Risk Update

On Governing Information — When Local Subpoenas Conflict with Global Data Privacy Laws

Best Practices for Responding to Subpoenas That Conflict With Foreign Data Privacy Laws” —

  • “Companies who do business in the United States and have documents located abroad must understand the potential conflicts between the broad extraterritorial discovery authorized by U.S. courts, and the major restrictions on the transferring of personal data in many foreign countries.”
  • “Consider this scenario: A company receives a subpoena for documents from the U.S. government or a U.S.-based regulator, but is concerned because some of its documents are hosted on a server in a foreign country with restrictive personal data protections. How should attorneys advise this company to comply with the subpoena without violating foreign data privacy laws?”
  • “This article discusses various considerations on how to respond to such subpoenas, including: (1) negotiating with the party issuing the subpoena or document request to narrow the scope of the requests; (2) determining if the same information can be obtained through means that do not implicate foreign data privacy concerns; (3) consulting with local counsel in the country where the data is located to more fully understand the obligations; (4) seeking U.S. court intervention; and (5) taking all reasonable steps to limit and protect data productions.”
  • “U.S. courts typically rule in favor of the broad discovery sanctioned by the Federal Rules of Civil Procedure (FRCP), rather than the limitations on production set by foreign data privacy laws… Knowing that U.S. courts are likely to grant broad extraterritorial discovery, respondents should take certain steps throughout the process to minimize conflicts. Counsel should work with their clients to understand if the same data exists on U.S. servers or databases. Attorneys should come prepared to the initial negotiations with the requesting party with an understanding of where client documents are stored, and any potential conflicts with foreign data protections.”
  • “Attorneys should consider that U.S. courts may not recognize the foreign data privacy protections, and nevertheless compel the production of documents. Steps should be taken to limit and protect such data productions, including entering into a robust confidentiality and protective order.”