Cross-Border Discovery and the Battle Between Relevancy and Data Privacy Concerns

Written by Doug Austin, Editor of eDiscovery Today

With so many multi-national organizations today and global regulatory environment expanding significantly in recent years through GDPR and other data privacy laws, it was inevitable that we were going to see more cases involving cross-border discovery. It was also inevitable that we were going to see more disputes over whether potentially responsive data from custodians in foreign jurisdictions is protected through data privacy laws.

And inevitably we are seeing those disputes more frequently play out in American courts. Let’s look at a couple of those cases here.

Giorgi Global Holdings, Inc. v. Smulski

In this case against the defendants alleging civil violations of the Racketeer Influenced and Corrupt Organizations Act (RICO) among other things, the plaintiffs requested via letter that defendant Wieslaw Smulski be ordered to produce documents in compliance with the Federal Rules of Civil Procedure without regard to Polish law and/or GDPR. Defendant Smulski claimed that he couldn’t produce otherwise discoverable documents in the case because the GDPR and/or Polish privacy law prohibit him from doing so. Smulski lived in Poland but was an American citizen.

But the Court disagreed. Pennsylvania District Judge Jeffrey L. Schmehl ruled that the defendant, “an American citizen sued in the United States, bears the burden of showing that the GDPR and/or Polish privacy law bar production of…relevant documents” which “he cannot do”. As a result, Judge Schmehl ruled that the “GDPR and/or Polish privacy law does not bar Smulski’s production of relevant documents in this matter.”

Cadence Design Sys., Inc. v. Syntronic AB

In this case alleging unlicensed use of the plaintiff’s software, the defendants argued that China’s relatively new Personal Information Protection Law (PIPL) (which became effective on November 1, 2021) prohibited transfer of computers in China across international borders without the consent of current and former employees, who declined to agree.

California Magistrate Judge Joseph C. Spero rejected the defendants’ claim that the exception in Article 13 of PIPL “Where necessary to fulfill statutory duties and responsibilities or statutory obligations” for requiring consent to handle personal data specified in Article 39 was limited to Chinese law, stating: “The Court declines to limit Article 13’s legal obligation exception to obligations under Chinese law” and found “the Court’s order to produce computers for inspection in the United States creates a legal obligation sufficient to invoke the exception of Article 13 and proceed without the individual employees’ consent under Article 39.”


While every case is different and not all will result in a Court order to produce data subject to litigation in an American case, many of the cases I’ve seen have weighed in favor of ordering production of the data. Article 49(1)(e) of GDPR, for example, permits the transfer of personal information abroad where such “transfer is necessary for the establishment, exercise or defence of legal claims.” It’s important to know the laws of each jurisdiction, which includes exceptions to data privacy laws.

The ABA Cross-Border Institute was created for attorneys and privacy professionals to understand the complex interplay between eDiscovery, cyber security, and privacy across and among jurisdictions with an emphasis on the difficulties and tensions for organizations doing business in the U.S., E.U., and U.K. Next week, IPRO will be participating in the ABA Cross-Border Institute 2022 event on July 21 & 22 at the Kimpton De Witt Hotel in Amsterdam, Netherlands.

The distinguished faculty of international data privacy, cybersecurity and eDiscovery thought leaders will offer:

  • discussions with European privacy regulators with interactive sessions that give everyone an opportunity to ask questions
  • an update on review of data privacy considerations as the world returns to “normal”, and
  • a robust ethics discussion.

And for more educational topics from me related to eDiscovery, cybersecurity and data privacy, feel free to follow my blog, eDiscovery Today!