I discover with my little eye… a GDPR breach?

“Recent court rulings suggest that companies still face a Catch-22 when getting involved in U.S. discovery. There have been several cases … in which a party has objected to discovery based on GDPR concerns,” write Dr. Matthias Artzt and Gary D. Weingarden for IAPP – International Association of Privacy Professionals.

“The SchremsII decision makes U.S. discovery from EU sources even more fraught … parties are likely to find themselves with an unpleasant dilemma: Violate a U.S. court order or violate the GDPR or a different data protection law.”

Even when relying on an Art 49 derogation, “the bottom line is that the party disclosing personal data to the U.S. court needs to thoroughly assess its relevance to the particular matter before transferring the data,” they say.

To-do list:
  • assess necessity & document it
  • have a plan (policies and procedures)
  • review the Sedona conference guidelines
  • involve data protection counsel
  • involve your supervisory authority
  • see if Hague Convention mechanisms could work
  • get the requesting party to sign Standard Contractual Clauses
  • get indemnity

Details from the IAPP.