Well, it has now happened. The European Union's new General Data Protection Regulation (GDPR) went into effect on May 25, 2018. In the lead-up to G-Day, commentators published a voluminous amount of material in legal journals, newsletters, and blog posts about what the GDPR is, what it is supposed to accomplish, how to comply with it, the potential penalties for not complying, and the challenges that U.S. companies face in re-working their entire data maintenance practices to keep pace with the GDPR's requirements. One topic, however, that has gotten scant attention is what the GDPR will mean for litigators seeking discovery from Europe. Well, here is a prediction - U.S. courts will have little patience for GDPR compliance requirements if the result is a failure to preserve electronically stored information (ESI), a substantial delay in producing requested documents and data, or an outright refusal to produce the materials requested.
First, let's examine - very briefly - what the GDPR is and what it requires. (For more detailed descriptions, please refer to the aforementioned materials that have been published in recent months.) Simply put, the GDPR is a mandatory regulation designed to protect an individual's privacy by limiting how electronic information about that person may be maintained, processed, used, or transferred. The GDPR is applicable in all 28 EU member states, as well as in the slightly wider European Economic Area (EEA), which includes non-EU member states such as Iceland and Norway. Even if a company is not physically located in those countries, if it offers goods or services to individuals located in the EU/EEA, or monitors their behavior, then the GDPR applies to that entity (GDPR, Art. 3(2)). So, yes - the GDPR applies equally to a business based in Paris, France selling over the internet to individuals in Italy, and to a business located in Paris, Texas, offering goods or services to people located in Ireland. Moreover - and probably most importantly in terms of ediscovery - the GDPR is applicable to employers of people located in the EU/EEA and to entities that maintain electronic records of a European company's employees.
Two things make GDPR compliance - or the failure to comply - particularly daunting. First is the regulation's definition of "personal data" and the rights given to an individual to control the electronic data containing such personal information. More on this in a moment. Second is the financial "bite" that EU regulators put into the GDPR, a bite which far exceeds any potential fines that theoretically existed under previous EU or individual country rules. Specifically, the GDPR allows for administrative fines for failure to comply with, among other things, the GDPR's data transfer provisions of up to €20 million (about $23.5 million) or 4% of the violating company's total worldwide annual turnover for the preceding financial year, whichever is higher - and that revenue amount can be calculated across the violating company's corporate worldwide parents, subsidiaries, and other affiliates. GDPR, Art. 83(5). Granted, fines at the highest level are reserved for the most egregious situations, but there can be no question that it was the potential threat of these hefty fines that caught the attention of companies throughout the world and led to the enormous efforts over the last year or so to develop GDPR-compliant data policies.
Turning back to the challenges raised by "personal data" under the GDPR, U.S. litigators should understand that the GDPR defines personal data as "any information relating to an identified or identifiable natural person." GDPR, Art. 4(1). This definition is far broader than what U.S. practitioners typically recognize as sensitive personal information worthy of protection - e.g., a person's name in conjunction with the person's social security number, bank account numbers, or health records. The GDPR's reference to "any" information includes, at least, the person's name in conjunction with the person's email address (business or personal), a physical address or telephone number, or just about anything else that can directly or indirectly identify a specific person. For example, just think of the typical footer people often include at the end of business emails listing the person's name, company, title, business address, business telephone number, mobile telephone number, and email address. Under the GDPR, all of that information constitutes "personal data." Likewise, the GDPR definition is broad enough to capture an individual's IP address, which can be found in data logs or other electronic records - information that could well be caught up in ESI discovery requests.
As to an individual's rights over his/her personal data, the European Commission (EC) explained, in an amicus brief filed with the U.S. Supreme Court last December, that the EC regards "protection of personal data [as] a fundamental right" and that the GDPR reflects the EU's interest in protecting such rights.1 The GDPR requires...