Cross-border business used to sound glamorous. Then lawyers arrived with binders, tax auditors arrived with questions, and privacy officers arrived with expressions that suggested nobody would be sleeping well that quarter. That is the mood around United States v. Eaton Corp., the case now driving fresh anxiety over whether the IRS can reach into Europe for employee data during a U.S. tax audit.
The headline version is dramatic: the 6th Circuit granted the IRS access to EU personal data. The more accurate version is narrower, but still important. In the Eaton dispute, the court allowed the IRS to obtain certain employee performance evaluations from Eaton’s Irish affiliate during a transfer pricing audit. Those records were treated as personal data under Europe’s privacy framework, and Eaton argued that turning them over could create GDPR trouble. The court was not impressed enough to stop the summons.
That matters because multinationals now have a bright, uncomfortable example of what happens when U.S. tax enforcement collides with EU data protection. The result is not a simple victory for tax authorities or a simple loss for privacy law. It is something messier: a reminder that companies can be trapped between two legal systems, both of which believe they are being perfectly reasonable. Spoiler alert: both legal systems cannot always win.
What the 6th Circuit Actually Decided
The case was narrower than the headline
The Eaton ruling did not give the IRS a magical skeleton key to every database in Europe. The case focused on a specific request in a specific transfer pricing audit. The IRS wanted performance evaluations for certain employees at Eaton’s Irish affiliate because it believed those records could help determine who actually contributed to the intellectual property at issue, and therefore whether Eaton’s royalty arrangement and IP transfer reflected arm’s-length pricing.
That detail matters. Transfer pricing cases are rarely built on one dramatic email labeled “Tax Scheme: Do Not Forward.” They are built on mosaic evidence: org charts, job descriptions, interview testimony, draft reports, and sometimes the paper trail of who really did the work. In Eaton, the IRS argued that employee evaluations could show who controlled or developed the intellectual property. Eaton argued the records had limited value and that the same information could be gathered through interviews or written questions. The court sided with the IRS.
Why Eaton fought so hard
Eaton’s resistance was not some theatrical corporate hobby. The company argued that the requested records were protected under EU data protection law and that producing them could violate the GDPR. On reconsideration, the district court actually accepted a key part of that argument: it concluded that the GDPR blocked production, but still held that the records had to be produced after applying international comity principles. The 6th Circuit then affirmed the result, effectively saying that even assuming GDPR concerns existed, the lower court did not abuse its discretion by allowing disclosure anyway.
That procedural path is a big reason the case is getting attention. The appellate court did not declare GDPR irrelevant. It did something more unsettling for compliance teams: it acknowledged the foreign-law conflict and still let the U.S. demand move forward. That is the corporate-law equivalent of hearing, “Yes, your concern is real. No, it does not save you.”
Why This Ruling Matters for Multinational Companies
IRS summons power is built wide on purpose
One reason the IRS won is that its summons authority is broad by design. In U.S. tax law, the agency does not have to prove a document is a slam-dunk smoking gun before it can ask for it. The standard is whether the information may be relevant. That is a low bar, and courts have long treated it that way. If a document could help the IRS understand a taxpayer’s liability, the agency usually gets a lot of room to ask for it.
In Eaton, that broad standard mattered enormously. The courts did not require the IRS to prove the employee evaluations would be decisive. “Potential relevance” was enough. From an SEO perspective, that is the phrase companies should remember. From a sleep perspective, it is unfortunately also the phrase companies should remember.
GDPR does not evaporate at customs
At the same time, GDPR concerns were not fantasy. Employee performance reviews are plainly the kind of records privacy lawyers do not casually toss into an email labeled “FYI.” The courts recognized that the records involved personal information and took steps to narrow the production, review relevance, and preserve redactions for truly sensitive categories such as health, religion, or similar protected information.
By the later stages of the case, the dispute had narrowed sharply. What began as a much broader fight ended with a smaller production set, which helps explain why the court was comfortable saying Ireland’s privacy interest in the remaining records was relatively weak compared with the U.S. interest in tax enforcement. That narrowing is important. The opinion does not say all EU employee data is fair game. It says courts may compel production of targeted records, even when foreign privacy law points the other way, if the balancing test comes out in favor of the United States.
The Legal Collision Course: Tax Enforcement vs. Privacy Law
The comity balancing test did the heavy lifting
The real engine of the decision was international comity. When a U.S. court is asked to order production of information that may violate foreign law, it does not always stop cold. Instead, it often balances several factors, including the importance of the information, how specific the request is, where the information originated, whether good alternatives exist, and how strongly each country’s interests are implicated.
That sounds balanced and elegant in a law-school way. In practice, it means judges must compare unlike things. How do you weigh a tax audit against a privacy regime? How do you compare the value of contemporaneous business records with the dignity interests attached to employee data? It is a little like comparing a fire extinguisher to a lockbox. Both are useful. They just solve very different problems.
Why the court leaned toward the IRS
Two parts of the comity analysis stand out. First, the court was not persuaded that interviews and written responses were substantially equivalent substitutes for the evaluations themselves. Contemporaneous records are often more reliable than later testimony, especially when memories fade and witnesses become, shall we say, strategically forgetful. Second, the court saw the U.S. interest in tax enforcement as extremely strong, while viewing Ireland’s privacy interest in the narrowed set of records as comparatively limited, especially with redactions and a protective order in place.
This is why the case matters beyond tax specialists. It shows that once a U.S. court believes a request is targeted and the records are potentially useful, GDPR objections may become part of the balancing exercise rather than a hard stop. For privacy teams, that is the unnerving part. A legal conflict that feels absolute at the policy stage may become negotiable in litigation.
Why Transfer Pricing Turns Boring HR Files Into Hot Legal Potatoes
At first glance, employee performance evaluations do not sound like the center of an international tax fight. They sound like the documents everyone promises to finish before year-end and then quietly avoids until January. But in transfer pricing disputes, those records can become surprisingly important.
Why? Because transfer pricing is really about economic reality. When a U.S. company shifts intellectual property to a foreign affiliate and pays that affiliate royalties, tax authorities want to know who actually controlled, developed, enhanced, maintained, protected, and exploited the asset. Fancy legal structure is one thing. Who did the real work is another. Performance reviews, manager comments, project responsibilities, and employee goals can all help paint that picture.
That is why this case should get the attention of HR leaders, not just tax directors. Data created for people management can become evidence in transfer pricing, investigations, internal disputes, or cross-border litigation. The function that created the record and the function that later needs the record are often living in completely different galaxies. HR thinks in confidentiality and fairness. Tax thinks in documentation and control. Legal gets to referee while everyone else develops a migraine.
The Ruling’s Bigger Message for EU-U.S. Data Flows
The EU-U.S. Data Privacy Framework does not magically solve this problem
Some executives may look at the broader EU-U.S. data transfer landscape and assume there is a neat policy escape hatch. There is not. Even though the EU-U.S. Data Privacy Framework has recently survived a major challenge and remains a meaningful transfer mechanism for participating U.S. organizations, that does not mean every compelled disclosure to a U.S. authority becomes painless. Government access to data remains one of the most politically and legally sensitive issues in transatlantic privacy law.
So, no, companies should not read the Eaton decision and conclude that existing transfer frameworks make everything fine. The DPF helps with certain commercial transfers. It does not erase the tension that appears when a U.S. agency demands records and an EU privacy regime warns that disclosure could be problematic.
A broader European mood of caution is still very real
The Eaton case also lands in a climate where European scrutiny of U.S.-bound data transfers remains intense. The history of Safe Harbor and Privacy Shield taught companies that today’s acceptable transfer structure can become tomorrow’s compliance headache. Meanwhile, related tax-data questions are still surfacing in Europe, including litigation around FATCA-related transfers. In other words, the regulatory weather forecast is not “clear skies.” It is more like “sunny, windy, and keep an umbrella in the trunk.”
That broader context is why the case has triggered so much concern. It is not just about Eaton. It is about whether multinational companies can be forced to choose between a U.S. court order and an EU privacy risk assessment, all while being told to move quickly, document everything, and please avoid making the situation worse. Very comforting.
What Companies Should Do Now
First, map where sensitive employment and operational data lives. If your most revealing records sit in Europe but are routinely needed in U.S. audits or disputes, that is not just an IT fact. It is a legal-risk fact. Companies need to know what categories of personal data exist, which systems hold them, and which affiliates control them.
Second, design records with dual-use risk in mind. A performance evaluation written for manager feedback may later be read by tax auditors, regulators, or litigators. That does not mean companies should sterilize every document into useless mush. It does mean internal drafting practices should be disciplined, factual, and proportional.
Third, build a cross-functional response plan. Tax, privacy, HR, legal, information governance, and security should not meet for the first time when a summons arrives. Companies need a playbook covering legal basis, minimization, redaction protocols, escalation paths, and the possibility of challenging or narrowing requests.
Fourth, do not treat interviews as a guaranteed substitute. Eaton shows that courts may prefer contemporaneous documents over later testimony. If a company plans to argue that interviews or interrogatories are enough, it should be ready to explain why those alternatives are genuinely equivalent, not merely more convenient.
Fifth, think internationally, not just domestically. The right answer under U.S. tax procedure may still create exposure under EU privacy law, and vice versa. Good advice in this space is rarely delivered by one department acting alone. If only one team is handling the issue, that is usually a warning sign, not a success story.
Experience in the Real World: What This Feels Like Inside Companies
In practice, cases like Eaton rarely arrive with dramatic music. They usually begin with an ordinary request that slowly becomes the office version of a kitchen grease fire. A tax team receives a demand for documents. Someone notices the records sit in Ireland, Germany, or France. A privacy lawyer says the material contains personal data. HR points out the files were never created with cross-border disclosure in mind. Security asks how the transfer would even happen. Then a senior executive asks the worst possible question: “Can’t we just send it?”
That is where the real experience of this issue lives. Not in abstract doctrine, but in the scramble between departments that speak totally different professional languages. Tax wants speed and completeness. Privacy wants legal basis, minimization, and purpose limitation. HR wants fairness to employees and protection of sensitive content. IT wants to know who is authorized, what system is involved, and whether anyone understands the retention schedule. Outside counsel, naturally, wants everyone to keep calm while the billable hours jog quietly in the background.
For multinational companies, the hardest part is often not the law itself. It is timing. U.S. authorities move on audit timetables. Internal data reviews move on reality timetables. Extracting records from regional systems, checking local employment restrictions, consulting local counsel, and applying redactions is not a one-afternoon project. By the time the business realizes that, the request already feels urgent. That pressure is exactly why a case like Eaton rattles people. It suggests that a court may ultimately say, “We understand the conflict, but produce the records anyway.”
There is also an employee-relations dimension that companies sometimes underestimate. Performance evaluations are not just data points. They are personal assessments, written in a context that employees assume is tightly controlled. Even when a disclosure is lawful or court-compelled, people inside the organization may see it as a breach of trust. That can affect morale, manager candor, works-council discussions, and future documentation practices. In-house teams know this problem well: once employees suspect review materials may travel far beyond the original purpose, those documents can become flatter, more guarded, and less useful.
Another real-world experience is that not all data is equally risky, even when it is all technically “personal data.” A narrow set of business-focused evaluations, scrubbed of health details and other special-category material, is easier to defend than a broad export of mixed HR records. That is why minimization matters so much. The companies that handle these disputes best are usually the ones that can isolate what is actually needed, explain why it matters, and remove what clearly does not belong. Courts tend to respond better to a scalpel than a shovel.
Finally, companies living through these disputes often come away with the same lesson: governance decisions made years earlier suddenly become litigation facts. Where data was stored, how reviews were written, who controlled access, whether redaction protocols existed, and whether teams had practiced cross-border response scenarios all become painfully important. That is the practical legacy of Eaton. It is not just a case about one summons. It is a warning that cross-border compliance is now operational. The companies that treat it as an annual training slide will struggle. The companies that treat it as part of enterprise design will sleep a little better, or at least upgrade from panic to concern.
Conclusion
The 6th Circuit’s ruling should not be read as a broad declaration that EU privacy law has no weight in U.S. tax disputes. It should be read as something more precise and more useful: a warning that broad IRS summons power, targeted document requests, and a strong U.S. interest in tax enforcement can outweigh GDPR-based objections in the right case.
For multinational businesses, that means cross-border data strategy can no longer sit in separate silos. Transfer pricing documentation, employment records, privacy compliance, and dispute readiness are now deeply connected. The Eaton case is a reminder that a single set of employee reviews can become the battleground for bigger questions about sovereignty, surveillance, tax enforcement, and trust. And while that may sound like a lot to ask from a performance evaluation, welcome to modern compliance, where even the annual review can accidentally become international law.