
IBM heads to Washington in campaign against GDPR

May 16, 2018

Big Blue has some big ideas for how the U.S. government should handle data privacy, and the company has a strong message for regulators: GDPR is not the right solution for the American market.

This week, more than 100 IBM executives visited Capitol Hill for the company’s annual “fly-in.” The team met with more than 200 staffers and members of Congress on Monday and Tuesday to discuss the tech giant’s corporate priorities and how they intersect with the world of policy. IBM reports that data privacy was a focal point for this year’s meetings, but that the company has doubts about the feasibility of adopting a GDPR-like regulatory approach in the U.S.

“We do not agree with every component of the GDPR,” Christopher Padilla, vice president for IBM’s Government and Regulatory Affairs, said in a blog post. “As other countries consider their own privacy challenges, we do not believe that GDPR should be simply grafted onto privacy systems where its relatively prescriptive approach may not work — particularly in the United States.”

GDPR, the EU’s General Data Privacy Regulation, will go into effect next week on May 25. It sets strict new standards for consent, transparency, and data processing for all companies handling the data of EU residents. Companies around the world are spending millions on compliance.

Beyond the immediate cost implications of adhering to a data protection regime as extensive as GDPR, Padilla’s statement indicates that IBM’s stance also stems from concerns about data access to fuel the company’s extensive AI projects, and that more sweeping statutes around issues like user consent, data portability, and the right to be forgotten may slow the pace of innovation.

Instead of GDPR’s “prescriptive” mandates, IBM is pushing for a more “collaborative” approach in which the public sector works alongside companies to develop voluntary standards. Padilla cites the NIST Cybersecurity Framework as an example of the route the U.S. should take to more effective data protection.

“GDPR may work for Europe, but that doesn’t mean it should become a global standard,” Padilla said.

OWI Take: The idea of self-regulation for tech firms is increasingly unpopular among the American public. Despite this, there have been no major moves at the federal level to enact the kind of sweeping changes the EU will see as GDPR becomes enforceable this month. In that sense, IBM doesn’t have much to worry about in the short term — no one’s really suggesting “grafting” GDPR wholesale into American law. What we have seen, however, is that many multinationals are changing their data processing standards to adhere to a single GDPR-compliant standard for all users worldwide. In reality, GDPR is raising the bar globally for data protection, despite Padilla’s assertions to the contrary. We don’t believe that innovation and data protection are conflicting goals, and we believe that thoughtful adoption of GDPR principles can actually be a competitive advantage for firms. For more, download our Survivor’s Guide to GDPR-mageddon.