General Data Protection Regulation in U.S. Litigation through Mid-Summer 2019

Originally published by International Association of Defense Counsel (IADC), Defense Counsel Journal Volume 86, No. 4

In January 2012, the European Commission set out plans for data protection reform across the European Union. One of the key components of the reforms was the introduction of the General Data Protection Regulation (GDPR).1

The GDPR is a comprehensive set of rules designed to give European Union citizens more control over their personal data. The GDPR applies, generally, to any organization operating within the European Union, as well as, among others, organizations outside the European Union that offer goods or services to customers or businesses in the European Union. Almost every major corporation in the world is affected by this legislation. This legislation came into force across the European Union in May 2018.

There has been considerable uncertainty about how GDPR will be addressed in litigation commenced in the United States. However, now that a year has passed, motions relating to GDPR are beginning to be adjudicated, and trends are starting to emerge. This article provides a detailed summary of courts’ treatment of GDPR-related arguments and summarizes the potential impact of GDPR on United States litigation.

I. Impact of GDPR currently

As of July 19, 2019, eleven federal cases reference “GDPR” or the “General Data Protection Regulation.” No state court cases appear. Of the cases returned, four are from the United States District Court for the Southern District of New York,2 and two are from California,3 one each from the Central District of California and the Northern District of California. The remaining five cases originate from District Courts in Washington, Maryland, Alabama, Utah, and Florida.4

These eleven cases generally involve discovery disputes, often in intellectual property matters. In these scenarios, the responding party has raised GDPR as a bar or impediment to


GDPR Issues in U.S. and International Litigation and Arbitration

On November 30, 2018, I had the privilege of serving as a panel member on an International Association of Defense Counsel (IADC) presentation addressing GDPR in International Dispute Resolution. The other panel members were: Robert Bond, of Bristows, in London, England; Alexandra Simotta, of Six-Group, in Vienna, Austria; and Janis Block, of CMS in Cologne, Germany. The panel’s objective was to explore the issues arising under the GDPR in international dispute resolution, whether in arbitration or court litigation. My responsibility was to offer a U.S. trial counsel’s response to the subject. This article shares a few of the ideas raised during the panel, and a few which have occurred to the author in response to hearing from my fellow panel members.


An Approach for U.S. Companies to the GDPR

By: Michael H. Gladstone, Esq.

Once GDPR applicability is determined, a host of significant responsibilities apply to US Controllers and Processors of EU subject personal data. The duties extend to the data subject, the EU and its supervising authority, and between Controllers and Processors. Significant adjustments may be required on both the security and informational side of Controller and Processor technology to comply with the notice and subject response obligations imposed on Controllers and Processors. The security by design concepts of the regulation will expose many gaps in current processing capacity. GDPR compliance management will become an administrative function in covered businesses whether or not they operate at a level requiring data processing assessments or designation of a DPO. Companies that resist compliance risk not just enforcement but loss of business relationships with customers obliged to comply.


GDPR Effective Date Imminent-Is Your Business Ready?

By: Michael H. Gladstone, Esq. 

On May 25, 2018, the European Union (EU) “General Data Protection Regulation” (GDPR) becomes effective. Many U.S. businesses are just waking up to the possibility that this regulation may pertain to them. For U.S. entities with any contact with EU subjects and their personal data, the question whether the GDPR applies to them is a serious one which should be carefully studied.

The GDPR imposes an extensive set of duties and burdens on “covered entities,” and sets out breathtaking penalties for violation of the regulation. Breathtaking here means 4% of worldwide revenue, or 20 million Euros, not counting damages to the violated data subject. The scope of personal data covered by the regulation and utilized by data recipients and users (called “controllers” and “processors” of personal data) coupled with the GDPR’s expanded territorial reach (compared to the predecessor EU rules concerning protection of personal data) ensures a significant number of U.S. businesses, which might intuitively or superficially conclude otherwise, may be covered by the regulation. The GDPR presents an unprecedented effort by a governmental unit to protect the privacy of its subjects’ personal data.
