As explained in Part I and Part II of this series, U.S.-based commercial litigators should be aware that other countries’ privacy laws may affect their cases in unexpected ways. Perhaps the most likely stage for these issues to surface is during discovery, where materials of interest are located in another country, and that country’s privacy laws effectively prohibit counsel from removing those materials from the jurisdiction. This post provides an overview of some of the issues at the intersection of U.S. discovery practice and international privacy law.

Scope of Discovery

U.S.-based commercial litigators may have different expectations as to what materials are discoverable and how pretrial discovery should proceed than do their counterparts in other countries, which can lead to frustration or even conflicts with local and/or opposing counsel. In short, the scope of U.S. discovery tends to be much broader than that contemplated by other countries’ laws and practices. Consider the breadth of Federal Rule of Civil Procedure 26(b) in the United States, which provides that discovery may encompass “any nonprivileged matter that is relevant to any party’s claim or defense and proportional to the needs of the case,” and that materials “need not be admissible in evidence to be discoverable.” Parties in U.S. litigation generally engage in robust pretrial discovery and invoke Rule 26(b) as justification for making wide-ranging demands for documents or other potentially relevant materials. By contrast, in many civil law jurisdictions (including many European countries), pretrial discovery is much more limited and the onus is on the judges, rather than the attorneys, to investigate the facts and allegations at issue. As a starting point, then, it is important to keep in mind how the American approach to discovery may differ from that taken in other countries and to be prepared to address and accommodate foreign practices if necessary.

Privacy Laws and Blocking Statutes

Beyond basic differences in discovery practices, there are two types of laws that may prevent certain materials from leaving foreign jurisdictions. The first are privacy laws which, as this series has covered previously, can operate to prevent data containing individuals’ personal information from being transferred to a country that has privacy laws that are less than adequate in the eyes of the originating jurisdiction. The second are blocking statutes, such as French Law 68-678, which some countries have enacted specifically to thwart efforts at cross-border discovery. Although blocking statutes are an important consideration in international discovery, this post focuses primarily on the effect of privacy laws on discovery.

European Privacy Law vs. American Court Orders

European law tends to be the most problematic for many U.S.-based litigators both because of the volume of business (and, accordingly, litigation) conducted among American and European parties, as well as the strict nature of EU privacy laws. One of the more common conflicts in the cross-border discovery context is the conflict between, on the one hand, a subpoena or discovery order issued by a US court requiring production of materials located within an EU member state and, on the other hand, a local privacy law prohibiting the personal information contained in those materials from leaving the member state.

In general – and perhaps unsurprisingly – U.S. courts have ordered discovery at the expense of European privacy concerns. For example, in BrightEdge Techs., Inc. v. Searchmetrics, GmbH, the court weighed a number of factors set out in the Supreme Court’s decision in Societe Nationale Industrielle Aerospatiale v. US District Court, a cross-border discovery case predating the current EU data privacy regime, in analyzing whether production of certain German documents was warranted. The court considered, among other factors, the importance of the documents at issue and the ability to obtain the documents via other means, and ultimately ordered production of documents, in part finding defendant had not met its burden of showing that European and German privacy laws actually prohibited the transfer of the personal data to the U.S., because an exception under German law possibly applied allowing the transfer in that situation.

Meanwhile, the EU tends to prioritize its privacy concerns over American discovery demands, as the Article 29 Working Document 1/2009 on pre-trial discovery for cross border civil litigation warns data controllers subject to EU jurisdiction that “[a]n obligation imposed by a foreign legal statute or regulation may not qualify as a legal obligation” through which the controller could legitimize its processing of the data (i.e. storing it or otherwise manipulating it for purposes of U.S. discovery) as required by EU law, although it does recognize that controllers may otherwise be able to justify their compliance with a U.S. discovery order in some circumstances.

Parties who wish to invoke EU privacy laws in order to prevent the transfer of discovery materials from Europe to the U.S. aren’t without recourse, however, as some parties have successfully argued in the U.S. that EU privacy laws prohibit the export of the information at issue. For example, in Salerno v. Lecia, Inc., the court denied plaintiff’s motion to compel defendant to produce documents containing European employees’ personal information because such disclosure potentially violated the EU Data Directive and Germany’s Act on Data Protection.

Unfortunately, there are no definitive answers for parties involved in U.S. litigation who essentially are caught between a rock and a hard place when they have to decide whether they should violate a discovery order issued by a U.S. court so they may comply with European privacy law, or violate EU privacy laws in order to comply with a U.S. discovery order. These issues are complicated and need to be dealt with on a case-by-case basis. For parties that find themselves grappling with these issues, a close look at the foreign jurisdiction’s privacy laws with the help of experienced privacy counsel, as well as a call to local counsel in that country, may be in order.