[Originally published as a Feature Article: Will the Courts Treat Foreign Data Privacy Laws as Fact or Farce in U.S. Contracts?, by Amira Bucklin and Lily Li, in Orange County Lawyer Magazine, May 2021, Vol. 63 No. 5, page 40.]
by Amira Bucklin and Lily Li
In 2020, when lockdown and shelter-at-home orders were implemented, the world moved online. Team meetings, conference calls, even court hearings entered the cloud. More than ever, consumers used online shopping instead of strolling through malls, and online learning platforms instead of classrooms. “Zoom” became a way to meet up with friends over a glass of wine, or conduct job interviews in a blouse, suit jacket, and yoga pants.
This has had vast consequences for personal privacy and cybersecurity. While most consumers might recognize the brand of their online learning platform, ecommerce store, or video conference tool of choice, most consumers don’t notice the network of service providers that work in the background: a whole ecosystem of connected businesses and platforms that collect, store, and transfer data and software, all governed by a new set of international privacy rules and contractual commitments. Yet, many of these rules have not been tested in the courts, and they have several implications in the context of privacy.
The Privacy Conundrum
This month marks the three-year anniversary of the EU’s General Data Protection Regulation (GDPR). As expected, its consequences have been far-reaching, and fines for violations have been staggeringly high.
The GDPR requires companies in charge of personal data (“data controllers”) to enter into data processing agreements with their service providers (or “data processors”), including, at times, standard data protection clauses drafted by the EU Commission. These data processing mega-contracts (ranging from 1-100+ pages) impose a series of foreign data protection and security obligations on the parties.
A unique challenge presented by these contracts is the fact that such data processing agreements and model data protection clauses often include their own choice of law provisions, calling for the applicability of EU member state law, and requiring the parties to grant third-party beneficiary rights to individuals in a wholly different country.
This challenge is not just limited to parties contracting with EU companies, either. Due to the GDPR’s extraterritorial scope, two U.S.-based companies can enter into a contract subject to the laws of the State of California, but which includes a data processing addendum or security schedule that is subject to the laws of the United Kingdom, France, or Germany.
What happens if there is a dispute between these parties regarding their rights and responsibilities, which are subject to foreign data protection laws? How will U.S. courts treat these disputes? How much deference will—and should—a U.S. court provide to foreign interpretations of law?
Foreign Law in Federal Courts
To answer this question, we first look at how U.S. courts have treated disputes involving foreign law in the past.
The issue of foreign law in U.S. courts far predates the GDPR, or most privacy regulations, and is addressed, among others, in the Federal Rules of Civil Procedure Rule 44.1.
Rule 44.1 provides:
A party who intends to raise an issue about a foreign country’s law must give notice by a pleading or other writing. In determining foreign law, the court may consider any relevant material or source, including testimony, whether or not submitted by a party or admissible under the Federal Rules of Evidence. The court’s determination must be treated as a ruling on a question of law.
Since the rule’s promulgation in 1966, the issue of foreign law in federal courts is not a question of fact, but one of law. Federal courts can independently research foreign law and supplement party presentations. As drafted, it appears that courts should, whenever possible, apply foreign law in order to adjudicate cases on the merits. By shifting to de novo appellate review and allowing foreign law to be raised outside of the pleadings—as long as the reliant party provides reasonable notice—the rule sought to avoid procedural roadblocks for litigants who previously had to plead the foreign law to a jury and prove it as a fact. This approach, which ensures that foreign law is determined by those trained in interpreting laws, very much mirrors what is most common in civil law jurisdictions. This rationale is reflected in the reasoning handed down in the 1966 Advisory Committee’s Note to Rule 44.1:
[T]he new rule provides that in determining this law the court is not limited by material presented by the parties; it may engage in its own research and consider any relevant material thus found. The court may have at its disposal better foreign law materials than counsel have presented, or may wish to reexamine and amplify material that has been presented by counsel in partisan fashion or in insufficient detail.
The Aérospatiale and Vitamin C Decisions
Although the Advisory Committee’s Note is informative, judicial opinions illustrate the application of the rule in real cases. In situations where the U.S. is not bound by treaty or international law, these disputes have generally centered on the principle of “international comity”—namely, that the U.S. may effectuate foreign law out of courtesy and international harmony, but may refuse to follow it due to national interests.
The principle of international comity was largely established in the U.S. Supreme Court decision Société Nationale Industrielle Aérospatiale v. United States Dist. Court for S. Dist. of Iowa, 482 U. S. 522 (1987), over thirty years ago. In Aérospatiale, an airplane which had been sold by corporations owned by the Republic of France crashed during a flight in Iowa. Three individuals brought negligence claims against the French corporations in the U.S. District Court for the Southern District of Iowa. During discovery, one of the issues presented to the court was a French penal law, or “blocking statute” that prevented the corporations from responding to discovery requests.
The magistrate and court of appeals, after balancing the competing national interests, ordered the French corporations to comply with the discovery requests, despite the French blocking statute. On certiorari, the U.S. Supreme Court agreed that such a statute did not deprive the district court of the power to order a party to produce evidence—even though the act of production might violate the statute—but noted that such a statute was relevant to the comity analysis. The Supreme Court noted that the statute was relevant to identifying the nature of the sovereign interests in nondisclosure, and in a footnote, described the factors relevant to the comity analysis:
(1) (T)he importance to the … litigation of the documents or other information requested;
(2) the degree of specificity of the request;
(3) whether the information originated in the United States;
(4) the availability of alternative means of securing the information; and
(5) the extent to which noncompliance with the request would undermine important interests of the United States, or compliance with the request would undermine important interests of the state where the information is located.
Courts applying the Aérospatiale test have reached a common consensus that the balancing of national interests—the fifth factor—shall carry the most weight in the comity analysis. Richmark Corp. v. Timber Falling Consultants, Inc., 959 F.2d 1468, 1476 (9th Cir. 1992).
Justice Ruth Bader Ginsburg clarified Rule 44.1 and the comity analysis in Animal Science Products, Inc. v. Hebei Welcome Pharmaceutical Co., 585 U.S. __ (2018) (also known as the Vitamin C decision). In Vitamin C, the U.S.-based petitioners filed a class action suit against Chinese manufacturers, alleging that the Chinese corporations had agreed to fix the price and quantity of Vitamin C exports to the United States, thereby violating the Sherman Antitrust Act. The Chinese sellers moved to dismiss the claim on the ground that Chinese law required them to fix the price and quantity, thus shielding them from liability under U.S. law. The Ministry of Commerce of the People’s Republic of China (Ministry) filed an amicus brief in support of the motion to dismiss, explaining that it is the administrative authority responsible for the regulation of foreign trade, and that the alleged conspiracy was actually a pricing regime mandated by the Chinese government. The district court denied the motion, concluding that it did not regard the Ministry’s statement as conclusive. The Second Circuit, however, reversed and held that foreign courts were “bound to defer” to a foreign government’s construction of its own law, whenever reasonable.
Justice Ginsburg, writing for a unanimous Supreme Court, vacated the Second Circuit’s judgment, citing the principles of international comity, and held that while a federal court “should accord respectful consideration” to a foreign government’s submission, it is “not bound to accord conclusive effect” to the foreign government’s statement. Citing Rule 44.1, the Court emphasized that district judges have wide discretion and are neither bound to adopt the foreign government’s characterization of the foreign law nor required to ignore other relevant materials. Justice Ginsburg held that “[r]elevant considerations include the statement’s clarity, thoroughness, and support; its context and purpose; the transparency of the foreign legal system; the role and authority of the entity or official offering the statement; and the statement’s consistency with the foreign government’s past positions.”
What Does This Mean for Foreign Data Protection Law in U.S. Courts?
What do these tests developed in Vitamin C and Aérospatiale mean for foreign data protection laws in U.S. courts?
As described above, there will be situations where two U.S.-based parties to a contract are trying to apply foreign law, such as the GDPR. In addition, jurisdictions around the world are following GDPR’s example and imposing contractual obligations on the parties. Notable examples are Brazil’s Lei Geral de Proteção de Dados (LGPD), Japan’s Act on Protection of Personal Information, Thailand’s Personal Data Protection Act (PDPA), China’s Cybersecurity Law, and a vast number of draft bills which are currently under review.
Applying the Aérospatiale test to these international issues suggests that U.S. courts would engage in a comity analysis in situations where foreign laws conflict with U.S. law, giving the most weight to domestic interests. The foreign nation’s interest is substantial, namely the protection of its citizens’ and residents’ data privacy rights. Indeed, in a large number of civil law countries, the right to (data) privacy is anchored in the state’s constitution, thereby warranting the highest level of protection granted by the legislative and judicial branches of these countries. Even so, U.S. courts will likely not defer to the foreign body’s opinion or interpretation of its own law, especially where inconsistent. Instead, U.S. courts will maintain “respectful consideration” of these foreign laws, and will likely give them the most weight when they align with similar domestic interests (for example, the California Consumer Privacy Act).
While this is the natural consequence of Rule 44.1 and subsequent case law, it’s questionable how desirable this result is. There are vast differences between the United States’ common law jurisdiction and the civil law jurisdictions of the European Union, which include most European countries. Where American courts are left to interpret ambiguous terms in data protection addenda, or to decide what is reasonable and appropriate in terms of technical and security measures, the chances are slim that the court will opine in a way that is congruent with what the foreign lawmakers had in mind, or with the protections which the foreign law intended to grant.
Data Protection Laws in U.S. Discovery Disputes
Where foreign data protection laws are invoked merely as a (procedural) defense to a discovery request, U.S. courts’ deference to foreign law is even lower. Since Aérospatiale, U.S. courts have repeatedly held that they will not defer to foreign blocking statutes where they interfere with American discovery rules.
In the recent case of Finjan, Inc. v. Zscaler, Inc. (N.D. Cal. 2019), the United States District Court for the Northern District of California applied the Aérospatiale test when the defendant raised the GDPR in defense of a production request. In addition to the five factors developed by the Aérospatiale court, the court found that courts must also consider “the extent and the nature of the hardship that inconsistent enforcement would impose upon the person” as well as “the extent to which enforcement by action of either state can be expected to achieve compliance with the rule prescribed by the state.” In Finjan, the district court compelled production, finding that all factors weighed in favor of the plaintiff. Most importantly, when considering the national interests, the court recognized the UK’s interest in protecting the privacy of its citizens but found that the party relying on foreign laws has the burden of showing that such laws bar production and that the defendant had not pled to this in detail. The court further noted that the defendant showed no evidence of the extent or likelihood of the foreign government’s enforcement of its laws.
This last note should give contracting entities under GDPR cause for concern. It is true that, to this date, the public has not become aware of sanctions imposed by a data protection authority for violation of data protection laws where a party complied with a discovery request imposed on it by U.S. courts. The District Court’s opinion allows the assumption that, once such precedent has been set, a party raising the enforcement of data protection as a defense to discovery requests may see more success. This raises the following question, however: Who wants to be the one setting the multi-million dollar precedent?
In another case predating the implementation of the GDPR, the U.S. District Court for the Eastern District of Louisiana also recognized the foreign state’s (here Germany’s) interest in protecting the privacy of its citizens—even discussing it at length—but still held that such interests could be met in other ways (by way of in camera review, redactions, and other precautions). In Re: Xarelto (Rivaroxaban) Products Liability Litigation, Case No. 2:14-md-02592 (E.D. La. Jul. 21, 2017). When faced with Germany’s former Data Protection Act raised as a blocking statute in a discovery dispute, the District Court found that the third factor of the Aérospatiale test—whether the information originated in the United States—weighed in favor of Germany’s protective interest, but concluded that the factor was of “limited weight” because the defendants willingly entered into a commercial partnership with an American corporation, and “significantly benefited from availing [themselves] of [U.S.] markets.”
In light of the district court’s statements, one may argue that the parties from our example willingly subjected themselves to the GDPR’s data protection laws and thereby should bear the consequences. It should be noted, however, that due to some laws’ (including the GDPR’s) broad extraterritorial scope of application, and the wide reach of technology in today’s unprecedented times, falling subject to at least some foreign data protection law becomes harder and harder to avoid. It is questionable how voluntary such choice of law really is when parties exporting data from the EU are almost always required to enter into model data protection clauses which impose a choice of EU member state law onto the parties.
Where Does That Leave Us (and the EU)?
Looking at how U.S. courts have treated foreign laws in the past, it is likely that, when faced with a substantive GDPR issue (or the like), courts will consider guidance by the EU Commission or European data protection authorities but will not simply defer to them. Federal courts can choose not to apply EU guidance when interpreting data processing addenda or security schedules, especially if the terms are vague, or if there’s conflicting guidance coming out of the EU. Companies entering into data protection agreements will do well to draft these contracts as precisely as possible, including definitions for key terms, leaving little to no room for interpretation or ambiguity. In addition, companies should avoid the “kitchen sink” approach—citing to a long list of foreign local laws and guidance that further reduce the “clarity” and “transparency” of foreign requirements.
Furthermore, current U.S. jurisprudence should encourage foreign governments to seek bilateral or multilateral agreements governing data privacy with the United States. With an international treaty in place, as opposed to contractual stopgaps, GDPR or GDPR-like obligations would be imposed by rule of (international) law, rather than international comity or “respectful consideration.” Ironically, the United States and the EU had such an agreement in place, Privacy Shield, before it was struck down by the EU courts for not having strong enough protections of EU privacy rights abroad. In effect, EU courts may have inadvertently reduced the enforceability of GDPR abroad by their own privacy efforts. Perhaps this is a perfect time for the United States and Europe to rethink their data privacy relationship—maybe over a glass of wine on Zoom.
Amira Bucklin is an associate at Metaverse Law Corporation, CIPP/E and CIPP/US. She is provisionally licensed in California and licensed in Germany.
Lily Li is a cybersecurity lawyer, CIPP/E, CIPP/US, GCFA, and founder of Metaverse Law Corporation. She can be reached at firstname.lastname@example.org.
The views expressed herein are those of the Author(s). They do not necessarily represent the views of the Orange County Lawyer magazine, the Orange County Bar Association, The Orange County Bar Association Charitable Fund, or their staffs, contributors, or advertisers. All legal and other issues must be independently researched.