Foreign Data Protection Laws in U.S. Litigation and International Arbitration
Foreign data protection laws such as the European Union’s General Data Protection Regulation (“GDPR”) prevent information or documents from being transferred outside the country except through certain procedures. Many courts, businesses and governments are still trying to understand the effects of the GDPR, including how it impacts U.S. domestic litigation and international arbitration. Often, the GDPR may be at odds with U.S. litigation where discovery plays an important role. A party subject to GDPR requirements should be aware how U.S. courts and arbitral tribunals may handle the GDPR in relation to those proceedings.
U.S. Domestic Litigation
Before the GDPR came into force in May 2018, federal courts had been faced with the question of whether foreign data protection laws can prevent disclosure of information in U.S. litigation. In 1987, the U.S. Supreme Court held that “[i]t is well settled that such statutes do not deprive an American court of the power to order a party subject to its jurisdiction to produce evidence even though the act of production may violate that statute.”1 From this decision and its progeny, federal courts have developed a balancing test, guided by the general principle of international comity, to determine whether to require a party to comply with a discovery request that may violate a foreign law, such as the GDPR. This balancing test generally includes five non-exhaustive factors:
(1) the importance of the documents or other information requested to the litigation;
(2) the degree of specificity of the request;
(3) whether the information originated in the United States;
(4) the availability of alternative means of securing the information; and
(5) the extent to which noncompliance would undermine important interests of the United States.2
Some circuits, including the Second and the Ninth, consider additional factors such as (6) hardship and (7) good faith attempts to comply.3
In applying this test, federal courts have largely held that foreign data protection laws do not prevent disclosure in domestic proceedings. After the implementation of the GDPR, courts have continued requiring disclosure of information even when a party alleges that the GDPR or another foreign data protection statute prevents that disclosure.4 However, at least one federal court held that the GDPR prevented certain information from being disclosed in response to a discovery request.5
This trend in requiring compliance with disclosure requests in U.S. litigation may have a substantial effect on foreign or multinational entities. The E.U. has shown a willingness to enforce the GDPR requirements by imposing multi-million-dollar fines on companies that fail to comply. This can force companies bound by the GDPR to make a difficult choice – either comply with the disclosure requirements in U.S. litigation and potentially pay a fine to the European Data Protection Board, or refuse to comply with the U.S. discovery requirements and potentially face sanctions or a contempt order.
However, even if forced by a court or tribunal to disclose certain information, the GDPR provides several avenues for transferring personal data outside the E.U., including the implementation of adequate safeguards pursuant to Article 46 of the GDPR,6 or reliance on the derogations under Article 49 of the GDPR.7 These procedures may permit a party to disclose that information subject to the GDPR without violating their GDPR obligations.
International Arbitration
Data protection laws, including the GDPR, can also affect international arbitration proceedings in various ways. To determine whether a data protection law prevents the disclosure of certain information, the arbitral tribunal must determine the procedural law of the arbitration, which is often the law of the seat, or country where the arbitration is held.8 The tribunal would then look to how that procedural law determines this question.
New York, London and Paris are three common seats for international arbitration. In the case where the procedural law is New York law, the tribunal may apply U.S. federal precedent to determine whether a foreign data protection law prevents disclosure, because New York courts look to federal case law on this issue.9 However, a tribunal may not necessarily apply the balancing test in the same way as a federal or state court, given that the interests of the tribunal may be different from a domestic court, and a tribunal may be less willing to force a party to violate its’ country’s laws.
International arbitral organizations, such as the ICC, have recently implemented certain measures to address the GDPR. This includes a requirement in the ICC Note to Parties and Arbitral Tribunals on the Conduct of Arbitration (“ICC Note”) to discuss the application of the GDPR at an early stage of the proceedings and “Arbitral tribunals are encouraged to include in the Terms of Reference a data protection protocol to that effect [complying with the GDPR].”10 Recently, the International Council for Commercial Arbitration (“ICCA”) and the International Bar Association (“IBA”) created a joint task force designed to produce a guide to complying with data protection laws in international arbitration proceedings.11 This will likely provide guidance for arbitral tribunals and practitioners relating to the GDPR.
Conclusion
There is still some uncertainty in how the GDPR will affect U.S. litigation and international arbitration. When engaged in litigation in the U.S. or arbitration applying U.S. law, a party subject to the GDPR or other data protection statutes should be aware that those laws may not prevent disclosure in the proceeding.
1 Societe Nationale Industrielle Aerospatiale v. U.S. Dist. Ct. for S. Dist. of Iowa, 482 U.S. 522, 544 n.29 (1987).
2 Finjan, Inc. v. Zscaler, Inc., No. 17CV06946JSTKAW, 2019 WL 618554, at *1 (N.D. Cal. Feb. 14, 2019) (citing Richmark Corp. v. Timber Falling Consultants, 959 F.2d 1468, 1475 (9th Cir. 1992)).
3 Strauss v. Credit Lyonnais, S.A., 249 F.R.D. 429, 439 (E.D.N.Y. 2008).
4 See, e.g., In re Accent Delight Int'l Ltd., No. 18-1755-CV, 2019 WL 5960348, at *4 (2d Cir. Nov. 13, 2019) (“The district court explained that Sotheby’s had not, (and it still has not on appeal,) provided any reason to expect document production pursuant to Petitioners’ § 1782 application would violate its confidentiality obligations or EU law.”); Finjan, Inc, 2019 WL 618554, at *3 (“Taken together, the Court concludes that the GDPR does not preclude the Court from ordering Defendant to produce the requested e-mails in an unredacted form, subject to the existing protective order.”); In re Grand Jury Investigation of Possible Violations of 18 U.S.C. § 1956 & 50 U.S.C. § 1705, 381 F. Supp. 3d 37, 78 (D.D.C.), aff'd sub nom. In re Sealed Case, 932 F.3d 915 (D.C. Cir. 2019) (holding that “On balance, international comity is not a reason to refrain from compelling compliance with the subpoenas. . . . Application of the factors redound strongly in favor of compelling compliance” with subpoenas to Chinese banks); In re Hansainvest Hanseatische Inv.-GmbH, 364 F. Supp. 3d 243, 252 (S.D.N.Y. 2018) (granting application for disclosure of documents held by foreign custodians in face of GDPR and European data privacy laws); Shields v. Fed'n Internationale de Natation, No. 18-CV-07393-JSC, 2019 WL 6841159, at *26 n.13 (N.D. Cal. Dec. 16, 2019) (“Defendant also fails to make a showing that the material falls within the scope of . . . the European Union General Data Protection Regulation, or the Swiss Federal Data Protection Act.”).
5 See, e.g., Pearlstein v. BlackBerry Ltd., 332 F.R.D. 117, 122 (S.D.N.Y. 2019), on reconsideration in part, No. 13CV07060CMKHP, 2019 WL 5287931 (S.D.N.Y. Sept. 20, 2019) (“However, Defendants have represented that, under the European Union's General Data Protection Regulation, they are unable to disclose his address without his consent, which they have not received. Thus, the Court denies Plaintiffs' request to compel Defendants to provide the witness's address.”).
6 GDPR, recital 109; GDPR art. 46(2)(c).
7 GDPR art. 49.
8 See, e.g., Karaha Bodas Co. v. Perusahaan Pertambangan Minyak Dan Gas Bumi Negara, 364 F.3d 274, 291 (5th Cir. 2004) (“Under the New York Convention, an agreement specifying the place of the arbitration creates a presumption that the procedural law of that place applies to the arbitration.”).
9 Peters v. Peters, 127 A.D.3d 656, 658 (1st Dept 2015) (citing federal case law); Orlich v. Helm Bros., 160 A.D.2d 135, 144 (1st Dept 1990) (same).
10 ICC Note to Parties and Arbitral Tribunals on the Conduct of the Arbitration under the ICC Rules of Arbitration (Jan. 1, 2019), paras. 80-91.
11 ICCA-IBA Joint Task Force on Data Protection in International Arbitration Proceedings, ICCA, https://www.arbitration-icca.org/projects/ICCA-IBA_TaskForce.html.
ABOUT BAKER BOTTS L.L.P.
Baker Botts is an international law firm whose lawyers practice throughout a network of offices around the globe. Based on our experience and knowledge of our clients' industries, we are recognized as a leading firm in the energy, technology and life sciences sectors. Since 1840, we have provided creative and effective legal solutions for our clients while demonstrating an unrelenting commitment to excellence. For more information, please visit bakerbotts.com.
