In two May 2020 decisions, US federal courts ruled that the European Union’s General Data Protection Regulation (“GDPR”) does not necessarily serve to protect parties from the obligation to produce relevant documents legitimately requested during the discovery process. In one case the parties took steps sufficient to satisfy the court that personal data was being protected, and the other case involved a citizen of the UK resident in the US trying to invoke GDPR.
In Giorgi Global Holdings, Inc. v. Smulski, the US District Court for the Eastern District of Pennsylvania ordered the defendant in a fraud and racketeering case to comply with discovery requests, in spite of his objection that producing the documents would violate the GDPR and Polish law. Smulski, a US citizen residing in Poland, allegedly deleted information from his company computer that may have been responsive to plaintiffs’ document requests. To determine whether foreign statutes could excuse Smulski’s noncompliance, the court used a multi-factor test from the Restatement (Third) of Foreign Relations Law § 442(1)(c), to examine 1) the importance of the documents requested; 2) the degree of specificity of the request; 3) whether the information originated in the US; 4) whether there are alternative means to obtain the information; and 5) the extent to which the noncompliance would affect the interests of the US. After considering each factor, the court determined that there was a substantial likelihood that any documents received from the defendant would be important because Smulski had not produced any documents to date. The court also found that plaintiffs’ requests for documents were sufficiently specific; that there were minimal – if any – methods to obtain the information elsewhere since the data had been deleted from the company server years before the litigation; and that the US had a substantial interest in the fair adjudication of the matter. Importantly, the court recognized thatPoland had an interest in protecting the data of its citizens, but concluded that the parties had taken adequate measures to protect the personal data of any Polish third parties. The only factor that weighed against production was the fact that most of the documents sought by the plaintiffs originated in Poland or elsewhere outside of the US. Because four of the five factors weighed in favor of production, and Smulski had not demonstrated how the GDPR and/or Polish privacy law barred production, the court held that production of the documents was warranted and compliance with the production request was required.
In Rollins Ranches LLC v. Watson, the US District Court for the District of South Carolina granted plaintiffs’ motion to compel discovery, ordering the pro se defendant in the post-judge phase of a defamation and tortious interference case to comply with requests for email, telephone logs, bank records, and access to electronically-stored information from her social media accounts. Watson, a citizen of the UK who resides in South Carolina, invoked protection under the GDPR, but the court granted plaintiffs’ motion to compel discovery, holding, in accordance with the Supreme Court’s decision in Societe Nationale, that foreign statutes do not limit the power of a US court to order a party under its jurisdiction to produce evidence. The court also concluded that Watson had failed to demonstrate sufficiently how the GDPR prohibited the requested information.