IBM Cloud under Schrems II ruling

By Michel Roukos posted Wed November 17, 2021 05:49 PM


In 2015, Max Schrems, an Austrian activist and lawyer, filed a complaint against Facebook over concerns that his personal data could be accessed by the US authorities. Consequently, the CJEU (Court of Justice of the European Union) invalidated the U.S.-EU Safe Harbor Framework, which was later replaced by the EU-U.S. Privacy Shield.

In 2020, Mr. Schrems filed another complaint, and the CJEU invalidated the Privacy Shield.

In both cases, the complaints were related to concerns over personal data that could be accessed by US intelligence agencies. This could be interpreted as a violation of the GDPR, the regulation that protects the personal data (e.g. personally identifiable information, location, health, etc.) of "data subjects".

An additional area of complexity is the CLOUD Act, enacted in the United States in 2018. It empowers U.S. law enforcement authorities to request data stored by US cloud providers, even when that data is hosted outside US territory.

So with so much turbulence in the market, what is IBM’s position? 

  

IBM position 

Clients around the world trust IBM with their data. IBM is confident in its ability to demonstrate that it adequately safeguards European personal data.  IBM is fundamentally an enterprise company. Its business model sets it apart from many of the companies associated with the surveillance laws highlighted in the CJEU’s decision. IBM deals mainly with business data and its client relationships are governed by contract, with clear roles and responsibilities assigned and understood by all parties.  

IBM also publishes statements on data responsibility and data trust on its Think Policy blog. The site clarifies IBM's position on various topics that governments and lawmakers are debating, such as cross-border cyber threats, data privacy and cross-border data flows.

Long before the discussions of tech sovereignty began, IBM clarified its position on access to data. In 2014 IBM published an open letter to clients reiterating IBM's commitment to comply with local laws, including data privacy laws, in all countries where it operates. 

So, what does IBM provide as safeguards to reassure its European clients? 

  

Safeguards 

The EDPB (European Data Protection Board) published its six supplementary measures to tackle the challenges of the Schrems II ruling. IBM helps clients with each of these six steps.

  1. Know your transfers: IBM publishes the Data Processing Addendum (DPA), which outlines aspects such as sub-processors and cross-border data processing. It also publishes the list of IBM affiliates along with their processing locations. Every cloud service has its own DPA exhibit that lists IBM processing and hosting locations. Depending on the Cloud Service, IBM may be able to limit Processing of Content to a subset of these locations at the client's request. Finally, each cloud service DPA exhibit lists any third-party processors with their locations as well as their processing activities.
  2. Identify data transfer mechanisms: IBM relies on Standard Contractual Clauses (SCCs) in its customer contracts, as well as on numerous supplementary measures, to help clients ensure an adequate level of protection when transferring personal data outside of the EU/EEA. The CJEU confirmed that Standard Contractual Clauses remain a valid data export mechanism. Moreover, in September 2021 IBM quickly adopted the new EU-approved SCCs to align more closely with the GDPR and the Schrems II ruling.
  3. Assess the third country law: IBM has long been clear about the steps it takes if a government wants access to data held by IBM on behalf of a client. As an enterprise company, IBM expects governments to deal directly with the client, and not come to IBM. IBM does not provide access to enterprise client data stored outside the lawful jurisdiction of any government requesting such data unless the request is made through internationally recognized legal channels such as mutual legal assistance treaties (MLATs). If IBM receives a request for enterprise client data that does not follow processes in accordance with local law, it will take appropriate steps to challenge the request through judicial action or other means. If IBM receives a government request for enterprise client data that includes a gag order prohibiting it from notifying that client, it will take appropriate steps to challenge the gag order through judicial action or other means. IBM publishes law enforcement transparency reports that reflect this commitment. In parallel, clients must carry out a Transfer Impact Assessment. In this context, IBM publishes the Data Security & Privacy Principles (DSP), which are IBM's contractually binding security and privacy commitments that all IBM Cloud Services maintain.
  4. Identify and adopt supplementary measures: IBM implements controls such as separation of duties and encryption of data at rest and in transit. IBM maintains its ISO 27001 and SSAE SOC 2 certifications and can provide this evidence upon client request. Another measure IBM took to reassure its European clients is the EU Cloud, introduced in 2017. It consists of a set of additional technical and operational measures that ensure data stored and processed in an EU Cloud-enabled service remains within the EU at all times. It limits operations (e.g., patching) and customer support of EU Cloud-supported services to EU-based IBM personnel only, and places strict controls on access to systems and services by non-EU personnel should the need arise. Moreover, IBM delivers data residency and proximity via Cloud Satellite. Using this service, the client's data and applications stay inside the country while capitalizing on IBM Cloud capabilities. IBM Cloud has no access to client workloads residing in-country. A link between the IBM data center and the client's data centre carries management-plane traffic such as logs. The Satellite link is maintained under the client's control, and its data is encrypted using TLS 1.3. The Satellite service enables clients to meet data privacy and sovereignty requirements. Other measures such as data classification, data leak prevention, data pseudonymization/anonymization and geo-fencing are all available as tools either from the IBM Cloud catalog or as IBM security add-ons such as IBM Guardium.
  5. Procedural steps if the client identified supplementary measures: once appropriate supplementary measures are identified and implemented, the client can proceed to transfer data. The client must seek authorization from the local data protection authority when supplementary measures contradict the SCCs.
  6. Re-evaluate at appropriate intervals: IBM helps its clients continuously monitor their workloads using the Security and Compliance Center. The tool provides a dashboard to rate and grade the compliance posture of workloads, regardless of whether they are deployed on IBM Cloud, any other cloud, or on-premises. On another front, clients can subscribe to notifications of any change in third-party suppliers' Processing of Content using the https://mycloudservices.ibm.com portal.

        

Conclusion

IBM recognizes that client data is owned only by the client. As outlined in the DSP document, IBM treats all client data as confidential. The changes of the EU Privacy Board triggered by the Schrems II decision do not mandate that data remains in the EU. Rather, they only change the requirements on how data transfers must be legally handled, as well as the level of disclosure and transparency that a vendor must provide to its customers to enable them to perform Transfer Impact Assessments. IBM took actions, prior to the date the Schrems II-related changes took effect, to update its DPA and associated SCCs, change some of its internal processes, and modify its offering-specific contracts (e.g. datasheets) to provide more details on processing activities to its customers. For more information on how IBM protects data crossing borders, please visit this page.
