Legal News January 2023: When the GDPR protects European companies from US procedures
Sometimes, a very restrictive regulation, such as the GDPR, can may conceal unexpected advantages: as an example, a groundbreaking decision of the New York District Court dated May 23, 2022 acknowledging the GDPR's power to defeat, under certain conditions, an American pre-trial discovery.
- Short reminder:
We are well aware of the extraterritorial effects of American laws and procedures, in particular "pre-trial discovery", which allow to compel the defendant (even a foreign company) to disclose information and documents located outside the United States.. By refusing to comply with such a request, the defendant incurs the risk of being held in contempt of court or of the judge considering the facts alleged by the plaintiff as duly established.
One of the only ways for a foreign company to oppose such a production order is to evidence that this forced disclosure is prevented by its local law. When this plea is raised, the U.S. judge must balance the competing interests of the United States and the foreign state, taking into consideration the important drawbacks for the defendant to comply with such injunction.
In the past, the French "blocking" law of July 16, 1980, prohibiting the disclosure of information that could undermine France’s sovereignty, security and essential economic interests, has been raised to reject U.S. discovery, but without much success, as this law suffered from not being sufficiently applied by the French authorities themselves.
- Kashef v. BNP Paribas S.A: a turning point?
In a decision dated May 23, 2022, the New York District Court rules for the first time that the General Data Protection Regulation (GDPR) may constitute, under certain conditions, a valid defense against pre-trial discovery.
In the context of a civil action brought by victims of the genocide in Sudan against the French bank BNP Paribas, and following a criminal investigation during which the company admitted its responsibility and reached a settlement with the Department of Justice (DOJ), the plaintiffs requested, among other things, the de-pseudonymization of French documents that they believed could be useful to them in order to obtain compensation for their damage.
BNP Paribas, as defendant, argued that granting this request would be contrary to French and European banking secrecy regulations and to the GDPR and that such disclosure would expose it to severe penalties by the French authorities.
The U.S. judge agreed with BNP PARIBAS' argument. He considered that the balancing of the interests at stake, respectively those of the United States and France, showed that the need to comply with the GDPR outweighed the need for these de-pseudonymised documents to resolve the dispute and that the plaintiffs also had other means to get the relevant documents. Therefore, based on the constraints imposed by the GDPR, the U.S. judge refused to compel BNP Paribas to disclose the requested documents.
- What can we learn from this decision in practice?
This decision seems to mark a turning point in the perception by the U.S. judge of the importance of the European regulation on personal data protection. In the eyes of the American judge, the GDPR takes its place among the fundamental international standards and becomes, for European companies involved in foreign lawsuits, an interesting procedural tool.
By Sarah Temple-Boyer (Attorney) and Simon Monat (Legal Trainee)