EMERGING CONFLICTS BETWEEN THE GDPR AND US CIVIL DISCOVERY REQUESTS

In the time since the European Union’s General Data Protection Regulation (GDPR) came into force in 2018, companies and courts have been grappling with its implications, including in the realm of US civil litigation. Companies subject to the GDPR must abide by their obligation to protect European Economic Area (EEA) personal data by limiting disclosure to what is “strictly necessary” while simultaneously complying with the broad document demands that typify US civil discovery. This article explores interplay between the GDPR and US civil discovery and offers suggestions for companies navigating the inherent tension between the two competing legal regimes.

Competing legal regimes

Discovery in US civil litigation is uniquely broad and intensive. Parties to a civil lawsuit may request from their adversaries virtually any material that may be relevant to the case, so long as the request satisfies the proportionality and relevance requirements of Rule 26 of the Federal Rules of Civil Procedure. It is not uncommon for document production to ultimately encompass millions of documents. Failing to comply with discovery requests can undermine a party’s case, with possible sanctions including waiver of legal rights in the case, substantial fines or even contempt of court.

The GDPR, by contrast, mandates that EEA personal data be strictly protected, and threatens hefty fines for failures to do so. Any entity that is established in the EEA and processes the personal data of EEA-based individuals, or any business which targets EEA-based individuals through the offering of goods or services, is subject to the GDPR. “Processing” encompasses a broad range of actions, including collection, recording, storage, consultation, use, erasure or destruction.

Oct-Dec 2020 issue

Skadden, Arps, Slate, Meagher & Flom LLP

Join our free mailing list to read the full article