
How a Tax Subpoena in Ohio Tests European Privacy Law

Iain Nash
Tuesday, July 29, 2025, 9:48 AM

The IRS’s request for Irish employee data provides insight into the GDPR’s ability to impede American subpoenas.

An IRS office. (Alpha Photo, https://www.flickr.com/photos/196993421@N03/52742610664, CC BY-NC 2.0, https://creativecommons.org/licenses/by-nc/2.0/deed.en)

Published by The Lawfare Institute in Cooperation With Brookings

In 2023, the U.S. District Court for the Northern District of Ohio ordered Eaton Corporation to submit 10 employee performance reviews to the Internal Revenue Service as part of an ongoing investigation into the company’s activities. There was a problem, however: The reviews sat on servers in Dublin, and the company insisted that turning over the files could breach the European Union’s General Data Protection Regulation (GDPR). In response, the judge in charge of the case carried out a comity analysis, noted that the records were not “special-category” data under Article 9, found them corporate rather than intimate in nature, and held that the IRS’s audit interest outweighed any privacy concern. On that basis, the court refused to quash the subpoena.

To many American litigators the ruling appears routine: A domestic court demanded documents, the company objected, the objection failed, and production of the documents is likely to follow. To privacy lawyers on both sides of the Atlantic, however, the case presents a larger question: Under what circumstances does the GDPR really block U.S. subpoenas, regulatory demands, or law enforcement requests for evidence based in Europe?

The short answer is that the GDPR prohibits fewer transfers than commonly assumed by the legal and academic communities—but only when the party receiving the order walks carefully through four separate hurdles. First, it must ask whether the material is “personal data,” meaning any information that identifies a living person directly or indirectly. Second, it must identify a lawful basis of processing the personal data. Third, it must select a valid international transfer mechanism under Chapter V. Finally, it must show that the disclosure is necessary and proportionate to the stated purpose. Fail any step, and the target risks contempt in the United States or potentially steep administrative penalties in the European Union. Succeed on all four and the data can cross the Atlantic.

A Brief GDPR Primer

The regulation, effective since 2018, applies whenever personal data is “processed,” a term that includes collecting, storing, sharing, or disclosing information. Its cross-border scheme rests on four distinct pillars. Article 4 defines personal data broadly; Article 6 and Article 9 supply lawful bases for processing personal data or special categories of personal data, respectively; Chapter V (Articles 44 through 50) covers the requirements to transfer personal data outside of the European Economic Area; and Article 5 imposes overarching principles, chief among them data minimization and proportionality. In Europe, privacy is an enumerated fundamental right—so even if there is a lawful basis for the transfer and a transfer mechanism in place to carry it out, an excessive or poorly targeted demand will not meet the requirements of European law.

American counsel sometimes equate “personal data” with highly sensitive facts like medical history. The GDPR, and the Court of Justice of the European Union (CJEU), however, take a much broader view of personal data. In Breyer, the court held that a dynamic IP address can constitute personal data. In Nowak, it ruled that an exam script, including an examiner’s handwritten comments on the exam script, is personal data. Performance reviews, which tie specific assessments to named employees, fit easily within that definition. Once the existence of personal data is established, the entirety of GDPR applies.

The Four-Step Test in Detail

The performance reviews at the heart of Eaton are not themselves evidence of fraud. The IRS suspects Eaton of shifting intellectual-property rights to an Irish affiliate while keeping de facto control in Ohio. By studying how the firm evaluates key employees in Ireland, auditors hope to prove that Eaton Corporation, not the Irish subsidiary, actually runs the IP. Ten sets of performance reviews stored in Dublin therefore become critical exhibits in an American tax inquiry in Ohio. Because each review identifies a specific person, the material counts as personal data and triggers the protections of the GDPR.

To ascertain whether the GDPR allows the transfer of the data to the United States, there are four key steps that must be carried out. These determine the nature of the data, the grounds for a transfer, the lawful basis for the processing of personal data, and its necessity. All steps must be satisfied in order for the transfer to be lawful and compliant with the GDPR.

Step 1: Confirm the information in question relates to personal data. The definition is broad, and Eaton’s performance reviews meet it. If the answer were no, the GDPR would not apply; if yes, all further steps apply.

Step 2: Choose an international transfer mechanism under Chapter V. Three possibilities dominate. The first is Article 48, which recognizes a foreign court order only when it rests on “an international agreement, such as a mutual legal-assistance treaty” (MLAT). A request that travels through the U.S.-Ireland MLAT fits neatly, because Irish officials can compel production locally. Eaton, however, received a domestic subpoena addressed to the U.S. parent rather than the Ireland-based entity; Article 48 was therefore not applicable.

The second route is an adequacy agreement. The EU–U.S. Data Privacy Framework allows self-certified U.S. companies to receive personal data in the same manner as if they were Europe-based companies, but it excludes public bodies like the IRS.

Standard contractual clauses (SCCs) and binding corporate rules (BCRs) can justify intragroup transfers. SCCs are boilerplate agreements adopted by the European Commission, while BCRs are bespoke policies approved by a lead data-protection authority for intragroup flows. However, the CJEU’s judgment in Schrems II warns that these safeguards collapse when the data will land with a U.S. authority whose surveillance powers exceed EU standards.

The third and often final path lies in Article 49’s derogations. Paragraph 1(d) allows transfers “necessary for important reasons of public interest” recognized in EU or member-state law. Ireland’s double-tax treaty with the United States is enacted in Irish legislation and expressly covers exchange of information relevant to taxation, so a strong public-interest ground exists in the context of the Eaton request. Paragraph 1(e) allows transfers “necessary for the establishment, exercise or defence of legal claims,” a phrase broad enough to include IRS audits, provided the disclosure is occasional rather than systematic. European guidance highlights Recital 111, which warns that controllers may not rely on 49(1)(e) for routine or large-scale flows. Ten files in a single audit seems to meet that threshold.

Step 3: Choose a lawful ground for processing. After a transfer mechanism is in place, the controller still needs a legal foundation under Article 6 (or, for sensitive material, under Article 9). Article 6(1)(c)—which states that “processing is necessary for compliance with a legal obligation to which the controller is subject”—works only when that obligation stems from EU or member-state law. Because an order issued by a U.S. court is not such an obligation, Eaton cannot rely on Article 6(1)(c).

That leaves Article 6(1)(f), the “legitimate interests” ground. This basis can be used only for ordinary categories of personal data and is not available for special categories of personal data (such as health or political information). Recital 113 and European Data Protection Board guidance confirm that occasional, nonrepetitive transfers in response to foreign proceedings may rest on a controller’s compelling legitimate interest, provided that interest is not overridden by the rights of the data subjects. The Court in Rīgas Satiksme distilled the legitimate-interest test into three questions: Is the interest lawful, clearly articulated, and present? Is the processing necessary to pursue it? And, after balancing all circumstances, do the data subjects’ rights prevail?

In the Eaton example, there appear to be two strong potential legitimate-interest claims. The first is that of the data controller—the Ireland-based Eaton entity. Setting aside the specific arguments of the Eaton case, it is plausible that it has a general interest in assisting the U.S. Eaton entity in complying with a domestic court order.

The second interest here is the IRS audit. The interests can be those of a third party—in this case, the IRS, which has a strong interest in processing the personal data of the 10 Irish employees. However, this assertion is not without controversy. Under EU law, public authorities are not allowed to use legitimate interests as a lawful basis for processing personal data. Recital 47 outlines this reasoning: “Given that it is for the legislator to provide by law for the legal basis for public authorities to process personal data, that legal basis should not apply to the processing by public authorities in the performance of their tasks.” However, public authorities are not actually defined within the GDPR, and despite some discussion as to the meaning of the term by the CJEU, it is unclear whether or not third-country public authorities are bound by this restriction.

However, given that the recital explicitly states that it is up to legislators (in this context, European legislators) to grant specific legal bases for public authorities to process personal data, it follows that public authorities can be construed as European public authorities—which would suggest that the legitimate interests of the IRS can be considered as a lawful basis for processing personal data, subject to the normal balancing test.

Finally, the Meta v. Bundeskartellamt judgment shows the limits of Article 6(1)(f): A controller cannot invoke that basis where the requested processing is unrelated to its business. If the Department of Homeland Security had sought the same reviews to probe visa fraud (an aim disconnected from Eaton’s commercial interests), the company could not lean on legitimate interests. In short, Article 6(1)(f) is available in this case because the IRS’s purpose aligns with Eaton’s own tax-compliance obligations and the transfer is narrowly tailored; had the data been special-category information, or had the purpose been unrelated to Eaton’s economic activity, a different lawful basis would have been required.

Step 4: Prove necessity and proportionality. Article 5 requires processing “limited to what is necessary.” European courts look for overbreadth. In Digital Rights Ireland, the CJEU invalidated a directive that required indiscriminate retention of all phone records. In Schrems II, it condemned “generalised access” by U.S. intelligence agencies. Supervisory authorities apply the same logic to subpoenas: If narrower means exist, the controller must try them first.

Behrens v. Arconic: A Hague Evidence Convention Template

Eaton is not the first instance in which the GDPR has been examined in transatlantic discovery. There are other cases that provide guidance on how to effectively meet the requirements of the GDPR while transferring data across the Atlantic.

In the mass-tort action Behrens v. Arconic, Inc.—a products-liability suit arising from the 2017 Grenfell Tower fire in London, U.K.—the U.S. District Court for the Eastern District of Pennsylvania confronted discovery requests aimed at Arconic’s French affiliate. Rather than compel production under ordinary federal rules, the court appointed a French-law expert as special master and, on the master’s recommendation, ordered both sides to route document requests through the Hague Evidence Convention and to designate the special master as a Hague “commissioner.”

This procedure allowed the commissioner to screen each document for relevance, responsiveness, and conformity with French data-protection law; in several instances the master flagged records that “contained personal data that implicated the GDPR,” ensuring those materials were handled in a way that respected EU privacy requirements while still reaching U.S. litigants.

The decision shows that even sweeping discovery demands can be squared with the GDPR when a U.S. court (a) invokes a treaty mechanism the foreign state already treats as binding and (b) layers in proportionality safeguards through a neutral overseer. By contrast, Eaton faced a purely domestic subpoena with no Hague framework, no treaty citation, and no special master filter, leaving the company to juggle a direct U.S. order against EU transfer rules on its own. The juxtaposition underscores how much smoother cross-border evidence gathering becomes when U.S. requesters build treaty channels and privacy guardrails into their initial request.

Lessons for U.S. Investigators

Eaton offers practical guidance for U.S. investigators on obtaining evidence from European data controllers or processors in a manner that avoids conflicts between data subpoenas and the GDPR. In applying the lessons of Eaton to future cases, U.S. investigators should employ several strategies.

First, investigators should invoke the treaty. Where an international request is being made, a cover letter that quotes the exact MLAT or treaty article reduces friction: European counsel can slot the request under Article 48 and move on.

Second, investigators should be discerning and identify only the data needed. Asking for “all performance reviews” invites a proportionality fight, whereas “the most recent performance appraisal and bonus metrics for ten named engineers” shows necessity.

Third, investigators should offer mitigation, including accepting redacted salaries or pseudonyms for initial review and unredacted versions under a protective order later.

Fourth, investigators should supply a relevance statement the controller can share with its supervisory authority. A short paragraph explaining why the files matter can help to demonstrate to European regulators that the transfer is legitimate, necessary, and proportionate.

***

The GDPR is not a blocking statute against U.S. subpoenas, but it insists on certain requirements being satisfied before personal data can be transferred. A company that skips the lawful-basis inquiry or ignores proportionality invites potential fines in Europe; one that stalls without reason risks contempt at home. By mapping data, selecting the right gateway, and documenting why every field matters, firms can turn potential standoffs into routine compliance. Investigators who anchor their demands in a treaty clause or explain their Article 49 reasoning make the path easier for everyone. Careless drafting converts an ordinary production order into a genuine conflict of laws. The lesson from Eaton’s tax dispute is therefore simple: Meticulous GDPR navigation is no longer optional—it is table stakes for cross-border evidence gathering.


Iain Nash serves as a Senior Lecturer in Law at the Edge Hill University School of Law, Criminology, and Policing, where he specializes in artificial intelligence and technology law. He has a robust background in the tech sector, having collaborated with many technology companies from all over the world that focus on artificial intelligence, cybersecurity, and financial services.
