Academic journal article Defense Counsel Journal

General Data Protection Regulation in U.S. Litigation through Mid-Summer 2019

Academic journal article Defense Counsel Journal

General Data Protection Regulation in U.S. Litigation through Mid-Summer 2019

Article excerpt

IN JANUARY 2012, the European Commission set out plans for data protection reform across the European Union. One of the key components of the reforms was the introduction of the General Data Protection Regulation (GDPR). (1)

The GDPR is a comprehensive set of rules designed to give European Union citizens more control over their personal data. The GDPR applies, generally, to any organization operating within the European Union, as well as organizations outside of the European Union which offer goods or services to customers or businesses in the European Union among others. Almost every major corporation in the world is affected by this legislation. This legislation came into force across the European Union in May 2018.

There has been considerable uncertainty how GDPR will be addressed in litigation commenced in the United States. However, as a year has passed, motions relating to GDPR are beginning to be adjudicated, and trends are starting to occur. This article provides a detailed summary of courts' treatment of GDPR-related arguments and summarizes the potential impact of GDPR on United States litigation.

I. Impact of GDPR currently

As of July 19, 2019, eleven federal cases reference "GDPR" or the "General Data Protection Regulation." No state court cases appear. Of the cases returned, four are from the United States District Court for the Southern District of New York, (2) and two are from California, (3) one from the Central District of California and the Northern District of California. The remaining five cases originate from District Courts in Washington, Maryland, Alabama, Utah, and Florida. (4)

These eleven cases generally involve discovery disputes, often in intellectual property matters. In these scenarios, the responding party has raised GDPR as a bar or impediment to a full discovery response. In general, courts have proceeded under a normal Rule 26 analysis in evaluating the discovery requests and/or objections, while paying additional attention to the objections involving the GDPR or similar and/or related European laws. The extent of the discussion of the GDPR hinges, generally, on the significance of the discovery sought and accuracy of the assertion of the regulation as a bar or impediment to the discovery sought. This discussion is often accompanied by an analysis of the evidence supplied by the objecting party related to the precise requirements and burdens of the GDPR on the party, the risks those requirements create for the party if responses were made as demanded, and the costs of complying with the requirements.

Not surprisingly, where respondents provided little specificity concerning the regulation or supporting evidence of burdensomeness, the arguments received less credence. Some responding parties concede GDPR is not a bar to responding, but stress the costs of a GDPR-compliant response. However, given the level of the courts' discussion of the GDPR in these eleven cases, it is sometimes difficult to determine from the opinions the detail with which the regulation was briefed and argued. A review of selected discovery briefings suggests that arguments as to burden have not been significantly developed, for example through itemization of GDPR connected costs. Based on the cases so far, mere citation of the GDPR or another foreign state's data protection regime provides no categorical basis for relief from United States discovery.

Parties seeking discovery resist the responsive party's arguments grounded in the GDPR as vigorously as arguments grounded in any other basis offered to block or limit discovery. In the apparent interest of fairness, however, some courts have already added protective terms to discovery orders to limit the dissemination of personal or proprietary data, even where the reasoning leading to the court's decision would not have suggested it would implement such measures. In one case, shortly after the GDPR came into effect, the United States District Court for the District of Maryland acknowledged the parties' efforts to address issues arising under the GDPR by supplementing the protective order to add language governing the processing and handling of data from foreign custodians covered by the GDPR. …

Search by... Author
Show... All Results Primary Sources Peer-reviewed


An unknown error has occurred. Please click the button below to reload the page. If the problem persists, please try again in a little while.