Cross-border discovery and the battle between relevance and data privacy issues | IproTech
[author: Doug Austin, Editor of eDiscovery Today]
With so many multinational organizations today and an expanding global regulatory environment in recent years thanks to GDPR and other data privacy laws, it was inevitable that we were going to see more cases involving cross-border discovery. It was also inevitable that we would see more disputes over whether potentially responsive data from custodians in foreign jurisdictions is protected by data privacy laws.
And inevitably, we are seeing these disputes play out more frequently in US courts. Let’s look at a few of these cases here.
Giorgi Global Holdings, Inc. v. Smulski
In this case against defendants alleging civil violations of the Racketeer Influenced and Corrupt Organizations Act (RICO), plaintiffs requested by letter that defendant Wieslaw Smulski be ordered to produce documents pursuant to federal rules of civil procedure. without regard to Polish law and/or GDPR. Defendant Smulski claimed that he could not produce otherwise detectable documents in the case because the GDPR and/or Polish privacy law prohibited him from doing so. Smulski lived in Poland but was an American citizen.
But the Court disagreed. Pennsylvania District Judge Jeffrey L. Schmehl ruled that the defendant, “a US citizen prosecuted in the United States bears the burden of proving that the GDPR and/or Polish privacy law prohibits the production of…relevant documents” who “he can’t do”. Accordingly, Schmehl J. held that the “The GDPR and/or Polish privacy law do not preclude Smulski from producing relevant documents in this case.”
Cadence Design Sys., Inc. vs. Syntronic AB
In this case alleging unlicensed use of plaintiff’s software, defendants argued that China’s relatively new Personal Information Protection Law (PIPL) (which came into force on November 1, 2021) prohibits the transfer computers in China across international borders without the consent of former employees, who refused to accept.
California Magistrate Judge Joseph C. Spero rejected the defendants’ claim that the exception in Section 13 of the PIPL “where necessary to fulfill legal obligations and responsibilities or legal obligations” to require consent to processing of personal data specified in Article 39 was limited to Chinese law, stating: “The Court declines to limit the legal obligation exception of Article 13 to obligations under Chinese law” and found “the Court’s order to produce computers for inspection in the United States creates sufficient legal obligation to invoke the Section 13 exception and proceed without the consent of individual employees under Section 39.”
While every case is different, and not all result in a court order to produce disputed data in a US case, many cases I’ve seen have weighed in favor of a data production order. Article 49(1)(e) of the GDPR, for example, allows the transfer of personal information across borders where such “transfer is necessary for the establishment, exercise or defense of a right to justice”. It is important to know the laws of each jurisdiction, which include exceptions to data privacy laws.