Below, we take a look at what arguments parties put forth in the past year, and make a few suggestions for how litigants can avoid violating one jurisdiction's law to satisfy another's courts.

GDPR-Based Objections Implicate Comity

Coming into 2019, only a couple of decisions had addressed this issue, and none was particularly instructive. For example, in Corel Software, LLC v. Microsoft Corp., Microsoft sought unsuccessfully to avoid producing 14 terabytes of telemetry data that Microsoft argued would need to be anonymized in order to comply with GDPR. The District of Utah court concluded that the information sought was relevant and proportional under Rule 26, but (because the parties did not raise the issue) the court did not apply the comity analysis laid out in Société Nationale Industrielle Aerospatiale v. U.S. Dist. Court for S. Dist. of Iowa, which U.S. courts have traditionally used to analyze discovery requests that conflict with foreign law. Had it done so, the Microsoft court would have had to analyze five factors: 1) importance of the discovery to the litigation; 2) the specificity of the request; 3) whether the information sought originated in the U.S.; 4) the availability of alternative means to obtain the information; and 5) whether the foreign jurisdiction's interest in maintaining confidentiality outweighs U.S. interests.