Importantly for U.S. companies, the General Data Protection Regulation (GDPR) may significantly impact the way discovery is conducted in connection with U.S. litigation. The GDPR specifically limits the circumstances under which EU personal data may be exported from the EU. As a result, any document review conducted outside of the EU that involves personal data collected or located in the EU must be done in compliance with the GDPR. Furthermore, many global companies outsource e-discovery and litigation document review to service providers outside the EU. Consequently, litigation support providers are scrambling to fully grasp the implications of the GDPR for their operations.
If the transfer of data to the U.S. for discovery purposes is necessary, litigants must implement safeguards, such as the use of search terms and data restrictions, to limit the amount of data that is collected and transferred to the U.S. In light of the financial penalties available under the GDPR, companies should make a careful case-by-case assessment of the basis for transferring personal data to the U.S. or elsewhere outside the EU for use in discovery or in government or internal investigations.
Source: Law Technology Today