Think Policy

The future of cross-border data flows must include high standards of protection

Share this post:


The data security debate

While the pandemic has forced individuals, companies and governments to adapt to a world that is more virtual than ever before, increased internet access and data flows were fueling the digital transformation long before the present crisis. Meanwhile, concerns from governments about the safety, security, and use of data are increasing — underscoring the urgent need for new approaches to engender trust and confidence in the digital economy. Most recently, the European Court of Justice Ruling (CJEU) invalidating the ‘EU-US Privacy Shield’ (‘Schrems II’) has reignited the debate around data security and sovereignty in Europe.


IBM’s commitment to trusted cross-border data flows

With growing uncertainty about the future of cross-border data flows, IBM remains committed to preserving the integrity of client data regardless of where it resides. It is our firm belief that companies and governments should encourage and enable the free flow of data and increased internet access. Now more than ever. The pace of development of COVID-19 vaccines is proof of the crucial need for secure and uninterrupted international data flows. Access to large volumes of electronic health data and the supercomputing power to process that data gave doctors and researchers around the world the ability to develop vaccines at a pace unprecedented in human history.

However, cross-border data flows must be protected by high standards of privacy and security. IBM has always beencommitted to applying such high standards. We believe that clients’ data is theirs alone. For more than 100 years, we’ve put trust at the core of everything we do and we continue to protect our clients’ data regardless of where it resides in the data lifecycle.

As the first company in our industry to appoint a Chief Privacy Officer two decades ago, we’ve long been focused on data privacy. We are continuously developing and deploying leading edge security technologies so that we remain first-in-class in data protection, giving our clients the tools and capabilities to determine the most appropriate and secure ways to transfer and be in control of their data.


How do we securely protect data?

First, IBM has long been a world leader in encryption technologies.

  • Today, we protect our clients’ data through technical measures, such as encryption, both when it is in transit and “at rest”. For some services, Bring Your Own Key (BYOK) and Keep Your Own Key (KYOK) technologies allow clients to hold the encryption keys that protect and control access to their data.
  • Another key element of a protective encrypted environment, is ‘Confidential Computing‘. While encryption (including BYOK and KYOK technologies) protects data in transit and “at rest”, protecting ‘data-in-use’ has long been an issue companies have tried to solve. IBM’s Confidential Computing capabilities protect ‘data-in-use’, as it keeps data continuously encrypted, including when it is being processed in memory for business applications and processes. One example of this are IBM Cloud Hyper Protect Services, which provide protection throughout the computing lifecycle. That’s why we see Confidential Computing as the future of cloud security and data protection — and we’re bringing this technology to our clients already today. In fact, the IBM Cloud is the only public cloud to include this feature.
  • In addition, we’re also exploring other encryption technologies like “Homomorphic Encryption” which allows manipulation of data by permissioned parties while it remains encrypted, minimizing the time it exists in its most vulnerable state. Today, homomorphic encryption toolkits are available on GitHub for iOS, MacOS and Linux.
  • We have also announced QuantumSafe Cryptography Support, new capabilities around quantum-safe encryption, making it the industry’s most holistic quantum-safe cryptography approach to securing data available today.

Secondand most importantly, IBM does not voluntarily share data with governments requesting access to IBM clients’ data.

  • We have a strict process to safeguard clients’ personal data in the event of a government request, which we made clear in 2014, long before the entry into force of GDPR. At the heart of this policy is the core principle that if IBM receives a request from a government, we ask the government to directly approach our client.
  • In light of the CJEU ruling in ‘Schrems II’ and the subsequent recommendations from the European Data Protection Board, IBM is going one step further by incorporating our existing policy on government access to client data directly into our contracts.
  • Furthermore, IBM has not provided client data to the NSA or any other government agency under any surveillance program involving the bulk collection of content or metadata (such as PRISM or others). Nor have we ever provided client data stored outside the United States to the U.S. government under a national security order, such as a FISA order or a National Security Letter. IBM’s business does not involve providing traditional telephone or Internet-based communications services to the general public, which sets us apart from providers that regularly receive law enforcement access requests, such as consumer digital services. Instead, we deal primarily with corporate data that would provide little utility for national security intelligence purposes, and generally is not the target of such requests.

IBM will continue to work with clients to assess the risk of transferring data outside of the EU in light of their specific situation using all relevant criteria. We believe that such criteria, together with the above-mentioned technical and contractual measures, should also include the likelihood of access to data by a foreign government.


The free and secure flow of data

Paradoxically, even as digitization has become more essential, digital protectionism is growing across the globe, threatening the free flow of data. Safeguarding open markets in these significantly challenging economic times, will be essential to global recovery. At IBM, we strongly believe that facilitating the free flow of data while still ensuring data security and privacy are not mutually exclusive. Enhanced cooperation between like-minded countries and regions can promote transparency and enhance public trust in the very technologies that are transforming our economies.

The industry must play its part as well: in the era of cloud, we need to uphold high data privacy standards that are flexible and technology-agnostic, while guaranteeing adequate levels of protection. That is also why IBM will continue to invest in trusted data transfer mechanisms and offer several best-practices for enterprise-led solutions to protect our clients’ data across the globe.


By Christina Montgomery, IBM Chief Privacy Officer




More Think Policy stories

On Privacy Day, Remembering How Much Work Still Lies Ahead

International Data Privacy Day is meant to raise awareness about how personal data is being used, collected and shared in today’s digital society. That’s critically important, as we know that data privacy is increasingly top of mind for so many of us. A recent Morning Consult poll of consumers in the U.S. and E.U. commissioned […]

Continue reading

IBM Vision 2024: For a responsible, open and inclusive digital Europe

IBM is pleased to present Vision 2024: our priorities for technology policy in the EU for the new five-year mandate of the European Commission and the European Parliament.

Continue reading

Statement on the Indian Data Protection Bill

The conversation surrounding data protection is a global one. Given India’s globally established strength in the IT sector and constitutional provision of privacy as a fundamental right, a forward-looking data protection regime is essential.

Continue reading