Editor’s Note: This article was first published by Artificial Lawyer.
Many privacy advocates around the world applauded when Europe’s General Data Protection Regulation (GDPR) became effective in May 2018. The grand plan to harmonize and strengthen data privacy and data protection in the member states of the European Union and the European Economic Area was met with great fanfare and some trepidation.
It’s not just the Europeans. Stronger data privacy laws have spread across the world, including Brazil’s Lei Geral de Proteção de Dados Pessoais (LGPD), which became effective in September 2020 with enforcement beginning in August of 2021, and amendments to Singapore’s Personal Data Protection Act (PDPA) in 2021.
But what about the United States?
Despite a veritable cornucopia of US state and federal data privacy laws, the lack of a comprehensive federal data privacy law often leaves the US out of the discussion. US government data demands are cited often, but, as the UK’s Vodafone has reported for years, governments around the world demand data for law enforcement purposes.
Another data privacy consideration in the United States is the substantial requirement for producing data during discovery in US litigation, known commonly as “e-discovery” or electronic discovery, when data—including email, texts, chats, social media, and more—are produced to opposing parties.
However, although the United States allows substantial—some would argue excessive—discovery of data in civil litigation, the US Federal Rules of Civil Procedure provide mechanisms for limiting discovery, and courts use the protective order provisions of Rule 26(c) to protect privacy.
Limiting the Scope of Discovery
The Federal Rules of Civil Procedure govern civil litigation in US courts. As Rule 1 states, the purpose of the rules is “to ensure the just, speedy, and inexpensive determination of every action and proceeding.”
The rules were promulgated in 1938, and they have been amended continuously over the years, with notable e-discovery amendments in 2006 and 2015.
Admittedly, massive amounts of data are produced in US courts. However, multiple rules limit the scope of data that must be produced, including Federal Rule of Civil Procedure 26(b), which limits discovery in civil actions by requiring that discovery not include data protected by the attorney-client privilege and that discovery be “proportional to the needs of the case.” See Rule 26(b)(1). In addition, discovery of electronically stored information (ESI) is not required if it is “not reasonably accessible due to undue burden or cost.” See Rule 26(b)(2)(B).
Although the six-pronged proportionality test to limit discovery in Rule 26(b)(1) does not include privacy specifically, judges have wide discretion in limiting discovery as evidenced by the rule’s “unless otherwise limited by court order” language.
Nevertheless, there is an important tool for limiting discovery and protecting privacy in e-discovery in Federal Rule of Civil Procedure 26(c), which provides for protective orders. The rule provides, in part:
The court may, for good cause, issue an order to protect a party or person from annoyance, embarrassment, oppression, or undue burden or expense.
Although privacy doesn’t appear specifically in this language, the US Supreme Court has held that it is “implicit in the broad purpose language of the Rule.” See Rhinehart below.
Rule 26(c)(1) gives courts a comprehensive list of eight methods for limiting discovery—and thus, protecting data privacy—with protective orders. These options range from prohibiting the discovery entirely to limiting it in various ways. The methods are:
(A) forbidding the disclosure or discovery;
(B) specifying terms, including time and place or the allocation of expenses, for the disclosure or discovery;
(C) prescribing a discovery method other than the one selected by the party seeking discovery;
(D) forbidding inquiry into certain matters, or limiting the scope of disclosure or discovery to certain matters;
(E) designating the persons who may be present while the discovery is conducted;
(F) requiring that a deposition be sealed and opened only on court order;
(G) requiring that a trade secret or other confidential research, development, or commercial information not be revealed or be revealed only in a specified way; and
(H) requiring that the parties simultaneously file specified documents or information in sealed envelopes, to be opened as the court directs.
Protective Orders: Privacy in Action
The use of protective orders to protect privacy has a long history in US litigation, but it’s important to remember that civil discovery doesn’t occur in a vacuum. In addition to discovery requirements, the freedom of speech provisions of the First Amendment to the US Constitution can be a factor as they were in the US Supreme Court’s 1984 decision in Seattle Times Co. v. Rhinehart, a landmark case in the law of protective orders.
In Rhinehart, a religious group and its spiritual leader sued the Seattle Times Company and others, arguing they were defamed by a series of articles in The Seattle Times. During discovery, a trial court issued an order requiring the religious group to produce membership and donation information.
However, after the religious group claimed the discovery order violated its right to privacy and freedom of religion, the court also issued a protective order—under a state law provision modeled after Rule 26(c)—preventing the newspaper from publishing, disseminating, or using the information in any way except to prepare for the case.
The newspaper appealed the issuance of the protective order, arguing it was an unconstitutional prior restraint on free speech in violation of the First Amendment, but both the state’s supreme court and the US Supreme Court affirmed, upholding the protective order. Justice William Brennan wrote in a concurring opinion that the religious group’s “interests in privacy and religious freedom are sufficient to justify this protective order and to overcome the protections afforded free expression by the First Amendment.”
More recently, in cases involving electronic data, courts across the nation have issued protective orders on data privacy grounds. In St. Frances Acad. v. Gilman Sch., Maryland’s Court of Special Appeals upheld competing motions: one for an order to compel discovery of the mobile devices of football coaches after a player’s injury, and one for a protective order governing the procedure for extraction of the data.
Even when courts allow extensive discovery, protective orders provide privacy protections. In 2021 in Sinclair v. San Jose Unified Sch. Dist. Bd. of Educ., a California federal court permitted substantial discovery into allegations of misconduct in a school district, but held a protective order was warranted to protect any personnel records from public dissemination.
A Panacea for Privacy?
By their very nature, protective orders provide a compromise between a litigant’s need for evidence and the privacy of others. Thus, they are certainly not a panacea for privacy. No law, regulation, or rule in any nation is. Nevertheless, protective orders in US discovery are a mechanism for protecting privacy, and US courts have used them to ensure confidential data remain confidential.
Graphics for this article were created by Kael Rose.