European insurers frequently include a “service of suit” provision in insurance policies they issue to United States policyholders. In doing so, the insurers agree to submit to the jurisdiction of U.S. courts should a dispute arise. In practice, and absent a choice-of-law clause designating a different law, a service of suit provision should also be read as an agreement to abide by the discovery rules of U.S. courts. However, U.S. policyholders should be aware of the possibility that the EU General Data Protection Regulation (GDPR) may allow a European insurer to avoid complying with U.S. discovery rules. To date, no European insurer has successfully done so, but policyholders should be prepared to draft discovery and protective orders with the GDPR in mind.
The GDPR came into effect on May 25, 2018. GDPR, Art. 99.2. The GDPR “lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.” Id., Art. 1.1. The GDPR defines “processing” as “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.” Id., Art. 4.2. “Personal data” is defined as “any information relating to an identified or identifiable natural person (‘data subject’).” Id., Art. 4.1.
The GDPR permits the processing of personal data under various circumstances. Processing of personal data is lawful if “the data subject has given consent to the processing of his or her personal data for one or more specific purposes.” Id., Art. 6.1(a). Processing of special categories of personal data (including “data concerning health”) is lawful if “the data subject has given explicit consent to the processing of those personal data for one or more specified purposes” or if “processing is necessary for the establishment, exercise or defence of legal claims.” Id., Art. 9.1, 9.2(a) & (f).
The GDPR also addresses when personal data may be transferred to the United States. The GDPR permits such transfers if “the data subject has explicitly consented to the proposed transfer” or if “the transfer is necessary for the establishment, exercise or defence of legal claims.” Id., Art. 49.1(a), (e).
Policyholders may seek information or documents containing the personal data of an individual located outside of the EU from a European insurer. According to the draft guidelines the European Data Protection Board (“EDPB”) published regarding the territorial scope of the GDPR, the GDPR applies to European companies that possess personal data of natural persons located outside of the EU. See EDPB Guidelines 3/2018 on the Territorial Scope of the GDPR (Art. 3) (Nov. 16, 2018), https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_3_2018_territorial_scope_en.pdf (“The EDPB therefore considers that any personal data processing in the context of the activities of an establishment of a controller or processor in the Union would fall under the scope of the GDPR, regardless of the location or the nationality of the data subject whose personal data are being processed.”). Discovery requests that seek the information of natural persons located outside of the EU are therefore potentially subject to scrutiny under the GDPR.
European insurers therefore may compile, review, and produce documents that fall under one of the permissible uses enumerated in Articles 6 and 9 of the GDPR. The GDPR does not specify that a court order is required before documents containing the personal data of natural persons may be produced under these Articles. A European insurer therefore can respond to discovery requests that seek information or documents that are relevant because they are necessary for the establishment, exercise, or defense of legal claims, even in the absence of a court order. The same is true for discovery requests that seek documents or information containing personal data of an individual who has consented to the processing of his or her data. To be valid under the GDPR, consent “should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.” GDPR, Recital 32. If seeking to obtain personal data of an individual from a European insurer, policyholders should draft consent forms that comply with these requirements. Again, no court order is required to allow a response to a discovery request if the policyholder has provided a valid consent from the data subject.
If a discovery dispute arises, a European insurer will have to demonstrate not only that the GDPR applies, but also that it controls. Courts have frequently addressed whether parties to litigation in American courts can avoid their discovery obligations by invoking foreign laws. The United States Supreme Court has considered the issue twice. See Société Nationale Industrielle Aérospatiale v. U.S. Dist. Ct. for S. Dist. of Iowa, 482 U.S. 522 (1987); Société Internationale pour Participations Industrielles et Commerciales, S.A. v. Rogers, 357 U.S. 197 (1958). In Aérospatiale, the Court held that when determining whether to compel discovery notwithstanding the existence of contrary foreign legislation, a domestic court should consider and balance multiple factors bearing on international comity, including:
(1) the importance to the . . . litigation of the documents or other information requested;
(2) the degree of specificity of the request;
(3) whether the information originated in the United States;
(4) the availability of alternative means of securing the information; and
(5) the extent to which noncompliance with the request would undermine important interests of the United States, or compliance with the request would undermine important interests of the state where the information is located.
Id. at 544 n.28 (citation omitted); accord Restatement (Third) of Foreign Relations Law § 442(1)(c) (1987). Ultimately, the Court held that foreign “statutes do not deprive an American court of the power to order a party subject to its jurisdiction to produce evidence even though the act of production may violate that statute.” Aérospatiale, 482 U.S. 522 at n.29.
Recently, a federal court applied the Aérospatiale factors to determine whether a party could avoid responding to discovery requests because of the GDPR. In Finjan, Inc. v. Zscaler, Inc., 2019 WL 618554, at *1 (N.D. Cal. Feb. 14, 2019), the plaintiff propounded discovery requests in a patent dispute seeking the production of e-mails of the defendant’s U.K.-based salesperson. The defendant argued that it could not produce the e-mails without violating the GDPR. The court analyzed the issue under Aérospatiale. Id. at *1.
The court determined that the first Aérospatiale factor weighed in favor of the plaintiff because the documents were relevant and non-cumulative of other documents. The second Aérospatiale factor also weighed in favor of disclosure because the plaintiff agreed to the use of narrowly tailored search terms. The court found that the third factor weighed in favor of the plaintiff because the defendant was a U.S. company subject to U.S. discovery rules. While the defendant argued that the fourth factor should go its way because the e-mails could be obtained by requesting them from domestic custodians who had exchanged e-mails with the salesperson, the court disagreed because the defendant could not identify those domestic custodians, given that it had not searched the salesperson’s e-mail. The fifth factor, the balancing of national interests, weighed “heavily” in favor of disclosure because a protective order was in place that diminished the U.K.’s interest in protecting the privacy of its citizens. The court also noted that the GDPR specifically permits processing of data relevant to the claims or defenses at issue, so disclosure would not violate the GDPR. The interest of the U.S. in protecting its patents therefore outweighed the U.K.’s “diminished interest” in protecting the privacy of its citizens.
Finally, the court also analyzed the potential burden on the defendant if it were found to have violated the GDPR. It determined that there was no real risk of enforcement because the defendant had made no showing that enforcement was likely. The court ultimately ordered the defendant to produce the e-mails.
Although outside of the insurance context, Finjan is particularly instructive in guiding policyholders and insurers alike in how U.S. courts may analyze the applicability of the GDPR in discovery disputes. When seeking discovery from a European insurer, policyholders should 1) draft narrowly tailored requests for relevant information; 2) obtain valid consent from the person whose data is being sought; 3) consider whether the information sought is obtainable from other sources; and 4) seek an order protecting the confidentiality of information potentially subject to the GDPR.