Caught Between Courts and Continents: The 2026 Guide to Cross-Border eDiscovery in the Age of GDPR, China's PIPL, and Fragmented Data Privacy

By Sid Newby | April 2026

In twenty-plus years of litigation technology work, I've watched the geographic scope of discovery expand from filing cabinets in a single office to data centers spanning every continent. What I haven't seen -- until now -- is a moment where the regulatory frameworks governing that data have become so numerous, so contradictory, and so aggressively enforced that a single cross-border production can expose a party to sanctions in the producing jurisdiction, GDPR fines in Europe, and criminal penalties in China. We've entered an era where the question isn't whether your litigation involves cross-border data -- it almost certainly does -- but whether your team has the legal sophistication and technical infrastructure to navigate the collision of U.S. discovery obligations with an increasingly hostile global privacy landscape. The stakes in 2026 are higher than they've ever been, and the margin for error is razor thin.

The new reality: every case is a cross-border case

A decade ago, cross-border eDiscovery was a specialized practice area -- the domain of large multinational disputes and a handful of firms with international offices. That era is over. The combination of cloud computing, distributed workforces, and global SaaS platforms means that even routine commercial litigation now routinely involves data stored across multiple jurisdictions.

Consider the mechanics of a typical 2026 workplace: a company headquartered in Texas has employees in Dublin using Microsoft 365, contractors in Shanghai communicating via WeChat, a customer database hosted on AWS servers in Frankfurt, and Slack channels with participants in Toronto, London, and Singapore. When litigation hits, the discovery obligation extends to all of this data -- and every jurisdiction where that data resides has its own rules about whether and how it can be transferred.^[1]

The numbers underscore the scope of the challenge. More than 150 countries now have comprehensive data protection laws, up from approximately 80 a decade ago.^[2] The EU's GDPR remains the most influential, with fines of up to ${'\u20AC'}20 million or 4% of annual worldwide revenue for violations including unauthorized cross-border data transfers.^[1] China's Personal Information Protection Law (PIPL) -- often called "China's GDPR" -- imposes its own restrictions with criminal penalties for serious violations. And in the United States, the patchwork of state privacy laws continues to expand, with comprehensive statutes now active or pending in more than 20 states.

For litigation teams, this means that the act of collecting, reviewing, and producing documents -- the bread and butter of eDiscovery -- now requires navigating a multi-jurisdictional regulatory maze before a single document changes hands.

Figure 1: The expanding patchwork of global data privacy regulations affecting cross-border eDiscovery in 2026.

The three-front regulatory war

To understand the cross-border discovery challenge in 2026, you need to understand three regulatory regimes that are simultaneously evolving in contradictory directions.

Front 1: The European Union -- GDPR meets U.S. discovery

The tension between GDPR and U.S. discovery obligations has been simmering since 2018, but 2026 has brought it to a boil.

Under Article 48 of the GDPR, court orders from non-EU jurisdictions -- including U.S. federal and state courts -- are not, by themselves, a sufficient legal basis for transferring personal data out of the EU.^[1] The regulation requires one of several approved transfer mechanisms: the EU-US Data Privacy Framework (for certified organizations), Standard Contractual Clauses (SCCs), Binding Corporate Rules, or one of several narrow derogations under Article 49.

The EU-US Data Privacy Framework (DPF), adopted by the European Commission in July 2023, was supposed to resolve this tension -- at least for U.S. companies that self-certify. And for now, it remains in effect. But the framework is built on an executive order (EO 14086) rather than legislation, which means a future president could revoke it with a stroke of a pen. The privacy advocacy group noyb, led by Max Schrems -- the same activist whose legal challenges invalidated the two prior EU-US data transfer frameworks -- has publicly criticized the DPF's structural vulnerability.^[3] The 2026 reauthorization of Section 702 of FISA, currently under debate, is being closely watched in Brussels for any changes that might trigger a new adequacy review.

For litigation teams, the practical implication is that the legal basis for EU-to-US data transfers remains structurally fragile. Organizations that rely solely on the DPF without maintaining alternative transfer mechanisms are taking a risk that could materialize during the life of active litigation.

Front 2: China -- the PIPL's three-pathway framework

China's cross-border data regime reached a new level of maturity on January 1, 2026, when the Measures for Certification of Cross-Border Personal Information Transfer took effect, completing the three-pathway framework established under the PIPL.^[4]

Organizations seeking to transfer personal information out of China now must use one of three mechanisms:

Table 1: China's three-pathway framework for cross-border personal information transfers under the PIPL. Source: Arnold & Porter advisory.[^4]

For eDiscovery practitioners, China presents the most restrictive environment globally. Unlike the EU, where legitimate interests and legal claims derogations provide a pathway for litigation-related transfers, China's framework offers no explicit litigation exception for cross-border data transfers.^[5] A U.S. court order compelling production of documents stored in China does not, under Chinese law, authorize the transfer. And the penalties for unauthorized transfers can include criminal liability for responsible individuals.

The practical consequence: litigation teams with data in China need to build compliance infrastructure before litigation hits, not after. Waiting until a discovery dispute to figure out whether your data can leave China is a recipe for sanctions on one side of the Pacific or criminal exposure on the other.

Front 3: Blocking statutes and sovereign data assertions

Beyond GDPR and PIPL, litigation teams must contend with a growing number of blocking statutes -- laws that explicitly prohibit parties from complying with foreign court orders for document production.

France's Loi de Blocage (Blocking Law of 1968, strengthened in 2022) is the most well-known, but similar statutes exist in China, Switzerland, Germany, and several other jurisdictions. These laws create a direct legal conflict: a U.S. court orders production, while the jurisdiction where the data resides prohibits it. The party holding the data is caught in a genuine legal impossibility.^[1]

U.S. courts have historically been skeptical of blocking statute defenses. The dominant framework for resolving these conflicts is the five-factor comity analysis from the Restatement (Third) of Foreign Relations Law, which considers:^[1]

• The importance of the documents to the litigation
• The degree of specificity of the request
• Whether the information originated in the United States
• The availability of alternative means of obtaining the information
• The balance of national interests (weighted most heavily)

In practice, U.S. courts have overwhelmingly resolved this balancing test in favor of compelling production, even when doing so exposes the producing party to foreign penalties. But recent decisions suggest a gradual -- if slow -- evolution toward more robust comity analysis, particularly when national security, constitutional privacy protections, or sovereign data interests are implicated.^[1]

The courts weigh in: recent decisions reshaping the landscape

Several recent court decisions illustrate the evolving judicial approach to cross-border discovery conflicts.

The OpenAI data preservation order (2025)

In a significant May 2025 decision, a U.S. court ordered OpenAI to preserve user chat data for litigation purposes despite acknowledging that the data might be subject to deletion obligations under privacy laws in multiple jurisdictions worldwide.^[6] The court declined to conduct a detailed comity analysis, ordering preservation and deferring any transfer-specific privacy issues to a later stage. The decision reinforced the U.S. judiciary's strong tendency to prioritize domestic procedural interests -- litigation holds and preservation obligations -- over foreign privacy norms, at least at the preservation stage.

For litigation teams, the implication is clear: U.S. courts will impose preservation obligations on data regardless of where it's stored or what foreign laws say about retention. The compliance challenge of maintaining a litigation hold on data subject to GDPR's right to erasure or PIPL's data minimization requirements is left to the parties to figure out.

The Israeli data protection decision (S.D.N.Y.)

In a recent Southern District of New York decision, the court concluded that Israeli data protection law did not bar production of documents to the United States. The court noted that Israeli law incorporates GDPR-style protections but also provides affirmative defenses for complying with certain legal obligations.^[7] The decision illustrates a pattern in cross-border discovery: U.S. courts will examine foreign privacy laws with care, but where those laws contain exceptions for legal proceedings or compliance with legal obligations, courts will use those exceptions to compel production.

The Xarelto precedent

The In re Xarelto Products Liability Litigation decision remains the gold standard for robust comity analysis in cross-border discovery.^[1] Judge Eldon Fallon's detailed application of the Restatement factors -- including his finding that the balance of national interests required production with protective measures rather than outright denial -- has been cited in dozens of subsequent cases. The decision established a practical middle ground: courts can compel production while implementing safeguards (in camera review, protective orders, data minimization) that partially address foreign privacy concerns without excusing the producing party from its discovery obligations.

The practical playbook: navigating cross-border discovery in 2026

For litigation teams facing cross-border discovery in 2026, the regulatory complexity demands a structured, proactive approach. Here's the framework that works.

Step 1: Map your data geography early

Before litigation hits -- ideally as part of information governance planning -- organizations need to know where their data lives. This means:

• Identifying all cloud service providers and the geographic locations of their data centers
• Mapping employee and contractor locations against the data they generate and access
• Cataloging SaaS platforms and their data residency configurations
• Documenting which jurisdictions' privacy laws apply to which data sets

The FTI/Relativity General Counsel Report found that 53% of corporate legal departments now have formalized technology roadmaps -- more than double the prior year.^[8] Data mapping should be a core component of those roadmaps, not an afterthought.

Step 2: Engage local counsel before discovery disputes

The Judicature article on cross-border discovery makes a recommendation that cannot be overstated: retain qualified counsel in every country where data is located before discovery disputes arise.^[1] Local counsel can assess the available legal bases for transfer, identify specific risks and penalties, and help construct compliance arguments that will satisfy both the foreign regulator and the U.S. court.

This is not optional. U.S. courts routinely reject vague assertions that "foreign law prohibits production." They expect -- and increasingly require -- detailed, expert-supported analysis of the specific foreign law provisions at issue, the available exceptions, and the actual risk of enforcement. A party that shows up to a discovery hearing without a foreign law expert is a party that will lose.

Step 3: Build a transfer impact assessment protocol

Borrowing from GDPR's Transfer Impact Assessment (TIA) requirement, litigation teams should develop a standardized protocol for evaluating the risks and legal bases for each cross-border data transfer. The assessment should cover:

• Legal basis: Which transfer mechanism applies (adequacy decision, SCCs, derogation, etc.)?
• Data scope: What personal data is involved, and can it be minimized or anonymized?
• Risk assessment: What are the specific enforcement risks in the source jurisdiction?
• Protective measures: What safeguards can be implemented (encryption, access controls, protective orders)?
• Documentation: How will the organization demonstrate compliance if challenged?

Step 4: Use the Sedona Conference framework

The Sedona Conference Working Group 6 has developed a three-stage harmonization approach that remains the most practical framework for resolving cross-border discovery conflicts:^[1]

• Special Protections Stipulation: Parties stipulate (or the court orders) special safeguards for privacy-protected data -- things like enhanced protective orders, access limitations, and return-or-destroy obligations
• Phased Discovery Scheduling: The court scheduling order permits time for data protection compliance and identifies non-protected alternative sources that can be produced first
• Legitimization Plan: Parties implement a coordinated approach that maximizes simultaneous compliance with both foreign data protection law and U.S. discovery obligations

This framework works because it treats foreign privacy laws as legitimate constraints to be accommodated rather than obstacles to be overridden -- which is increasingly what courts expect from the parties.

Step 5: Leverage technology for privacy-compliant review

Technology can significantly reduce the friction of cross-border discovery. Key approaches include:

• In-country review: Processing and reviewing documents within the source jurisdiction before any cross-border transfer, so only responsive and non-privileged documents need to cross borders
• AI-powered redaction: Using AI tools to identify and redact personal data that isn't relevant to the litigation before transfer, reducing the privacy footprint of produced documents
• Data minimization through analytics: Using technology-assisted review (TAR) and AI-powered relevance classification to narrow the document set before transfer, producing only what's truly necessary
• Anonymization and pseudonymization: Replacing personal identifiers with pseudonyms where the underlying identity isn't relevant to the dispute

These aren't just nice-to-have features. Under GDPR's principle of data minimization and PIPL's proportionality requirements, demonstrating that you've taken steps to minimize the personal data transferred is often a prerequisite for successfully invoking a legal basis for the transfer.

The emerging AI wrinkle

There's one more dimension to cross-border eDiscovery in 2026 that most practitioners haven't fully grappled with: the interaction between AI-powered review tools and foreign data protection laws.

When an AI model processes documents containing EU personal data for eDiscovery purposes, several GDPR questions arise:

• Does the AI processing constitute a new "purpose" that requires its own legal basis?
• If the AI model is hosted outside the EU (as many cloud-based eDiscovery platforms are), does processing constitute a cross-border transfer?
• What transparency and documentation obligations apply when AI makes relevance or privilege determinations about documents containing personal data?
• If the AI model was trained on data from prior matters, could residual personal data in the model's weights constitute a data protection issue?

The EU AI Act, which begins full enforcement of its high-risk provisions in August 2026, adds another layer. AI systems used in the "administration of justice" are classified as high-risk, potentially subjecting eDiscovery AI tools used in litigation to additional compliance obligations including transparency requirements, human oversight mandates, and accuracy documentation.^[9]

For litigation teams, the practical guidance is straightforward: if you're using AI-powered review tools on documents that contain EU personal data, you need a documented analysis of how the AI processing fits within your GDPR transfer mechanism. If you're using AI on documents containing Chinese personal information, you need an even more careful analysis given PIPL's stricter framework. This isn't theoretical -- it's the kind of issue that a sophisticated opposing party or a data protection authority could raise to challenge the admissibility or propriety of your review process.

What this means for litigation support providers

The cross-border discovery landscape in 2026 presents a genuine inflection point for litigation support providers.

The firms and service providers that will thrive are the ones that can offer integrated, jurisdiction-aware workflows -- not just technology, but the combination of technical capability, legal expertise, and operational process that enables compliant cross-border production. This means:

• In-country processing capabilities in the jurisdictions where data resides, not just in the United States
• Privacy-compliant review workflows that document the legal basis for each cross-border transfer and implement appropriate safeguards
• AI tools that are configured for compliance with both GDPR and the EU AI Act, with documentation that demonstrates proportionality and necessity
• Relationships with local counsel networks in key jurisdictions (EU member states, UK, China, Japan, Brazil) who can provide the jurisdiction-specific analysis that courts require

For PlatinumIDS, this landscape reinforces a core belief: litigation technology isn't just about processing speed or review efficiency. It's about providing the complete workflow -- from data mapping through production -- that enables litigation teams to meet their discovery obligations without creating new regulatory exposure. In a world where every case is a cross-border case, the providers who understand both the technology and the regulatory landscape will be the ones that earn the trust of sophisticated litigation teams.

Looking ahead: the fragmentation will accelerate

If there's one prediction I'd make with confidence, it's this: the cross-border eDiscovery landscape will get more complicated before it gets simpler.

The EU is planning a consultation in Q1 2026 for new Standard Contractual Clauses for international transfers, with implementation expected later in the year.^[3] China's certification regime is still maturing, with accredited certification bodies and detailed implementation guidance still being developed. India's Digital Personal Data Protection Act is progressing through its rulemaking process, and when it takes full effect, it will add the world's most populous country to the list of jurisdictions with cross-border transfer restrictions. Brazil's LGPD continues to evolve, with the Brazilian Data Protection Authority issuing increasingly specific guidance on international transfers.

At the same time, U.S. courts show no signs of softening their approach to compelling overseas production. The trend toward detailed comity analysis is real but gradual, and in the vast majority of cases, U.S. discovery obligations will continue to prevail.

The litigation teams that navigate this successfully will be the ones that stop treating cross-border discovery as a problem to solve reactively and start treating it as a core competency to build proactively. Data mapping. Transfer impact assessments. Pre-lit compliance infrastructure. Local counsel relationships. Privacy-compliant AI workflows. These aren't luxuries -- they're the minimum requirements for responsible cross-border practice in 2026.

The alternative -- winging it and hoping foreign regulators don't notice -- is a strategy with a rapidly shrinking shelf life.