The federal statute 28 U.S.C. § 1782 allows discovery in the United States, under the broad US discovery rules, for use in a foreign proceeding. In light of Section 1782’s expanding use (which you can read about here) and its application even to documents held overseas (which you can read about here and here), many practitioners may wonder how Section 1782 applies to documents that are subject to the European Union’s General Data Protection Regulation (aka the GDPR). (You can access Seyfarth Shaw’s GDPR Resource Library here).
Although there are few reported decisions addressing the interplay between Section 1782 and the GDPR, the decisions to date hold important lessons. US courts have uniformly held that entities responding to a Section 1782 subpoena must produce documents regardless of whether those documents are subject to the GDPR. Where courts differ is how they attempt to minimize the burden on the responding party—if at all.
A decision issued within the past month by a New York federal court considered the responding entity’s argument that “some of the discovery sought would likely be subject to” the GDPR.1 The court held that “while [it] acknowledges that [respondent’s] efforts to comply with the GDPR will likely impose some additional compliance costs, it has not demonstrated that compliance would impose a financial burden on [respondent] that is disproportionate to the needs of the case.”2 Although skeptical that the respondent would face any expenses for potentially breaching the GDPR, the court “agree[d] that incurring any such liability in response to this Order would be unfair” and directed that the party seeking discovery “must indemnify” respondent for “any liability resulting from fines for breach of European privacy law.”3
Earlier decisions on this topic varied widely. In a case where the respondent had not “provided any reason to expect document production . . . would violate its confidentiality obligations or EU law,” the Second Circuit Court of Appeals declined to provide the respondent with any protection, holding that “if issues arose, they could be resolved through a protective order.”4 Another New York federal court was more generous, holding that not only were the respondents entitled to indemnification for any breaches, but that the party seeking discovery had to actually “assume the costs of the document production, including the costs of compliance with the GDPR or other applicable European data privacy laws.”5 A Massachusetts federal court recently directed that, although “it is not convinced that compliance would be unduly burdensome for” a sophisticated entity, the parties must confer and “submit a proposed discovery order, detailing their compliance with the GDPR and agreed-upon procedures regarding costs and indemnification in the event of non-compliance.”6
Based on these decisions, parties seeking discovery should be prepared to explain whether their subpoenas implicate the GDPR at all, and to outline the potential financial impact, if any, on the responding party of GDPR-compliance in responding to the Section 1782 subpoena. For parties responding to Section 1782 subpoenas, they should not expect that the invocation of the GDPR will allow them to avoid producing documents or even obtain indemnification for the costs of GDPR compliance, but should be prepared to provide details on why the subpoenas implicate the GDPR and how compliance will cause additional financial burdens on the responding party.
1. In re Polygon Global Partners LLP, 2021 U.S. Dist. LEXIS 98800, at *33 (S.D.N.Y. May 25, 2021).
3. Id. at *33-34.
4. In re Accent Delight Int’l, 791 F. App’x 247, 252 (2d Cir. 2019).
5. In re Hansainvest Haneastiche Investment-GmbH, 364 F. Supp. 3d 243, 252 (S.D.N.Y. 2018).
6. In re Valitus, Ltd., 2020 U.S. Dist. LEXIS 203522, at *24 (D. Mass. Nov. 2, 2020).