GDPR vs US Discovery: US Court Makes Clear Non-US Entities Can’t Avoid Discovery

Global organizations with presences both in the US and Europe can find themselves facing difficult questions in connection with US litigation and investigations. They often want to know whether they are entitled to provide records containing EU personal data to US lawyers, investigators, regulators and courts. A new US ruling makes it clear that the tension between the EU’s General Data Protection Regulation (GDPR) and US demands for information remains strong.

On 13 January 2020, a New York federal judge ordered Telegram Group Inc. (a British Virgin Islands-based instant messaging service) to release a series of “highly sensitive” bank records, despite the company’s concerns that doing so might cause it to violate GDPR. This reflects a wider trend in US discovery. While some US judges have shown sympathy towards attempts to limit discovery when it conflicts with non-US laws, they have largely rejected a party’s reliance on overseas data privacy regulations to avoid discovery altogether.

The GDPR protects personal data (broadly defined as any data relating to an identifiable person) from disclosure and transfer to certain countries, including the United States, absent an exception. The obligations under GDPR are rightfully not taken lightly by non-US parties in US litigation as the consequences for noncompliance are severe. A violation could result in regulatory actions and monetary penalties of up to the greater of 20 million euros, or 4% of annual worldwide turnover for the preceding financial year.

The Telegram case began in October 2019, when the US Securities and Exchange Commission (SEC) filed a civil action against Telegram alleging that its distribution of its cryptocurrency (the “Gram”) in the US market was an illegal securities offering (see here for the SEC’s Complaint). As part of its investigation, the SEC issued Telegram a subpoena to produce relevant bank records, which the company declined to comply with. Even after the SEC moved to compel Telegram to hand over the bank records - which contain personal data and sensitive information regarding the amounts, sources and use of funds raised from Telegram’s activities - Telegram refused. Telegram argued that disclosing unredacted records would violate GDPR, and that complying with GDPR by redacting all personal data would significantly burden it, particularly “given the limited relevance of the information sought” by the SEC.

The court initially denied the SEC’s motion, but then granted it in part after the SEC had renewed its motion to compel, stressing that Telegram’s data privacy claim was too vague and revealed “Telegram’s broad, amorphous invocation of ‘data privacy’ for what it is - a smokescreen aimed at improperly withholding relevant, responsive documents from the SEC.” The SEC asserted that Telegram could not overcome “the presumption in favor of discovery that applies in federal courts.” The court ultimately ordered Telegram to release the records to the SEC despite the applicability of the GDPR, and other US courts have reached similar conclusions. But the decision represents a measured approach: it denied the SEC immediate access to the unredacted records and granted Telegram until the end of February to redact personal data in accordance with GDPR. The court also ordered Telegram to provide a log explaining the rationale for each redaction, but otherwise left it to the company to assess how to apply the redactions so as to balance compliance with GDPR against its discovery obligations. Non-US entities that find themselves in a similar situation should consult legal counsel to conduct a legitimate interest assessment (LIA) and, if needed, a data protection impact assessment (DPIA) under GDPR, to analyze and demonstrate their compliance with their obligations under the GDPR. It is critical to demonstrate in this risk-based assessment that the entity making the disclosure has acted reasonably and proportionally, in case of a regulatory inquiry.

It is clear that US courts may take a varied approach to GDPR, which puts non-US companies in a difficult position. If doing business in the US, foreign entities should expect potential litigation and be prepared for these discovery issues. The options left to parties embroiled in civil litigation and forced to comply with the GDPR are not many. They can: negotiate the scope of discovery; seek a Protective Order from the court, so that information cannot be widely disseminated and may be viewed only by specific persons, as in the Mizuho Bank case; and/or redact personal data to comply with GDPR, as Telegram intends to do. While the third option is likely the most cumbersome and expensive, the Telegram case is a strong indication that it may be the surest way for those seeking to comply with their GDPR obligations to do so. Seeking individuals’ consent for disclosing their personal data is another possibility, but it is likely impractical because, even if obtained, consent can be withdrawn at any time.

The Telegram case is an important reminder that non-US entities will not be immune from US discovery simply because of potential conflicts with GDPR. It will continue to be necessary for organizations to take an informed, risk-based strategic approach, balancing the risks of non-compliance with both GDPR and US court orders. This will usually involve conducting reasonable and well-grounded privacy assessments that strike the right balance and give appropriate weight to individuals’ expectations of privacy, as well as carrying out sensibly scoped search and redaction exercises in response to what can be extremely wide-ranging requests for disclosure, especially during US discovery. It is usually possible for experienced practitioners to find a practical solution, although that can be a time-consuming and expensive exercise, particularly if it is not thought through early enough.

It is clear from the Telegram case that the burden and expense of redacting for compliance with GDPR is not a good enough excuse for not disclosing the requested documents. To mitigate the cost of these exercises, it is crucial that GDPR considerations are addressed up-front, before any large-scale document review exercise is carried out. We have seen cases in which documents already reviewed by US counsel have needed to be re-reviewed for GDPR redaction, in extreme cases costing clients millions. Cases like these need not arise if conflicts between GDPR and US discovery requests are spotted and treated early. Therefore, taking a strategic, practical approach (by excluding less relevant personal data and applying necessary redactions) is critical for non-US entities that find themselves with disclosure obligations in US litigation or facing regulatory scrutiny.

By Caitlin Potratz Metcalf, Adam Lurie, Doug Davison and Aviva Kushner