An interesting article by Katalina Bateman and Karen Lee Lust from Reed Smith looking into two recent U.S. cases where the conflict between U.S. discovery and the GDPR comes into focus. There is nothing new in the conflict between U.S. discovery and European privacy rules, and it certainly predates the GDPR, but it is interesting to see that these two forces still come into conflict with each other.
Most of the conflict appears to come from a macro-level difference in how privacy is considered and regulated in the different jurisdictions. In Europe it is considered a human right and therefore warrants the protection provided to it under the GDPR and other legislation, whereas in the U.S. it tends to be regulated at an industry level - with different industries (e.g. healthcare and finance) having higher levels of protection than others. This leads to inevitable tension and conflict.
From a technology perspective, it is always interesting to consider these challenges and look at how a solution can be developed to bridge the gap between the two. Generally, through intelligent use of processes and technology, most of the challenges can be overcome so that all parties can get comfortable with the solution. There are many different ways in which these can play out - but inevitably there tends to be a focus on in-country work and enhanced precautions to segregate and target specific data sets.
With the number of jurisdictions implementing legislation that has a GDPR look and feel, this is something that people need to become more familiar with, understanding both the challenges and how they may be overcome.
Litigants involved in U.S. discovery obligations do therefore need to consider the GDPR and how best to comply with both their EU data protection and U.S. discovery obligations. Whilst a level of conflict remains between these laws, there are a number of practical steps that organizations can undertake to comply with U.S. discovery demands whilst reducing their data compliance risk in the EU and beyond... It is also advisable that any measures taken to protect personal data in these circumstances should be documented for accountability purposes. It is clear though that these practical and considered measures will provide for a more compliant approach to avoid the risk of violating either U.S. discovery demands or facing potential regulatory inquiries in the EU.