14 May 2018, Washington, D.C. — In less than two weeks, the General Data Protection Regulation (GDPR) will go into effect in the European Union—solidifying the most expansive overhaul of privacy regulations in a generation. In addition to the risk of major data breaches, cybercrime and mismanagement of personal data, privacy is now front of mind for governments across the globe. And the question many are asking: should GDPR become the single global standard for privacy regulation? Given Europe’s prominence in the global privacy debate, it’s a reasonable question.
At IBM, we do not think there is a one-size-fits-all approach to privacy. Our company has long recognized the power data holds for our clients. It is the key to their competitive advantage. Today, it’s powering AI systems, helping companies develop deeper insights, unlocking new discoveries and making decisions exponentially faster. However, as more and more organizations interact with and manage data, all have an obligation to do so responsibly.
What works for one country or region will not necessarily work for another. IBM has worked closely with the European Union to ensure the GDPR addresses privacy concerns without undermining innovation, and we appreciate the EU’s desire to provide a unified approach across the EU and bring outdated regulations in line with 21st century challenges. But we do not agree with every component of the GDPR. As other countries consider their own privacy challenges, we do not believe that GDPR should be simply grafted onto privacy systems where its relatively prescriptive approach may not work – particularly in the United States.
Instead, IBM believes the United States should pursue a third way – one with a track record of success. Instead of government mandates, we believe a collaborative public-private approach, led by industry together with government, is the most feasible way to develop a framework of data privacy standards tailored to America’s needs.
There is recent precedent for such an approach. In 2013, in the aftermath of comprehensive cybersecurity legislation failing in Congress and cyber intrusions into critical infrastructure increasing, the Obama Administration issued an executive order calling on the National Institute of Standards and Technology (NIST) to lead a collaborative effort between government, industry, and academia to develop cybersecurity standards. A year later, the NIST Cybersecurity Framework was released and quickly became the blueprint for cybersecurity in the private sector. In 2014, the bipartisan Cybersecurity Enhancement Act of 2014 supported NIST’s continued work on this voluntary Framework. And in 2017, President Trump mandated use of the NIST Framework by U.S. Government agencies to manage their cyber risk.
This is a model for success, and what worked a few years ago for cybersecurity could address the issues we now face with data privacy. In fact, privacy already has been identified as an area NIST would like to build out within its Cybersecurity Framework, so all that would be needed to advance the effort would be a critical mass of interest and commitment from government, industry, and other stakeholders. Additional government participants, such as the Commerce Department’s National Telecommunications and Information Administration (NTIA), or the Federal Trade Commission (FTC), could also be drawn into the effort.
Today, IBM is bringing over 100 of our top leaders from across the country to meet with Members of Congress and discuss important issues as part of our annual Washington fly-in. It’s the tenth year we’ve held this fly-in and this year, the issue of data privacy will be at the top of our list. And we will be encouraging Members to embrace this collaborative, public-private approach.
Data privacy is a global priority, but one that must be addressed locally. We applaud Europe for taking early action. Yet a different – but no less effective – approach may be the best way to assure Americans that their digital privacy is being protected.
– Christopher A. Padilla, Vice President, IBM Government and Regulatory Affairs
Rachel R. Thomas