In a recent case; Accessdata Corp. v. ALSTE Tech. GMBH, 2010 WL 3184777 (D. Utah Jan. 21, 2010), the Plaintiff, an American company, sought to compel defendant’s production of documents, including information related to customer complaints and defendant’s technical support of non-customers. Defendant objected to the interrogatories and requests for production on the grounds that they were overly broad, unduly burdensome, and seeking irrelevant information and because “disclosure of information relating to third parties’ identities would violate German law.”
The defendant’s main argument was that German law prohibits the production of third-party personal information and that, if it complied with the discovery requests at issue, it would “subject itself to civil and criminal penalties for violating the German Data Protection Law … and the German Constitution.”
In this case the court found that ESI asked for from a German company should be turned over in discovery even though the defendant stated that German privacy laws prohibit customer data being turned over without the customer’s approval.
In this specific case, the court found:
While defendant asserts that providing personal information about its customers and their employees “would be a huge breach of fundamental privacy laws in Germany,” defendant has failed to demonstrate the verity of this assertion. Defendant has not cited to the particular provisions of the German Data Protection Act (”GDPA”) and/or German Constitution that would prohibit disclosure of personal third-party information. Based on the court’s brief review of the GDPA, it appears that it does not necessarily bar discovery of personal information. In particular, Part I, Section 4c of the GDPA, entitled “Derogations,” provides that the transfer of personal information to countries that do not have the same level of data protection “shall be lawful, if … the data subject has given his/her consent [or] … the transfer is necessary or legally required … for the establishment, exercise or defence of legal claims.” The GDPA further states that “[t]he body to which the data are transferred shall be informed that the transferred data may be processed or used only for the purpose for which they are being transferred.” ALSTE has not demonstrated that it has been unable to obtain consent from its customers or that it has even attempted to seek consent. ALSTE has also failed to address this particular provision of the GDPA or explain why it would not apply in the instant case.
On the face of it, this case looked like the United States District Court was imposing its will upon a foreign government and its privacy laws. In reality, the two main points of this particular case was:
- The defendant did not cite the particular provisions of German privacy law and did not try to obtain the customer’s approval to have their personal data transferred.
- The German laws actually make provisions for the possibility of ESI transfer to another countries jurisdiction; the GDPA does not necessarily bar discovery of personal information. In particular, Part I, Section 4c of the GDPA, entitled “Derogations,” provides that the transfer of personal information to countries that do not have the same level of data protection “shall be lawful, if … the data subject has given his/her consent [or] … the transfer is necessary or legally required … for the establishment, exercise or defense of legal claims.”