Cross-border data protection laws are increasingly affecting domestic U.S. discovery proceedings. Globalization has placed discoverable information beyond the boundaries of the U.S. and has often forced litigants to satisfy those laws in order to produce or obtain such information. To meet the challenges of foreign data protection laws, organizations will need to be prepared. As spotlighted in a recent article published by LegalTech News, this includes more effective information governance programs and litigation readiness measures, along with better advocacy on the issues in court.
Cross-Border Data Protection Laws Create Complexity in Discovery
The prevalence of data protection and privacy laws around the globe has substantially increased over the past several years. Not surprisingly, this trend corresponds with the growth of sensitive and confidential information about individuals that is now available on electronic devices. As the U.S. Supreme Court observed a few years ago, electronic devices such as mobile phones “hold for many Americans ‘the privacies of life.’”
Data protection laws—such as the European Union (EU) General Data Protection Regulation (GDPR)—are designed to protect individual privacy rights over such information. With those rights, however, come various responsibilities, particularly for organizations that collect and store personal information. Included among those responsibilities is the need to safeguard that information in litigation. Under some data protection laws such as the GDPR, appropriate safeguards may include anonymizing or pseudonymizing personal information before it is transferred across international borders. Some privacy laws—such as China’s Telecommunication Regulations—may forbid the transfer of personal information if an individual refuses to authorize its disclosure.
With relevant electronic information being available in any number of foreign countries, data protection laws can create complexity in discovery for clients, counsel, and the courts. This is particularly the case for responding parties, who can face burdensome or conflicting demands in litigation when asked to produce personal information and satisfy applicable laws. The menu of problematic options includes addressing weighty production burdens to comply with cross-border privacy strictures, disobeying a U.S. court’s production order, or violating a foreign data protection law. While several recent cases exemplify the Hobson’s Choice seemingly facing many companies on these issues, the Corel Software v. Microsoft Corporation and Brooks Sports v. Anta (China) Co. cases are particularly instructive on these issues.
Corel Software v. Microsoft Corporation
In Corel Software, defendant Microsoft sought a protective order to stave off a burdensome production of telemetry data. In its motion papers, Microsoft argued that plaintiff’s request for telemetry data—a type of “usage data” that individuals generate when they use Microsoft products and services—was disproportionate to the needs of the case. In particular, Microsoft asserted that the request created “tension” with the GDPR and “would require additional burdensome steps to anonymize the data.”
In response, the court found the requested Telemetry data was “directly relevant to the claims and defenses” in the action and ordered Microsoft to produce it in discovery. In so doing, the court rejected Microsoft’s argument regarding disproportionality and the GDPR. Finding the telemetry data was important to resolving the issues at stake in the litigation, the court observed that Microsoft also had sufficient resources to shoulder the production burden. Implicit in this observation was the fact that Microsoft did not provide metrics or other information that would substantiate the alleged challenges and burdens of complying with the GDPR. As a result of this production order, Microsoft was forced to produce approximately 14 terabytes of relevant Telemetry data and anonymize personal information within the production, a process it characterized as “complex and time consuming.”
Brooks Sports v. Anta (China) Co.
While Corel Software involved the challenge of an onerous cross-border production, the Brooks Sports case concerned discovery of relevant WeChat communications from mobile devices belonging to defendant Anta’s executives and employees. Anta declined to produce those WeChat discussions, arguing that “Chinese privacy law” forbade the company from turning over messages from China-based employees who refused to consent to their production. Anta relied on provisions from the Constitution of the People’s Republic of China (PRC) and Chinese Telecommunication Regulations, which respectively guarantee “privacy of correspondence” and “freedoms to use telecommunications and communication secrecy of telecommunication users.”
After Anta failed to obey multiple production orders for the messages (and made several misrepresentations to the court), the court imposed terminating sanctions against Anta. In reaching its decision, the court observed disapprovingly that Anta declined to establish an official communication system within the enterprise. Anta had instead allowed its employees and executives to use WeChat messages on their personal mobile devices to seemingly circumvent obligations in discovery:
Anta should not be able to conveniently use Chinese law to shield production of communications responsive to discovery requests when it could have set up Anta-controlled WeChat accounts for its employees’ use which would not have the same issues regarding Chinese privacy laws.
Looking at defendant’s communication system in the context of its overall discovery misconduct, the court found that defendant’s reliance on “Chinese privacy law” was merely a pretext to stymie its production duties.
Getting Prepared to Address Cross-Border Data Protection Laws
Corel Software and Brooks Sports both spotlight challenges with cross-border data protection laws that litigants should expect to confront in U.S. litigation. To be prepared for these challenges in future lawsuits, organizations can take action now on a variety of fronts.
Companies should first examine their information governance programs. Mapping corporate data, streamlining information retention policies, and minimizing company information are proactive, upstream measures that can better facilitate compliance with data protection laws in the reactive, downstream process of eDiscovery.
Businesses should also consider the manner in which their information systems generate, exchange, and store data. Like the defendant in Brooks Sports, the structure of those systems may impact an organization’s ability to comply with either cross-border privacy laws or U.S. discovery obligations. By undertaking such an analysis, an enterprise can determine if its information systems are appropriate for addressing cross-border data protection laws in connection with legal disputes.
Companies should additionally review their litigation readiness programs to determine whether litigation hold policies, along with measures for preservation, collection, and review, satisfy applicable cross-border data protection laws.
Finally, enterprises should ensure they can demonstrate to a court the heightened burdens of compliance with cross-border data protection laws. As suggested by Corel Software, a court’s decision on the issues may turn on how thoroughly the party has substantiated those burdens. For example, Microsoft could have demonstrated more effectively its production burdens under the GDPR with appropriate metrics that would have reflected its investment of resources (including time, manpower, and costs) in producing the requested telemetry data. By so doing, the company could have more readily established the disproportionality of producing the telemetry data.
 Riley v. California, 134 S. Ct. 2473, 2494–95 (2014).
 See General Data Protection Regulation, Recital 78, Article 25.1.
 See China Telecommunication Regulations, Article 66; Brooks Sports, Inc. v. Anta (China) Co., Ltd., No. 1:17-cv-1458, 2018 WL 7488924, *10, *13 (E.D. Va. Nov. 30, 2018).
 Corel Software, LLC, v. Microsoft Corp., No. 15-CV-00528, 2018 WL 4855268 (D. Utah Oct. 5, 2018).
 Defendant’s Short Form Discovery Motion Re: Protective Order, Corel Software, LLC, v. Microsoft Corp., No. 15-CV-00528, ECF No. 171 (August 3, 2018).
 It should come as no surprise that both the PRC Constitution and the Telecommunications Regulations have exceptions that allow the Chinese government to eavesdrop on user communications. See China Constitution, Article 40, Privacy of Correspondence; China Telecommunication Regulations, Article 66.