On May 25, 2018, the European Union's General Data Protection Regulation ("GDPR") went into effect. The GDPR is a new data privacy regulation designed to create binding, consistent protections for EU citizens across all EU Member States, but its effects will be felt far outside of the EU. As one important example, companies subject to both U.S. discovery obligations and the requirements of the GDPR - a category that includes any U.S. corporation that stores the personal data of EU citizens - face a real risk that they may be subject to contradictory obligations under U.S. and EU law. For instance, under U.S. law, a company may be subpoenaed for documents within its "possession, custody, or control," regardless of where those documents are located. But it may not be possible for that company to comply with the subpoena if the responsive information is in the EU because the GDPR strictly limits the transfer of personal data to countries outside the EU. Depending on the violation, failing to comply with the GDPR can subject a company to potentially massive penalties - up to 4% of worldwide annual revenues - making noncompliance unpalatable.
To reconcile these competing legal obligations, the doctrine of foreign sovereign compulsion offers a potential solution. This doctrine was historically invoked to mitigate penalties faced by litigants subject to contradictory obligations under U.S. and foreign law. To invoke the doctrine, a party must face severe sanctions for failing to comply with a foreign law and have sought to avoid the conflict in good faith.
For the past 60 years, foreign sovereign compulsion has had little traction in resolving disputes between U.S. and European law relating to civil discovery, but the novel circumstances presented by the GDPR might give rise to new applications of the doctrine. This QuickCounsel will discuss these potential changes and offer advice to companies for how best to situate themselves to invoke the defense.
New Potential for the Foreign Sovereign Compulsion Doctrine in Discovery Disputes
The leading case on foreign sovereign compulsion involving U.S.-style discovery is Société Internationale pour Participations Industrielles et Commerciales, S.A. v. Rogers. 357 U.S. 197 (1958). The Rogers case arose out of events during World War II, and involved a suit by a Swiss company called I.G. Chemie against the successors of a U.S. agency, which Chemie claimed had improperly seized its property. To marshal its defense, the U.S. sought discovery under Federal Rule 34 to obtain "a large number of banking records" held in Switzerland. Chemie argued that production of those documents would violate Swiss penal law. When the district court ordered the discovery anyway, Chemie produced some documents, but did not fully comply with the district court's discovery order. The U.S. government moved to have the Swiss company's case dismissed under Rule 37 as a sanction for its noncompliance. Despite finding that full compliance with the discovery order would violate Swiss law, that there was no proof of collusion between Chemie and the Swiss government, and that there had been a good faith effort by Chemie to comply with the discovery order, the district court dismissed the case, which ultimately was taken on appeal to the U.S. Supreme Court.
The Supreme Court unanimously reversed the dismissal. Relying principally on the fact that the failure to comply was "due to inability, and not to willfulness, bad faith, or any other fault" of its own, and that the "fear of criminal prosecution constitutes a weighty excuse for nonproduction," the Supreme Court reversed the district court's decision to dismiss the case while also noting lower courts' "wide discretion" to issue other, less severe penalties. 357 U.S. at 211-12.
Cases following Rogers have found that the compulsion defense is available even in the absence of criminal penalties. E.g., United States v. First National City Bank, 396 F.2d 897 (2d Cir. 1968) (noting that "criminal sanctions" are not necessary to invoke a compulsion defense). However, U.S. courts have consistently resisted application of the foreign sovereign compulsion defense in the face of so-called foreign "blocking statutes," which are specifically designed to thwart or limit U.S. discovery of documents stored abroad.
But the GDPR is not a blocking statute. It differs in at least three critical ways, which impacts the analysis. First, the privacy rights enshrined in the GDPR are considered to be "fundamental human rights" by both the European Court of Justice and by the EU Member States that are bound by the regulation. Unlike blocking statutes, therefore, the GDPR identifies specific and significant sovereign interests, which will affect how U.S. courts view the relative value of the foreign regulation. And while the blocking statutes were rarely enforced, the likelihood that the GDPR will be enforced is high. The EU's recent actions - including its threats to challenge the newly created EU-U.S. Privacy Shield pact - suggest that it is serious about enforcing privacy rights. Finally, as described above, the potential penalties for violations of the GDPR are massive.
Preparing a Foreign Sovereign Compulsion Doctrine Defense
To present a defense based on conflicting U.S. and foreign sovereign obligations, a party should be prepared to show, first, that it is "likely to suffer severe sanctions for failing to comply with foreign law" and, second, that it "has acted in good faith to avoid the conflict." Restatement (Fourth) of Foreign Relations Law § 222 (Tentative Draft No. 2, Mar. 22, 2016).
Parties attempting to prove that they are "likely to suffer severe sanctions" may struggle to make this showing until the EU has developed a track record of enforcement. In the meantime, parties in this situation can emphasize that, given the magnitude of the potential penalties under the GDPR, even a small likelihood of enforcement still represents considerable risk and that bearing that level of risk is itself a severe sanction.
To show that it has "act[ed] in good faith to avoid the conflict," a party should be prepared to demonstrate that it does not qualify for any of the potential workarounds (known as "derogations") that are written into the GDPR. In the case of prohibited data transfers - the scenario most likely to cause issues for companies attempting to comply with a discovery request - several derogations offer possible mechanisms to transfer the requested data to the U.S. without violating the GDPR. The party should be prepared to argue that none of these apply before it invokes the foreign sovereign compulsion defense:
- Article 49(d) ("the transfer is necessary for important reasons of public interest"): While the argument has been made that this derogation would allow data transfers in at least some types of cases - in fact, the U.S. government made such an argument before the Supreme Court last year in United States v. Microsoft Corp. - other provisions in Article 49 make clear that the "public interests" which are to be considered are those of EU member states. This derogation might not be of use to civil litigants in the U.S., but because it has been misinterpreted by U.S. authorities in the past, parties attempting to raise a compulsion defense may want to show the court why this derogation does not apply.
- Article 49(e) ("the transfer is necessary for the establishment, exercise or defence of legal claims"): Prior EU regulations on transfers included similar provisions to Article 49(e), but the general rule was that discovery did not qualify as "the establishment, exercise or defence" of a legal claim. However, in February 2018, the Article 29 Data Protection Working Party issued guidelines which suggest that a transfer could be made when it is necessary for pre-trial discovery. Civil litigants in the U.S. will need to wait for further guidance to determine whether this derogation will assist them in fulfilling their discovery obligations. In the meantime, litigants might seek to rely upon the prior understanding to support the argument that the derogation does not apply.
- Article 49(1) (legitimate interests "not overridden by the interests or rights and freedoms of the data subject"): When a transfer cannot be based on any of the other provisions of the GDPR, this fallback provision allows for transfers which are 1) not repetitive; 2) concern only a limited number of data subjects; 3) are necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject; and 4) where the transferor has provided suitable safeguards for data protection.
Past practice suggests that there might be ways to transfer documents to the U.S. under this provision if they are sufficiently redacted to remove personal data. For instance, some of the practical techniques that were used to address earlier European privacy laws - such as sending attorneys to the country where the documents were located to conduct responsiveness review and redact personal data before sending a limited set of the documents to the U.S. - may still be an option under this derogation. However, because this provision is so malleable, companies relying on Article 49(1) might be subjecting themselves to the risk that their transfers will be judged not to fall within the derogation. Yet to make a good faith showing that it attempted to comply with its U.S. discovery obligations, a company should at least demonstrate that it has considered whether pre-GDPR techniques are still a viable option for compliance.
Because these provisions are new and many questions of interpretation have not been resolved, a party that believes it can comply with discovery requests by invoking a derogation may be running a substantial risk that its transfer will later be deemed not to fall within the derogation. To minimize that risk, the better strategic choice may be for the company to first attempt to be excused from its discovery obligations by arguing that the foreign sovereign compulsion doctrine applies. For purposes of invoking the doctrine, a party should argue a narrow interpretation of the derogation to the U.S. court to show that it cannot clearly comply with both the U.S. discovery request and the GDPR. That argument, of course, must be based on a reasonable interpretation of the derogation, because the party will not be able to show that it attempted to comply in good faith if it adopts an unreasonably narrow interpretation of a potentially applicable derogation.
Foreign sovereign compulsion doctrine is by no means a surefire method to resolve competing obligations under U.S. discovery law and the GDPR. Yet in light of the potential penalties for non-compliance with GDPR provisions, it presents an avenue for relief worth serious consideration.
GDPR Portal, https://www.eugdpr.org
European Commission, The GDPR: New Opportunities, New Obligations, https://ec.europa.eu/commission/sites/beta-political/files/data-protect…
European Commission, Data Transfers Outside the EU, https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-…
Article 29 Working Committee, Guidelines on Article 49 of Regulation 2016/679, ec.europa.eu/newsroom/article29/document.cfm?doc_id=49771
American Banker, EU's New Data Privacy Law Creates Headaches for U.S. Banks, https://www.americanbanker.com/news/eus-new-data-privacy-law-creates-he…
Francesca Bignami and Giorgio Resta, Transatlantic Privacy Regulation: Conflict and Cooperation, https://scholarship.law.duke.edu/cgi/viewcontent.cgi?article=4747&conte…
SCOTUSblog, United States v. Microsoft Corp., http://www.scotusblog.com/case-files/cases/united-states-v-microsoft-co…