“The processing of personal data should be designed to serve mankind. The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality.”
~ EU General Data Protection Regulation, Recital 4.
Believe it or not, this is a direct quote from the GDPR. Unfortunately, we’ve seen privacy rights abused by over-processing. We’ve also seen privacy rights inappropriately and antagonistically asserted for ulterior motives. As we kick-off Data Privacy Week, culminating with Data Privacy Day on Friday, January 28, it’s important to remember that there is a need for proportionality and balance to ensure privacy respects the individual, while remaining a force for good.
At Cisco, we view privacy as a fundamental human right and drive our privacy program as a business imperative. We anchor on the principles of transparency, fairness, and accountability as the keys to ethical and responsible data processing. I’m excited to kick-off Cisco’s activities for Privacy Week and share a few thoughts on why privacy is so important – even mission critical in 2022 – to Cisco, our customers, and workforce.
But first, let me share a personal story of how individual privacy protection went to an extreme and rendered cutting edge, innovative technology for public health useless. I’m talking about contact tracing apps. It was amazing to watch how the industry came together to create a technical solution to rapidly enable COVID-19 exposure notification. Of course, privacy needs to be respected when dealing with health information and location data, but it seems that protection went too far and stripped away any meaningful, actionable information.
Four days after returning from a trip to New York, I received a ping on my phone that some time, somewhere during the past week, I was in close contact with someone who tested positive for COVID-19. The exposure must have been several days, possibly even a week or more, before I received the notification. Without time and location, the app does nothing to facilitate contact tracing. I don’t need to know who exposed me, of course, for privacy’s sake, but without time and place, the notification was useless.
People who want to contribute to the public good by notifying close contacts of exposure can’t meaningfully do so with these apps. Privacy enhancing technologies and controls – such as anonymization, opt-in consent to sharing time and location, and robust controls to prevent secondary use – could have been implemented to improve efficacy while protecting privacy. A balancing of interests is required to ensure public good can be served while also respecting the individual. Yet, tipping the scales too much in favor of one or the other leads to harm or wasted effort. Privacy, as even GDPR notes, is a fundamental right, not an absolute one.
Our 2022 Data Privacy Benchmark Study reaffirms that people are generally in favor of sharing their personal data so long as there is transparency about what’s going on and they have an appropriate level of control over their own data.
At Cisco, we conduct privacy impact assessments (PIAs) to understand the potential risks and impact personal data processing might have on our customers, users, and workforce. With our products and solutions, we use the information collected during the PIAs to create Privacy Data Sheets and Maps to publicly disclose our processing activities, including privacy and security controls. By publishing our practices, the public, including customers, users, advocacy groups, regulators, the media, and so forth, helps to keep us in check. It’s like a crowd-sourced audit and validation of the fairness of our processing. We welcome the feedback and use it to improve our solutions, disclosures, and user experience.
Respecting privacy is never a “one-and-done” exercise. Continuous vigilance is required to ensure our use of personal data is ethical and responsible. Since the landscape and risks are constantly evolving, being accountable requires governance and controls by design and applied at the onset, along with processes to course-correct if things change or inadvertently go awry. Given the potential risks that new technology presents, we have established a Human Rights Advisory Council and Responsible Artificial Intelligence framework governed by a cross-functional executive team to help us navigate these unchartered waters.
Privacy is not just relevant solely on Privacy Day or Week, but throughout the year and always. We’re focused on respecting privacy, serving the greater good, and safeguarding data to power an inclusive future for all.
Stay tuned here and at the Cisco Trust Center for some exciting information and assets coming throughout the week.
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels