On January 13, 2020, U.S. District Court Judge Castel of the Southern District of New York in SEC v. Telegram Group Inc. et al., No. 19 Civ. 9439 (PKC) granted the motion of the U.S. Securities and Exchange Commission (“SEC”) to compel Telegram Group Inc., a technology company best known for its secure messaging app, to produce overseas bank records (Dkt. 67). The SEC had sought these records “fully unredacted” on an expedited basis in support of its claim that Telegram engaged in an unregistered securities offering (Dkt. 52). Telegram objected to any production, asserting that the records were of questionable relevance, that they contained banking and personal information protected by a host of foreign laws, and that it would be unduly burdensome to “to cull through these records and redact the personal information of non-U.S. persons and entities subject to foreign data privacy law protections.” (Dkt. 55). In a short decision, the Court ordered Telegram to produce the records on a tight timeline, holding that “[o]nly redactions necessitated by foreign privacy laws shall be permitted, and a log stating the basis for any redaction shall be produced at the same time the redacted documents are produced.”
There are a few key takeaways from this decision. First, the Court recognized foreign data privacy laws as legitimate grounds for withholding otherwise discoverable information. Defendant was not given a blank check to redact; rather, the Court required Telegram to log the basis for any privacy assertions, and one can expect the SEC will closely question Telegram on the redactions. At the same time, the Court clearly did not agree with the SEC’s characterization of data privacy laws as “blocking statutes” to be ignored, and was not swayed by its complaints that Telegram had not shown that such laws require deference. This is consistent with an observed general heightened sensitivity to data privacy and data security interests in the U.S. and abroad.
Judge Castel’s approach represents a change from U.S. courts’ prior dismissive treatment of similar disclosure objections. Courts traditionally would apply a multi-factor comity analysis that generally prioritized U.S. discovery interests over those of conflicting foreign laws and ultimately required unredacted production. See, e.g., Laydon v. Mizuho Bank, Ltd., 183 F. Supp.3d 409 (S.D.N.Y. 2016) (requiring unredacted production of data protected by the then EU privacy regulation, the 1995 EU Directive 95/46/EC, based on comity analysis set out in Société Nationale Industrielle Aerospatiale v. U.S. Dist. Court for S. Dist. of Iowa, 482 U.S. 522, 544 n.29 (1987) (hereinafter “Aerospatiale”)). Certainly, the SEC pushed for the customary approach, but Judge Castel appears implicitly to have to have resolved in short form (or skipped over) the Aerospatiale comity analysis and accepted the legitimacy of foreign restrictions on disclosure in U.S. proceedings.
Second, parties continue to struggle in asserting proportionality objections under Fed. R. Civ. Proc. 26(b)(1) based on the cost and burden of complying with foreign data privacy and protection laws. Some courts have been receptive to well delivered objections and have struck offending discovery requests. See, e.g., In Re Bard IVC Filters Products Liability Litigation, 317 F.R.D. 562 (D. Ariz. 2016) (denying as disproportionate plaintiffs’ request for defendant’s foreign communications with foreign regulators to determine consistency with communications with U.S. regulators where the discovery sought was only marginally, “potentially” relevant, the costs of complying with foreign data privacy laws and burden of producing from foreign custodians in multiple countries over extended time period would be substantial, and acceptable alternatives existed). In general, however, courts have required at least redacted productions even where the costs are significant – in particular where the objecting party appears to have deep pockets. See, e.g., Corel Software, LLC v. Microsoft Corp., No. 2:15-cv-00528, 2018 WL 4855268, at *1 (D. Utah Oct. 5, 2018) (ordering retention and production of data relevant in a patent infringement case that Microsoft claimed “raises tension” with the GDPR and would require burdensome steps to anonymize).
Third, when advancing proportionality/burden arguments, it helps to put your best foot forward. Some best practices are as follows:
- Show your work: Objections should to be supported by sufficiently detailed information as to the costs, timing, resources involved and alternatives, in a form acceptable to the court. Courts are unwilling to accept conclusory assertions of excessive burden, whether in weighing the Aerospatiale factors or in conducting a proportionality analysis. Telegram revealed the number of individuals and transactions that would require data privacy assessment, but gave no details – much less supporting information in evidentiary form – as to projected costs and effort of the assessment and compliance process. Telegram now faces an expensive and involved redaction project.
- Make a qualified argument: To back up assertions of foreign data privacy and protection, parties should specifically identify the jurisdictions and particular laws implicated and also consider submitting legal expert declarations demonstrating the conflict and consequences of non-compliance. The SEC here made much of the “vague” nature of Telegram’s assertions of data privacy, arguing that they were non-specific, unfounded, pretextual, and designed solely to keep relevant information from the SEC’s eyes. Indeed, while Telegram asserted that at least 16 foreign jurisdictions’ data privacy laws were implicated, it did not name a single one of them, and did not provide support of experts in their laws as to why production would be illegal. This may have been strategic – the location of Telegram’s transactional partners is of interest to the SEC. However, a specific and authoritative explanation of the variety of laws and the difficulties of navigating them in this particular dataset may have helped to convince the Court that the cost and effort required was not proportionate. In fact, this fight may only have been postponed, as the SEC may pursue un-redaction as specifics emerge.
- Minimize the scope: A party seeking to avoid production should show that it has taken the needed steps to narrow the field of protected information potentially subject to production, e.g., with careful attention to sources and computer-based screening. This not only shows reasonableness and good faith, but also is generally consistent with the minimization, legitimate purpose, and use requirements of many data privacy and protection laws (like GDPR). Of course, eliminating unneeded data before you anticipate litigation is one of the best ways of complying with data privacy laws and preservation obligations.
- Propose an alternative: Convincing the court that your position is reasonable (and that your opponent’s is not) may involve compromise. Consider strategies for limiting the impact of conflicting laws, such as disclosing non-conflicted sources. This may also include phased discovery, looking for parallel information in unrestricted locations, and data anonymization and minimization measures. Parties may also consider proposing production in a controlled database that minimizes data security and confidentiality concerns.
The referenced case documents may be found at the following links.