This state of affairs first came to light from a negotiation a reader was having with IBM over a service contract. An IT manager with considerable procurement experience, the reader thought the deal was just about done when IBM's representatives trotted out a last-minute "Data Privacy" addendum they wanted to add to the contract. It read:

"You agree to allow IBM to store and use Your contact information, including names, phone numbers, and e-mail addresses, anywhere they do business. Such information will be processed and used in connection with our business relationship, and may be provided to contractors, Business Partners, and assignees of IBM for uses consistent with their collective business activities, including communicating with You (for example, for processing orders, for promotions, and for market research)."

The reader was very displeased with IBM's attempt to ram this language through at a point in the negotiations where they thought he couldn't refuse. "This was not in the original contract as it was provided to us," says the reader. "Then, IBM came back and said that they had a few 'administrative' items that needed to be added, but it wasn't in there either. It wasn't until late in the game that IBM decided to pop this on us ... late in a game that they thought they were winning. Unfortunately for them, they were incorrect in that assumption."

Under privacy laws in his company's line of work, the reader doubted he could legally expose the staff to this open-ended use of their personal information by IBM. After consulting with company counsel, he told IBM the "Data Privacy" was a deal-breaker. Even then, the Big Blue team seemed bent on sticking to their guns. "IBM responded that it was their attempt to adhere to the various privacy laws which bind their business, and they told me they never modify or delete this section, even though it wasn't there to begin with," the reader says. Only after the reader made it clear he would walk away from the deal did IBM agree to remove the language in its entirety.

My first question when the reader told me about this incident was whether it might just be an isolated incident with one over-reaching IBM negotiating team. A little bit of Googling, though, quickly revealed that the Data Privacy language is to be found throughout IBM "standard form" services agreements, statements of work, and software license agreements. In other words, it's probably in any recent agreement with IBM where you didn't specifically negotiate to have it removed. For example, it would appear to apply to Florida state employees who use IBM software, including Lotus or Informix.

What is IBM's rationale for this Data Privacy language? "IBM in the course of conducting its everyday business will inevitably collect and process at least some data about its customers in a business-to-business context," says Michael Loughran, a spokesman for the IBM Software Group. "In particular, it will receive 'contact' data about employees of its customers, such as an individual's name, job title, work location, business phone number, e-mail address. Since personal data is defined broadly enough to include such contact data it's hard to see how IBM could ever perform a transaction without at least collecting some personal data. If a customer objects to any part of this clause, we are happy to discuss it with them so they can better understand what this clause is designed to accomplish. We believe however that it is appropriate for IBM to include in its standard terms and conditions for these kinds of arrangements a clause that covers a more expansive relationship between IBM and its customers. This allows IBM and its suppliers and business partners to provide information about the value that IBM and these companies can deliver to the customer. This is quite standard across the industry."

I can agree that it's standard across the industry for non-negotiable sneakwrap agreements and privacy policies to contain all sorts of nasty terms. IBM's is no worse than some others we've seen. But what is unusual about this case is the fact that IBM is trying to insert this language in the contracts it negotiates with IT professionals, even at the risk of losing business. Why push our reader so hard just to try to get this No Data Privacy language in their deal?

The reader has his own theory on that. "The cynical part of me would guess they're contemplating some sort of overall customer list they could sell to people," he says. The critical thing is that the language allows IBM to pass the information it collects on to "assignees" as well as regular partners. "I read that as taking it out of the realm of companies they're doing business with and permitting them to treat the information as a saleable asset."

And the cynical part of me says that it's nice IBM wants an expansive relationship with its customers, but it would even nicer if it weren't such a one-way thing. If Big Blue thinks of its customers as an asset, it should remember its customers need to feel the same way about their relationship with IBM.

--------------------

Post your comments about this column below or write me directly at Foster@gripe2ed.com. To receive this column every week in my free e-mail newsletter, please go to my subscription page and follow the instructions to opt-in for the EdFoster mailing list.