Government Access To Data: Getting The Facts Straight
Share this post:
By Martin Jetter, IBM Chairman of Europe, Middle-East and Africa
Brussels, 2 June 2021
IBM has over 100 years of commitment in Europe, with many cloud data centres, research labs, innovation spaces and centres of excellence spread across Europe. We not only have one of the longest standing history of any technology company supporting major clients across all sectors in Europe, we also have, as a result, deep and persistent relationships with European customers. Moreover, Vice-President of IBM Cloud in EMEA Agnieszka Bruyère has today published a story on digital sovereignty and our EU-only service offering. There are legitimate concerns about data privacy in cross-border data flows, among EU institutions, European governments and our European clients. As recent as last Friday, the EU Commission started gathering information on how to mitigate the risks resulting from government access to non-personal data of companies established in the EU, held by cloud computing service providers. Therefore, it is very important that we set out the facts concerning IBM in Europe and how we respond to these important issues.
IBM entities based in Europe are individual companies incorporated in the relevant Member State[s]. These entities are distinct from their mother and sister companies, are subject to national jurisdiction, and will reject claims from authorities that have no jurisdiction over them (be that the US government or ANY other foreign government), to access the data entrusted to them by enterprise or public sector clients. Whilst IBM as a global company publicly declared its strict commitments to safeguard clients’ data in the event of government requests well before the GDPR entered into force, I want to reiterate and highlight what these commitments mean for IBM entities in Europe.
IBM European entities are not different from any other European entities
IBM European entities operate subject to EU law and the national laws of the country where they operate, which includes all protections, including privacy, that are mandated by those laws.
This is no different from other European companies. Our adherence to local law is unaffected by IBM European entities’ corporate relationships.
The US government has no jurisdiction over IBM European entities to demand data entrusted to us by our enterprise and public sector clients merely because these entities have a parent company based in the US. Neither the US Cloud Act nor any other similar law changes that.
IBM European entities will contest any demands they receive beyond the lawful jurisdiction of the requesting government.
IBM and the US Cloud Act: what are the facts?
Since the US Cloud Act became effective in March 2018, neither IBM Corporation nor any of our IBM related-companies have provided any client content under the Act. In fact, looking across the entire global family of IBM-related companies, IBM has received a total of 1 request involving client content located in Europe under the Cloud Act. For that request, IBM determined the request was inconsistent with the principles IBM has long advanced to our clients about government access to data, and IBM US declined to provide data located outside of the US.
Instead, IBM insisted the US government either contact the client directly or work through the internationally recognized Mutual Legal Assistance Treaties process (MLATs). Faced with the IBM position, the US government pursued the MLAT process. In our view, this would have been the same result prior to the passage of the Cloud Act.
IBM also reiterated its position that the US government does not have jurisdiction to force IBM subsidiaries — each separate legal entities — to disclose client data simply because there is a common corporate relationship.
Furthermore, the US Cloud Act is only used in a very specific way: to seek electronic data from digital services companies and platforms to combat serious crime, including terrorism and such electronic data may contain evidence of a serious crime. IBM is not a digital platform controlling massive amounts of user data – IBM is a cloud service provider to businesses and governments.
IBM is very different from other cloud companies
Firstly, we are different from digital consumer platforms. The nature of our main activities and customers sets us apart from other big platforms in the industry, especially the ones whose business model primarily consists of direct interaction with consumers, and who collect and control vast amounts of consumer data.
Also, IBM’s activities do not involve providing traditional telephone or Internet-based communication services to the general public. IBM instead deals primarily with business data that would provide little use for national security intelligence purposes, and generally is not the target of third country authorities’ requests.
Thanks to our differentiated business model, IBM European entities have to date received a very low number of requests for client data from third country authorities.
Secondly, IBM differs from other enterprise cloud providers.
For instance, our history with the Cloud Act puts IBM, having received so few Cloud Act requests, in a unique position on the Enterprise Cloud Market. Furthermore, IBM is uniquely positioned as the only leading Enterprise Cloud provider without a consumer platform business which can draw thousands of additional government demands for client data every year. Additionally, our principles and practices that our customers’ data belongs to those customers and not IBM, also sets IBM apart, even from other Enterprise Cloud Providers.
But let us look at the numbers.
All of this is confirmed by our latest transparency report: in 2020, with one exception, no IBM entity provided (or was even asked to provide) data associated with a client other than subscriber information allowing the authorities to contact the customer directly. Also, this one exception did not involve the Cloud Act or any authority in the United States. This request, like all other request IBM has been faced with, was resolved in full compliance with local law.
Continuing to build a Trusted Cloud in Europe
While others are now starting to look into how to improve their own capabilities, IBM has been relentlessly driving trust in how data is handled in Europe’s Cloud ecosystem and has already implemented innovations and safeguards.
Thanks to our EU-only offering for storing and processing data in Europe, combined with our new technological advances, such as ‘Keep Your Own Key’ encryption technology and Confidential Computing, and our engagement in EU policy efforts and industry initiatives, such as the EU Cloud Code of Conduct and GAIA-X, IBM continues to lead in supporting Europe, building a Trusted Cloud environment.
Authored by Martin Jetter
IBM Chairman Europe, Middle-East and Africa