ROYAL PARK INVESTMENTS SA/NV, Individually and on Behalf of All Others Similarly Situated, Plaintiff, v. DEUTSCHE BANK NATIONAL TRUST COMPANY, as Trustee, Defendant 14-CV-04394 (AJN) (BCM) United States District Court, S.D. New York Signed December 29, 2017 Counsel Arthur C. Leahy, Steven W. Pepich, Darryl J. Alvarado, Jeffrey James Stein, Joseph Marco Janoski Gray, Lucas F. Olts, Cody R. LeJeune, Jennifer Nunez Caringal, Juan Carlos Sanchez, Kevin S. Sciarani, Robbins Geller Rudman & Dowd LLP, San Diego, CA, Samuel Howard Rudman, Robbins Geller Rudman & Dowd LLP, Melville, NY, Christopher M. Wood, Robbins Geller Rudman & Dowd LLP, San Francisco, CA, for Plaintiff. Bernard J. Garbutt, III, Michael Stephan Kraut, Bryan P. Goff, Grant R. MacQueen, John Michael Vassos, Jonathan Herman Levy, Nathan Todd Shapiro, Regina Schaffer-Goldman, Kevin James Biron, Morgan, Lewis and Bockius LLP, Christopher James Stanley, Gila Sara Singer, Gregory P. Joseph, Peter R. Jerdee, Joseph Hage Aaronson LLC, New York, NY, Ashley Anelcha Krupski, Elizabeth Allen Frohlich, Rollin Bernard Chippey, Tera Marie Heintz, Cristina Ashba, Joseph Edward Floren, Phillip J. Wiese, Morgan, Lewis & Bockius LLP, San Francisco, CA, Motty Shulman, Paul Fattaruso, II, Robin Ann Henry, Boies, Schiller & Flexner LLP, Armonk, NY, for Defendant. Moses, Barbara, United States Magistrate Judge MEMORANDUM AND ORDER Before the Court is a letter-motion dated July 7, 2017 (Dkt. No. 410), filed by defendant Deutsche Bank National Trust Company (Deutsche Bank), seeking an order compelling plaintiff Royal Park Investments SA/NV (RPI) to produce documents from the files of three custodians, located in Belgium, in unredacted form. RPI asserts that the documents – which it obtained from its assignor BNP Paribas Fortis (BNPPF) – are subject to the protections of Belgian and European Union privacy laws, which generally prohibit the “processing” of personal information, including the names and business email addresses of BNPPF’s Belgian employees and the individuals with whom those employees were corresponding. See Pl. Letter dated July 11, 2017 (Dkt. No. 417) at 1. Therefore, RPI asserts, the documents can only be produced with numerous names and email addresses redacted. Id. The parties continued to argue the issue in a series of letter-briefs, see Def. Letter dated July 13, 2017 (Dkt. No. 420); Pl. Letter dated July 24, 2017 (Dkt. No. 426); Def. Letter dated July 25, 2017 (Dkt. No. 427); Pl. Letter dated July 28, 2017 (Dkt. No. 429); Def. Letter dated August 14, 2017 (Dkt. No. 437); Pl. Letter dated August 28, 2017 (Dkt. No. 444); Def. Letter dated August 31, 2017 (Dkt. No. 446), and have submitted competing declarations from Belgian law experts. See Declaration of Frederick Van Remoortel, dated July 14, 2017 (Dkt. No. 426-1); Declaration of Johan Vandendriessche, dated August 14, 2017 (Dkt. No. 437-4); Declaration of Etienne Kairis dated August 25, 2017 (Dkt. No. 444-1). For the reasons that follow, the motion to compel will be GRANTED. I. BACKGROUND A. Factual Background RPI is a Belgian limited liability company formed as a special-purpose vehicle during the 2008 financial crisis to take over a portfolio of distressed assets previously held by Fortis Bank SA/NV (Fortis Bank) and its affiliates (collectively the Fortis Entities), including certain residential mortgage-backed securities (RMBS) certificates that derive their value from pools of residential mortgages held in ten different trusts (Trusts) of which defendant Deutsche Bank serves as the trustee (Trustee). Compl. (Dkt. No. 1) ¶¶ 2, 33. In this action, RPI alleges that Deutsche Bank breached its contractual and fiduciary obligations regarding the Trusts, thereby diminishing the value of the RMBS certificates. See Compl. ¶¶ 206-219; Royal Park Invs. SA/NV v. Deutsche Bank Nat’l Trust Co., 2016 WL 439020 (S.D.N.Y. Feb. 3, 2016)(2/3/16 Order) (Dkt. No. 100), at 1-3.[1] RPI was created in order to facilitate the sale of Fortis Bank (at that time the largest financial institution in Belgium) to a French bank, BNP Paribas (BNPP), as part of a rescue plan financed in part by the Belgian government. Compl. ¶¶ 30-32; see also Declaration of Danny Frans, dated April 28, 2016 (Dkt. No. 131-4) ¶ 7 (“BNPP would not proceed with the purchase of Fortis Bank unless the entirety of BNPP’s exposure to [the distressed] assets were ‘ring-fenced’ into the special purpose vehicle that ultimately became Royal Park.”). RPI acquired the distressed assets from the Fortis Entities on May 12, 2009. Compl. ¶ 30; see also Royal Park Investments SA/NV v. Deutsche Bank Natl. Tr. Co., 2016 WL 4613390 (S.D.N.Y. Aug. 31, 2016) (8/31/16 Order) (Dkt. No. 261), at 2. RPI alleges that when it acquired the RMBS certificates at issue it also obtained an assignment of all of the sellers’ “litigation rights and claims,” enabling RPI to stand in the shoes of the Fortis Entities and bring whatever claims they could have brought. Compl. ¶ 32; see also Frans Decl. ¶ 8; 8/31/16 Order at 3. RPI has pressed those “litigation rights and claims” in various lawsuits in the United States, including five lawsuits in this District against the trustees of the various trusts holding the mortgages underlying RPI’s RMBS certificates. Kairis Decl. ¶ 1. *2 After RPI was formed, BNPP acquired control of most of Fortis Bank and renamed it BNP Paribas Fortis SA/NV (BNPPF). See 8/31/16 Order at 2. Thus, BNPPF now owns and controls all of the former Fortis Entities that transferred the RMBS certificates to RPI, id. at 7, and has physical possession of many of the Fortis Entities’ documents, id. at 8-11, including the employee email accounts now at issue. RPI itself is owned in part by the Government of Belgium, in part by Ageas NA/SV (the successor to Fortis Bank’s insurance operations, which were not acquired by BNPP), and in part by BNPP, which holds an 11.8% ownership stake in RPI and serves as one of RPI’s directors. 8/31/16 Order at 2; see also Kairis Decl. ¶ 1. I have previously held, in a series of discovery orders, that because RPI brings this suit as an assignee, it must assume the discovery obligations of its assignors, including the entity now known as BNPPF. This means, among other things, that RPI must produce otherwise-discoverable documents held by BNPPF “to the same extent that it would be required to produce those documents from its own files pursuant to Fed. R. Civ. P. 34.” See Royal Park Investments SA/NV v. Deutsche Bank Natl. Tr. Co., 314 F.R.D. 341 (S.D.N.Y. 2016) (2/5/16 Order) (Dkt. No. 104), at 10-11; see alsoDiscovery and Scheduling Order, dated August 12, 2016 (8/12/16 Order) (Dkt. No. 253), at 1-3 (declining to “revisit” prior holding and directing RPI to search the email accounts used on or before May 12, 2009, by certain employees of the Fortis Entities, and produce “all responsive and non-privileged documents thereby identified”); 8/31/16 Order at 18 (declining to “modify” prior holding and reaffirming RPI’s obligation to “search the email accounts of a reasonable number of appropriate assignor custodians”).[2] B. The Belgian Documents The documents that are the subject of the instant motion (the Belgian Documents) are emails (some with attachments) sent to or from three of the custodians identified in my 8/12/16 Order: Stefaan de Doncker, who worked for Fortis Ireland Group; Ralf Bauer, who worked for Fortis CDO Group Custodians; and Alex Overfeldt, who worked for Fortis Portfolio Group (the Custodians). See Def. Ltr. dated July 7, 2017, at 1; 8/12/16 Order at 2. BNPPF produced these documents to RPI, but only after redacting the names of all Belgian employees (including the Custodians themselves), as well as other individuals, in the “to,” “from,” “cc,” and “bcc” fields of the emails, and in the bodies of the emails and their attachments, and listing only “Central Files” as the custodian in the metadata (rather than the name of the actual Custodian). RPI, in turn, produced the documents, as redacted, to Deutsche Bank. Def. Ltr. dated July 7, 2017, at 1-2; Pl. Ltr. dated July 11, 2017, at 1. As an example, one of the emails was produced in the following form: Def. Ltr. dated July 7, 2017, Ex. 1.[3] During the pendency of the parties’ dispute, BNPPF obtained consent from two of the three Custodians to reveal their names and contact information, and on that basis removed some of its redactions.[4] However, a total of 1,478 documents, produced to Deutsche Bank from the files of the three Custodians, remain redacted to some degree. Pl. Letter dated Aug. 28, 2017, at 1, 4. Among the remaining redactions are “the names and email addresses of ... approximately 500 individuals, including non-Fortis employees.” Id. at 4; see also Kairis Decl. ¶ 2. According to RPI, BNPPF’s counsel applied these redactions because the Belgian Data Privacy Act of December 8, 1992 (DPA) prohibits an “EU-based entity from transmitting ‘personal data’ to a country outside of the European Union without first obtaining the relevant data subjects’ unambiguous consent, absent certain exceptions that do not apply here.” Def. Letter dated July 7, 2017, Ex. 2 (Dkt. 410-2) (email from Luke Olts to Nathan Shapiro, dated June 13, 2017). The parties agree, however, that many of the redacted documents are duplicates or near-duplicates of documents that were previously produced, in unredacted form, by RPI itself. Pl. Ltr. dated July 11, 2017, at 2; see also Def. Letter dated July 13, 2017, Exs. 4-5 (examples); Pl. Letter dated July 24, 2017, Ex. D (Dkt. No. 426-4) (listing 406 “duplicates” or “near-duplicates”). C. Belgian Data Privacy Act Data protection within the European Union is governed by E.U. Directive 95/46/EC (the Privacy Directive). Van Remoortel Decl. ¶ 4.[5] The Privacy Directive “binds Member States of the European Union ... but leaves the implementation to be determined by the Member States’ national legislators.” Id. The Privacy Directive has been implemented in Belgium by the DPA. Id. ¶ 5; see also Pl. Letter dated July 11, 2017, Ex. 2 (English-language translation of DPA); Def. Letter dated July 7, 2017, Ex. 3 (Dkt. No. 410-3) (same translation). Belgian courts have assigned the protections of the Privacy Directive and the DPA “quasi-constitutional” weight. Van Remoortel Decl. ¶ 5. *4 The DPA prohibits the “processing” of “personal data” by “data controllers,” subject to six limited exceptions, discussed below. Van Remoortel Decl. ¶¶ 8-11, 15. The DPA broadly defines “processing” as “any operation or set of operations which is performed upon personal data ... such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by means of transmission, dissemination or otherwise making [the data] available ....” DPA, art. 1, § 2. The parties do not dispute that the copying and production of the Belgian Documents at issue here constitutes “processing,” and that “personal data,” as that term is used in the DPA, includes employee names and professional email addresses. Van Remoortel Decl. ¶ 39; Vandendriessche Decl. ¶ 26. A data controller found to have violated the DPA’s processing requirements may be fined €100 to €100,000. DPA, art. 39. The DPA establishes a rebuttable presumption in favor of civil liability against the data controller for any damage caused by illegal processing. Van Remoortel Decl. ¶ 35; DPA, art. 15bis. Violators also may be subject to other civil and administrative sanctions, including injunctions, “publication of the judgment in one or more newspapers,” and “the prohibition for the violator to process any personal data going forward” for up to two years. Van Remoortel Decl. ¶ 34; DPA, arts. 40-41. Criminal penalties (which can only be imposed by a criminal court) multiply civil penalties eight-fold. Pl. Letter dated July 11, 2017, Ex. 3 (Dkt. No. 417-3); Van Remoortel Decl. ¶ 33. In addition, repeat offenders may be imprisoned for three months to two years. Van Remoortel Decl. ¶ 33; DPA, art. 41, § 2. There are six exceptions to the prohibition against processing personal data, all set forth in article 5 of the DPA.[6] At issue here is article 5(f), which permits the processing if it is “necessary for the promotion of the legitimate interests of the controller or the third party to whom the data is disclosed, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject claiming protection under [the DPA].” II. ANALYSIS “[W]here the alleged obstacle to production is foreign law, the burden of proving what that law is and demonstrating why it impedes production falls on the party resisting discovery.” S.E.C. v. Gibraltar Glob. Securities, Inc., 2015 WL 1514746, at *2 (S.D.N.Y. Apr. 1, 2015). To satisfy this burden, “the party resisting discovery must provide the Court with information of sufficient particularity and specificity to allow the Court to determine whether the discovery sought is indeed prohibited by foreign law.” Wultz v. Bank of China Ltd., 298 F.R.D. 91, 96 (S.D.N.Y. 2014) (citations omitted). Among other things, that party must identify “the provisions of the foreign law, the basis for its relevance, and the application of the foreign law to the facts of the case.” Id. (internal quotation marks and citation omitted). *5 If the foreign law is found to conflict with domestic law, the court must perform a comity analysis “to determine the weight to be given to the foreign jurisdiction’s law.” Laydon v. Mizuho Bank, Ltd., 183 F. Supp. 3d 409, 413 (S.D.N.Y. 2016) (quotation marks and citations omitted). In the absence of a “true conflict,” however, a comity analysis is “unnecessary.” Gibraltar Glob. Securities, 2015 WL 1514746, at *4. A. The DPA Does Not Prohibit the Production of the Unredacted Belgian Documents For the reasons that follow I find that RPI has not met its burden of showing that foreign law prohibits the production of the Belgian Documents in unredacted form. 1. Article 5(f) Article 5(f) of the DPA requires a balancing of the legitimate interests of the data controller, the third parties to whom the data is disclosed, and the data subjects (i.e., the individuals whose names and contact information were redacted from the Belgian Documents). DPA, art. 5(f); Van Remoortel Decl. ¶¶ 35, 56. Here, the data subjects’ privacy interests are minimal, are safeguarded by other protections already in place, and are outweighed by the legitimate interests of all of the other relevant actors – including BNPPF – in complying with this Court’s discovery orders. a. Identifying the Data Controller and the Third Parties As a threshold matter, the parties take somewhat different approaches to the question of whether BNPPF is the only relevant “data controller” under the DPA. One of plaintiff’s experts asserts that BNPPF, as “the” data controller, is alone entitled to determine whether and how it may process the Belgian Documents. Pl. Letter dated Aug. 28, 2017 (Dkt. No. 444) at 1-2; Van Remoortel Decl. ¶¶ 39, 43. Defendant’s expert opines that both RPI and Deutsche Bank are data controllers, Vandendriessche Decl. ¶¶ 36, 37, and does not commit himself as to whether BNPPF is also a data controller.[7] Plaintiff’s second expert states that BNPPF is “the relevant data controller vis-à-vis the data subjects,” and therefore that “the analysis must be conducted from BNPPF’s perspective and not from the perspective of RPI as hypothetical controller of this data set.” Kairis Decl. ¶¶ 5-6. RPI thus suggests, albeit in backhanded fashion, that this Court’s interest-balancing analysis might come out differently if RPI were viewed as the data controller, since BNPPF “is not a party” to this action, whereas RPI “initiated these litigations, thus creating a significant difference in interest and stakes” between BNPPF and RPI. Id. ¶ 6. Neither party provides any authority, beyond the text of the DPA itself, for its position.[8] *6 The DPA defines a controller as “any natural or legal person ... which alone or jointly with others determines the purposes and means of processing of personal data.” DPA, art. 1, § 4. I find, based on a plain reading of the DPA, that BNPPF is a data controller for purposes of the analysis under article 5(f). It is BNPPF’s processing – that is, BNPPF’s decision to redact the Belgian Documents before turning them over to RPI for production in this action – that is at issue here, and consequently its interests, as data controller, must be balanced against the “interests or fundamental rights and freedoms of the data subject[s].” DPA, art. 5(f). Moreover, although from the perspective of American law “the Belgian Documents are RPI’s documents” for discovery purposes, such that RPI will “bear[ ] the risks and burdens” of discovery from BNPPF’s files, Def. Letter dated July 13, 2017, at 1 (emphasis in the original), it is BNPPF that would likely bear any risk of civil or criminal penalties under the DPA. It is unnecessary to determine, for purposes of the present dispute, whether RPI and Deutsche Bank are also “data controllers” as to the Belgian Documents, or simply “third parties” to which the data will be disclosed. Compare Vandendriessche Decl. ¶¶ 36-38 (opining that RPI was “a controller,” Deutsche Bank was “both a third party to whom the data was disclosed and a controller,” and the Court was “also a third party to whom the data was disclosed”) (emphasis in the original) with Van Remoortel Decl. ¶¶ 51, 54, 56 (characterizing RPI as a “third party” to whom the data may be disclosed). Under article 5(f), the legitimate interests of data controllers and third parties must be taken into account, and both must be balanced against the “interests or fundamental rights and freedoms of the data subject[s] claiming protection under this Act.” DPA, art. 5(f).[9] b. Whether Litigation is a Legitimate Interest There is no dispute that a data controller or a third party may have a “legitimate interest,” as that term is used in article 5(f), in producing or obtaining personal data for purposes of litigation. See Vandendriessche Decl. ¶¶ 29-32; Van Remoortel Decl. ¶ 55 & Ex. 6 (Working Document 1/2009 on pretrial discovery for cross border civil litigation, dated February 9, 2009) (Working Document 1/2009).[10] Interpreting an analogous provision of the Privacy Directive, the WP29 notes explicitly that data may be processed to satisfy a party’s discovery obligations in connection with litigation pending in the United States. See Working Document 1/2009, at 2 (noting the need for guidance relating to “transborder discovery,” including production of “data held in Europe but required in relation to legal proceedings, for example, in the United States”); id. at 9 (“Compliance with the requirements of the litigation process may be found to be necessary for the purposes of a legitimate interest possessed by the controller or by a third party to whom the data are disclosed[.]”). *7 Although agreeing in principle that the DPA may, in some cases, permit the processing of personal data in connection with litigation in the United States, plaintiff’s expert draws the Court’s attention to a nonbinding opinion by the WP29 concluding that the Society for Worldwide Interbank Financial Telecommunication (SWIFT) violated the Privacy Directive, despite having a “legitimate interest” in obeying legal process served upon it, when it “compl[ied] with a large amount of subpoenas under U.S. law.” Van Remoortel Decl. ¶ 32. However, the WP29 SWIFT opinion is distinguishable on its facts from the case at bar.[11] Moreover, as defendant’s expert points out, the final decision of the Belgian Data Protection Commission on the matter held that SWIFT did not violate Belgium’s data protection laws and declined to impose any sanctions upon it. See Vandendriessche Decl. ¶¶ 78, 79, id. Ex. J (Belgium Data Protection Commission, Decision of 9 December 2008), at 74, ¶ 247. Consequently, the WP29 SWIFT opinion is of limited help to plaintiff in the present dispute, and certainly does not stand for the proposition that litigation pending in the United States cannot be a legitimate interest for purposes of article 5(f) of the DPA.[12] c. Interests of the Data Subjects The Court must now weigh the legitimate interests of both RPI and Deutsche Bank in obtaining the Belgian Documents (RPI so that it can comply with this Court’s orders and avoid potential sanctions in the forum it chose for its litigation; Deutsche Bank so that it can defend itself against RPI’s claims) against the interests of the data subjects. WP29 has suggested several inquiries useful in examining the impact of data processing on data subjects. See Van Remoortel Decl. Ex. 4 (Opinion 06/2014 on the notion of legitimate interests of the data controller under article 7 of Directive 95/46/EC, dated April 9, 2014) (Opinion 06/2014). The factors to be considered include “the nature of the personal data, the way the information is being processed, the reasonable expectations of the data subjects and the status of the data controller and data subject.” Opinion 06/2014, at 36. Here, the contested documents are work emails, all of them at least eight years old and many older. They all concern the business of the Fortis Entities, not the personal finances or private lives of the individuals whose names have been redacted. See Vandendriessche Decl. ¶ 67. No “sensitive” data is involved, see DPA, art. 6 (establishing special protections for data revealing “racial or ethnic origin, political opinion, religious or philosophical beliefs or trade-union membership,” as well as “data concerning sex life”); Opinion 6/2014 (noting that other categories can also require heightened protection, such as “biometric data, genetic information, communication data, [and] location data”) at 38, and RPI does not identify any financial, professional, or reputational risk that the data subjects will face if the Belgian Documents are produced in unredacted form. Moreover, contrary to the repeated claim of RPI’s expert, see, e.g., Van Remoortel Decl. ¶¶ 55-57, no “bulk” transfer is contemplated. A total of 1,478 documents are in dispute, all of them selected precisely because they fall within the parameters of this Court’s discovery orders and are therefore presumptively relevant to the claims and defenses in this action.[13] The “nature of the personal data” at issue thus suggests that the privacy rights of the data subjects weigh relatively lightly compared to the parties’ legitimate interests in producing or obtaining the Belgian Documents as ordered by this Court. *8 Nor does the “way in which the information is being processed” raise any alarms. Not only is the processing confined to a small number of presumptively relevant documents, both RPI and Deutsche Bank are subject to the heavily-negotiated Protective Order, which permits RPI (as well as non-parties responding to subpoenas) to designate individual discovery documents “Confidential” and thereby restrict their use and limit their further dissemination. Both parties have frequently availed themselves of the protections of the Protective Order, submitting multiple applications to file documents under seal – including in connection with the present dispute. Plaintiff’s expert asserts that since “none of the data subjects are directly involved in the litigation itself” and “many of them have no discernible link to the United States or the issues being litigated,” they could not have had “any reasonable expectation that their e-mail correspondence would be disclosed in an unredacted way to a third party for production in U.S. court proceedings.” Van Remoortel Decl. ¶ 56. But I cannot accept his premise. Van Remoortel could not possibly know which of the data subjects are involved in the litigation or have a “link to the United States,” unless, of course, he has reviewed unredacted copies of the Belgian Documents to ascertain who they are. Moreover, his assumption is demonstrably erroneous at least as to one subject, Ralf Bauer, who was designated a Custodian in part because RPI identified him as a potential witness but whose name and work email address apparently remain redacted, preventing the parties from authenticating – and perhaps even identifying – his relevant email correspondence. Even assuming that most of the data subjects have no particular connection to this forum or the pending lawsuit, I am not persuaded that their “reasonable expectations” militate against the production of the unredacted Belgian Documents. Plaintiff makes no showing, for example, that any of the data subjects were given any assurances at the time the data was collected (that is, when they wrote or received the business emails now at issue) that their names and their work email addresses (many of them now obsolete) would be kept confidential in any later production of those emails for litigation purposes. Finally, nothing about the “status of the data controller and data subject” shifts the balance for purposes of article 5(f). BNPPF is, to be sure, part of a “large multi-national company,” Opinion 06/2014, at 40, but there is no evidence here that it is using its “resources and negotiating power” to “impose on the data subject what it believes is in its ‘legitimate interest.’ ” Id. To the contrary: BNPPF has assiduously redacted the Belgian Documents, thus putting its affiliate RPI at risk of adverse consequences in this action (and putting its parent, BNPP, at risk of bearing 11.8% of those adverse consequences). Moreover, the data subjects are not children or otherwise in need of “special protection,” id. at 41. The purpose of the balancing exercise under article 5(f) “is not to prevent any negative impact on the data subject. Rather, its purpose is to prevent disproportionate impact. This is a crucial difference.” Opinion 06/2014, at 41 (emphasis in the original). After considering all of the relevant factors, I find that the processing at issue here is “necessary for the promotion of the legitimate interests of the controller or the third party to whom the data is disclosed,” and that those interests are not “overridden by the interests or fundamental rights and freedoms” of the individuals whose names and email addresses have been redacted by BNPPF. *9 My conclusion is reinforced by the fact that RPI struck the balance the same way when it produced duplicates or near-duplicates of many of the Belgian Documents from its own files (in Belgium), to Deutsche Bank (in the United States), without any privacy redactions. It may well be that RPI “cannot make a decision on behalf of BNPPF.” Van Remoortel Decl. ¶ 43. But it can and did make a decision, on its own behalf, that it was permitted to produce those documents without running afoul of the Belgian or E.U. privacy laws. Having done so, RPI can hardly expect this Court to accept its argument (which BNPPF has done nothing to support) that the same conduct would be unlawful if undertaken by BNPPF. Pl. Letter dated July 11, 2017, at 2. 2. Article 22 Even if otherwise permitted under article 5(f), RPI argues, the processing contemplated here would be unlawful under article 21 of the DPA, which bars the “transfer of personal data to a country outside of the European Community” unless “the country in question ensures an adequate level of protection and if the other provisions of this Act and its implementing decrees have been complied with.” DPA, art. 21, § 1.[14] However, article 22 sets out a “derogation from” (exception to) this prohibition, permitting the transfer of personal data even to the United States if “the transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defence of legal claims.” DPA, art. 22, § 1, 4°. Plaintiff’s expert, citing no legal source, asserts that the derogation cannot be invoked here because the transfer is not “necessary” to BNPPF’sestablishment or exercise of its legal claims. Van Remoortel Decl. ¶ 60. However, the language of article 22 is not limited to cases where the data controller is itself a named party as to the legal claims that must be established or defended outside of the E.U. See Vandendriessche Decl. ¶ 91 (art. 22, § 1, 4° “is silent on whether the party transferring the documents must be a party to the lawsuit. It only requires that the transfer is ‘necessary’ or ‘legally required.’ ”). Here, the named party to the U.S. litigation is RPI, which is BNPPF’s assignee and affiliate (through BNPP). Moreover, since this Court has ordered RPI to produce the Belgian Documents, their transfer is “legally required” in order for RPI to establish its legal claims (and defend itself against Deutsche Bank’s motion for discovery sanctions).[15] Thus, even if the transfer from BNPPF to RPI – in Belgian – were deemed a transfer to the U.S. (because the “actual purpose” of that transfer is to enable RPI to forward the documents to Deutsche Bank, see Van Remoortel Decl. ¶ 56), it would not be prohibited by article 22 of the DPA. B. Comity Analysis *10 Because I find no true conflict between Belgian law, on the one hand, and the requirements of this Court’s discovery orders, on the other hand, there is no need for a comity analysis. See Yukos Capital S.A.R.L. v. Samaraneftegaz, 592 F. App’x 28, 29 (2d Cir. 2015) (quoting In re Maxell Comm’n Corp., 93 F.3d 1036, 1049 (2d. Cir. 1996)) (“International comity comes into play only when there is a true conflict between American law and that of a foreign jurisdiction.”); Gibraltar Glob. Securities, 2015 WL 1514746, at *4. Were a comity analysis required, however, it would not change my conclusion that RPI must produce the Belgian Documents without “privacy” redactions. When determining whether to issue an order directing the production of information or documents in contravention of foreign law, courts follow the Restatement (Third) of Foreign Relations Law § 442(1)(c), and consider the following factors: (1) the importance to the investigation or litigation of the documents or other information requested; (2) the degree of specificity of the request; (3) whether the information originated in the United States; (4) the availability of alternative means of securing the information; and (5) the extent to which noncompliance with the request would undermine important interests of the United States, or compliance with the request would undermine the important interests of the state where the information is located. Laydon, 183 F. Supp. 3d at 419-20; see also Wultz, 298 F.R.D. at 96. Courts in the Second Circuit consider two additional factors: (6) the hardship of compliance on the party or witness from whom discovery is sought; and (7) the good faith of the party resisting discovery. Laydon, 183 F. Supp. 3d at 420; see also Wultz, 298 F.R.D. at 96. The court may also consider “whether the person resisting discovery is a party to the litigation,” and whether the requirements of another country’s privacy laws are “absolute.” Laydon, 183 F. Supp. 3d at 420 (citing Tansey v. Cochlear Ltd., 2014 WL 4676588, at *2 (E.D.N.Y. Sept. 18, 2014)). With respect to the first factor, RPI suggests that the “substantial volume of information” that has been already produced weighs against the importance of the 1,478 disputed documents. Pl. Ltr. dated July 11, 2017, at 3. The fact that plaintiff has already produced many documents in discovery does not, however, relieve it of its obligation to produce additional responsive documents. Here, while Deutsche Bank does not argue that the outcome of this case will “stand or fall” on the Belgian Documents, see Campbell v. Facebook, Inc., 2015 WL 4463809, at *4 (N.D. Cal. July 21, 2015), neither does it concede that they are merely cumulative. At a minimum, they are relevant, long overdue, unavailable from any other source (except, of course, as to those already produced by RPI itself), and cannot be fully evaluated for impact until the redactions are removed. In the event of a true conflict, therefore, the first factor would not weigh heavily either in favor of or against production. The second factor favors production. As discussed above, the request is narrow and specific. RPI, as an assignee, is already under court order to produce the responsive documents, and BNPPF has already searched for them, identified them, logged them, and produced them, albeit in redacted form. The third factor goes the other way, as the parties do not dispute that the redacted documents originated in Belgium. See Tiffany (NJ) LLC v. Qi Andrew, 276 F.R.D. 143, 152 (S.D.N.Y. 2011); Laydon, 183 F. Supp. 3d at 421. *11 The fourth factor, however, weighs heavily in favor of production. As to the majority of the documents – those not produced in the same or similar form by RPI itself – BNPPF is the only known source from which they can be obtained. The fifth factor also militates in favor of production. I have already concluded that there is no true conflict between the DPA and U.S. law. Compliance with the request – that is, production of the Belgian Documents – therefore will not “undermine the important interests of the state where the information is located.” Wultz, 298 F.R.D. at 96. Noncompliance, on the other hand, would undermine the interest of the United States in enforcing its own procedural rules, including discovery rules, in cases brought by foreign plaintiffs in United States courts. See Laydon, 183 F. Supp. 3d at 423; Tansey, 2014 WL 4676588, at *4 (collecting cases). Moreover, Belgium’s interest in the privacy of its data subjects, while significant, is not absolute or unqualified and, “can be mitigated by the countervailing factors present in this case,” Wultz, 298 F.R.D. at 103, such as the limited scope of the required production and the limits imposed by the parties’ Protective Order. In assessing the sixth factor – the hardship of compliance on the party or witness from whom discovery is sought – courts look to whether production could expose the producing party to fines or criminal sanctions. See, e.g., Laydon, 183 F. Supp. 3d at 425. Plaintiff cites BrightEdge Techs., Inc. v. Searchmetrics, GmbH., in which a California district court held that “if a foreign company is likely to face criminal prosecution in a foreign country for complying with a United States court order, that is a weighty excuse for nonproduction.” 2014 WL 3965062, at *5 (N.D. Cal. Aug. 13, 2014). Since I do not believe that production of the Belgian Documents violates the DPA, however, I cannot conclude that BNPPF will face civil or criminal liability in Europe for turning over unredacted copies of 1,478 old business emails that it has already produced with redactions. The final factor, which is the good faith of the resisting party, is even less helpful to RPI. Although BNPPF possesses the disputed documents, it is RPI that has done all of the “resisting,” on grounds substantially undercut by its own inconsistent conduct as to overlapping documents within its own possession. Moreover, as I have previously noted, RPI contemplated the present litigation – or litigation very much like it – as early as 2009, when it received the RMBS from the Fortis Entities along with an assignment of the sellers’ claims. See 2/5/16 Order, at 11. Yet it repeatedly failed to secure, from its assignors, the documents necessary to litigate those claims in accordance with the Federal Rules of Civil Procedure. See 8/31/16 Order at 7-12. Its recent document production difficulties, therefore, “are largely of plaintiff’s making,” id. at 16, which militates against it in any comity analysis. See Minpeco, S.A. v. Conticommodity Services, Inc., 116 F.R.D. 517, 522-23 (S.D.N.Y. 1987) (“Another aspect of a resisting party’s good faith which is scrutinized by courts in this area is whether a party’s inability to produce documents as a result of foreign law prohibitions was fostered by its own conduct prior to the commencement of the litigation.”). Even if there were a true conflict of laws, therefore, comity would not prevent this Court from ordering RPI to comply with its long-standing discovery obligations. III. CONCLUSION *12 For the reasons set forth above, defendant’s letter-motion (Dkt. No. 410) is GRANTED. Plaintiff shall produce the Belgian Documents, without privacy redactions, on or before January 31, 2018. BNPPF’s continued refusal to make the documents available in that form will not be a defense to a motion for discovery sanctions against RPI, if otherwise warranted. See JPMorgan Chase Bank v. Winnick, 228 F.R.D. 505, 508 (S.D.N.Y. 2005); JPMorgan Chase Bank v. Winnick, 2006 WL 278192, at *3 (S.D.N.Y. Feb. 6, 2006). SO ORDERED. Footnotes [1] For consistency and ease of reference, all prior orders issued in this action (whether or not published) are cited by the date of the order. Pin citations are to the page numbers found in the original order as issued by the Court. [2] The 8/12/16 Order directed RPI to search the work email accounts of six former employees of various Fortis Entities, all of whom were involved in the arrangement, purchasing, and/or monitoring of the RMBS at issue in this action. See Def. Mem. in Supp. of Mtn. to Compel, dated April 29, 2016 (Dkt. No. 126), at 7, 17, 19-20, 22. The 8/31/16 Order limited and clarified the “appropriate scope of plaintiff’s document production obligations.” 8/31/16 Order at 18. I held, among other things, that while Deutsche Bank was “entitled to explore what RPI and/or its assignors knew, and what they did in response to that knowledge, if and to the extent such discovery concerns either the losses allegedly caused by Deutsche Bank’s breaches or plaintiff’s effort to mitigate those losses,” id. at 12-14, 18-40, the temporal scope of such discovery would be limited to “the period beginning six months prior to the date of the earliest losses that RPI claims to have suffered as a proximate result of Deutsche Bank’s breach of contract or breach of trust.” Id. at 38, 41. [3] Although the email, as redacted, lacks any intelligible content, it was apparently designated “confidential” when produced by RPI – pursuant to the parties’ Stipulation and Agreed Protective Order (Dkt. No. 77) (Protective Order) – thereby prompting Deutsche Bank to file it under seal. I reprint it here after concluding that a ten-year-old business email from “Redacted” to “Redacted,” reporting that “Redacted” had a conversation with “Redacted,” does not qualify for sealing under Lugosch v. Pyramid Co. of Onondaga, 435 F.3d 110, 113 (2d Cir. 2006), or its progeny. Whether an unredacted version of the same email would warrant sealing is not now before me. [4] See Pl. Letter dated July 24, 2017, at 2 & n.2; Pl. Letter dated July 28, 2017, at 1. However, BNPPF apparently did not obtain consent from the third custodian, Bauer (the record does not reveal whether his consent was sought), and even as to the individuals who did provide consent, BNPFF “unredacted” only their own names and contact information. The names of the individuals they corresponded with, and the names of the individuals mentioned in their correspondence, remained redacted. Def. Letter dated Aug. 14, 2017, at 4; id. Ex. 8 (example). [5] Plaintiff’s primary expert, Frederick Van Remoortel, is senior counsel and head of the Privacy and Cybersecurity Group at Crowell & Moring’s Brussels office. Van Remoortel Decl. ¶¶ 1, 2. RPI initially submitted his declaration in another of its lawsuits in this District, against another trustee. See Royal Park Invs. SA/NV v. U.S. Bank Nat’l Assoc., No. 14-CV-02590, Dkt. No. 284-2 (S.D.N.Y. July 14, 2017). Ten days later, RPI submitted the same declaration in this action. Defendant’s expert, Johan Vandendriessche, is a Belgian professor of data protection and privacy law, as well as an attorney and partner at Erkelens Law in Brussels. Vandendriessche Decl. ¶¶ 1, 7, 8; id. Ex. A Both experts have written extensively on Belgian privacy law issues. Plaintiff also submitted the declaration of Etienne Kairis, a partner in the Brussels office of Liederkerke Wolters Waelbroeck Kirkpatrick CVBA/SCRL. Kairis Decl. at 3. [6] These exceptions apply where: (a) the data subject has unambiguously given consent to the processing of his or her data; (b) the processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract; (c) the processing is necessary for compliance with an obligation to which the controller is subject under or by virtue of an act, decree or ordinance; (d) the processing is necessary to protect the vital interests of the data subject; (e) the processing is necessary for the performance of a task carried out in the public interest or in the exercise of the official authority vested in the controller or in a third party to whom the data is disclosed; and (f) the processing is necessary for the promotion of the legitimate interests of the controller or the third party to whom the data is disclosed, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject claiming protection under the DPA. DPA, art. 5(a)-(f). [7] RPI is a data controller, in Vandendriessche’s view, because as BNPPF’s assignee it is responsible for producing the Belgian Documents pursuant to this Court’s prior orders, and because it previously “produced documents relevant to this litigation without redactions other than those permitted for legal privilege.” Vandendriessche Decl. ¶ 36. Deutsche Bank is also a data controller, according to its expert, because it “served document requests upon RPI and negotiated with RPI concerning the appropriate search terms.” Id. ¶ 37 & n.13. [8] Moreover, BNPPF itself has not made any motion or submitted any affidavit or other evidence to support RPI’s view that BNPPF is the only relevant data controller. Similarly, BNPPF is silent as to whether it has any legitimate interest in the production of the unredacted Belgian Documents. Compare Van Remoortel Decl. ¶ 53 (because neither BNPPF nor any of its current employees is a party to this action, BNPPF “has no specific, direct or indirect interest in the requested processing”) and Kairis Decl. ¶ 6 (BNPPF “has no interest in the Trustees litigations”) withVandendriessche Decl. ¶ 52 (because BNPP is a part-owner of RPI and “stands to benefit directly from any recovery RPI makes in this litigation,” BNPPF has an interest in “RPI complying with its discovery obligations”). [9] I reject plaintiff’s efforts to render Deutsche Bank’s interests “irrelevant for the assessment of the initial production of data by BNPPF.” Van Remoortel Decl. ¶ 51. My 8/12/16 Order directed RPI to produce the documents to Deutsche Bank. Thus, as plaintiff’s expert acknowledges a few paragraphs later, “even though the transfer of data by BNPPF would be done to RPI in Belgium as a first step, all parties involved know that the actual purpose is for RPI to transfer the personal data to the United States.” Id. ¶ 56. For Van Remoortel to focus only on the first leg of the data’s journey for purposes of the balancing test under article 5(f) is to elevate form over substance. Deutsche Bank must therefore be considered a “third party” as that term is used in the DPA, and its interests are properly taken into account along with those of BNPPF, RPI, and the data subjects. [10] Working Document 1/2009 was produced by the Article 29 Data Protection Working Party (WP29), an independent European advisory body that provides guidance on the interpretation of the Privacy Directive. Van Remoortel Decl. ¶ 6 n.13. Its guidance is non-binding but “highly authoritative.” Id. In Working Document 1/2009, WP29 “recognises that the parties involved in litigation have a legitimate interest in accessing information that is necessary to make or defend a claim, but this must be balanced with the rights of the individual whose personal data is being sought.” Working Document 1/2009, at 2. [11] SWIFT is a financial services intermediary, based in Belgium, responsible for processing instructions for millions of financial transactions between European and American financial institutions. See Vandendriessche Decl. Ex. I (Opinion 10/2006 on the processing of personal data by the Society for Worldwide Interbank Financial Telecommunication (SWIFT), dated November 22, 2006) (Opinion 10/2006), at 1-6. In 2005 alone, SWIFT processed 2.5 billion messages containing personal data such as the “names of the beneficiary and the ordering customer.” Id. at 5-6, 8. Between 2001 and 2005, in response to 64 administrative subpoenas issued by the U.S. Treasury Department’s Office of Foreign Assets Control, SWIFT transferred mirrored versions of its entire database for specified periods of time to a “black box” owned by the Treasury Department, which then performed “focused searches” to extract terrorism-related information. Id. 5, 8-9, 24. The WP29 readily agreed that SWIFT had a “legitimate interest in complying with the subpoenas.” Id. at 18. However, it concluded, that this interest did not justify SWIFT’s conduct in “processing and mirroring its data in a ‘hidden, systematic, massive, and long-term manner,’ ” which was never disclosed to the users of its services. Id. at 19. In short, WP29 weighed SWIFT’s legitimate interest in complying with the subpoenas against the extraordinarily intrusive manner in which it chose to respond – which included the wholesale turnover of massive quantities of personal financial information without making any effort to narrow the production for relevance before doing so – and concluded that the balance weighed in favor of the data subjects. [12] To the extent that the court in Laydon took a different view of the issue, see 183 F. Supp. 3d at 417-18, it is not clear that that court was provided with the subsequent decision by the Belgian Privacy Commission. [13] Van Remoortel may not understand that the Belgian Documents have already been screened for litigation relevance. In addition, he may not fully appreciate the extent to which the redactions have rendered the emails, in some cases, wholly unintelligible. In his declaration, he notes that the documents “have already been produced in redacted form” and argues that there is little “added value for the parties to the litigation in having access to the bulk unredacted versions.” Van Remoortel Decl. ¶ 55. In fact, as demonstrated by the example reprinted infra at 5, some of the Belgian Documents will have no value at all unless the redactions are removed. [14] The parties agree that the United States is a third country that is not recognized as offering an adequate level of protection of privacy and data protection rights. Van Remoortel Decl. ¶ 56; Vandendriessche Decl. ¶ 86. [15] Plaintiff’s expert points to WP29’s “Working document on a common interpretation of the Article 26(1) of Directive 95/46/ED of 24 October 1995,” dated November 25, 2005) (WP 114)), which states that litigation exception must be subject to “strict interpretation,” such that (for example) while a European subsidiary could transfer specific data relating to an employee to its non-E.U. parent company, if necessary for the parent company to defend itself in a lawsuit brought by the employee, the subsidiary could not transfer “all the employee files” merely because “such legal proceedings might be brought one day.” WP 114, at 15. From this, Van Remoortel concludes that the derogation cannot be invoked “for a bulk transfer of unredactedBelgian Documents to a third party.” Van Remoortel Decl. ¶ 60 (emphases in the original). But no one is asking BNPPF for “all the files.” RPI, which is BNPPF’s affiliate and assignee, requires only the specific documents that it has already been ordered to produce in this action.