General Data Protection Regulation in U.S. Litigation through Mid-Summer 2019.

Author: Gladstone, Michael H.

IN JANUARY 2012, the European Commission set out plans for data protection reform across the European Union. One of the key components of the reforms was the introduction of the General Data Protection Regulation (GDPR). (1)

The GDPR is a comprehensive set of rules designed to give European Union citizens more control over their personal data. The GDPR applies, generally, to any organization operating within the European Union, as well as, among others, organizations outside the European Union that offer goods or services to customers or businesses in the European Union. Almost every major corporation in the world is affected by this legislation. This legislation came into force across the European Union in May 2018.

There has been considerable uncertainty about how the GDPR will be addressed in litigation commenced in the United States. However, now that a year has passed, motions relating to the GDPR are beginning to be adjudicated, and trends are starting to emerge. This article provides a detailed summary of courts' treatment of GDPR-related arguments and summarizes the potential impact of the GDPR on United States litigation.

  1. Impact of GDPR currently

    As of July 19, 2019, eleven federal cases reference "GDPR" or the "General Data Protection Regulation." No state court cases appear. Of the cases returned, four are from the United States District Court for the Southern District of New York, (2) and two are from California, (3) one each from the Central District of California and the Northern District of California. The remaining five cases originate from District Courts in Washington, Maryland, Alabama, Utah, and Florida. (4)

    These eleven cases generally involve discovery disputes, often in intellectual property matters. In these scenarios, the responding party has raised GDPR as a bar or impediment to a full discovery response. In general, courts have proceeded under a normal Rule 26 analysis in evaluating the discovery requests and/or objections, while paying additional attention to the objections involving the GDPR or similar and/or related European laws. The extent of the discussion of the GDPR hinges, generally, on the significance of the discovery sought and accuracy of the assertion of the regulation as a bar or impediment to the discovery sought. This discussion is often accompanied by an analysis of the evidence supplied by the objecting party related to the precise requirements and burdens of the GDPR on the party, the risks those requirements create for the party if responses were made as demanded, and the costs of complying with the requirements.

    Not surprisingly, where respondents provided little specificity concerning the regulation or supporting evidence of burdensomeness, the arguments received less credence. Some responding parties concede that the GDPR is not a bar to responding, but stress the costs of a GDPR-compliant response. However, given the level of the courts' discussion of the GDPR in these eleven cases, it is sometimes difficult to determine from the opinions the detail with which the regulation was briefed and argued. A review of selected discovery briefings suggests that arguments as to burden have not been significantly developed, for example through itemization of GDPR-connected costs. Based on the cases so far, mere citation of the GDPR or another foreign state's data protection regime provides no categorical basis for relief from United States discovery.

    Parties seeking discovery resist the responsive party's arguments grounded in the GDPR as vigorously as arguments grounded in any other basis offered to block or limit discovery. In the apparent interest of fairness, however, some courts have already added protective terms to discovery orders to limit the dissemination of personal or proprietary data, even where the reasoning leading to the court's decision would not have suggested it would implement such measures. In one case, shortly after the GDPR came into effect, the United States District Court for the District of Maryland acknowledged the parties' efforts to address issues arising under the GDPR by supplementing the protective order to add language governing the processing and handling of data from foreign custodians covered by the GDPR. (5)

  2. Analysis of the Case Law

    Of the eleven federal cases, eight seem worth exploring in greater detail. This article discusses these cases in chronological order below.

    Ironburg Inventions v. Valve Corp. Three months after the GDPR went into effect, the United States District Court for the Western District of Washington addressed the GDPR and the European Convention on Human Rights (ECHR) in the context of deposition marking. In Ironburg Inventions, Ltd. v. Valve Corp. (6) the dispute concerned deposition testimony marked as confidential during a deposition. The parties disagreed as to which designations ought to continue to be confidential and require filing under seal and moved for different parts of the deposition testimony to either be placed under seal or de-designated. (7)

    Ironburg raised the GDPR and the ECHR in arguing that its witness, Simon Burgess, a United Kingdom citizen, was entitled to heightened protection of his personal information. (8) Ironburg argued certain medical information concerning Burgess' ability to testify competently and provide accurate answers was revealed in the deposition, and if the information were disseminated it would cause the witness persistent embarrassment. (9) Ironburg argued the medical information demonstrated good cause to maintain Burgess' deposition transcript under seal. (10) Any less restrictive alternative, Ironburg argued, would leave Burgess vulnerable to public embarrassment, as no portion of his deposition transcript could be disclosed without disclosing the medical...
