Extract from Diane D. Reynolds, Jena M. Valdetero and David A. Zetoony’s article “Is a Company Permitted To Transfer PI From Europe to the US for a Discovery Request?”
The Federal Rules of Civil Procedure, as well as state procedural rules, permit parties to a lawsuit to conduct discovery, in search of information and documents that may be relevant to the litigation. Parties can issue requests for documents, information (called interrogatories), and admissions of fact to other parties to the lawsuit; parties may use subpoenas to issue requests to third parties. When discovery issued in a U.S. civil proceeding seeks personal information regarding Europeans, or personal information that is held by an entity that is established in Europe, three main privacy questions arise:
• Whether under the GDPR there is a lawful basis to process personal information in the context of the discovery request?;
• Whether the country in which the personal data resides has legislation that specifically prohibits the transfer of information to the United States for purposes of civil discovery?; or
• Assuming that the processing has a lawful basis and is not outright prohibited, whether the GDPR permits the transfer of such information to the United States.
The following describes the legal considerations that underpin each issue.
Lawful Basis of Processing Personal Information
In order to process personal information under the GDPR, a controller must rely upon one of six lawful purposes of processing: consent, performance of a contract with the data subject, compliance with a legal obligation, necessity to protect the vital interests of a person, necessity to perform a task in the public interest (e.g., on behalf of a member-state government agency), or necessity to promote the legitimate interest of the controller so long as that interest is not overridden by the fundamental rights or freedoms of individuals.