Volume 73, Issue 5, 1511-1538
Privacy and data protection law’s expansion brings with it opportunities for mischief as privacy rules are used pretextually to serve other ends. This Essay examines the problem of such co-option of privacy using a case study of lawsuits in which defendants seek to use the EU’s General Data Protection Regulation (“GDPR”) to frustrate ordinary civil discovery. In a series of cases, European civil defendants have argued that the GDPR requires them to redact all names from otherwise valid discovery requests for relevant evidence produced under a protective order, thereby turning the GDPR from a rule designed to protect the fundamental data protection rights of European Union (EU) citizens into a corporate litigation tool to frustrate and delay the production of evidence of alleged wrongdoing.
This Essay uses the example of pretextual GDPR use to frustrate civil discovery to make three contributions to the privacy literature. First, it identifies the practice of defendants attempting strategically to co-opt the GDPR to serve their own purposes. Second, it offers an explanation of precisely why and how this practice represents not merely an incorrect reading of the GDPR, but more broadly, a significant departure from its purposes—to safeguard the fundamental right of data protection secured by European constitutional and regulatory law. Third, it places the problem of privacy pretexts and the GDPR in the broader context of the co-option of privacy rules more generally, offers a framework for thinking about such efforts, and argues that this problem is only likely to deepen as privacy and data protection rules expand through the ongoing processes of reform.