By Erich Clementi
At IBM we take concerns about data privacy and security very seriously. We have a long leadership history in these areas, and throughout our business and client relationships we have always adhered to the highest relevant standards in data protection.
We enjoy a good working relationship with data protection authorities in Europe and elsewhere. We are, for example, working with various regulatory authorities around the world to enhance interoperability between legal systems to enable cross-border data flows.
When it comes to transferring personal data from the EU to non-EU member states, we have used EU Model Clauses with clients since their introduction more than 10 years ago. This was the way that the EU Commission wanted tech companies to handle personal data and that’s what IBM has done consistently.
Recently, some of our competitors have asked EU data protection authorities to approve variations on the Model Clauses. This has led to confusion in the marketplace — the misconception among clients and prospects being that solely those vendors receiving variation approvals were compliant with EU regulations.
This is not the case.
At IBM, we therefore sought clarification from EU authorities regarding legal requirements and the need for approval of the standard EU Model Clauses.
The response from Isabelle Falque-Pierrotin, Chair of the EU’s Article 29 Working Group and of CNIL, the French Data Protection Authority, was unequivocal. Ms. Falque-Pierrotin responded* to IBM as follows:
“Companies that have complied with their declaration obligations and which have implemented European model contractual clauses to frame their data transfers do not have to proceed with any additional notification of compliance to their authority.
“Companies that choose to change the model clauses run the risk of facing a different interpretation of their clauses by the various data protection authorities. Consequently, they have to use the procedure provided for by document WP 226 in order to ensure that such altered clauses comply with the European model clauses.”
This confirms that IBM, by using the required procedures, adheres to the highest relevant standards in data protection and requires no specific additional approvals from EU data protection authorities.
We have a strong track record of handling our clients’ data securely. Our employees who deal with sensitive data from every sector, day-in and day-out, work in a culture of stringent data stewardship. We continually strive to further build and improve a strong data privacy culture.