Cornell Law Review

The European Union’s (EU) recently enacted General Data Protection Regulation (GDPR) is being billed as “the most important change in data privacy regulation in 20 years.”^{11. The GDPR, EUGDPR.ORG, https://eugdpr.org/ [https://perma.cc/WZC2DJFA] (last visited Mar. 20, 2019).} The GDPR sets forth a stringent set of binding regulations that govern how data controllers and processors manage the private electronic data of EU citizens.^{22. GDPR Key Changes, EUGDPR.ORG, https://eugdpr.org/the-regulation/ [https://perma.cc/KU3F-T26B] (last visited Mar. 20, 2019).} In an audacious effort to ensure comprehensive privacy protection for EU citizens in a globally connected digital landscape, EU regulators have made the GDPR apply extraterritorially.^{33. Id.} The regulation extends beyond the borders of the European Union, reaching any entity that stores or processes the personal data of EU citizens regardless of where that data is stored or processed.^{44. See Commission Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC, ¶ 22 (General Data Protection Regulation), 2016 O.J. (L119) 1 (EU) [hereinafter GDPR].}

The GDPR’s extraterritorial reach sets this groundbreaking regulation on a collision course with the equally far-reaching, party-driven discovery regime embraced by United States courts. The GDPR’s rigorous protections—such as limits on transferability and a data subject’s “[r]ight to erasure”^{55. Id. art. 17.}—may make it impossible for a party to comply with both the requirements of the GDPR and a United States-issued subpoena duces tecum for electronically stored information (ESI) protected by the GDPR. In facing this conflict, U.S. courts may soon be asked to decide whether to uphold the United States’ preference for expansive civil discovery or yield to principles of international comity and fairness to parties caught between a “rock and a hard place.”^{66. See In re Vitamin C Antitrust Litig., 584 F. Supp. 2d 546, 551 (E.D.N.Y. 2008) (“The defense of foreign sovereign compulsion . . . focuses on the plight of a defendant who is subject to conflicting legal obligations under two sovereign states. Rather than being concerned with the diplomatic implications of condemning another country’s official acts, the foreign sovereign compulsion doctrine recognizes that a defendant trying to do business under conflicting legal regimes may be caught between the proverbial rock and a hard place where compliance with one country’s laws results in violation of another’s.”)}

In examining this issue, a number of practitioners and scholars have noted that the foreign-state compulsion defense may be available to a party caught between U.S. discovery obligations and the requirements of the GDPR.^{77. See What to Do When You Can’t Comply: Foreign Sovereign Compulsion as a Potential Defense to Conflicts Between U.S. Discovery Obligations and the GDPR, ASS’N CORP. COUNSEL (July 24, 2018), http://www2.acc.com/legalresources/quick counsel/conflicts-between-us-discovery-and-gdpr.cfm?makepdf [https:// perma.cc/T65M-GQ4Z].} The foreign-state compulsion defense is a discretionary doctrine that allows a U.S. court to excuse or moderate sanctions for breaches of U.S. law when a party would violate foreign law by complying with U.S. law.^{88. Don Wallace, Jr. & Joseph P. Griffin, The Restatement and Foreign Sovereign Compulsion: A Plea for Due Process, 23 INT’L L. 593, 593–94 (1989).} While many of these commentators have written about the availability of the foreign-state compulsion defense for extraterritorial U.S. discovery (i.e., the discovery of evidence located abroad),^{99. See generally Melinda Levitt, GDPR and U.S. eDiscovery—Who Will Win the Game of Chicken, FOLEY & LARDNER LLP (June 20, 2018), https://www.foley.com/ en/insights/publications/2018/06/gdpr-and-us-ediscovery—who-will-win-thegame-of-c [https://perma.cc/KUP2-Z5HP] (concluding that U.S. courts will likely continue to compel extraterritorial discovery even if it requires a party to violate the GDPR); David J. Kessler et al., The Potential Impact of Article 48 of the General Data Protection Regulation on Cross Border Discovery from the United States, 17 SEDONA CONF. J. 575 (2016) (assessing how U.S. courts may respond to Article 48 of the GDPR, which regulates data requests from a court, tribunal, or other administrative agency outside of the European Union).} very few have examined the application of the doctrine to territorial discovery (i.e., the discovery of evidence located within the territorial jurisdiction of the United States). This gap in the literature leaves a critical question unexamined and unanswered: Can a party invoke the doctrine of foreign-state compulsion to defend against a discovery request that would require the party to disclose GDPR-protected information when the information sought to be discovered is presently located in the United States?

This Note in no way answers the myriad questions surrounding the probable conflict between U.S. civil discovery and the GDPR, and this Note refrains from speculating as to how U.S. courts may ultimately treat discovery motions that would require a party to violate the GDPR.^{1010. See generally Finjan, Inc. v. Zscaler, Inc, No. 17-cv-06946-JST, 2019 WL 618554, at *1–3 (N.D. Cal. Feb. 14, 2019) (applying the factors listed in Richmark Corp. v. Timber Falling Consultants, 959 F.2d 1468, 1475 (9th Cir. 1992) and ordering discovery of information potentially protected by the GDPR); Corel Software, LLC v. Microsoft Corp., No. 2:15-cv-00528-JNP-PMW, 2018 WL 4855268, at *1–3 (D. Utah Oct. 5, 2018) (denying Microsoft’s petition for a protective order despite Microsoft’s claim that the retention and production of GDPR-protected telemetry data would be unduly burdensome and disproportionate to the needs of the case).} Rather, this Note aims to make two contributions. First, this Note addresses a series of threshold descriptive and normative questions that are mostly unaddressed by scholars, the Restatements of Foreign Relations Law, and the courts: Is the doctrine of foreign-state compulsion available to defend against a territorial discovery order or is the foreign-state compulsion defense limited to extraterritorial acts? How have courts applied the doctrine to territorial discovery, if at all? Should the foreign-state compulsion defense be territorially limited? Second, if the foreign-state compulsion defense is available to defend against a territorial discovery order, how do courts account for the fact that the information is presently located in the United States when applying the doctrine? Should courts account for the present location of ESI, and, if so, how much weight should the present location of data be given in a court’s analysis?

In Part I, this Note begins by detailing the GDPR’s extraterritorial reach, expansive privacy protections, and severe penalties for breach. Part II examines the foreign-state compulsion doctrine in the context of U.S. discovery. Part III asks whether a party can defend against a territorial discovery order by in- voking the doctrine of foreign-state compulsion. In answering this question, this Note points out the lack of caselaw addressing this particular issue and addresses inconsistencies in the Fourth Restatement of Foreign Relations Law’s discussion of possible territorial limits on the doctrine of foreign-state compulsion. This Note then argues that a party should be able to invoke the foreign-state compulsion doctrine to defend against a territorial discovery order because the principles underlying the doctrine—international comity and fairness to the parties— are implicated regardless of whether the violation of foreign law is said to take place in the United States or abroad. Ultimately, this Note concludes that, in the context of U.S. discovery, the foreign-state compulsion defense should be domesticated. That is, the defense should be available whenever an actual conflict exists between two sovereigns with legitimate claims to jurisdiction over the party to be compelled or the discoverable materials at issue, even if the discoverable materials are located in or controlled from the United States.

Part IV proceeds with the assumption that the foreign-state compulsion defense is available for territorial discovery. Under the comity-balancing test articulated by the Supreme Court in Aérospatiale, U.S. courts are not explicitly directed to account for the present location of discoverable information when applying the doctrine of foreign-state compulsion.^{1111. See Socíeté Nationale Industrielle Aérospatiale v. U.S. Dist. Court for the S. Dist. of Iowa, 482 U.S. 522, 544 n.28 (1987).} Nonetheless, a number of courts have considered the present location of the discoverable materials at issue when deciding whether to compel discovery despite a contrary foreign law.^{1212. See SEC v. Stanford Int’l Bank, Ltd., 776 F. Supp. 2d 323, 333 (N.D. Tex. 2011).} This Note concludes that, when it comes to GDPR-protected ESI stored in the United States, the present location of the discoverable data should not be independently considered in the courts’ comity-balancing test. Rather, a court should account for the present location of data only if the present location is relevant to the court’s assessment of an enumerated Aérospatiale factor—such as the availability of an adequate alternative mechanism for obtaining the information.

To read more, click here: Domesticating Comity: Territorial U.S. Discovery in Violation of Foreign Privacy Laws.