[author: Doug Austin, Editor of eDiscovery Today]
With so many multi-national organizations today and global regulatory environment expanding significantly in recent years through GDPR and other data privacy laws, it was inevitable that we were going to see more cases involving cross-border discovery. It was also inevitable that we were going to see more disputes over whether potentially responsive data from custodians in foreign jurisdictions is protected through data privacy laws.
And inevitably we are seeing those disputes more frequently play out in American courts. Let’s look at a couple of those cases here.
Giorgi Global Holdings, Inc. v. Smulski
In this case against the defendants alleging civil violations of the Racketeer Influenced and Corrupt Organizations Act (RICO) among other things, the plaintiffs requested via letter that defendant Wieslaw Smulski be ordered to produce documents in compliance with the Federal Rules of Civil Procedure without regard to Polish law and/or GDPR. Defendant Smulski claimed that he couldn’t produce otherwise discoverable documents in the case because the GDPR and/or Polish privacy law prohibit him from doing so. Smulski lived in Poland but was an American citizen.
But the Court disagreed. Pennsylvania District Judge Jeffrey L. Schmehl ruled that the defendant, “an American citizen sued in the United States, bears the burden of showing that the GDPR and/or Polish privacy law bar production of…relevant documents” which “he cannot do”. As a result, Judge Schmehl ruled that the “GDPR and/or Polish privacy law does not bar Smulski’s production of relevant documents in this matter.”
Cadence Design Sys., Inc. v. Syntronic AB
In this case alleging unlicensed use of the plaintiff’s software, the defendants argued that China’s relatively new Personal Information Protection Law (PIPL) (which became effective on November 1, 2021) prohibited transfer of computers in China across international borders without the consent of current and former employees, who declined to agree.
California Magistrate Judge Joseph C. Spero rejected the defendants’ claim that the exception in Article 13 of PIPL “Where necessary to fulfill statutory duties and responsibilities or statutory obligations” for requiring consent to handle personal data specified in Article 39 was limited to Chinese law, stating: “The Court declines to limit Article 13’s legal obligation exception to obligations under Chinese law” and found “the Court’s order to produce computers for inspection in the United States creates a legal obligation sufficient to invoke the exception of Article 13 and proceed without the individual employees’ consent under Article 39.”
Conclusion
While every case is different and not all will result in a Court order to produce data subject to litigation in an American case, many of the cases I’ve seen have weighed in favor of ordering production of the data. Article 49(1)(e) of GDPR, for example, permits the transfer of personal information abroad where such “transfer is necessary for the establishment, exercise or defence of legal claims.” It’s important to know the laws of each jurisdiction, which includes exceptions to data privacy laws.
[View source.]
