Cornell Law Review


General Data Protection Regulation, GDPR, Comity, Discovery, Data privacy


The European Union's (EU) recently enacted General Data Protection Regulation (GDPR) is being billed as "the most important change in data privacy regulation in 20 years." The GDPR sets forth a stringent set of binding regulations that govern how data controllers and processors manage the private electronic data of EU citizens. In an audacious effort to ensure comprehensive privacy protection for EU citizens in a globally connected digital landscape, EU regulators have made the GDPR apply extraterritorially. The regulation extends beyond the borders of the European Union, reaching any entity that stores or processes the personal data of EU citizens regardless of where that data is stored or processed.

The GDPR's extraterritorial reach sets this groundbreaking regulation on a collision course with the equally far-reaching, party-driven discovery regime embraced by United States courts. The GDPR's rigorous protections-such as limits on transferability and a data subject's "[r]ight to erasure" -may make it impossible for a party to comply with both the requirements of the GDPR and a United States-issued subpoena duces tecum for electronically stored information (ESI) protected by the GDPR. In facing this conflict, U.S. courts may soon be asked to decide whether to uphold the United States' preference for expansive civil discovery or yield to principles of international comity and fairness to parties caught between a "rock and a hard place."