Privacy & Cybersecurity Law Blog

The American Bar Association’s (“ABA’s”) House of Delegates adopted a non-binding resolution urging courts to consider foreign data protection and privacy laws when resolving discovery issues. The full text of the resolution is as follows:

“RESOLVED, That the American Bar Association urges that, where possible in the context of the proceedings before them, U.S. federal, state, territorial, tribal and local courts consider and respect, as appropriate, the data protection and privacy laws of any applicable foreign sovereign, and the interests of any person who is subject to or benefits from such laws, with regard to data sought in discovery in civil litigation.”

This text is narrower than the original proposal, which was not limited to the civil litigation context and applied to additional categories of data. The report that accompanied the proposed resolution lamented the dilemma faced by litigants and third parties who must choose between disclosure requirements in U.S. discovery proceedings and the data protection laws of the foreign jurisdictions that may prohibit such disclosure, in particular, the laws in European jurisdictions. Under the EU Data Protection Directive, personal data may only be processed (including mere storage) and transferred outside of the EEA on limited legal bases, with compliance with a foreign law obligation -- such as U.S. discovery requirements -- not providing such a basis. Further, certain European jurisdictions (such as France) have enacted blocking statutes which prohibit persons from seeking disclosure of information for the purposes of constituting evidence in foreign proceedings. In 2007, a French lawyer was fined €10,000 for attempting to obtain discovery in France pursuant to a U.S.-based litigation (Cour de Cassation Chambre Criminelle, Paris, Dec. 12, 2007, Juris-Data no. 2007-332254).

The ABA’s adopted resolution, while non-binding, may at least encourage U.S. courts to be mindful of the ongoing tension between U.S. discovery laws and non-U.S. data protection laws and to try to limit the burden placed on affected litigants and third parties. While a solution to the problem has not yet presented itself (and the problem looks to remain unresolved by the European Commission’s draft proposals replacing the EU Data Protection Directive), data controllers required to transfer personal data from the EU to U.S. for discovery purposes can follow the Article 29 Working Party guidance on compliance with EU data protection obligations.