An interesting article by Caitlin Metcalf, Adam Lurie, Doug Davison and Aviva Kushner from Linklaters looking at the recent Telegram case where on 13 January a New York federal judge ordered Telegram Group Inc to disclose bank records containing sensitive data despite the concerns raised that in doing so, could violate the GDPR. It is fair to say that there is a fundamental conflict between GDPR and U.S. discovery rules and when parties are caught in the middle they must find a way of managing that conflict.
The case makes it clear that a party cannot simply use GDPR or other privacy/data protection legislation to shield itself from U.S. discovery rules, and that cost alone will not be an acceptable excuse for not disclosing documents. What is essential, as the article sets out, is that these issues are dealt with early on in the process, ensuring that appropriate privacy assessments are performed.
As the article also sets out, there are generally practical solutions that can be applied to resolve some of the issues around this conflict. This can involve specific processing steps, a more targeted approach to scope and also performing much of the work within the party's infrastructure/premise.
This is something that we have regularly had to deal with and with our global team of experts and resources we are familiar with the challenges and solutions available to present a clear path forward in these situations. If you would like to know more about our global capabilities, please let me know.
The Telegram case is an important reminder that non-US entities will not be immune from US discovery simply because of potential conflicts with GDPR. It will continue to be necessary for organizations to take an informed, risk-based strategic approach, balancing the risks of non-compliance with both GDPR and US court orders. This will usually involve conducting reasonable and well-grounded privacy assessments that strike the right balance and give appropriate weight to individuals’ expectations of privacy, as well as carrying out sensibly scoped search and redaction exercises in response to what can be extremely wide-ranging requests for disclosure, especially during US discovery. It is usually possible for experienced practitioners to find a practical solution, although that can be a time-consuming and expensive exercise, particularly if it is not thought through early enough.
https://www.linklaters.com/en/insights/blogs/digilinks/2020/january/gdpr-vs-us-discovery
