This article originally appeared in the Fall 2018 edition of The Middle Ground, the semi-annual newsletter of the North Carolina Middle District Chapter of the Federal Bar Association.
On May 25, 2018, the EU implemented the General Data Protection Regulation (more commonly known as the GDPR). Steep penalties for GDPR violations are capturing the attention of US companies. Violators can be fined up to 20,000,000 euros or 4% of worldwide annual revenue, whichever is higher.
The GDPR can apply to US-based businesses even if they do not have a single office or employee in the EU. Importantly, there is no “threshold” number of individuals that must be affected by a company’s activities before triggering application of the GDPR. For example, consider a North Carolina-based company with no employees or physical location in the EU that operates a website and sells its products to customers located in France and Spain. The company has always focused on the US market, but recently EU consumers have shown an interest in the products and the company is slowly expanding into the European market. The company accepts orders from EU customers, ships the products to the EU and dedicates some marketing space on the website to target customers in the EU. The GDPR applies to this North Carolina company’s activities—even though EU customers represent only a small percentage of the company’s customer base. The GDPR would also apply to a US-based company offering products or services to customers in the EU even if those products or services are offered for free. The GDPR even applies to US companies that merely monitor the behavior of individuals located in the EU.
The GDPR spans 99 Articles and many more Recitals and incorporates guidance documents issued by EU regulators. However, the most basic objective of the GDPR is to protect individuals with regard to the personal data that organizations process, store, collect, share and otherwise use. All of the obligations of the GDPR flow from this basic objective.
Under the European view of privacy, an individual has a fundamental right and freedom to the protection of his or her personal data, and the GDPR defines “personal data” far more broadly than any US law. In shorthand, “personal data” is any data that relates to an individual directly or indirectly. This definition encompasses far more data than most businesses initially believe. To go back to the NC company described in the example above, the personal data at issue includes at a minimum: the customer’s name, physical address, email address, phone number, billing address and payment information. The company likely collects other personal information as the customer spends time on the website, such as the user’s IP address. If the customer creates an online account, the company likely collects other categories of personal information (such as gender, date of birth, location data, etc.). All of this information is protected by the GDPR.
Because of the broad obligations the GDPR imposes, compliance is no small undertaking. In external communications, a business must be transparent and provide notice to customers and website visitors about the type of data it collects and how it uses such data. (This is the reason for all of the updated privacy policies you may have received.) Behind the scenes, the company should map all of its data flows and create a detailed record of the data it collects, who has access to it, where the data is located, and the legal bases and purposes of such collection. The company should identify each third party with which it shares the personal data, such as service providers and partners, and will likely need to update its contracts with each such party to include GDPR-required language. The company will need to refresh or create policies and procedures to respond to security incidents, to meet data retention requirements, to handle requests from individuals to exercise certain rights (explained below), and to document its information security policies. The company will need to implement a mechanism to lawfully transfer data outside of the European Union and to the US (or to other non-EU countries if the company uses third-party providers or contractors in India, for example). The above list of action items is not exhaustive, but provides insight into the type of work that many companies across North Carolina and the world have been engaged in since the GDPR was announced several years ago.
In addition to the proactive steps listed above, a company will also have to be reactive in certain instances. EU customers have enhanced rights under the GDPR, and a company must be able to respond to requests from customers to enforce these rights (generally at no cost, and within 30 days from the request). For example, under the GDPR an individual has the right to access the personal data held by the company, to request correction of the personal data, and to withdraw consent or object to the processing of the personal data. There are exceptions and nuances to the individual rights required under the GDPR, but a company must tell the EU consumers that these rights exist and be able to efficiently respond to requests (which requires putting policies and procedures in place to identify the requests when they are received and to ensure that employees respond to them in accordance with the requirements of the GDPR).
GDPR’s Impacts on Litigation
The potential for regulatory enforcement actions in the EU based on GDPR violations is obvious and, in fact, the filing of such actions began in several European countries within hours of the GDPR’s implementation. Perhaps less obvious is the potential for US-based litigation flowing out of the GDPR but not based directly on GDPR compliance or noncompliance. For example, one major social media platform has already been targeted by a shareholder class action suit based not on the company’s GDPR compliance but on its alleged misrepresentations about the extent to which the GDPR is expected to affect the company’s financial outlook.
The GDPR has the potential to impact the litigation process even more broadly whenever European companies are involved as parties, witnesses, or document custodians. Take the scenario in which a European company or its US-based subsidiary is served with requests for production under Fed. R. Civ. P. 34 or a subpoena commanding the production of documents under Fed. R. Civ. P. 45 relating to litigation in a US court. Responding to such a request will usually include the collection of electronically stored information and documents, including emails, contracts, invoices, billing documentation, and the like. Under the GDPR, arguably each individual whose personal data is included in this collection has a right to review the data, including individuals outside the responding organization. Questions then arise about the extent to which these individuals have the right to demand that their personal data be omitted or deleted and the amount of time a responding party should be given to comply with its GDPR obligations before producing the documents. In short, the company’s obligations under the GDPR may be in severe tension with its obligations under the Federal Rules of Civil Procedure. And, though the GDPR includes theoretical exceptions based on the need to comply with legal obligations or to establish or defend against legal claims, the lack of meaningful guidance on what these exceptions cover, coupled with the potential for huge penalties for GDPR violations, makes reliance on the exceptions a daunting proposition.
Adding to a European company’s concerns when faced with US discovery is the fact that US courts, including in the Middle District, generally have not been sympathetic to discovery objections based on foreign law. See, e.g., Rich v. KIS California, Inc., 121 F.R.D. 254, 258 (M.D.N.C. 1988). In Rich, the Court explained that (1) under Supreme Court precedent, the foreign defendants could not require the plaintiff to use the Hague Convention on Taking Evidence Abroad rather than the discovery mechanisms allowed under the Federal Rules of Civil Procedure and (2) a French law designed to protect French businesses from foreign discovery was broad, vague, and not entitled to deference. Id. In the only federal court decision in which the GDPR’s impact on discovery appears to have been addressed to date, the Court was not persuaded by a party’s objection to preserving and producing certain data based in part on the burdens imposed by the GDPR. Corel Software, LLC v. Microsoft Corporation, No. 2:15-cv-00528, 2018 WL 4855268 (D. Utah Oct. 5, 2018). In that infringement action, Microsoft argued that it should not be required to continue to retain and produce certain data in part because of the costs and burden associated with anonymizing the data to comply with the GDPR. Id. at *1. Based on an analysis of the proportionality factors set forth in Fed. R. Civ. P. 26, the Court disagreed and ordered Microsoft to produce without addressing the GDPR specifically. Id. at *2-3.
In sum, that the GDPR has the potential to significantly impact US litigation is clear, but the extent to which that potential will be realized is yet to be worked out in the Courts both here and abroad.