
Privacy Laws and Business International Report


IBM protects personal data online with a global privacy policy [1999] PLBIRp 51; (1999) 51 Privacy Laws and Business International Report 5

IBM protects personal data online with a global privacy policy

ONLINE PRIVACY PROTECTION poses new challenges to most companies, but especially to multi-nationals. IBM has adopted a global privacy policy to address the privacy concerns of Internet users worldwide. How can one policy work for a number of countries which have different legal requirements?

IBM was one of the first companies to adopt and implement a global online privacy policy back in 1997. For an e-business that operates in 164 countries, it was sensible to try to establish a minimum level of online privacy. The company was also interested in making the best use of available self-regulatory measures. Privacy Laws & Business talked to Dr Armgard von Reden, Public Affairs Manager, Government programmes, IBM Europe, Middle East & Africa, and Dr Mark Watts, Staff Attorney, IBM Europe, Middle East & Africa to find out how the policy works for a variety of different countries.

PL&B: What kind of personal data does IBM collect online?

Mark Watts: For the most part, the details we collect online are business-to-business information, for example, contact details for individuals within companies we deal with, and/or technical information, such as which software or hardware a particular customer uses. Whilst this information may fall within the scope of the EU Data Protection Directive, it is not particularly personal. IBM very seldom collects so-called sensitive personal data online. A typical example of IBM collecting personal data online is where individuals register on one of our websites to request further information about a particular product. Again, this information is usually just contact details.

PL&B: When did IBM start drafting its online privacy policy and how long did it take?

Armgard von Reden: We started in early 1997 and it took at least half a year. However, we were in the fortunate position that we did not have to start from scratch - IBM has for a long time had several policies on how to handle personal data. The challenge was the global dimension of the project.

Mark Watts: Yes, a lot of the back office practices necessary were already in place. We simply had to formulate those practices into a coherent policy which we could make available to our customers. Even having done so, we keep the policy under constant review. We monitor whether legislation, industry practice, or our own business processes have changed in a manner which requires us to amend our privacy policy.

PL&B: How did the company go about adopting a global policy?

Mark Watts: We dedicated a lot of time to this as it was important to get it right. There is more to adopting an online privacy policy than just making a statement about privacy on your website. It is also about being able to comply with your statement.

We involved a lot of people because various parts of our business may process personal data received from our website, for example, fulfilment, shipping, product support and/or marketing functions. We started with the OECD privacy principles and consulted various IBM business functions on how they use personal data. In the end, the policy is essentially about notice and choice; explaining what data is collected and for what purpose(s), and giving visitors the choice of disclosing some personal data or none at all, and further choice over the purposes for which it is processed.

Armgard von Reden: Implementation was the most time-consuming process. We had to make sure that the policy was well-publicised in the 164 or so countries where IBM operates. Our web-masters received special training, and other affected staff all had to be informed as well.

PL&B: Presumably the majority of these countries do not have data protection legislation in place. How was it possible to draft a policy that would work in all countries?

Armgard von Reden: IBM has had certain internal data protection measures in the countries where it operates for a long time, so many data protection measures were already familiar to our business units even in countries which lack specific data protection legislation. I would say that data protection has been on our agenda in one form or another since the 1960s.

Mark Watts: It is the nature of global business to introduce uniform processes. The online privacy policy is intended to form a baseline. If a particular country's laws require stricter protection we may need to apply additional measures to meet particular requirements.

PL&B: The IBM privacy policy promises that it is possible to visit the website anonymously. Does the company use any of the information that visitors leave behind?

Mark Watts: It is possible to visit our websites without revealing personal information. However, inevitably all websites capture some details about the visitor which are of a more technical nature. IBM may analyse this data for trends and statistics, and then the information is discarded.

PL&B: Does the company allow individuals to access their data?

Mark Watts: The websites include contact details for sending queries to IBM. If we receive a request via the website from an individual who wants to see what personal data we hold about him, we treat it as a subject access request. To date however, very few people have requested access to data about themselves.

PL&B: Is the current privacy policy word for word the same in all countries where IBM operates?

Armgard von Reden: More or less, although it has been translated from English to other languages. Only minor country-specific modifications were allowed.

PL&B: Do you envisage that IBM's country-specific websites will in the future inform users of their additional rights under their countries' own data protection laws?

Mark Watts: Not all countries where we operate have their own country-specific websites, but of those that do there can be certain local requirements giving users additional rights. Even if these are not mentioned specifically in the policy, the individuals are, of course, entitled to the protection afforded by their country and the policy assists in this by giving individuals details about how to contact us to exercise such rights. It is important to recognise that the privacy policy is not intended to replace the law. It provides the highest common denominator. If a country's law requires us to take additional steps, we do so.

PL&B: How does IBM ensure compliance with its online privacy policy?

Mark Watts: We conduct random internal audits and raise awareness of our employees on privacy matters. A breach of IBM privacy policy by an employee may lead to disciplinary proceedings.

PL&B: IBM is a member of the TRUSTe programme, which grants privacy seals to companies adopting and complying with strong online privacy policies. Has IBM's compliance with its privacy policy been audited by TRUSTe?

Armgard von Reden: TRUSTe does not conduct any formal audits, but does spot checks. We are fairly sure that our site has been spot-checked for compliance. TRUSTe will only carry out a formal audit if there is a serious customer complaint.

ONLINE TRANSFERS OUTSIDE EUROPE

PL&B: Does the IBM privacy policy address the question of online data transfers from the EU to so-called third countries?

Mark Watts: Yes. You can look at the issue in two ways. Firstly, from the point of view that the privacy policy contributes to adequacy, and, secondly, as enabling the informed consent of the website visitor to be obtained. Our privacy policy's principles of notice and choice provide us with the opportunity to receive the individual's consent for an online transfer. Having transferred the data out of the EU, IBM continues to handle it internally according to its privacy policy.

Armgard von Reden: The privacy policy and other self-regulatory measures will be of great help and cut down the costs. If we were to be subject to some bureaucratic and cumbersome process, it would not help anybody. We are pleased that the EU Data Protection Working Party has already recommended that Switzerland and Hungary are adequate, and we hope to see more recommendations and decisions soon. We would also like to see that codes of conduct generally are considered as an adequate mechanism for transfers within multinationals.

PL&B: What about internal transfers within IBM from one country to another?

Armgard von Reden: IBM has in place a package of internal measures which apply worldwide. These measures include our online privacy policy but also other off-line policies, such as for data security and employee information, detailed compliance guidelines and inter-company data processing agreements. How this package of measures is applied to a particular set of transfers varies depending upon the circumstances.

PL&B: Some jurisdictions, for example Italy, have included legal persons in their new data protection law. Does this pose a problem for IBM?

Mark Watts: We do have to deal with this question in the countries where it is required, although even in countries where it is not, there are often confidentiality commitments requiring similar measures to be taken. Often the fact that we are entering into a contract with the legal person concerned enables us to overcome most of the issues.

COMMUNICATING THE POLICY IS VITAL

PL&B: How has the company ensured that visitors to the websites notice the privacy policy?

Mark Watts: The general statement is accessible on every page with one click of the mouse. On pages that collect personal data, there is a more detailed description of the purpose of collecting the data, how it will be processed etc.

PL&B: How does the company communicate the privacy policy's requirements to the staff?

Mark Watts: It is available to see on our Intranet, along with detailed implementing guidelines, and employees will of course also see it on the IBM websites. The policy is also included in system design and other internal documentation, such as the mandatory requirements for designing new websites. From time to time, employees are reminded about their privacy obligations generally. At the departmental level, those departments that handle personal data have nominated a person who is responsible for data protection.

Armgard von Reden: In fact, when people join IBM they automatically receive an information pack about the company's internal practices, privacy being one of them. Our senior management has frequently spoken about privacy issues, and occasionally asks for employees' views via the Intranet.

PRESSING OTHERS TO PROTECT PRIVACY

PL&B: In the spring, IBM announced that it will advertise only on websites that post a clear privacy policy statement. What was the reason behind this initiative, and what are the results so far?

Armgard von Reden: The company thought that, as it is so involved in international privacy issues, it would be inconsistent to advertise on sites that do not have statements about how they protect individuals' privacy. The policy was first put in place in the USA and Canada at the beginning of June. We have seen results in two ways. First of all, to our satisfaction, other big companies such as Microsoft and Disney have now adopted similar stances, and secondly, many advertisement websites have subsequently posted privacy statements. In a few instances, IBM has withdrawn from advertising on certain websites.

This policy on advertising will also be rolled out to Europe, Middle-East and Africa from January 2000. In the future, the company will also take similar measures to Asia Pacific and Latin America.

PL&B: Apart from the privacy policy and the advertising ban, what other online self-regulatory privacy initiatives has the company taken?

Armgard von Reden: IBM was one of the companies involved in establishing the Online Privacy Alliance, which operates in the USA and has adopted specific privacy principles. We also keep in touch with various associations in Europe, such as the Alliance for Electronic Commerce in the UK. IBM has also been heavily involved in the Global Business Dialogue with the OECD about electronic commerce and privacy protection. In addition, we have an ongoing interest in the work of BBBOnline, and as mentioned, IBM holds a TRUSTe license.

PL&B: It seems that IBM is concentrating at the moment particularly on online privacy protection. Is this intentional?

Mark Watts: We are concerned about protecting personal data we process whether it is collected online or offline. Data protection is not a new subject, though, and many of our offline data protection policies have been in place for a long time. Accordingly, there is less need to talk about these than there is to talk about new initiatives dealing with the online world.

Armgard von Reden: Privacy protection on the Internet gets a lot of attention just now because of the perceived uncertainties of the online world. Whilst this may raise new issues about how to approach privacy protection, it does not mean that other areas, for example protecting employee data, can be neglected. Online privacy is just the issue that Internet users and the media alike seem to be interested in at the moment. Also, it is an even bigger issue in the USA than in Europe, as US citizens use the Internet more.

To see the IBM online privacy policy on the Internet, visit http://www.ibm.com.

URL: http://www.worldlii.org/int/journals/PLBIRp/1999/51.html