United States: Privacy: What You Should Know About New Laws

The increased focus on protecting personal privacy may pose a new challenge to the bounds of e-discovery in U.S. litigation as courts reconcile whether and how new data protection laws apply to a litigant's obligation to produce relevant information.

Discovery in the U.S.

Traditionally, U.S. litigation has favored broad civil discovery, permitting litigants a wide berth to explore the factual underpinnings of their cases. Until its amendment in 2015, Federal Rule of Civil Procedure 26(b)(1) was read to empower litigants to obtain discovery with respect to any non-privileged matter provided it generally was "relevant" to a party's claim or defense. However, partially in response to the burden associated with the exponential growth of electronic discovery, this rule as amended now underscores that discovery not only be relevant, but also "proportional to the needs of the case." Fed. R. Civ. P. 26(b)(1). Some state rules, including in New York's Commercial Division, have followed suit by emphasizing proportionality in discovery.

In theory, this focus on proportionality could result in discovery requests and productions that are more tailored to the issues and electronically stored information (ESI) in question. What potentially complicates the process, however, is that relevant information can be mixed with certain additional data of both a business and personal nature; accordingly, even under a proportionate approach, that data may be swept up in a production. The U.S. legal system typically addresses any resulting privacy concerns with confidentiality agreements or protective orders and in limited instances redactions, but this approach may still result in some personal information—that may not otherwise be relevant to the case—being reviewed and produced.

A new challenge to the bounds of U.S. discovery, therefore, will be addressing the intersection of discovery with the increased awareness and focus on privacy and data protection.

General Data Protection Regulation

The European Union's (EU) General Data Protection Regulation (GDPR) became effective on May 25, 2018, and already is presenting a significant testing ground for how U.S. discovery can be reconciled with data protection requirements.

The GDPR addresses individuals' "fundamental ... right to the protection of personal data." GDPR, art. 1(2). It covers the personal data of individuals in the European Economic Area (EEA) (data subjects) and any processing of personal data by organizations directly (data controllers) or those acting under written instructions of data controllers (data processors), even if the entity is not located in the EEA but provides goods and services to data subjects in the EEA or monitors data subjects' behavior taking place in the EEA. GDPR, art. 3. As such, the GDPR impacts cross-border discovery sought in U.S. litigation because its requirements could reach parties that are foreign organizations, or domestic entities with a presence abroad, that have relevant sources of information located in the EEA. Given the global economy, this scenario is increasingly common.

This article describes some of the primary ways in which U.S. practitioners engaging in cross-border discovery may encounter the GDPR's requirements, but practitioners who may handle data covered by the GDPR would be well advised to understand the intricacies, and practical implications, of this comprehensive regulation.

Personal Data. As a threshold matter, the GDPR defines "personal data" far more broadly than what typically is understood as personal information in the United States and includes "any information relating to an identified or identifiable natural person," such as "a name, an identification number, location data, an online identifier" or "one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity" of a person. GDPR, art. 4(1). At least some of this information may be included in such mundane places as the signature block of an email, a type of ESI that necessarily would be produced in many cases.

Processing Personal Data. The GDPR governs "processing" of personal data, which covers a wide range of actions, including "collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction." GDPR, art. 4(2).

In terms of U.S. discovery of GDPR-protected data, processing encompasses, at a minimum, collection, review, deletion, production and cross-border transfer of that data. Under the GDPR, personal data must be processed "lawfully, fairly and in a transparent manner" and in accordance with the data minimization principle, which requires that processing be "adequate, relevant and limited to what is necessary in relation to the purpose" for which the data is processed. GDPR, art. 5(1). There are six lawful bases for processing, including consent, necessity for the legitimate interests of a data controller or third party, and compliance with a legal obligation or a contractual obligation. GDPR, art. 6(1).

Notably, litigants may have a legitimate interest in accessing information that is necessary to make or defend a legal claim, subject to demonstrating that the data subject's privacy rights do not override the litigant's legitimate interests in processing the data. Moreover, corporations may have a legitimate interest in conducting internal investigations and in responding to government investigations. Where special categories of personal data are present—such as data that reveals racial or ethnic origin, political, religious or philosophical beliefs, or health or biometric data—litigants also will be required to fulfill additional conditions.

In exceptional circumstances, consent by the data subject can serve as a basis for processing, but it must be a "freely given, specific, informed and unambiguous indication of the data subject's ... agreement to the processing of personal data." GDPR, art. 4(11). Consent should be relied on cautiously because (1) it is unlikely to be valid in the common employer and employee context due to an imbalance of power and (2) if a data subject does not consent (or later withdraws consent), the litigants can no longer process the data.

Practitioners should be aware of the GDPR's heightened transparency requirements. Data subjects must be provided with notice of the intended processing activity, which should be communicated to data subjects prior to processing any of their personal data. The notice must be "concise, transparent, intelligible," in "clear and plain language," and may be incorporated directly or by reference into legal hold notices. GDPR, art. 12(1).

Transferring Personal Data. There are additional requirements for the cross-border transfer of personal data outside of the EEA, such as to the United States for use in a litigation. Generally, transfer is only permitted to a country that the European Commission (EC) has designated as providing an adequate level of protection, or through a valid transfer mechanism providing for appropriate safeguards. The EC does not consider the United States to offer an adequate level of protection, so impacted parties must make the transfer to the United States subject to appropriate safeguards or rely on one of the legal exceptions or "derogations." GDPR, arts. 46, 47 and 49. In some cases, organizations transferring data may rely on appropriate standard contract clauses or the EU-U.S. Privacy Shield, a framework allowing U.S. companies that have aligned with certain provisions of the GDPR to self-certify and transfer data from the EEA to the United States.

Explicit consent by the data subject can be a basis for transferring data to a country that is not considered by the EC to offer an appropriate level of protection, but, as with processing, this method should be used cautiously. Moreover, derogations to the transfer requirements should only be relied upon sparingly and in addition to other safeguards, if applicable.

Potential Fines. The GDPR is notable in terms of the fines it prescribes for violation: up to €20 million (approximately $23.5 million) or 4 percent of the violating company's total annual global revenue, whichever is higher. GDPR, art. 83(5). The GDPR also grants individuals the right to compensation for material and non-material damage caused by a data controller's or processor's breach of the GDPR requirements, as well as discretion for EEA countries to legislate for additional criminal sanctions for infringements.

The threat of these penalties, even if remote, makes it even more crucial to understand, and comply with, the GDPR in the context of cross-border discovery.

Protections in Other Jurisdictions

A number of other jurisdictions, including in the United States, also have passed privacy and data protection laws which may impact discovery of covered data.

U.S. Jurisdictions. On June 28, 2018, California became the first state to enact comprehensive data protection legislation with the California Consumer Privacy Act of 2018 (CCPA), Cal. Civ. Code §§ 1798.100 to 1798.199, which will become operative in approximately one year, on January 1, 2020. Like the GDPR, the CCPA has an expansive definition of covered personal information for California residents. The CCPA applies to businesses that, among other things, do business in California with annual gross revenue exceeding $25 million, as well as certain service providers processing personal information on behalf of a covered company. The CCPA focuses on the sale of personal information and includes giving consumers the right to know specifics about the personal information a business has collected from them and to have that personal data deleted. The CCPA prescribes that in case of any conflict with another California law, the law that affords the greatest privacy protections shall control. The CCPA also instructs that the new law "shall be liberally construed to carry out its purposes."

Notably, although the U.S. does not have comprehensive national data protection legislation, in mid-January 2019, a new bill was introduced in Congress aimed at creating federal privacy standards in the context of consumer protection, which could (if enacted) pre-empt state laws such as the CCPA. Laws such as these might impact the preservation, collection and production of personal information for e-discovery purposes.

Foreign Jurisdictions. Laws that may impact the processing and transfer of data exist in foreign jurisdictions in addition to the EU—including in Canada, Latin America, and Asia. As but one example, Brazil's first General Data Protection Law, which goes into effect in February 2020, applies not only to companies that collect or process data in Brazil but also extraterritorially to companies that process data related to persons in Brazil or for the purpose of offering goods or services in Brazil. Therefore, when conducting cross-border discovery in these or other jurisdictions, privacy or data protection requirements should be carefully considered.

Reconciling U.S. Discovery Rules and Various Data Protection Laws

Undoubtedly, U.S. courts will continue to examine the breadth of permissible discovery and balance it against the need to protect personal privacy, particularly as electronic data and the technology that handles it proliferate. However, how U.S. courts specifically will enforce discovery rules in response to the breadth of the GDPR requirements or new national privacy legislation may be somewhat uncharted territory. In reconciling foreign data protection laws with U.S. discovery rules, courts have, to date, applied a balancing test the U.S. Supreme Court established in its 1987 decision, Société Nationale Industrielle Aerospatiale v. U.S. District Court for the Southern District of Iowa, which held that a French blocking statute did not preclude American courts from ordering discovery from a party subject to U.S. jurisdiction. 482 U.S. 522 (1987). More recently, courts have continued to hold that the interests of U.S. discovery outweigh foreign data protection laws. See, e.g., Royal Park Invs. SA/NV v. HSBC Bank USA, N.A., No. 14 Civ. 8175, 2018 WL 745994 (S.D.N.Y. Feb. 6, 2018) (Belgian Data Privacy Act); Knight Capital Partners Corp. v. Henkel AG & Co., 290 F. Supp. 3d 681 (E.D. Mich. 2017) (German Data Protection Act); Laydon v. Mizuho Bank, Ltd., 183 F. Supp. 3d 409 (S.D.N.Y. 2016) (EU privacy laws). In a different test of privacy concerns, the New York Court of Appeals, while recognizing privacy rights, has held that photographs and information posted under a privacy setting on Facebook were material and necessary evidence subject to civil discovery. Forman v. Henkin, 30 N.Y.3d 656 (2018).

In one of the first cases involving the GDPR since it became effective, Microsoft recently argued that retention and production of data relevant in a patent infringement case "raises tension" with the GDPR and would require burdensome steps to anonymize the personal data. Corel Software, LLC v. Microsoft Corp., No. 2:15-cv-00528, 2018 WL 4855268, at *1 (D. Utah Oct. 5, 2018). Nonetheless, the court ordered retention and production, finding that the benefit of the data, which was relevant and proportional, outweighed the burden or expense of compliance.

Originally published in New York Law Journal

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Akin Gump Strauss Hauer & Feld LLP