The European General Data Protection Regulation, or GDPR, which became effective in 2018, is a set of laws that govern how data is processed and controlled within the European Union.
Touted as the “toughest privacy and security law in the world,” the GDPR applies to any documents, data, or information collected or processed within the EU.
Most notably for U.S. litigants, the GDPR arguably requires the redaction of any personal identifying information — e.g., names, addresses, email addresses, phone numbers, employee identification numbers, etc. — from documents or data collected within the EU, unless certain exceptions apply or express consent from the person potentially identified is obtained.
Accordingly, compliance with the GDPR can be burdensome and tedious, encompassing a wide range of data processing requirements, limitations and practices that can be tough to balance in the context of open U.S.-based discovery.
For example, while the GDPR heavily restricts how personally identifying material may be processed and used, U.S. discovery traditionally promotes broad disclosure of all relevant information and does not permit nonprivileged redactions in the context of otherwise responsive documents.
The timing demands of U.S. discovery can also be strict. Thus, when U.S. litigants seek discovery of information that originated in the EU, challenges arise because U.S. courts expect that information to be produced promptly and mostly in full.
Litigants must balance timely producing the requested documents with GDPR compliance, which may require time-consuming — and expensive — redaction or anonymization. However, there is no consensus on how to balance GDPR requirements and compliance — or noncompliance — with U.S. discovery orders.
Driven by legitimate concerns from EU clients, U.S. litigants often redact or anonymize certain sensitive information from produced documents to comply with the GDPR. But these redactions come with risk if the court finds them unjustified or excessive.
Yet, ignoring the GDPR also comes with risks of enforcement for disclosing protected data, which can include hefty fines for EU-based entities.
Careful litigants can reduce both sets of risks by narrowly and timely applying redactions and proactively working with opposing counsel to agree on the scope of redactions — or otherwise approach the court with the issue.
This article places these practice tips in the context of U.S. Magistrate Judge Roy Payne’s recent ruling from the U.S. District Court for the Eastern District of Texas in Arigna Technology Ltd. v. Nissan Motor Co. Ltd.
Risks From GDPR Redactions
The conflict between U.S. discovery and the GDPR was recently addressed in Arigna v. Nissan, a patent infringement case related to electronic circuits.
Arigna sought discovery of information about the corporate representatives of defendant Continental AG to be deposed by Arigna. Continental attempted to comply with both the GDPR and the discovery request by redacting employee names, images and emails.
But due to the time required to complete its redactions, Continental produced the requested documents after the discovery deadline. Arigna then moved to compel unredacted versions of all produced documents.
At a hearing on Arigna’s motion, Arigna showed examples of redactions of publicly available information and complained that Continental had produced documents after the discovery deadline. Continental argued that a European law firm provided an opinion advising the company that the redactions were necessary under the GDPR but never produced the opinion.
Judge Payne ultimately required Continental to produce the redacted documents in full, pay the fees and costs associated with reviewing the redacted documents, and answer additional questions related to the depositions of its corporate representatives.
Looking to Article 49(1) of the GDPR, which lists an exemption for information “occasional and necessary for the establishment, exercise or defense of legal claims,” Judge Payne found that Continental had not shown that GDPR compliance required the redactions Continental made.
Accordingly, Judge Payne’s decision should not be read as an answer to the conflict of law issue between the GDPR and the Federal Rules of Civil Procedure in every instance.
The Occasional and Necessity Exception Tests to Redacting Under the GDPR
As explained in the guidelines to the GDPR, “pre-trial discovery procedures in civil litigation may fall under [Article 49(1)],” and thus potentially be exempt from GDPR redactions.
However, the guidelines emphasize that the data in question must be occasional and pass the necessity test to comply with the GDPR.
Occasionality refers to the requirement that the data transfer must be irregular and occur outside of typical business activities. For example, the guidelines state that allowing a data importer direct access to a database will generally constitute nonoccasional data transfer.
Limited, isolated discovery requests may qualify as occasional, but European clients may dispute whether systematic discovery requests throughout a litigation are occasional.
The necessity test requires “a close and substantial connection between the data in question and the specific establishment, exercise or defense of the legal position.” Further, the GDPR’s principle of data minimization — collecting and processing only what is critical — weighs against broadly turning over all possibly relevant material in response to a discovery order.
Accordingly, the necessity test requires a case-by-case analysis of whether the personal identification information to be produced — or redacted — is substantially connected to a legal position.
It is not hard to imagine that U.S. and EU courts would view the substantiality of the connection between personal data and legal claims differently.
Best Practice Guidelines for Balancing GDPR Compliance With U.S. Discovery
Guidance on how to balance the needs of EU clients to comply with the GDPR with the demands of U.S. discovery may be derived from the Arigna decision.
First, EU entities litigating in the U.S. should anticipate the need to redact information pursuant to the GDPR and work with opposing counsel to find mutually acceptable redaction strategies and expectations.
Reasonable counsel understand the demands of international litigation and the limited relevance of personal identifying information of employees with no direct knowledge or involvement in the subject matter of the litigation.
Including GDPR redaction provisions and procedures for resolving disputes in negotiated protective or discovery orders can go a long way in managing expectations and avoiding motion practice.
Second, documents redacted pursuant to the GDPR should be collected, redacted and produced in advance of any discovery deadlines.
This will allow the parties time to negotiate and work out solutions, such as providing redaction logs or obtaining permission from specific, relevant individuals to disclose personal information, before motion practice that demands all-or-nothing GDPR compliance — or noncompliance.
Third, redactions pursuant to the GDPR should be made conservatively to protect the legitimate interests of EU entities, but not unreasonably. Any redaction policy should be made with the understanding that it may have to be defended before a court.
Fourth, if the case demands production of some personal identifying information, provide the information needed by opposing counsel — if within reason — or involve the court early to avoid motion practice for completely unredacted materials.
For example, during deposition questioning that covers the identification of individuals with relevant knowledge, proactively seek:
1. Permission to disclose the names of such individuals beforehand; and
2. Agreement with opposing counsel to identify personal information that may implicate the GDPR and redact such information from later transcripts.
If witnesses are prepared to be able to provide the most relevant information about knowledgeable individuals, motion practice can usually be avoided.
Finally, if forced to defend GDPR redactions in a motion to compel, provide evidence that such redactions were necessary. Litigants may rely on various legal opinions, including from EU counsel or the discovery hotline available in the Eastern District of Texas.
Ultimately, Judge Payne’s ruling in Arigna does not eliminate or invalidate all GDPR redaction practices by European companies.
Instead, it provides guidance for litigants who believe in good faith that the GDPR requires redaction of personal identifying information about employees from U.S.-based discovery.
Proactive communication with opposing counsel will help lower the chance of contentious motion practice to compel fully unredacted materials. But, if negotiations with opposing counsel fail, litigants must be prepared to timely bring the issue to the court.
Redactions are laborious and slow, and courts will disfavor litigants who fail to make a good faith effort to avoid delay. Addressing GDPR issues early in litigation preserves time to modify or supplement redacted materials before the close of discovery.
When arguing in favor of redactions, litigants should show that the data sought is protected by the GDPR, and further, the data is either irrelevant or cumulative, and not occasional or necessary.
For example, personal data about employees who have no connection to or knowledge of the subject matter of the case is less likely to raise flags if the identity of the knowledgeable individuals and notice about potential redactions is provided up front.
Through proactive communication, timely production and arguments against disclosures, litigants can adequately comply with the GDPR and discovery orders all while continuing to protect sensitive information.
Originally printed in Law360 on September 9, 2022.