Data Privacy at a Crossroads
As privacy laws proliferate globally, the IRS expands its ability to seek and obtain taxpayer data

In recent years, two important legal developments have accelerated and are currently on a collision course. The first is the rapid proliferation of data-privacy laws across the globe. As explained below, these laws—such as the European Union’s recently enacted General Data Protection Regulation (GDPR)—broadly prohibit unauthorized collection and transmission of data under the threat of substantial financial and other penalties. Indeed, on January 21, 2019, France’s National Data Protection Commission fined Google €50 million for violating the GDPR.¹

The second development is the Internal Revenue Service’s expanding ability to seek and obtain data from taxpayers all over the world. The IRS has an increasingly diverse set of tools that generally require taxpayers to collect and transmit data to the IRS, also under the threat of substantial financial and other penalties.

What are taxpayers—who might be subject to one set of penalties if they transmit data to the IRS and another set of penalties if they do not—to do? This article examines that question and concludes with a handful of recommendations for taxpayers and one request of the IRS: that the IRS issue guidance clarifying its position on the looming collision between the proliferation of data-privacy laws and the IRS’ growing assortment of information-gathering tools. In short, finding ways to provide the IRS with the information it needs without risking fines and penalties for violating data-privacy laws is a laudable goal that taxpayers and the IRS should pursue.

Rapid Proliferation of Data-Privacy Laws Across the Globe

In the past year alone, there has been a significant and rapid development of privacy laws worldwide addressing the collection, use, and disclosure of personal data. The GDPR in Europe, which took effect in 2018, has led the way. Arguably the strictest privacy law in the world, the GDPR regulates how companies may collect and use the personal data of EU residents. In the United States, data-privacy laws have tended to be industry-specific—for example, the Gramm-Leach-Bliley Act governs nonpublic personal information collected by financial institutions,² the Health Insurance Portability and Accountability Act (HIPAA) governs medical data,³ the Family Educational Rights and Privacy Act (FERPA) governs privacy of student education records,⁴ and the Children’s Online Privacy Protection Act (COPPA) governs the online collection of information from children under age 13.⁵ But now a growing number of states are proposing and passing their own data-privacy laws seeking to regulate the use of personal data of their residents outside industry-specific contexts. The introduction of these laws by state legislatures—currently at an all-time high—reflects a developing trend toward regulating personal data and protecting the privacy of residents. One example is the recent California Consumer Privacy Act (CCPA), which bears similarities to the GDPR.

This article focuses in particular on the obligations imposed on businesses and restrictions on sharing personal data under the GDPR and the CCPA. However, other data-privacy laws may apply depending on whose data a taxpayer collects and where those subjects are located.

GDPR

The GDPR (2016/679), which went into effect on May 25, 2018, significantly changed how companies may collect and use the personal data of EU residents. This sweeping regulation applies to all organizations within the EU—as well as those outside the EU, if those organizations offer goods or services to, or monitor the behavior of, individuals residing in the EU.⁶ The extraterritorial scope of the GDPR represents a substantial expansion of data protection obligations to cover all processing activities relating to EU-based data subjects. As a result, the GDPR affects U.S. organizations with employees, customers, clients, or investors located in the EU or that collect personal data about individuals located in the EU.

The GDPR defines “personal data” broadly as any information that relates to an identified or identifiable natural person.⁷ Data that identifies a natural person refers to “a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”⁸ Under the GDPR, therefore, personal data can include basic information such as names, home addresses, email addresses, and work contact information.

The GDPR generally prohibits transfers of personal data to countries outside the EU if those countries have not been recognized by the European Commission as having adequate data protection.⁹ The United States, for example, is considered not to have an adequate level of data protection. This means that an organization cannot lawfully transfer personal data of individuals located in the EU (that is, data protected by the GDPR) to the United States unless one of the following mechanisms is in place: 1) an agreement containing the EU Standard Contractual Clauses; 2) the organization has Binding Corporate Rules (which govern intragroup data transfers); 3) the organization has an EU-U.S. Privacy Shield certification; or 4) where appropriate designations are satisfied, such as the explicit, informed consent of the data subject, where transfer is necessary to the performance of a contract between the individual and the organization, or where transfer is necessary for important reasons of public interest or to establish, exercise, or defend legal claims.¹⁰ Even if a data request derives from a non-EU governmental or regulatory body (for example, the IRS), such a request is enforceable only if it is based on an international agreement such as a mutual legal assistance treaty.¹¹

Moreover, to the extent that an organization relies on service providers or others to process the personal data of EU residents—whether for its own operations or where needed to respond to an inquiry from a governmental or regulatory body—the GDPR mandates that contracts with such processors include certain key clauses. These clauses typically apply to the processor and include a restriction on processing data other than on documented instructions, a requirement that those authorized to process personal data commit to maintaining its confidentiality, and the obligation to implement all measures to ensure appropriate security.¹² To comply with these requirements, many organizations execute data processing addenda with vendors.

Violations of the GDPR carry steep fines and penalties—up to the greater of four percent of a company’s global revenue or €20 million (nearly $23.5 million).¹³ Therefore, companies needing to collect, review, and transfer documents and information deriving from sources in the EU are strongly encouraged to first consider 1) does the data include personal data of individuals located in the EU, and, if so, 2) is there a lawful mechanism in place to transfer the data from the EU to the United States?

“GDPR-Lite” in the United States

Less than a year after the GDPR went into force, California enacted the CCPA. The law takes effect on January 1, 2020, although enforcement by the Attorney General’s Office is likely to be delayed until July 1, 2020. Although not as strict as the GDPR, the CCPA is a comprehensive consumer privacy law that, like the GDPR, broadly defines “personal information” as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”¹⁴ Also like the GDPR, the CCPA provides California residents with the right to request access to, deletion of, and restrictions on sharing of their data.¹⁵ The CCPA allows businesses to share personal information with third parties or service providers for business purposes, so long as there is a written contract prohibiting those parties from selling the personal information or retaining, using, or disclosing it for any purpose outside the scope of the contract.¹⁶

Helpfully, although the CCPA restricts sharing and disclosure of a California resident’s personal information, it does not restrict a business’ ability “to comply with a federal, state, or local law” or “comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities.”¹⁷ Accordingly, the CCPA would in many instances permit production of documents or information to the IRS that may contain covered personal data.

Other states are now looking to pass similar comprehensive laws to give consumers or residents rights that affect the collection and use of their personal information. For example, Hawaii, Maryland, Massachusetts, New Jersey, New York, and Pennsylvania have recently introduced data-privacy laws. More are expected in other states in the near future.

Growing IRS Data-Collection Toolkit

With help from Congress and the U.S. Treasury Department, the IRS has substantially enhanced its information-gathering toolkit in recent years. Many of these enhancements have focused on gathering information from foreign sources. This has largely been market-driven. It has occurred as taxpayers’ business activities and operations have become increasingly global in scope. As the Internal Revenue Manual instructs IRS employees:

The globalization of economic transactions means evidence or information from foreign countries is frequently needed in connection with settlement negotiations or trial preparation. There are two keys to success in obtaining information and admissible evidence from abroad: start early and always work through the office of the Associate Chief Counsel (International), Branch 7.¹⁸

Today, the IRS has a broad toolkit for gathering a wide range of data located in the United States and abroad. Some of these procedures apply before or during an IRS audit; others can be used in litigation. Some mechanisms have been around for years; others are new or gaining traction. Failure to comply with the IRS’ data-collection tools often carries substantial penalties or other consequences.

Taxpayers should expect the IRS to increasingly use these data-collection tools in audits and litigation. As one official from the IRS’ Large Business and International Division recently explained, taxpayers can expect “more purely international issues” as well as “[audit] campaigns that are international focused” and “a broader range of litigation in the international arena.”¹⁹

Although an exhaustive description of all of the IRS’ data-collection mechanisms is beyond the scope of this article,²⁰ a brief summary of several relevant procedures follows.

Country-by-Country Reporting

Recently promulgated Treasury regulations require certain U.S. parent entities of multinational enterprises to include with their annual federal income tax return (i.e., before an audit) detailed information about their operations in foreign jurisdictions.²¹ Generally, taxpayers are required to submit a so-called “country-by-country” (CbC) report for each tax jurisdiction where entities within the multinational enterprise reside.²²

Each CbC report must include each entity’s business activities, tax identification number, intercompany revenues, third-party revenues, profit or loss before tax, total income taxes paid on a cash basis to all tax jurisdictions, total accumulated earnings, total employees on a full-time equivalent basis, and net book value of tangible assets.²³

In addition to allowing the IRS to conduct risk assessments with respect to international tax compliance (for example, to help decide whether and what to audit), the CbC reporting requirements are designed to enable the United States to exchange CbC reports with jurisdictions with which the United States has an income tax treaty or tax information exchange agreement (a TIEA).²⁴ The CbC reporting requirements focus on large organizations—they do not apply to U.S. multinational groups with less than $850 million in annual revenues.²⁵

Failure to file a CbC report on time can result in a civil penalty of $10,000 for each violation and, in certain instances, up to $60,000.²⁶ Criminal penalties can also apply for willful failures to file a report or supply required information.²⁷

Information Document Requests

The IRS’ standard information-gathering mechanism during an audit is to issue an information document request (IDR) to the taxpayer under audit. IDRs often seek documents and answers to questions but are not themselves enforceable. However, failure to respond in a timely fashion can result in the issuance of a summons that, as described below, can be enforced by a court order.²⁸ Failure to respond to IDRs can have other consequences, such as creating tension between a taxpayer and IRS examiners and precluding a taxpayer’s ability to shift the burden of proof to the IRS in litigation.²⁹

Broad Summons Authority

The IRS has long had the statutory authority to issue summonses to taxpayers and third parties for testimony and information that “may be” relevant to ascertaining the correctness of any return or liability for tax, or to collecting tax liability.³⁰ This authority includes the ability to issue “John Doe” summonses to third-party recordkeepers (such as banks) where the identity of the individuals whose tax liability might be at issue is not yet known to the IRS.³¹

To enforce compliance with a summons, a U.S. district court generally must have personal jurisdiction over the summonsed person (e.g., the summonsed person must have certain “minimum contacts” with the United States).³² However, the records requested by the summons need not be located in the United States. They need only be in the summonsed person’s possession, custody, or control.³³

Failure to comply with an enforceable summons can result in contempt proceedings that give rise to fines or imprisonment.³⁴

Formal Document Requests

Where a taxpayer has not complied with an IDR seeking “foreign-based documentation,” the IRS also is statutorily authorized to issue a formal document request for those records.³⁵ Foreign-based documentation is “any” documentation outside the United States that “may be” relevant to the tax treatment of an item under examination.³⁶

Lack of custody or control of the documentation is a defense to a formal document request.³⁷ But, as with summonses, courts ask whether the taxpayer has “practical control” over the documentation at issue based on the facts and circumstances.³⁸

Unless the taxpayer successfully moves a district court to quash the formal document request, the taxpayer must “substantially comply” with the request.³⁹ If a taxpayer does not substantially comply with the request (and cannot show “reasonable cause” for failure to comply), the taxpayer can be precluded from introducing into evidence in a civil proceeding in court any of the foreign-based documentation covered by the request.⁴⁰

Tax Treaties and TIEAs

A growing set of tax treaties, TIEAs, and other bi- or multilateral agreements with foreign jurisdictions provide the IRS with a range of exchange-of-information programs.⁴¹ Broadly, these programs enable the IRS to “secure foreign based documents” and enable “foreign tax authorities to obtain U.S. based records” to “develop tax-related issues.”⁴² The information obtainable under treaties or TIEAs includes bank and brokerage records; information about income, expenses, and tax liability; business records; witness interviews; and property ownership information.⁴³ Tax treaties and TIEAs often allow the IRS to request specific information from a foreign tax authority about a particular taxpayer, which often requires the foreign tax authority to seek the information from the taxpayer.⁴⁴ Conversely, tax treaties and TIEAs often give foreign tax authorities the same ability to seek information from the IRS about a particular taxpayer, which the IRS might attempt to obtain by using some of the mechanisms above.⁴⁵

Discovery in U.S. Tax Court and Federal District Courts

Taxpayers litigating in the U.S. Tax Court or district courts are subject to those courts’ discovery rules.⁴⁶ These rules include the potential ability for the IRS to obtain from a taxpayer documents located abroad but subject to the taxpayer’s “possession, custody or control.”⁴⁷ Failure to comply with these discovery rules can result in various sanctions, including refusing to allow the disobedient party to support or oppose certain claims or defenses, striking pleadings, and ordering a party to pay the reasonable expenses caused by the failure to comply.⁴⁸

Federal district courts have the power to issue subpoenas requiring testimony from witnesses or the production of documents. By statute, this power extends to U.S. nationals or residents located abroad who may not be party to the litigation.⁴⁹ Failure to comply with such a subpoena can result in contempt proceedings, fines, and levying upon or seizing property in the United States.⁵⁰

The Tax Court also has the statutory power to subpoena testimony from witnesses or the production of documents and other evidence,⁵¹ but the IRS has explained that the Tax Court’s subpoena power “is generally limited to the boundaries of the United States.”⁵² However, the Tax Court does have the express authority to order any foreign corporation, trust or estate, or nonresident alien individual that has filed a petition in Tax Court (e.g., is a party to the litigation) to provide documents and information “wherever situated” that the Tax Court “may deem relevant” to the proceedings.⁵³ Failure to comply with such an order can result in striking pleadings, dismissing the case, or judgment by default in the IRS’ favor.⁵⁴ The Tax Court, like other federal courts, also has contempt powers “to punish by fine or imprisonment . . . disobedience or resistance to its lawful writ, process, order rule, decree, or command.”⁵⁵

What Can Taxpayers Do?

In today’s increasingly international business environment, taxpayers may well be forced to choose between violating data-privacy laws and failing to fully comply with a request for information during an IRS audit or tax litigation. Nevertheless, the IRS, the courts, and Congress have not comprehensively addressed how these rapidly proliferating data-privacy laws might affect IRS audits or tax litigation.

For example, the Internal Revenue Manual instructs IRS examiners to “consult” IRS counsel with questions concerning the interplay between the IRS’ summons authority and a select list of federal statutes, such as the Electronic Communications Privacy Act (1986), the Privacy Protection Act (1990), and the Gramm-Leach-Bliley Act (1999).⁵⁶ But neither foreign nor state laws are included in the list of statutes, and the consultation instruction applies only when the IRS’ summons authority is implicated (rather than other data-gathering tools).⁵⁷ And while the Internal Revenue Manual acknowledges that U.S. “courts are reluctant to require actions that violate the law of another country,” it also explains that taxpayers can be penalized for failing to produce information “even if production would violate the foreign country’s law.”⁵⁸

The judicial landscape is not necessarily any clearer. In 1958, in Société Internationale, the Supreme Court held that a district court improperly dismissed a Swiss company’s case based on a failure to produce records where production would have violated the Swiss Penal Code.⁵⁹ The Supreme Court noted that its ruling might not “apply to every situation where a party is restricted by law from producing documents.”⁶⁰ Thirty years later, in Société Nationale Industrielle, the Supreme Court clarified that the operation of foreign law “do[es] not deprive an American court of the power to order a party subject to its jurisdiction to produce evidence even though the act of production may violate that statute.”⁶¹ More recently, in reviewing a district court’s decision to compel the production of documents despite foreign bank secrecy laws and issue sanctions for failing to comply with a discovery order, the Court of Appeals for the Second Circuit found “sufficient support” in various cases for “compelling discovery, notwithstanding competing foreign legal obligations.”⁶² Similarly, a federal district court in California recently rejected a party’s efforts to block discovery of email files in the United States on the grounds that the GDPR barred the production of personal data.⁶³ The court weighed the relevant factors from Société Nationale Industrielle and concluded that the requested data was narrowly identified, relevant to the primary issues in the case, only available from the United Kingdom, and protected with a protective order. Therefore, the GDPR would not preclude production of the data.⁶⁴

Likewise, with respect to IRS formal document requests, Congress has expressly provided that “the fact that a foreign jurisdiction would impose a civil or criminal penalty on the taxpayer (or any other person) for disclosing the requested information is not reasonable cause” for failure to comply.⁶⁵ On the other hand, the statutes applicable to summonses contain no such provision.⁶⁶

Given the foregoing, guidance from the IRS would assist taxpayers in meeting their potentially competing obligations to provide the IRS with information it needs and not to run afoul of various data-privacy laws.

One approach might be to endorse a balancing test like that the Supreme Court envisioned in Société Nationale Industrielle—that the IRS should “exercise special vigilance” when notified that requests implicate data-privacy laws aimed at protecting taxpayers “from the danger that unnecessary, or unduly burdensome, [requests] may place them in a disadvantageous position.”⁶⁷ Such an approach might allow for narrowly tailored redactions that allow the IRS to receive the information it needs without forcing taxpayers to produce information (home addresses, email addresses with specific names, names and surnames, etc.) that would unnecessarily violate data-privacy laws. Such an approach already has some support in the Internal Revenue Manual’s directive that IRS examiners “consult” IRS counsel when a summons implicates a handful of data-privacy laws. Other potential approaches exist, but any guidance would help taxpayers and the IRS cooperate with respect to the interplay between gathering information and complying with data-privacy laws.

As it stands, taxpayers should proceed with caution in balancing the competing concerns of proliferating data-privacy laws and IRS data-gathering tools. Best practices to consider include:

• considering what personal data a taxpayer possesses and whether any data-privacy laws may be implicated;
• working with counsel to understand the various data-privacy laws that might restrict collection, transfer, and production of information;
• collaborating internally. Employees responsible for handling tax audits or tax litigation may not know about data-privacy laws or be responsible for managing compliance with them. Internal collaboration can prevent unwitting violations of data-privacy laws;
• engaging in a proactive dialogue with IRS examiners when an IRS request for information might implicate data-privacy laws. It may be possible to provide the IRS with the information it needs without violating data-privacy laws;
• to avoid confusion, disclosing to the IRS why you are redacting any protected information; and
• making sure, if you rely on a vendor or third party to produce documents or provide information to the IRS, that you have an adequate data security agreement in place that restricts the vendor’s use of your data, requires the vendor to maintain reasonable safeguards to protect your data, and gives you the right to audit the vendor’s data security practices.

Conclusion

Until the IRS provides clarifying guidance, taxpayers who are required to collect and transmit data to the IRS need to balance that obligation against the potential that data-privacy laws may be applicable. Close coordination with privacy counsel and implementation of the best practices suggested in this article are key steps to achieving that balance.

Michael D. Kummer is a partner and Kristin M. Hadgis is an associate with Morgan, Lewis & Bockius LLP in Washington, D.C.

Acknowledgment: The authors thank their colleague Jennifer Breen for sparking their interest in this topic.

Endnotes

1. “The CNIL’s Restricted Committee Imposes a Financial Penalty of 50 Million Euros Against GOOGLE LLC” (January 21, 2019), available at www.cnil.fr/en/cnils-restricted-committee-imposes-financial-penalty-50-million-euros-against-google-llc.
2. 15 U.S.C. Section 6801 et seq.
3. See, for example, HIPAA Privacy Rule, 45 CFR Part 160 et seq.
4. 20 U.S.C. Section 1232g; 34 CFR Part 99.
5. 15 U.S.C. Section 6501 et seq.
6. Regulation (EU) 2016/679, Article 3.
7. Id. at Article 4, Section 1.
8. Id. at Recital 26.
9. Id. at Article 45, Section 1.
10. Id. at Articles 45–49.
11. Id. at Article 48.
12. Id. at Article 28(3).
13. Id. at Article 83, Section 4.
14. Cal. Civ. Code Section 1798.140(o)(1).
15. Id. at Sections 1798.100(a), 1798.105(a), 1798.120(a).
16. Id. at Sections 1798.140(v), (w).
17. Id. at Sections 1798.145(a)(1), (2).
18. Internal Revenue Manual Section 35.4.5.1(1) (last revised December 21, 2010).
19. Andrew Velarde, “Expect More International Litigation in Future, Official Says,” Tax Notes Today (June 16, 2017) (quoting then-IRS Large Business and International Division Counsel Thomas Kane).
20. In addition, although this article focuses on mechanisms enabling the IRS to obtain information directly from taxpayers or third parties, the IRS also has a wide range of tools to acquire information from other government agencies. See, for example, Internal Revenue Manual Section 35.4.2.3.1(1) (last revised December 14, 2010) (“Many cases involve factual or technical issues that are commonly encountered by agencies of Federal, State, tribal, or local governments other than the Service. If so, the Field attorney should consider seeking assistance from those governmental entities”).
21. See Treas. Reg. Section 1.6038-4.
22. Treas. Reg. Section 1.6038-4(d).
23. See Treas. Reg. Section 1.6038-4(d)(1), -(2).
24. T.D. 9773, 81 Fed. Reg. 42482, 42488 (June 30, 2016).
25. Treas. Reg. Section 1.6038-4(h).
26. I.R.C. Section 6036(b).
27. I.R.C. Section 6038(f); I.R.C. Section 7203.
28. See, for example, IRS LB&I Updated Guidance for Examiners on Information Document Requests Enforcement Process (February 28, 2014), www.irs.gov/businesses/large-business-and-international-directive-on-information-document-requests-enforcement-process, which provides guidance to IRS Large Business & International Division examiners regarding IDRs and steps to enforce compliance.
29. See I.R.C. Section 7491(a)(2) (preventing the burden of proof from shifting to the IRS unless, among other things, the taxpayer “has cooperated with reasonable requests by the Secretary for witnesses, information, documents, meetings, and interviews”).
30. I.R.C. Section 7602.
31. I.R.C. Section 7609(f) (providing specific requirements for John Doe summonses).
32. See, for example, United States v. Toyota Motor Corp., 561 F. Supp. 354, 356-60 (C.D. Cal. 1983) (enforcing summonses issued to a company headquartered and incorporated in Japan where the company “purposefully availed itself of the privilege of conducting activities in the forum”).
33. See, for example, First Nat. City Bank of N.Y. v. Internal Revenue Service, 271 F.2d 616 (2d Cir. 1959) (reversing nonenforcement of summons served on a third-party bank in the United States where the records at issue were located at a subsidiary branch in Panama).
34. See 18 U.S.C. Section 401(3) (empowering U.S. courts to punish by fine or imprisonment contempt for disobeying or resisting lawful orders). Although it is rarely invoked, the Code itself provides that failure to comply with a summons can be a crime. See I.R.C. Section 7610.
35. See I.R.C. Section 982(c)(1) (describing formal document requests).
36. I.R.C. Section 982(d)(1).
37. See United States v. Lui, 16-cv-969, 2017 WL 3232578, *5 (N.D. Cal. July 31, 2017) (noting that a taxpayer did not “possess[…] or ha[ve] the capacity to obtain” the documentation at issue).
38. Yujuico v. United States, 818 F. Supp. 285, 288 (N.D. Cal. 1993).
39. I.R.C. Section 982(a), (c)(2).
40. I.R.C. Section 982(a).
41. A full description of each of these types of agreements is beyond the scope of this article, but they include bilateral tax treaties (commonly called tax conventions), TIEAs, multilateral conventions (such as the OECD/Council of Europe Convention on Mutual Administrative Assistance in Tax Matters), mutual legal assistance treaties covering enforcement of criminal laws (including criminal tax laws), and others. See, for example, Internal Revenue Manual Section 40.60.1.1.1 (last revised October 15, 2018), which describes various international agreements providing for exchanges of information.
42. IRS LB&I International Practice Service Concept Unit, Overview of Exchange of Information Programs, at 3 (December 3, 2015), available at www.irs.gov/pub/int_practice_units/EOICUP_20.1_01R.pdf. See also Internal Revenue Manual Section 4.60.1 (last revised October 15, 2018) (describing various exchange-of-information programs).
43. IRS LB&I International Practice Service Concept Unit, Overview of Exchange of Information Programs, at 9 (December 3, 2015), available at www.irs.gov/pub/int_practice_units/EOICUP_20.1_01R.pdf.
44. See Internal Revenue Manual Section 4.60.1.2.1 (last revised October 15, 2018), which describes procedures for dealing with specific requests for information initiated by the IRS.
45. See Internal Revenue Manual Section 4.60.1.2.2 (last revised October 15, 2018), which describes procedures for dealing with specific requests for information initiated by foreign tax authorities.
46. Other potential information-gathering procedures—which are not discussed here—include judicial requests pursuant to The Hague Convention of 18 March 1970 on the Taking of Evidence Abroad in Civil or Commercial Matters and so-called “letters rogatory,” the “customary means of obtaining judicial assistance from overseas in the absence of a treaty or other agreement.” See U.S. Dep’t of State, Preparation of Letters Rogatory, available at https://travel.state.gov/content/travel/en/legal/travel-legal-considerations/internl-judicial-asst/obtaining-evidence/Preparation-Letters-Rogatory.html (accessed March 19, 2019).
47. See Gerling Intern. Ins. Co. v. Commissioner, 839 F.2d 131, 139-40 (3d Cir. 1988) (on the production of documents under Rule 72 of the Tax Court’s Rules of Practice and Procedure) and Bank of New York v. Meridien BIAO Bank Tanzania Ltd., 171 F.R.D. 135, 146-49 (S.D.N.Y. 1997) (on the production of documents under Fed. R. Civ. P. 34). See also Société Nationale Industrielle Aerospatiale v. U.S. Dist. Court for Southern Dist. of Iowa, 482 U.S. 522 (1987) (acknowledging the ability of federal district courts to order foreign discovery from foreign litigants under the Federal Rules of Civil Procedure).
48. See Rule 104 of the Tax Court’s Rules of Practice and Procedure (providing for sanctions for failure to comply with discovery orders in various instances) and Fed. R. Civ. P. 37(b) (providing for sanctions for failure to comply with discovery orders in various instances).
49. 28 U.S.C. Section 1783(a).
50. 28 U.S.C. Section 1784.
51. I.R.C. Section 7456(a)(1).
52. See Internal Revenue Manual Section 35.4.5.3.1 (last revised August 11, 2004) (“[T]he Tax Court subpoena power is generally limited to the boundaries of the United States”).
53. I.R.C. Section 7456(b). This provision applies to material that is “in the possession, custody or control” of the petitioner or “any person directly or indirectly under his control” or “subject to the same common control.” Id.
54. Id.
55. I.R.C. Section 7456(c).
56. See Internal Revenue Manual Section 25.5.1.4.4 (last revised September 10, 2014).
57. Id.
58. See Internal Revenue Manual Section 4.61.2.8, Ex. 4.61.2-1 (last revised May 1, 2006).
59. Société Internationale Pour Participations Industrielles et Commerciales, S.A. v. Rogers, 357 U.S. 197 (1958).
60. Id. at 205.
61. Société Nationale Industrielle Aerospatiale v. U.S. Dist. Court for the Southern Dist. of Iowa, 482 U.S. 522, 544 n.29 (1987).
62. Linde v. Arab Bank, PLC, 706 F.3d 92, 114 (2d Cir. 2013) (listing cases).
63. See, for example, Finjan, Inc. v. Zscaler, Inc., No. 17-cv-06946-JST (KAW), 2019 WL 618554, at *3 (N.D. Cal. February 14, 2019).
64. Id. at *2–3.
65. I.R.C. Section 982(b)(2).
66. I.R.C. Sections 7602–7613.
67. See Société Nationale Industrielle, 482 U.S. at 546.