Foreign Data Protection Laws: Greater Impact on U.S. Discovery than Foreign Blocking Statutes
October 25, 2022
Litigants are increasingly relying on foreign data protection laws – especially new laws in China and the European Union – to resist discovery requests from courts in the United States. Historically, U.S. courts do not limit discovery just because the production of the requested materials or information would violate foreign laws. So far, as Bill Dodge and Katie Burghardt Kramer have explained, the response to new foreign data protection laws has been more of the same: discovery carries on pretty much as usual, even if the order of production would arguably force the disclosing party to violate foreign laws.
This may change, however. Commentators have not focused on a critical difference between the new data protection laws and the older laws that generated conflicts with discovery in the United States. The older laws were blocking statutes – their entire purpose was to prevent discovery in the United States – whereas the new Chinese and European laws have as their purposes the protection of individuals’ personal data or data collected by corporations. That protection may serve the goals of privacy, national security, or economic development, but the statutes were not enacted to thwart foreign litigation.
In other words, the foreign data protection laws may reframe the conflicts as not primarily about discovery – the classic point of friction between the United States and much of the rest of the world – but instead as ones about substantive values such privacy and the protection of data. Here, the lines are not so clear. California, for example, has recently enacted legislation allowing consumers to control some uses of their data.
Upshot: If the foreign data protection laws are enforced domestically (in the EU or China) to protect the same data that is sought in litigation in the United States, then U.S. courts can and should accord those laws significant weight in ruling on discovery requests. The issue should be treated as less procedural and more substantive, meaning that foreign data protection laws should have a greater potential impact on U.S. litigation than foreign blocking statutes have had.
Foreign Data Protection Laws
The European legislation, the General Data Protection Regulation (“GDPR”), protects the data and privacy of all citizens of the European Union (EU), in part by regulating the transfer of EU citizens’ personal data outside of the EU, including the transfer of data to the United States. The GDPR broadly defines personal data as “any information relating to an identified or identifiable natural person.”
China has enacted wide-ranging data protection laws over the past decade, including the 2021 Data Security Law (“DSL”), the 2021 Personal Information Protection Law (“PIPL”), the 2017 Cybersecurity Law7, and the 2014 Guarding State Secrets Law (“SSL”). Their purposes include the protection of national security and the public interest, as well as the promotion of economic development.
Although some U.S. courts have questioned whether the foreign data protection laws will actually be enforced, earlier this year China imposed a $1.2 billion fine on China’s largest ride-share service for violating Chinese data protection laws. The large fine suggests that some of these laws do indeed have teeth, even if the Chinese government’s motivations may have been political.
U.S. Discovery Issues
Parties raise foreign data protection laws as a defense to discovery in a wide array of cases. Some are intellectual property cases, as one might expect. In a recent patent infringement case, Finjan, Inc. v. Defendant Zscaler, Inc., the plaintiff sought production of e-mails from a UK employee of the defendant who used to work for the plaintiff. Those emails were between and among EU citizens. In Cadence Design Systems, Inc. v. Syntronic AB, the defendant allegedly used the plaintiffs’ software without a license; the plaintiff requested in discovery that the defendants’ computers be sent from China to the United States for inspection. A plaintiff in Juul Labs, Inc. v. Chou sought a forensic examination of various electronic devices of the defendants, several of which were physically located in China.
Other cases, however, do not involve intellectual property. In an Ohio employment discrimination case against a U.S. employer, a plaintiff sought the personnel files of other employees, several of whom were located in Europe. Similarly, a Fair Labor Standards Act case against an information technology company alleged that the company misclassified employees and did not pay them overtime to which they were entitled. At the damages phase of the trial, the plaintiffs sought information about the hours worked by remote employees located in Europe. A case involving the dog training and breeding industry, Rollins Ranches, LLC v. Watso, alleged defamation and tortious interference with existing and prospective business relationships. The plaintiffs sought information about the defendants’ social media accounts and telephone records, which included many followers and communications in Europe.
Foreign data protection laws also arise in cases brought under 28 USC § 1782, which permits applicants to obtain discovery for use in an existing or contemplated foreign proceeding. In in re Hansainvest Hanseatische Investment-GmbH., for example, a German party that was contemplating suing a German company in Germany in connection with the sale of that company in Germany sought documents from U.S. asset management companies. Some of those U.S. companies had documents located in Germany, which implicated the EU data protection regime.
Traditional Approaches to Foreign Blocking Statutes
Courts have historically ordered discovery even if compliance with the order might violate foreign law. The U.S. Supreme Court held in Société Nationale Industrielle Aérospatiale v. U.S. District Court (1987) that parties did not need to use the Hague Evidence Convention to discover evidence in France, notwithstanding a French statute that prohibited such discovery except pursuant to a treaty. The Aérospatiale opinion provided a balancing test to evaluate requests that conflict with foreign laws. Several of the factors identified by the Court are already, however, part of the standard proportionality test for discovery under FRCP 26 (amended since the Court’s 1987 decision), including the importance of the requested information to the litigation, the specificity of the request, and the availability of information from some other source. Reconsidering these factors through yet another proportionality balancing test – in addition to those in FRCP 26(b)(1), FRCP 26(b)(2)(B) and FRCP 26(C) – seems to be of dubious value.
Other Aérospatiale factors differ from the standard proportionality factors. Courts are instructed, for example, to consider the interests of the United States, and the list of factors is non-exclusive. Nevertheless, as Maggie Gardner explained in a 2015 article, Parochial Procedure, U.S. courts have interpreted the interests of the United States broadly as to always point in favor of U.S.-style discovery. As the court put it in Giorgi Glob. Holdings, Inc. v. Smulski., the United States has an interest in “fully and fairly adjudicating matters before its courts – an interest only realized if parties have access to relevant discovery – and in vindicating the rights of American plaintiffs.” The Aérospatiale test, in other words, has proven a dead end for litigants seeking to limit or avoid U.S. discovery in light of foreign laws.
So Far, Discovery as Usual
When invoking foreign law to prevent discovery, the burden falls upon the party relying on foreign law to demonstrate that the foreign law in fact bars production. Often, litigants fail to make this showing – in part because they have difficulty showing that the foreign laws are actually enforced and/or that they might actually be enforced against them. In other cases, like Rollins Ranches, defendants cite to foreign data protection laws and quote their language but do no more, Courts give these unsupported references little to no weight.
Several courts have also cited language from Chinese and European laws suggesting those laws will not bar discovery in all cases. Article 49 of the GDPR, for example, contains an exception for the production of information “necessary for the establishment of, exercise, or defense of legal claims.” The scope of that exception is unclear, but courts have nonetheless pointed to it in refusing to limit U.S. discovery. Furthermore, China’s Personal Information Protection Law (PIPL) has an exception for data transfers necessary to fulfill statutory obligations. A judge relied upon this exception to hold in Cadence Design Systems, Inc. that that the PIPL did not bar compliance with the court’s discovery order. The judge interpreted the exception to apply to all “obligations provided by law,” not just statutory obligations.
Courts that do give weight to the foreign data protection laws generally do so in nuanced ways. For example, judges may order in camera review of the discovery to determine how important or burdensome production would be – an action that would itself violate the foreign laws. Courts may impose other confidentiality conditions on the production of such information. In other cases, the judge may shift costs to the party seeking discovery. In in re Hansainvest Hanseatische Investment-GmbH., for example, the court ordered that the applicants assume the costs of production, including the necessary review of compliance with the GDPR, and it also ordered that the applicants indemnify the respondent against any potential breaches of EU law.
Big Changes on the Horizon?
The data privacy laws are new and, as many courts and commentators correctly reason, a great deal depends upon the actions of the EU and the Chinese government. If these governments begin to enforce these protections against entities and individuals that turn over data, or if they even provide regulatory guidance with greater specificity about when enforcement would happen and how the laws apply, then the foreign statutes will have greater effect on U.S. litigation. The laws on the books threaten substantial civil penalties and even – in the case of China – criminal sanctions for intentional or negligent disclosure under “serious”circumstances for illegally obtaining state secrets or unlawfully holding state secrets.
The data protection statutes may have greater impact than the older blocking statutes because they are not geared towards foreign litigation – that is, they are not specifically intended to interfere with foreign legal proceedings. Instead, they are across-the-board efforts to protect personal data and data related to national security. In disregarding foreign statutes, courts usually cite the policy behind U.S. laws, such as prohibiting employment discrimination or enforcing product liability laws. For the blocking statutes, there is no substantive policy on the other side, other than disagreement with U.S. discovery rules. The protection of data is different, and I think courts will and should give greater weight to the foreign regulatory interests behind these laws – especially as their scope becomes clearer and if the laws are enforced generally, beyond just the context of U.S. discovery.
To be sure, we can still expect U.S. courts to order the discovery necessary to provide a fair forum for litigation, especially in cases against foreign defendants that market and sell products in the United States – foreign legal protections notwithstanding. But the analysis (and sometimes the outcome) should afford greater respect for foreign privacy and data protection laws than it has in the past for foreign blocking statutes.