Antitrust and Unfair Competition Law

Competition: Spring 2019, Vol 29, No. 1


By Lesley E. Weaver and Anne K. Davis1


The European Union’s General Data Protection Regulation2 took effect on May 25, 2018, resulting in significant attention from legal analysts in the lead-up to its effective date. Articles discussing the GDPR’s scope, impact, potential penalties, extraterritorial application, and challenges for U.S. companies with GDPR compliance obligations abound, but little attention, comparatively, has been paid to the impact of the GDPR on U.S. e-discovery. Some have speculated that the GDPR would pose an obstacle to discovery in U.S. courts because of the new substantive rights granted to individuals to control personal data and because of stiff new potential penalties for GDPR violations. Nearly one year after the GDPR’s effective date, what has the GDPR meant for litigants seeking e-discovery in the U.S. courts from entities with European operations? A recent order by a magistrate judge in the Northern District of California suggests that the GDPR has not significantly altered the U.S. discovery landscape.3 Nonetheless, attorneys and litigants in U.S. courts who have electronic and other information that falls within the GDPR’s protections need to undertake careful planning to preserve and produce discoverable information in a manner that complies with both the EU privacy regulations and broad U.S. discovery principles.

This article hopes to provide practical assistance. It provides a brief overview of the GDPR, the legal bases for complying with the GDPR in connection with U.S. e-discovery requests, and the legal landscape with respect to U.S. courts’ deference to non-U.S. privacy regimes. It also proposes steps that can minimize the likelihood that unexpected GDPR-related discovery disputes will arise, avoiding court intervention.

[Page 159]


The GDPR is the EU’s unified privacy protection regime, designed to harmonize privacy protections for residents within the EU and the larger European Economic Area.4 The GDPR centers on the rights of individuals by adding transparency requirements and requiring "data minimization." (GDPR Art. 5(1)(c)). The GDPR protects individual privacy by limiting the collection, storage, processing, use and transfer of "personal data," and by imposing obligations and potential liability on data controllers5 and data processors,6 alike. (GDPR Arts. 4, 24, 28, 82).

Significant for litigants in the U.S. seeking discovery from EU entities, the GDPR applies to processing of personal data and to personal data transfers made by organizations operating within the EU/EEA and outside the EU/EEA that employ or offer goods or services to individuals resident in the EU/EEA.7 The GDPR grants EU/EEA residents new substantive rights to control electronic data containing their "personal data." While the general principles protecting individual privacy have not changed from the EU’s prior privacy regime (under the 1995 Data Protection Directive)8 the GDPR newly codifies individual rights to control personal data, includes a variety of enforcement mechanisms, and provides for new and significant penalties—up to € 20 million (about $22.8 million) or 4% of annual global revenue, whichever is higher—for failure to comply with the GDPR. (GDPR, Art. 49, 83(5)). This means that litigants with GDPR compliance obligations may face conflicting requirements when responding to U.S. e-discovery requests, raising the specter of potential sanctions for violating the GDPR, or for failing to comply with U.S. discovery requirements. Litigants seeking discovery from EU/EEA entities may face delays in obtaining discovery to which they are entitled, and all parties may incur additional costs should it be necessary to involve the U.S. courts in mediating GDPR-compliance-driven discovery disputes.

[Page 160]


The GDPR defines personal data as "any information relating to an identified or identifiable natural person." (GDPR, Art. 4(1)). The GDPR restricts the processing of personal data to circumstances where a Data Controller can provide a lawful basis for processing. The scope of information defined as personal data is significantly broader than the types of information typically afforded protection by U.S. courts ("Personally Identifiable Information," or "PII"), such as tax-identification numbers, social security numbers, or individually identifying information combined with health records or financial account numbers.9 While PII as it is defined in the U.S. falls within the scope of the personal data protected by the GDPR, under the GDPR, any information sufficient to identify an individual "directly or indirectly" is protected.10 Id. This means information incidentally present in electronically stored information ("ESI") relevant to a legal dispute, such as email signature blocks, employee address books, or some types of metadata, falls within the types of personal information protected by the GDPR. Because such information is frequently integrated into ESI, rather than stored separately such that it can be easily culled or produced in protected form, complying with the GDPR can require additional and expensive measures such as redaction or anonymization. And while redacting personal data may comply with the GDPR, it may also conflict with U.S. discovery requirements.


In the EU, protection of personal data is a fundamental right.11 The GDPR includes provisions to ensure that individuals can effectively protect their personal data, such as the right to be informed, the right of access to their personal data, the right to demand correction, the right to demand deletion (in circumstances where the data is no longer necessary for the original purpose for which it was collected and there is no overriding legitimate interest), and the right to object to the collection, processing, storage, or transfer of their personal data at the behest of the Data Controller. (GDPR, Arts. 14, 15, 16, 17, 21, and 49). The GDPR also includes a notice requirement for individuals whose personal data is to be "processed" beyond the initial use for which it was collected, which notice must be detailed and easily understood, using plain and clear language.12 (GDPR Arts. 5, 13, 14). Among other circumstances, processing in response to a discovery request from litigation in a U.S. court triggers the notice requirement. (GDPR Art. 6). Practitioners should be mindful that under the GDPR, processing includes all aspects of handling personal data—from collection to destruction—including the technical processes associated with e-discovery and the act of document review. Individuals also have the right to lodge complaints with a "Data Protection Authority" ("DPA"). (GDPR Art. 77).

[Page 161]


Discovery under the U.S. Federal Rules of Civil Procedure is considerably broader than in the EU and EEA—indeed, it is "the most expansive of any common law country."13 Under F.R.C.P. Rule 26, U.S. litigants may obtain discovery regarding any non-privileged matter relevant to a party’s claims or defenses, subject to case-specific proportionality considerations and protections for sensitive business information such as trade secrets, or PII. In contrast, in many EU/EEA countries, discovery, if allowed at all, is limited to documents admissible at trial or to documents narrowly and specifically described.

Under U.S. discovery rules, when an EU/EEA entity is on notice of legal claims, it is obliged to take steps to preserve all relevant documents, including ESI. Where a U.S. litigant brings a civil suit against an entity with locations or employees in one or more EU/EEA member states, seeks ESI in discovery that is in the possession of a litigant’s EU/EEA office or parent company, or seeks ESI that concerns EU/EEA-resident employees, the processing of that information falls under the GDPR’s protections, to the extent that it includes personal data. Under the GDPR, preservation of ESI is an act of processing data.

Typically, an entity facing U.S. discovery will send out a hold notice to employees, notifying them of their preservation obligations. Under the GDPR, the individual recipients of such a hold notice have the right to inspect the ESI subject to preservation. If the ESI contains their personal data, individuals have the right to object to the preservation of their personal data, and to seek to prevent its collection, processing or production, subject to a balancing of their individual interests against the legitimate interests of the entity. U.S. discovery obligations may put the entity in the position of having to choose between violating its U.S. discovery obligations and violating the GDPR.

The European Commission has made it clear that U.S. discovery requests must qualify as lawful under the GDPR independent of any U.S. court order. In the context of U.S. discovery, there is little guidance from the EU courts as to balancing the interests of entities in developing or defending legal claims or other "legitimate interests" with the rights of the individual. How the EC and enforcing agencies will balance the interests of entities in abiding by U.S. discovery orders against the fundamental rights of individuals remains to be seen.14

[Page 162]


The GDPR framework for lawful processing of personal data requires, among other things, that personal data be processed for a specific purpose and in a transparent manner. If, as is frequently the case when personal data is processed in response to a U.S. discovery request, additional processing of personal data is to take place for a reason different than the reason for the original collection of that personal data, there must be an independent legal basis for the processing.15 (GDPR Art. 6(1)). Once an entity has established the lawful basis for processing personal data in connection with U.S. litigation, the lawful basis to transfer personal data for discovery purposes must be established.

Transfers of data to the U.S. for purposes of U.S. discovery are, under the GDPR, transfers to a Third Country. The GDPR permits Data Controllers to effect personal data transfers to Third Countries subject to certain compliance conditions. (GDPR Arts. 44, 45). Because the United States is not among the nations found to provide adequate protection for personal data, transfers to the U.S. may only take place when appropriate safeguards and limitations can be demonstrated. Absent that, under the GDPR, data cannot be transferred.16

As relevant to U.S. discovery requests, the likely legal bases for processing and transferring personal data are set forth in GDPR Article 49, and include (a) processing and transfer with the express consent of the data subject; (b) processing and transfer in connection with the establishment, exercise, or defense of legal claims; and, as a "last resort," (c) processing and transfer where there is a compelling legitimate interest, which interest is not "overridden by the interests or rights and freedoms of the data subject."17 (GDPR, Arts. 6(1)(c), 6(3), 49(1), 49(1)(a) and 49(1)(e)).

Litigants that wish to rely on the consent of the individual must be able to show that consent was voluntary, unambiguous, obtained after a notice that conveyed the request for consent in clear and plain language, specific for the particular data processing and transfer, demonstrated through a clear statement or affirmative action, and the consent must be revocable. (GDPR Arts. 4(11), 7, 49(1)(a)). Consent must be obtained from each individual with personal data subject to processing, which may not be practical for U.S. discovery. Because employee-employer relationships may be seen as coercive, it may be difficult for employers to demonstrate that consent was voluntarily given without fear of retaliation. In circumstances where the reasons for processing and transfer cannot be fully disclosed, consent cannot be obtained. Additionally, the revocable nature of the consent may make it difficult for a producing party to comply with the GDPR throughout the lifecycle of U.S. litigation. As such, it may be difficult to obtain consent in a manner and scope sufficient to provide a lawful basis for processing in U.S. litigation.

[Page 163]

Under Article 49(1)(e), data transfers are permissible where they are "necessary for the establishment, exercise, or defense of legal claims." Because the Derogations Guidelines specifically mention data transfers for the purpose of formal pre-trial discovery in civil litigation as falling within this derogation, it provides the most likely legal basis for processing and transfer to the U.S. in connection with e-discovery. This derogation cannot be used where legal proceedings are a mere possibility, but can be used by a Data Controller to institute proceedings in a Third Country.18 To comply with GDPR, there must be a close connection between the personal data and the legal proceeding and the transfer must be necessary for the "establishment, exercise or defense" of the legal claim.

Where a data transfer cannot be based on safeguards such as binding corporate rules, participation in the Privacy Shield Program, or other derogations, Article 49(1) § 2 provides that personal data can be transferred if it is "necessary for the purposes of compelling legitimate interests." (GDPR Arts. 45, 46, 49). The Derogations Guidelines note that this derogation is meant as a "last resort," dependent on the Data Controller’s ability to demonstrate both that there were no other possible bases to support the data transfer, and that there is a compelling and legitimate interest at stake for the Data Controller. This derogation can only be used in a non-repetitive manner and can only involve a "limited number of data subjects," and so may not be appropriate for complex U.S. e-discovery requests.19


Although the GDPR’s stiff new penalty provisions heighten the stakes for EU/EEA entities facing U.S. discovery requests, conflicts between the U.S. discovery regime and European law are nothing new. U.S. courts historically have prioritized U.S. legal interests over conflicting foreign law. Following the comity analysis set forth by the U.S. Supreme Court in Société Nationale Industrielle Aérospatiale v. U.S. District Court for the Southern District of Iowa, 482 U.S. 522 (1987), courts weigh the interests of the litigants, the hardship for the producing party, the interests of the United States in enforcing its discovery regime, the interests of the foreign sovereign under applicable law, and the likelihood of enforcement action against a producing party under the foreign law at issue.20 U.S. courts have afforded limited deference to foreign privacy regimes, typically compelling production in compliance with the U.S. discovery regime.21 Given the GDPR’s codification of new individual rights and the new potentially stiff penalties associated with non-compliance, some commentators have suggested that the balancing of the interests by U.S. courts must shift with respect to the protections U.S. courts afford entities subject to the GDPR.

[Page 164]

Finjan Inc. v. Zscaler Inc., No. 17-cv-6946, 2019 WL 618554 (N.D. Cal. Feb. 14, 2019), is one of the first U.S. decisions to test that theory in the context of the GDPR. The Finjan court concluded that the GDPR "does not preclude the Court from ordering Defendant to produce the requested e-mails in an unredacted form, subject to the existing protective order."22 As with decisions pre-dating the GDPR’s effective date, the Finjan court affirmed that a concrete showing of hardship, or at least a showing of actual likelihood of a GDPR-related enforcement action, is necessary to support a claim of undue burden to shield documents from production.23

In Finjan, the defendant asserted that it could not produce e-mails of a U.K. citizen employee without violating the GDPR, claiming that personal data contained within the ESI captured by the plaintiff’s search terms would result in the production of personal data irrelevant to the litigation.24 Because any irrelevant personal data would need to be redacted or anonymized to comply with the GDPR, and the costs associated with GDPR compliance would pose an undue burden, defendant also proposed cost sharing for anonymization and redaction, if plaintiff was unwilling to narrow its request or forgo production in favor of U.S. sources. The plaintiff opposed defendant’s requests, asserting that an "Attorney’s Eyes Only" production would satisfy the GDPR, and that other measures would impede its review.25

The Finjan court applied the Aérospatiale test applicable in the Ninth Circuit to consider (1) the importance of the documents or other information requested to the litigation; (2) the degree of specificity of the request; (3) whether the information originated in the United States; (4) the availability of alternative means of securing the information; (5) the extent to which noncompliance would undermine important interests of the United States; (6) the extent and the nature of the hardship that inconsistent enforcement would impose upon the person; and (7) the extent to which enforcement by action of either state can reasonably be expected to achieve compliance with the rule prescribed by the state.26 Concluding that the first three factors weighed in favor of production, because the documents at issue were directly relevant to the litigation, the request was sufficiently tailored, and the defendant was a U.S. company, the Court turned to the defendant’s assertions regarding alternative means of accessing the information at issue, and to the Court’s task of balancing national interests and weighing the burden posed by the requests.27

[Page 165]

Here, the Finjan court made clear that entities seeking protection from U.S. courts under the GDPR must provide more than bare assertions regarding the GDPR’s applicability and any burden that would result. For example, the defendant in Finjan asserted that the production at issue would be duplicative of other ESI present in its U.S. operations, but failed to show that this assertion was based on its review of the ESI at issue.28 Similarly, while the defendant claimed that the GDPR barred the production of personal data contained within the ESI, it failed to show on what bases production was purportedly barred, and failed to make any showing regarding the extent to which the U.K. enforced the GDPR. In the absence of any showing regarding the U.K. interest in preventing production, the strong American interest in protecting its patents weighed strongly in favor of production. Given all these factors, and considering the presence of an existing and effective protective order for the matter, the Court found no grounds to deny the plaintiff’s request for production, in unredacted form.29


Following Finjan, where litigants seek narrowly-tailored discovery of non-duplicative documents directly relevant to the subject matter of the litigation from an entity subject to the jurisdiction of U.S. courts, and have entered into a protective order limiting access to documents containing personal information, the GDPR appears to present no barrier to the production of unredacted documents.30 If EU/EEA entities that respond to U.S. discovery requests face enforcement actions and fines, U.S. courts’ hardship analysis may change. In the absence of enforcement actions in the EU/EEA, the legal landscape for U.S. litigants seeking discovery from EU/EEA litigants in U.S. courts appears largely unchanged by the GDPR, from the perspective of court intervention.

[Page 166]

Practitioners representing EU/EEA clients should evaluate the risks associated with U.S. e-discovery as soon as practicable after discovery is reasonably anticipated—before transferring any data to the U.S.—including a source-by-source evaluation of the amount and type of personal data covered by the GDPR that may be subject to processing for review and transfer. Where possible, U.S. data sources should be identified and prioritized. The Sedona Conference recommends measures including consideration of the Hague Evidence Convention and letters rogatory for the taking of evidence to justify data transfer, incorporating the Standard Contractual Clauses set forth by the EU Commission in agreements relating to data processing and transfer, developing a processing plan that considers protection of personal data (including data minimization, redaction or anonymization), and—where feasible—conducting in-country data processing and review. At all stages, practitioners should ensure careful documentation of all steps taken to protect the privacy of individuals.31

Litigants can take steps to avoid the need for court intervention by raising issues pertaining to GDPR-compliance early in litigation, including meeting and conferring regarding data sources, retention, and scope.32 Litigants should also consider safeguards such as protective orders33 incorporating agreements regarding the handling of personal data in litigation and specifically addressing documents and information (such as metadata) subject to the GDPR, a phased discovery schedule that allows time to implement GDPR-compliant ESI processing, selecting vendors that are experienced in facilitating GDPR compliant Third Country data-transfers, and should think ahead to the treatment of personal data during motion practice and at trial, particularly given the common law presumption of public access to judicial documents.34

[Page 167]



1. Lesley Weaver is a partner at Bleichmar, Fonti & Auld, LLP, where she focuses on antitrust, consumer and privacy law litigation matters, including In re Volkswagen "Clean Diesel" Consumer Litigation and In re German Autos Antitrust Litigation. Anne Davis is an associate in the firm; she focuses her practice on complex investigations and litigation of antitrust, consumer, privacy, and securities matters.

2. Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation ("GDPR")).

3. Finjan Inc. v. Zscaler Inc., No. 17-cv-6946, 2019 WL 618554 (N.D. Cal. Feb. 14, 2019).

4. The European Economic Area ("EEA") includes non-EU member states Iceland, Liechtenstein, and Norway. Entities that are not physically located in the EU/EEA, but have employees in the EU/EEA, provide goods and/or services to EU residents and transfer personal data outside the EU, or maintain electronic records of EU/EEA employers on servers outside the EU/EEA, are all subject to the GDPR. See Guide to the General Data Protection Regulation (GDPR), Information Commissioner’s Office ("ICO Guide"), International Transfers, (last visited Mar. 26, 2019). Thus, U.S. employers, companies, educational institutions, and similar organizations that employ EU/EEA residents, sell products or services to persons residing in the EU, or have EU/EEA residents as students in their school programs or as members of their organizations are all subject to the GDPR.

5. A "Data Controller" is a person or entity which "determines the purposes and means of the processing of personal data." GDPR Art. 4(7).

6. A "Data Processor" is a person or entity which processes personal data on behalf of the Data Controller. Id. Art. 4(8).

7. ICO Guide.

8. Directive 95/46/EC of the European Parliament, Official Journal L 281, Nov. 23, 1995, P. 0031-0050 ("1995 Directive"). Unlike the 1995 Directive, which required implementing legislation by EU member states, the GDPR is a regulation, and is directly enforceable.

9. See, e.g., Fed. R. Civ. P. 5.2 (providing for the redaction in court filings of identifiers such as social security number, tax-payer identification number, date of birth, financial account numbers, and information pertaining to the identification of a minor person).

10. The GDPR also provides protection for certain "special categories of data," including personal data revealing racial or ethnic origin, protected viewpoints, trade union membership, genetic and biometric data, and data concerning health, sex life, or sexual orientation. GDPR Art. 9. The processing of Art. 9 data is strictly prohibited, subject to limited exceptions such as express consent. Id. Art. 9.2. Article 9 data is outside the scope of this article.

11. Amicus Brief at 1; see also, Charter of Fundamental Rights of The European Union, Art. 8(1), 2012 O.J. (C 326/02) (stating that all people have "the right to the protection of personal data concerning him or her.").

12. The GDPR defines Data Processing as: "[a]ny operation or set of operations performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction." GDPR Art. 4.

13. Sedona Conference, The Sedona Conference Practical In-House Approaches for Cross Border Discovery & Data Protection (2016)

14. See Brief of the European Commission on Behalf of the European Union as Amicus Curiae in Support of Neither Party, at 14-15, United States v. Microsoft Corp., No. 17-2 (S. Ct. Dec. 13, 2017) ("EC Brief") ("Article 48 makes clear that a foreign court order does not, as such, make a transfer lawful under the GDPR . . . GDPR thus makes "mutual legal assistance treaties," or "MLATs," the preferred option for transfers . . . a transfer to a third country thus could proceed only if it qualified under Article 49 [derogations for specific situations]."). The Microsoft case involved the Stored Communications Act and overseas data transfer, which dispute was mooted by superseding law.

15. See, ICO Guide, Lawful basis for processing; see also Article 29 Data Protection Working Party, Working Document 1/2009 on pre-trial discovery for cross border civil litigation,

16. Transfers outside of the EU/EEA are referred to as "Third Country Data Transfers." GDPR Art. 44. A "Cross Border" transfer occurs when data is transferred within the EU/EEA. Id. Art. 4.

17. European Data Protection Board, Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679, Sections 2.1, 2.5, and 2.8 ("Derogations Guidelines").

18. Derogations Guidelines, Section 2.5.

19. Id., Section 1.

20. See, e.g., Aerospatiale, 482 U.S. at 544, n.29 (rejecting a French blocking statute that called for criminal penalties for production of certain documents, setting forth a comity analysis, and holding that foreign statutes do not deprive American courts of the power to order production of documents, even where the production might violate the statute.), citing Societe Internationale Pour Participations Industrielles et Commerciales, S.A. v. Rogers, 357 U.S. 197, 204-206 (1958).

21. See, e.g., St. Jude Med. S.C. v. Janssen-Counotte, 104 F. Supp.3d 1150, 1162 (D. Or. 2015) (German Data Privacy Act held not to be an impediment to U.S. discovery; U.S. has substantial interest in vindicating rights of U.S. citizens); Pershing Pacific West, LLC v. Marinemax, Inc., 2013 WL 941617, at *8-9 (S.D. Cal. Mar. 11, 2013) (U.S. interests in vindicating rights of its citizens held to outweigh provisions of German Data Privacy Act). See also, Sant, Geoffrey (2019) "Courts Increasingly Demand That Businesses Break the Law," Akron Law Review: Vol. 52: Iss. 1, Article 4 (reviewing recent cases applying the Aerospatiale test, finding that courts typically order production).

22. Finjan, at *3, citing cases ("the burden of showing that the law bars production is not satisfied where there is no evidence of the extent to which the government enforces its laws.").

23. Id.

24. Id. at *1.

25. Id.

26. Id. at *1. See also, Sant, 128-130 (discussing circuit split on the factors considered in conducting a comity balancing test following Aerospatiale, noting that in the Ninth Circuit, courts apply a seven-factor balancing test, citing Richmark Corp. v. Timber Falling Consultants, 959 F.2d 1468, 1475 (9th Cir. 1992)).

27. Finjan, at *2.

28. Id.

29. Id. Other courts, pre-GDPR, have reached similar conclusions. See, e.g., Royal Park Investments SA/NV v. HSBC Bank USA N.A., 2018 WL 745994, at *2 (S.D.N.Y. Feb. 6, 2018) (holding that plaintiff improperly withheld document custodial information and redacted individual names and email addresses in deference to Belgian Data Privacy Act; comity analysis found to weigh in favor of compelling bank to produce documents in unredacted form, with custodial information restored).

30. Id. at *1.

31. Sedona Conference, The Sedona Conference International Principles on Discovery, Disclosure & Data Protection in Civil Litigation (Transitional Edition) (2017)

32. Id.

33. Id. at 33 (Model U.S. Federal Court Order Addressing Cross-Border ESI Discovery)

34. See Kamakana v. City and County of Honolulu, 447 F.3d 1172, 1178 (9th Cir. 2006) (discussing the right of public access to judicial records).
