Trust me on this - Cisco's Privacy Benchmark Study exposes alarming contradictions around AI adoption and data privacy practices

Of late we’ve seen what we’ve referred to as the ‘show us the money - now!’ knee-jerk reaction from Wall Street to firms making ongoing hefty investments in rolling out infrastructure around the world to support expansion plans and meet AI demand from customers that currently outstrips capacity to satisfy in many cases.

While CEO after CEO has repeated some variation of ‘speculate to accumulate’ or ‘it’s a long (long) game’, and to date all of them have defied investor short termist thinking and re-affirmed their commitment to building out their global foundations, the whining from the wolves has yet to abate among those who were told that the AI gold rush was going to deliver money hand-over-fist.

Against that backdrop I was intrigued to cast an eye over Cisco’s 2025 Privacy Benchmark Study, which comes to an interesting headline conclusion that might add another string to vendor defense against investor greed when justifying further infrastructure spend. According to the study, which polled 2,600+ respondents across 12 countries, 90% believe that storing data locally is inherently safer, but 91% reckon that global providers - for which read almost certainly American, when it comes to AI - are better at providing the necessary protection sought than local firms.

That last figure is up five points on last year’s study. So when the likes of Oracle or IBM commit to expanding sovereign presence with in-country data centers, that’s actually playing to the home crowd, wherever that home may be, in terms of encouraging AI adoption. This preference is common across geographies according to the study findings:

With the varying approaches to data localization across countries, one might expect preference for global data providers to differ based on local regulation. But preference for global providers over local ones remains relatively consistent across the surveyed regions.

The sentiment is particularly strong in India and Mexico (95% of respondents each), China and Brazil  (93%), Japan and Spain (92%) and Australia (91%). There’s bad news for the more anti-US regulatory voices in the European Union as well since along with Spain, 90% of French respondents, 88% of Italian and even 85% of privacy-focused Germans all lean towards preferring to deal with global providers for local data protection.

Contradictions incoming

And yes, the study’s authors are ready to note the seeming contraction inherent here:

While it might initially appear paradoxical to see strong, equally weighted preferences for both data localization and global providers, the results are logical in today’s landscape. As data becomes an increasingly valuable asset, both companies and consumers expect—and demand—robust protective measures.

It might also, of course, reflect some frustration among enterprises about the complexity and cost of dealing with multiple regulatory regimes around the world. Based on figures from the Organization for Economic Co-operation and Development (OECD), there are currently around 100 (and counting) different data localization requirements across 40 countries. While there have been efforts made to smooth the path when it comes to making national systems interoperable and ease the flow of cross border data transfers, trying to achieve total harmony has been - and continues to look to be - fruitless.

But here’s another interesting seeming contradiction - while compliance with regulation is seen as a burden by enterprises, it’s also seen as an enabler of trust, and that’s a crucial driver in AI adoption as has been acknowledged by every vendor worth its salt. There is uniform agreement across the 12 countries polled for the Cisco study that privacy laws do have an overwhelmingly positive impact - 94% agreement vs three percent against in India, 88% vs one percent in China, 95% v one percent in Brazil and so on.

Even in the US, which notoriously has still failed after years of abortive effort to come with anything approaching Federal level data protection regime, reports 87% support for regulation against only three percent who think this would have a negative impact. That’s a higher level of belief than across France, Germany, Italy and Spain, each part of the European Union, originator of the General Data Protection Regulation (GDPR), arguably the most successful piece of globally-impactful data privacy legislation to date.

But on the ground...

So all of that sounds positive and upbeat when it comes to recogniziing the importance of data security, privacy and trust, no? Well, yes, but there’s an important caveat to come - how much of this theoretical positivity translates into actual practical knowledge and action? Here things get a bit stickier. It’s one thing to be able to say virtuously to a pollster that privacy regulations are a jolly good thing; it’s quite another to be able to demonstrate that you actually know what they are in practice.

That’s why we have India, which shown itself to be among the top three privacy champions in the rest of the study, suddenly falling down when respondents are asked if they are aware of their own country’s laws. Only 37% of Indians polled could make this claim. Still, that’s better than Australia, where the figure drops to 26%. Even supposedly privacy-centric Germany lets itself down here, with only 48% aware of the local rules. To put that in context, that’s the same as the US, just without the Big Tech corporate lobbying to stymie legislative progress! Only Chinese respondents can stake a claim to awareness levels (81%)  that match their enthusiasm for the basic principles - and given the nature of the regulatory regime in that country, many further questions are inevitably begged here…

But the broad message is simple - if you don’t know what your privacy laws are, can you really be trusted to protect your data? At a global level, among those not aware of their country’s regulations, some 56% on average admitted they wouldn’t be able to do so.

And so, back to AI

All of which brings us back to trust in general and trust around generative AI in particular. Nearly two-thirds  (63%) of total respondents to the Cisco study say they are familiar with gen AI, with nearly half (48%) believing they get “very significant” value from it, while a further 38% see “significant” benefit.

There is a, perhaps rather alarming, outlier here in the form of the risk gen AI might pose to an enterprise’s legal rights when it comes to copyright and intellectual property. Concern around this has actually fallen to 55% from last year’s figure of 69%. This despite the higher profile afforded to this topic over the past year and the onset of major legal actions by content providers against AI providers accused of raiding copyrighted material to train their models.

And there are yet more attitudinal contradictions on show. While 64% of all respondents say they are concerned that information could be leaked by gen AI with the public, a large number also report they are still inputting personal and non-public information into gen AI tools, including employee names/information (46%), non-public corporate information (42%) and customer data (31%). 

Who’s going to tell them?

My take

All of this comes to the obvious - and, yes, Cisco-friendly/expedient - conclusion that as generative AI becomes increasingly prevalent, there’s a need for enterprises to invest in strong AI governance frameworks and supporting technologies:

Deploy AI with governance and controls to respect privacy and manage unintended externalities. While there is unquestionable business value to be derived from AI, one must balance both opportunities and risks. Expect budgets and focus to shift toward AI, and make sure AI investments continue to support the underlying privacy and security foundations that are in place and require ongoing resources.

Yes, of course that’s the outcome that a security and infrastructure like Cisco would pitch, but that doesn’t negate the validity of the recommendation. Thinking otherwise sends you off to the side of the ‘show us the money - now!’ short-termists of Wall Street - and that’s really not the kind of company you want to be keeping right now.