A recent preservation order in the OpenAI litigation revives a longstanding transatlantic legal conflict. This article examines the legal collision between U.S. litigation holds and GDPR erasure rights and the limits of practical mitigation.
Can a court order from one jurisdiction lawfully compel a company to preserve personal data that another legal system mandates must be deleted? The preservation order issued on 13 May 2025 by the US District Court for the Southern District of New York in In re: OpenAI, Inc. Copyright Infringement Litigation (the OpenAI case), No. 25-md-3143 (SHS)(OTW), resurfaces a decades-old transatlantic legal conflict: the incompatibility between US discovery obligations and European data protection regimes.
In Europe, this decision conflicts with the GDPR’s provisions on data minimisation (Article 5(1)(e)) and the right to erasure (Article 17) . The GDPR did not create the problem, but it certainly amplified the stakes. Now, with AI developers like OpenAI facing large-scale litigation involving user data, the collision between litigation holds and the GDPR is once again in sharp focus.
This article examines the legal incompatibility between US litigation holds and GDPR erasure rights, and considers the limits of practical mitigation strategies in resolving the conflict.
-
Legal incompatibility: When GDPR erasure obligations collide with US discovery rules
We unpack the scope and force of US preservation orders and explain why the GDPR’s limited derogations provide insufficient relief in this context.
1.1. The extraterritorial reach of US preservation orders
In US litigation, once proceedings are reasonably foreseeable, parties are subject to a duty to preserve relevant data. This obligation is legally binding and enforceable under Federal Rule of Civil Procedure 37(e) , with serious sanctions for non-compliance. In Aerospatiale (1987), the US Supreme Court ruled that US courts are not automatically constrained by foreign blocking statutes or privacy laws when ordering discovery.
In the OpenAI case, the court ordered preservation of user chat data despite acknowledging that the data might be subject to deletion under "privacy laws around the world." OpenAI filed a motion for reconsideration on 15 May 2025, citing disproportionate burdens, raised international compliance risks under the GDPR and other laws, and lacked sufficient justification under US discovery principles. The motion was denied on 16 May. The court did not engage in a detailed comity analysis, reaffirming the US judiciary’s tendency to favour domestic procedural interests over foreign privacy norms.
In practice, data controllers subject to US jurisdiction are routinely ordered to retain or produce personal data located in the EU or UK, notwithstanding conflicting obligations under data protection law. Protective orders and sealed filings may be used as safeguards, but they do not resolve the core legal contradiction.
1.2. The limits of GDPR derogations in a US litigation context
The GDPR’s right to erasure is not absolute as it offers a narrow legal exemption from erasure under Article 17(3)(e)where processing is necessary for the establishment, exercise or defence of legal claims. However, whether this exemption extends to non-EU/UK litigation remains unresolved. European Data Protection Authorities, including the CNIL and the European Data Protection Board, have not conclusively determined if foreign proceedings qualify as justifications for data retention, particularly when the data subject is not a party or the litigation is unconnected to EU legal systems.
Further complications arise under Article 48 GDPR, which prohibits reliance on third-country court or administrative orders from serving as basis for personal data processing or transfers unless pursuant to an international agreement. No such agreement currently exists between the US and EU or UK in this context. Therefore, US discovery orders, standing alone, cannot lawfully justify retention of data that would otherwise be deleted. In the OpenAI case, the preservation order arguably places the controller in breach of Article 48 if the personal data is retained for US legal compliance without an appropriate transfer mechanism.
-
Responding to conflict: legal mitigation vs. regulatory exposure
We consider the practical value of common GDPR safeguards and the specific vulnerabilities of AI platforms in the face of litigation holds.
2.1. The role and limits of GDPR risk-based mitigation strategies
Controllers often seek to reconcile these competing obligations using GDPR-compatible safeguards and mitigation strategies: limiting the scope of preservation, using data minimisation and pseudonymisation, conducting legitimate interest assessments and ensuring transparency and notice. The Sedona Conference Commentary on Managing International Legal Holds (2023) recommends these approaches. Yet the GDPR does not permit indefinite retention based solely on a possibility of litigation abroad.
Such measures offer only partial compliance. A data controller that receives an erasure request while under a US preservation obligation may find itself without a lawful basis under GDPR to continue processing. A legitimate interest assessment under Article 6(1)(f) may justify temporary preservation but is unlikely to provide an enduring lawful basis in the face of explicit erasure requests. Similarly, reliance on Article 17(3)(e) without a concrete connection to legal claims in the EU or UK remains on uncertain footing. Redaction or pseudonymisation may not either always satisfy Article 17 obligations, particularly when data remains re-identifiable. The existence of a US preservation order alone does not eliminate the controller’s duty to respond to erasure requests or to uphold the storage limitation principle. The risk of the UK ICO enforcement or private complaints under Article 79 GDPR remains material.
2.2. Are AI platforms becoming a focal point for cross-border data conflict?
Generative AI platforms like OpenAI, Anthropic, and Meta’s Llama increasingly rely on large volumes of user-generated content that may qualify as personal data. These systems often process personal data at scale to train and refine large language models (LLMs), blurring the boundary between user content and training data. If those systems are subject to litigation holds, such as in copyright or model bias cases, they may be ordered to retain and disclose user datasets that under the GDPR should be erased on request or due to data minimisation principles.
The preservation order in the OpenAI case illustrates the unique exposure of generative AI platforms. This introduces a structurally irreconcilable conflict.
Compliance with a US preservation order may directly breach Articles 5 and 17 GDPR which may lead to litigation sanctions. There is currently no viable path to reconcile these obligations. While OpenAI’s attempt to limit the scope of the US preservation order was denied, the implications will resonate across the AI sector and beyond.
An intensifying conflict with no clear resolution
The right to erasure, first codified in the 1995 Data Protection Directive and now enshrined in Article 17 GDPR, has always sat uneasily alongside the broad discovery obligations under US litigation. What’s different today is the volume, velocity, and sensitivity of data processed by AI systems, and the growing frequency of transatlantic litigation targeting those systems.
Organisations developing or deploying AI must now factor litigation hold scenarios into their data governance frameworks. Retention policies must be legally risk-assessed and supported by DPIAs, along with contingency planning for regulatory inquiries and cross-border discovery requests.
As the OpenAI case illustrates, the future of transatlantic AI compliance may turn not on questions of model safety or copyright, but on who controls the underlying data, how long it is retained, and under which jurisdictional mandate. The challenge for multinational businesses is to navigate this emerging clash of legal obligations without defaulting into non-compliance on either side.