Cross-border eDiscovery is the highest-risk, highest-value scenario in modern litigation, and the reason is structural: it sits at the intersection of three legal regimes that were drafted in isolation from one another and that do not fully align. US Federal Rules of Civil Procedure impose broad pretrial discovery obligations on any party subject to the jurisdiction of a US court, including the production of electronically stored information held abroad. The EU General Data Protection Regulation (and its UK GDPR analogue) restricts the processing and onward transfer of personal data of EU and UK data subjects, with administrative fines of up to 4% of global annual turnover for non-compliance. And the Hague Convention on the Taking of Evidence Abroad in Civil or Commercial Matters (1970) provides a treaty-based mechanism for one signatory state to request evidence from another — a mechanism that, in theory, was supposed to mediate exactly these conflicts.
The problem for in-house counsel and litigators is that these three regimes do not defer to one another. A US court can compel production of documents sitting on a server in Frankfurt under Federal Rule 34. The German producing party can be exposed to liability under the German Federal Data Protection Act (Bundesdatenschutzgesetz, or "BDSG") if it complies. And the Hague Convention — which the producing party will instinctively want to invoke as a more orderly path — turns out, after the Supreme Court's decision in Société Nationale Industrielle Aérospatiale v. United States District Court, 482 U.S. 522 (1987), to be optional rather than exclusive.
The practical consequence is that the producing party is left to navigate a comity analysis on the record in the US court, with the burden of proving foreign-law exposure resting squarely on its own shoulders. Doing that defensibly requires planning the review workflow around the conflict from day one — not arguing about it after the data has already been collected. The remainder of this article walks through the four cases and one statute you actually need to understand to do that work, and closes with how DecoverAI's data residency posture maps onto each of them.
The starting point for any cross-border discovery analysis is Société Nationale Industrielle Aérospatiale v. United States District Court for the Southern District of Iowa, 482 U.S. 522 (1987). The case arose out of an Iowa airplane crash; US plaintiffs sued two French state-owned aerospace companies and sought broad pretrial discovery of documents and witness testimony located in France. The French defendants argued that the Hague Evidence Convention was the exclusive mechanism for obtaining evidence located in a signatory's territory, and that French blocking statutes prohibited compliance with the Federal Rules. The Supreme Court rejected the exclusivity argument.
Justice Stevens, writing for the Court, held that "The Convention does not provide exclusive or mandatory procedures for obtaining documents and information located in a foreign signatory's territory" and that "International comity does not require in all instances that American litigants first resort to Convention procedures before initiating discovery under the Federal Rules." 482 U.S. at 544–46. The Court grounded its reading in the permissive language of the Convention itself (which uses "may" rather than "shall") and in the practical concern that an exclusive rule would create unfair asymmetries between domestic and foreign litigants.
What Aérospatiale left in its wake is a case-by-case comity analysis that the lower courts have applied with notoriously inconsistent results. The Supreme Court declined to articulate a bright-line rule and instead instructed courts to perform a "prior scrutiny" of the facts, the sovereign interests at stake, and the likelihood of effective Hague-channel discovery before deciding whether to require resort to the Convention. In modern practice, that means the producing party objecting to US discovery on foreign-law grounds bears the burden of marshaling a Restatement (Third) of Foreign Relations Law § 442 balancing analysis — the framework the Court endorsed and which has been the operative test for almost forty years.
The most usable modern blueprint for handling a foreign blocking-statute objection is the multidistrict litigation in In re Xarelto (Rivaroxaban) Products Liability Litigation, MDL No. 2592 (E.D. La.). In a series of 2016 orders before Judge Eldon E. Fallon, the Plaintiffs' Steering Committee moved to compel personnel files of two German-resident Bayer employees who had been involved in the development of the anticoagulant Xarelto. Bayer opposed on the ground that the German Federal Data Protection Act (BDSG) functioned as a blocking statute, prohibiting the transfer of personal data and exposing Bayer to civil and criminal penalties.
Judge Fallon ruled that "the German Data Protection Act functions as a 'blocking statute,' and efforts to produce German personal data implicate the Société [Nationale] comity analysis." In re Xarelto, MDL No. 2592, Order & Reasons (E.D. La. May 16, 2016) (Doc. 3237). Critically, the court did not treat the BDSG as an automatic bar. Instead, the court applied the five-factor balancing test from the Restatement (Third) of Foreign Relations Law as endorsed in Aérospatiale, and held that Bayer had failed to prove a high likelihood of foreign enforcement of penalties — squarely placing the burden on the producing party to demonstrate concrete prosecution risk.
The procedural toolbox the court used is what makes Xarelto the modern playbook. Judge Fallon ordered Bayer to produce a privacy log first, then conducted an in camera review of the disputed documents to assess the actual scope of "personal data" implicated, and ultimately ordered targeted production with redactions and a protective order. See In re Xarelto, MDL No. 2592, Order & Reasons (E.D. La. Sept. 16, 2016) (Doc. 4165). The takeaway for in-house counsel is that a defensible cross-border response is built around three artifacts — a privacy log, a targeted redaction protocol, and a protective order — rather than around a categorical refusal to produce.
The English authorities have moved in the same direction. The leading modern case is Dixon v North Bristol NHS Trust [2022] EWHC 3127 (KB), in which Mr Anthony Dixon sought an interim injunction to restrain an NHS Trust from disclosing an outcome letter and a review document containing personal data to third-party solicitors involved in clinical-negligence claims. Dixon argued that disclosure would breach his rights under the UK GDPR and the Data Protection Act 2018. Nicklin J refused the injunction in unambiguous terms: "the data protection legislation must be read purposively not mechanically. It does not give a data subject a 'veto' on what data can be disclosed." [2022] EWHC 3127 (KB).
The court reasoned that Article 6(1)(c) and (e) of the UK GDPR, read alongside the Schedule 2 exemptions in the DPA 2018, render disclosure lawful where it is necessary for compliance with a legal obligation or for the establishment, exercise or defence of legal claims. The result is that GDPR functions as a balancing factor, not a categorical bar. The earlier Court of Appeal authority in Durant v Financial Services Authority [2003] EWCA Civ 1746 supports the same direction of travel by narrowing the definition of "personal data" to information that genuinely "relates to" an individual in a way affecting their privacy — a holding still used to resist over-broad data-protection objections to inspection.
The burden allocation is set by Gurieva v Community Safety Development (UK) Ltd [2016] EWHC 643 (QB), which holds that the data controller bears the burden of proving that a statutory exemption applies and must show that disclosure would be "likely to prejudice" specified matters — with "likely" meaning a degree of probability higher than fanciful. Read together, Dixon, Durant, and Gurieva tell a producing party in England that data-protection objections will rarely defeat necessary disclosure, and that hand-waving about GDPR exposure will not satisfy the court. As with Xarelto, the defensible response is a documented balancing exercise, not a blanket refusal.
Cross-border matters carry a separate trap that is easy to miss: the definition of legal advice privilege is materially narrower in England than in the United States, and corporate documents that move between jurisdictions can lose privilege at the border. The English authority is Three Rivers District Council v Bank of England (No 5) [2003] EWCA Civ 474, [2003] QB 1556. There the Court of Appeal held that legal advice privilege extended only to communications between the Bank's outside solicitors (Freshfields) and a specifically designated "Bingham Inquiry Unit" within the Bank — "that unit, and no one else, was to be treated as Freshfields' client for privilege purposes." [2003] QB 1556, para. 37. Documents created by other Bank employees for a "presentational" purpose were held not to be privileged.
The US position is materially different. In Upjohn Co. v. United States, 449 U.S. 383 (1981), the Supreme Court rejected the narrow "control group" test and held that corporate attorney-client privilege protects communications between counsel and employees at any level of the corporate hierarchy when the communications are made at the direction of corporate superiors for the purpose of obtaining legal advice. Justice Rehnquist's opinion observed that "The control group test thus frustrates the very purpose of the attorney-client privilege by discouraging the communication of relevant information by employees of the client corporation to attorneys seeking to render legal advice to the client." 449 U.S. at 392. The Court also clarified that the privilege protects the communication, not the underlying facts. Id. at 395–96.
The practical effect for cross-border eDiscovery is sharp. A US in-house counsel email thread including a mid-level marketing manager would almost certainly be privileged under Upjohn. The same thread, sitting on a server in London and sought in English proceedings, may not be privileged under Three Rivers (No 5) because the marketing manager was not part of the formally designated client group. Custodian selection, document routing, and the construction of any privilege log have to account for this asymmetry. The safest approach is to identify which jurisdiction's privilege rules will govern each document set before review begins, and to log dual-track determinations where the answer differs.
The technical posture of the review platform is part of the comity analysis, not separate from it. DecoverAI is SOC 2 Type II certified and HIPAA compliant, and offers data-residency configurations that allow EU and UK personal data to be processed without onward transfer to US infrastructure — which is precisely the kind of mitigation a court will weigh in the Aérospatiale Restatement § 442 balancing exercise. See the security page for the full data-residency, encryption, and access-control posture.
On the workflow side, DecoverAI's privilege log generation supports per-document jurisdictional tagging so that Three Rivers (No 5) and Upjohn determinations can be made and recorded separately on the same document set. The platform's redaction and confidentiality-analysis tooling is designed to support the Xarelto playbook directly: a producing party can generate a privacy log of personal-data hits, present it to the court, and execute targeted redactions against an in camera protocol without re-touching every document by hand. The result is the kind of documented, defensible record that satisfies a comity analysis on the front end rather than litigating it on the back end.
The pricing is the same as it is for any other matter: $60 per gigabyte per month, all-in, no contracts, unlimited users. There is no separate cross-border surcharge, no per-jurisdiction fee, and no premium for data-residency configuration. See the pricing page for the full breakdown, or review the Tax Credit Investigation case study for an example of how the platform handles a privilege-heavy review at speed. To run your specific cross-border matter through the cost calculator, book a 30-minute demo and we will model the data-residency and review workflow on the call.