The EU GDPR and The Borg

For those of a certain generation the concept of “The Borg” invokes a seemingly inevitable force that pulls opponents into the “Collective” through a process of assimilation. According to the inestimable source, Wikipedia, the purpose of the Borg was to achieve perfection. This is a very brief post today to get that thought into your head and to see how we in the US – whether we like it or not – will be assimilated to the GDPR, directly or indirectly.

Arguably the ‘direct’ method of assimilation would be the passage of a GDPR-like federal law. Given the difficulties Congress has had producing consensus on even a limited federal consumer breach notice statute, the prospects for a broader federal law, with preemption of less protective state laws and application to a broad range of personal information, are dim. We do not doubt the likelihood of federal consumer protection bills making progress, but skeptics abound on any eventual passage.

More likely is that organizations within the US will be assimilated indirectly.

First, consider the massive investments made by US-based multinationals to prepare for and implement something close to ‘compliance’ with the GDPR. In order to continue to manage effectively the employee, consumer, and business partner personal data originating from the E.U., these firms had to adapt to the GDPR. Although it would be premature to suggest that these firms have applied the GDPR’s rights and obligations to all personal information they hold, it is likely true that managing data according to a single set of rules is substantially easier than adapting rules on a country-by-country basis.

Second, consider the “local” US-only businesses that have no presence in Europe but have consumer users among the (currently) 28 member states. Or perhaps these smaller firms are service providers to larger, international clients, who in turn demand that vendors managing personal data must comply with the EU standards of data protection.

Third, suppose one does business only in North America. Surely that would help a business to avoid the assimilative forces of the EU generally and Brussels specifically. It is correct to say that Canada’s PIPEDA is not a mirror image of the GDPR or of the Data Protection Directive that preceded it. However, the European Commission has determined that Canada’s PIPEDA offers “adequate” protections for personal information and thus is substantively close enough. Last spring, in May 2018, the Office of the Privacy Commissioner of Canada published guidance on what constitutes appropriate “consent” under Canada’s federal rules, as well as those of Alberta, British Columbia, and Ontario. Some would find the May 24, 2018 date of the publication to be coincidental with the May 25 effective date of the GDPR. While the Canadian guidance became effective only this year, in January 2019, it nonetheless means that the substantive protections of the GDPR are not so far away culturally or geographically.

And as a final observation, major trading partners such as Japan and Israel have similar adequacy determinations, such that obtaining personal information from those countries requires substantially similar protections for the collection, use, sharing, and protection of personal data.

As noted at the top, this does not mean that the US will ever adopt a comprehensive privacy model, let alone one that is deemed ‘adequate’ by European standards. However, the rest of the world – containing our business affiliates, vendors, distributors, and customers – has moved or is moving in that direction. So to borrow again from entertainment with perhaps a more familiar theme, it is not too early to cue that famed soundtrack from the movie Jaws.