The Intersection of European Data Privacy and Domestic Discovery
In 2016, the European Union (“EU”) adopted the General Data Protection Regulation (the “GDPR”), which replaced its Data Protection Directive that was adopted in 1995. Described as “the toughest privacy and security law in the world,” it purports to “impose[] obligations onto organizations anywhere, so long as they target or collect data related to people in the EU.”1 For domestic litigators, one might assume that the GDPR’s purported extraterritorial jurisdiction would be of no consequence when litigating in the United States. Indeed, the GDPR’s broad assertion of jurisdiction is arguably contrary to domestic principles and common law regarding permissible discovery. So while it is less than clear how the GDPR will or could be enforced in connection with potential violations in U.S. litigation, litigators would be wise to, at a minimum, be aware of its reach and potential consequences for violations.