GDPR-Centric Compliance vs. CCPA-First Adaptation: Which Strategy Best Shields Multinational Corporations?

How International Privacy Regulations Impact High-Asset Divorce Discovery

Understanding the Regulatory Framework

GDPR and CCPA were designed primarily to protect individual privacy rights, not to facilitate discovery. However, their data mapping, retention, and access provisions can intersect with legitimate divorce discovery under specific circumstances and with significant limitations.

Your digital footprint is evidence. Learn how family law courts use it.

• GDPR Article 15 Subject Access Requests: Individuals can request access to their personal data held by organizations. However, this right applies only to the data subject themselves—not to third parties seeking their spouse's information. In Dawson-Damer v. Taylor Wessing LLP [2017] EWCA Civ 74, the UK Court of Appeal clarified that subject access requests cannot be used as a "fishing expedition" in litigation, and data controllers can refuse requests that infringe on others' privacy rights.
• CCPA's Right to Know: California residents can request disclosure of personal information categories collected about them. The California Attorney General's office has emphasized this is an individual right that cannot be exercised by third parties. Courts have consistently held that CCPA does not create new discovery mechanisms beyond existing civil procedure rules.
• Data Retention Obligations: While corporations must retain certain data for compliance purposes, GDPR's data minimization principle (Article 5(1)(c)) actually requires deletion of data no longer necessary for its original purpose. This creates a narrower window for discovery than many assume.

Legitimate Discovery Applications and Their Limits

There are documented instances where privacy regulation compliance intersected with divorce discovery, though these cases reveal both opportunities and significant constraints. In In re Marriage of Boblitt, 2020 IL App (2d) 190238-U, an Illinois appellate court addressed discovery requests targeting corporate records of a spouse's business activities. The court upheld traditional discovery standards while noting that corporate data retention policies could be relevant to spoliation claims—but only when the requesting party could demonstrate specific relevance and proportionality under Illinois Supreme Court Rule 201(b)(1).

Similarly, in the California case In re Marriage of Cadwell-Faso and Faso (2011) 191 Cal.App.4th 1513, the court addressed attempts to obtain corporate records through third-party subpoenas. The ruling emphasized that privacy protections—including those later codified in CCPA—limit discovery to information directly relevant to marital assets and income, with courts required to balance discovery needs against privacy interests.

Dr. Michelle Finneran Dennedy, former Chief Privacy Officer at Cisco and McAfee, explains: "Corporate data protection officers are legally obligated to reject requests that lack proper legal authorization. A divorce attorney cannot simply invoke GDPR or CCPA to access someone else's data—these regulations actually create additional barriers to third-party access, not shortcuts around them."

• Proper Legal Process Required: Courts must issue subpoenas or orders that satisfy both family law discovery standards and data protection requirements. This typically requires demonstrating specific relevance, exhaustion of other discovery methods, and compliance with jurisdictional requirements.
• Article 6 Lawful Basis Challenges: Under GDPR, corporations can only process data with a lawful basis. "Compliance with legal obligation" (Article 6(1)(c)) requires a valid court order from a jurisdiction with proper authority. Data protection officers routinely challenge discovery requests lacking this foundation.
• Privilege and Confidentiality Protections: Corporate counsel communications, attorney work product, and trade secrets remain protected. In Hague v. Hague, 2019 IL App (2d) 180238-U, Illinois courts reaffirmed that discovery requests must respect established privilege doctrines regardless of how data is stored or processed.

Practical Barriers and Jurisdictional Challenges

Cross-border discovery involving GDPR-protected data faces substantial practical obstacles. The European Union's Blocking Regulation (Council Regulation 2271/96) restricts compliance with foreign discovery orders that conflict with EU law. Judge Thomas M. Donnelly of Cook County's Domestic Relations Division notes: "We've seen increasing resistance from European-based entities to U.S. discovery requests. Attorneys need to understand the Hague Evidence Convention and bilateral treaties—simply citing GDPR doesn't create a discovery right."

The procedural requirements for legitimate cross-border discovery include:

• Jurisdictional Prerequisites: Establish personal jurisdiction over the data controller or demonstrate that the data relates to marital assets subject to Illinois jurisdiction. This typically requires showing the corporation does business in Illinois or that the data concerns Illinois marital property.
• Proportionality Analysis: Under Illinois Supreme Court Rule 201(c)(3), discovery must be proportional to the case's needs. Courts consider the burden on the responding party, including international compliance costs that can range from $50,000 to $500,000 for complex cross-border requests.
• Letters Rogatory or Hague Convention Procedures: Formal international judicial assistance mechanisms may be required for data held in certain jurisdictions. These processes typically take 6-12 months and require demonstrating that the evidence is "necessary" rather than merely helpful.

When These Approaches Fail: Judicial Skepticism and Ethical Boundaries

Courts have increasingly rejected discovery requests that mischaracterize privacy regulations as discovery tools. In the Northern District of Illinois case In re Testosterone Replacement Therapy Products Liability Litigation, No. 14 C 1748, Judge Matthew F. Kennelly addressed attempts to use GDPR as a discovery mechanism, noting that "privacy regulations create obligations for data controllers, not discovery rights for litigants."

Attorney Sarah Downey, former privacy counsel at Abine and a data protection specialist, cautions: "I've seen divorce attorneys attempt to frame GDPR subject access requests as discovery tools. This fundamentally misunderstands the regulation and often backfires. Data protection authorities in the EU have explicitly stated that subject access rights cannot be exercised by proxy for litigation purposes."

Common reasons courts reject these discovery tactics include:

• Fishing Expeditions: Requests that seek broad categories of data without specific relevance to marital assets or income are routinely denied under existing discovery standards.
• Forum Shopping: Courts recognize and reject attempts to use international regulations to circumvent domestic discovery limitations or protective orders.
• Misrepresentation of Regulatory Purpose: Judges are increasingly sophisticated about data protection law and reject arguments that mischaracterize compliance obligations as negligence or discovery opportunities.

Legitimate Strategic Considerations

Despite these limitations, privacy regulations do create some legitimate strategic considerations in high-asset divorce cases. The key is understanding what actually works within legal and ethical boundaries:

• Corporate Device Policies: When a spouse uses company-issued devices, corporate retention policies may preserve communications and location data. However, accessing this requires proper subpoenas to the corporation, not the individual, and must overcome privacy objections. Expect corporate counsel to assert employee privacy rights and seek protective orders limiting disclosure.
• Spoliation Prevention: Litigation holds that reference corporate data retention obligations can help prevent destruction of relevant evidence. This works best when issued early and specifically identifies relevant data categories tied to marital assets.
• Third-Party Vendor Records: Expense management platforms, travel booking systems, and corporate credit card processors may maintain records relevant to lifestyle and income analysis. Standard third-party subpoenas under Illinois Supreme Court Rule 204 remain the appropriate mechanism, with CCPA/GDPR compliance documentation potentially supporting arguments against claims that records no longer exist.

Step-by-Step Procedural Guidance

For attorneys considering discovery involving multinational corporate data, the following procedural framework reflects current best practices:

Phase 1: Jurisdictional Analysis (Weeks 1-2)

• Identify the corporate entity's jurisdiction(s) of operation and data storage locations
• Determine whether Illinois courts have personal jurisdiction over the entity
• Research applicable data protection laws and any blocking statutes
• Estimated cost: $5,000-$15,000 in legal research and jurisdictional analysis

Phase 2: Targeted Discovery Requests (Weeks 3-6)

• Draft specific, narrow requests tied to identified marital assets or income sources
• Include proportionality analysis demonstrating need outweighs burden
• Prepare for privilege and privacy objections with supporting case law
• Sample motion language: "Pursuant to 750 ILCS 5/503 and Illinois Supreme Court Rule 201, Petitioner requests production of [specific document category] from [corporate entity], which documents are reasonably calculated to lead to discovery of marital assets because [specific connection to marital estate]. The request is proportional to the needs of this case given [valuation of marital estate] and is limited to [specific time period and data categories]."
• Estimated cost: $10,000-$25,000 in motion practice

Phase 3: International Compliance (Months 2-6, if required)

• If data is held in EU jurisdictions, consider whether Hague Convention procedures are required
• Engage local counsel in relevant jurisdictions to assess blocking statute implications
• Prepare for extended timelines and significant additional costs
• Estimated cost: $50,000-$200,000 for complex cross-border discovery

Balancing Discovery Rights with Privacy Protections

The intersection of international privacy law and divorce discovery requires careful navigation of competing interests. Courts consistently emphasize that legitimate discovery rights must be balanced against privacy protections—both for the spouse and for third parties whose data may be incidentally captured in corporate systems.

Judge Pamela McLean Meyerson, retired from Cook County's Domestic Relations Division, reflected in a 2022 Illinois State Bar Association presentation: "Technology has changed what data exists, but it hasn't changed the fundamental discovery standards. Relevance, proportionality, and privacy protections still apply. Attorneys who understand these principles—rather than looking for regulatory shortcuts—serve their clients most effectively."

The most successful approaches recognize that GDPR and CCPA create compliance obligations that can intersect with discovery, but they are not discovery tools themselves. When corporate data is legitimately relevant to marital assets or income, traditional discovery mechanisms remain the appropriate path—with privacy regulations informing, but not replacing, established civil procedure.

Moving Forward with Realistic Expectations

High-asset divorce cases involving multinational corporate structures require sophisticated legal analysis that respects both discovery rights and privacy protections. The key is developing targeted discovery strategies based on specific evidence of marital assets or income, using established civil procedure mechanisms, and preparing for the significant costs and timelines involved in cross-border discovery.

If you're facing a complex divorce involving international business interests, consult with counsel experienced in both family law and international discovery procedures. Bring documentation of your spouse's corporate structure, known international business activities, and specific concerns about asset disclosure. A realistic assessment of discovery options—including their costs, timelines, and likelihood of success—will help you make informed strategic decisions.

Effective representation in these cases requires understanding both the possibilities and the limitations of modern discovery in an era of international privacy regulation.