Data protection vs. data privacy: What’s the difference?
I was recently criticized on LinkedIn for humorously correcting the wonderful Jules Polonetsky of FPF when he talked of the 28th of January as "Data Privacy Day." It promoted a healthy debate on the use and contrast of the words "data protection" and "data privacy." You could argue for either and argue that none of the above are particularly good!
"Data protection" is an EU term, and the rest of the world seems content to use "data privacy." In this blog, we'll take a look at the genesis of each term, if you can use them synonymously, and why or if it matters at all.
Privacy as a fundamental European right
Privacy and your human right to it were developed in countries with a fundamental rights approach to privacy by the Council of Europe, an international organization, earlier than the EU legislation we tend to look to now. In Europe, this was set up after the Second World War to ensure that citizens could hold national governments accountable in the European Court of Human Rights. Countries that have agreed to be bound are wide-ranging, with 47 members. Article 8 gives a fundamental right to "respect for private and family life, home and correspondence" from governments.
When I think of data privacy as a European, I think of my right to protection from the state, of my private and family life (and that the more public you make yourself — at work or socially, the less you can expect a right to privacy.)
European data protection origins
Later the CoE created the 1981 CoE convention 108, "The Convention on the Protection of Individuals concerning Automatic Processing of Personal Data," i.e., data protection. It can be argued this law is not about how individuals' data is kept private, but how they need to be protected when organizations use it — often when individuals have no choice or power to intervene, such as with government agencies, where accountability becomes critical. Accordingly, our 1984 Act in the UK was named the Data Protection Act.
This is all before the EU legislated on data protection. In the EU, subsequent laws such as the Data Protection Directive of 95 and the Regulation of 2016 (GDPR) further developed the right of data protection as distinct from the right of privacy. The EU Charter of Fundamental Rights of the EU Citizen (CFREU), and its implanting treaty of Lisbon, firmly establish the fundamental rights of privacy in article 7 and data protection in article 8 as separate and distinct individual rights for an EU citizen.
Data privacy vs. protection
In terms of scope, privacy could be much wider, looking at things such as interference with your territorial privacy (trespassing on your property) or interference with your body (medical privacy laws, assault, harassment, etc.), rather than data protection law that focusses solely on organizations collection and use of your information and communications.
Most privacy/data protection laws are triggered when an organization processes personal data. This means that at the point of application, the individual's privacy has already been lost as the organization receives, and is potentially using, the data that relates to them. In EU data protection law, only the concept of legal basis and data security addresses whether an entity can have or use personal data. Beyond that, the vast majority of data protection law regards three things:
- The powers of the regulator
- The rights of the individual
- The obligations of the organizations who hold the data
Areas such as transparency, accountability, data minimization, purpose limitation, accuracy, retention limitation, security safeguards, international transfers, DPIAs, DPOs and processor management have less to do with an individual's privacy (whether they can have it). It is more to do with how an organization has to manage the data they already have. Often an individual has little choice that organizations have their data (legal obligations, contractual reasons, public interest etc.). Instead, what becomes critical to an individual is how organizations process their data.
Which term should you use?
Are there alternative words to use? I've heard "data safety" or "data usage" promoted as alternatives. There are strong arguments that this is psychologically a much better lens through which organizations can view the topic.
The truth is that most people will neither know nor care about the difference between "data protection" and "data privacy," even though fundamental differences in the definitions can have a significant effect.
As for me, I'll keep pointing out the differences and enjoying the debate and conversation that unfolds as a result.
Want to learn more about privacy? Check out my privacy courses on Infosec Skills.