Privacy and Security TidBits

US District Court’s Desicion Based on Inaccurate Interpretation of EU and German Data Privacy Laws

US District Court Requires Production of Overseas Data Notwithstanding  Applicable Foreign Data Protection Law

by Joseph Baker, Andrew Nicely and Tim Wybitul

Mayer Brown, LLP

Many foreign countries have enacted privacy laws and “blocking” statutes that limit the disclosure of personal data and other information maintained within their borders. Violation of these statutes can result in fines, civil penalties and, in some countries, criminal sanctions.

Parties involved in US litigation frequently find themselves in a quandary when they are directed to produce documents stored overseas that fall within the protection of a foreign privacy or blocking statute; US courts have generally been unsympathetic to such parties, commonly ordering production of overseas documents notwithstanding the obstacle posed by foreign law. Continuing this trend, a federal district court in Utah recently ordered a litigant to disclose certain data maintained in Germany that the resisting party contended were exempt from disclosure under the German Data Protection Act (GDPA).

AccessData, a US software developer, brought suit against its German reseller, Alste Technologies, to recover certain royalties due from the sale of one of its products. See AccessData Corp. v. Alste Techn. Gmbh, 2010 WL 318477 (D. Utah Jan. 21, 2010). Alste argued that it should not have to pay because, although many copies of the software product had been sold, the product was defective and had generated scores of complaints from customers. In addition, Alste alleged in a counterclaim that it had not been paid for technical support services that it had provided under its contract with AccessData.

To explore Alste’s contentions, AccessData issued interrogatories and document requests seeking information about the customer complaints Alste had received and the support services it claimed to have provided. Alste objected to the discovery requests, arguing that the disclosure of information about its customers “would be a huge breach of fundamental privacy laws in Germany” — specifically, the GDPA. Alste contended that the discovery could be obtained only through the procedures established in the Hague Convention for the Taking of Evidence Abroad.

Alste did not specify the applicable GDPA provisions. Nevertheless, the court examined the statute and observed that Part I, Section 4c permits the transfer of personal information to foreign countries — even those that do not have the same level of data protection — if the “subjects” of the personal data consent, or if “the transfer is necessary or legally required … for the establishment, exercise or defence of legal claims.”

To continue reading, follow the link below: