Management, compliance & auditing

Data protection vs. data privacy: What’s the difference?

Ralph O'Brien
April 18, 2022 by
Ralph O'Brien

I was recently criticized on LinkedIn for humorously correcting the wonderful Jules Polonetsky of FPF when he talked of the 28th of January as "Data Privacy Day." It promoted a healthy debate on the use and contrast of the words "data protection" and "data privacy." You could argue for either and argue that none of the above are particularly good!

"Data protection" is an EU term, and the rest of the world seems content to use "data privacy." In this blog, we'll take a look at the genesis of each term, if you can use them synonymously, and why or if it matters at all.

Get your free course catalog

Get your free course catalog

Download the Infosec Skills course catalog to learn more about these courses — and hundreds more.

Privacy as a fundamental European right

Privacy and your human right to it were developed in countries with a fundamental rights approach to privacy by the Council of Europe, an international organization, earlier than the EU legislation we tend to look to now. In Europe, this was set up after the Second World War to ensure that citizens could hold national governments accountable in the European Court of Human Rights. Countries that have agreed to be bound are wide-ranging, with 47 members. Article 8 gives a fundamental right to "respect for private and family life, home and correspondence" from governments. 

When I think of data privacy as a European, I think of my right to protection from the state, of my private and family life (and that the more public you make yourself — at work or socially, the less you can expect a right to privacy.)

European data protection origins

Later the CoE created the 1981 CoE convention 108, "The Convention on the Protection of Individuals concerning Automatic Processing of Personal Data," i.e., data protection. It can be argued this law is not about how individuals' data is kept private, but how they need to be protected when organizations use it — often when individuals have no choice or power to intervene, such as with government agencies, where accountability becomes critical. Accordingly, our 1984 Act in the UK was named the Data Protection Act.

This is all before the EU legislated on data protection. In the EU, subsequent laws such as the Data Protection Directive of 95 and the Regulation of 2016 (GDPR) further developed the right of data protection as distinct from the right of privacy. The EU Charter of Fundamental Rights of the EU Citizen (CFREU), and its implanting treaty of Lisbon, firmly establish the fundamental rights of privacy in article 7 and data protection in article 8 as separate and distinct individual rights for an EU citizen.

Data privacy vs. protection

In terms of scope, privacy could be much wider, looking at things such as interference with your territorial privacy (trespassing on your property) or interference with your body (medical privacy laws, assault, harassment, etc.), rather than data protection law that focusses solely on organizations collection and use of your information and communications.

Most privacy/data protection laws are triggered when an organization processes personal data. This means that at the point of application, the individual's privacy has already been lost as the organization receives, and is potentially using, the data that relates to them. In EU data protection law, only the concept of legal basis and data security addresses whether an entity can have or use personal data. Beyond that, the vast majority of data protection law regards three things:

  • The powers of the regulator
  • The rights of the individual
  • The obligations of the organizations who hold the data

Areas such as transparency, accountability, data minimization, purpose limitation, accuracy, retention limitation, security safeguards, international transfers, DPIAs, DPOs and processor management have less to do with an individual's privacy (whether they can have it). It is more to do with how an organization has to manage the data they already have. Often an individual has little choice that organizations have their data (legal obligations, contractual reasons, public interest etc.). Instead, what becomes critical to an individual is how organizations process their data.

Get your free course catalog

Get your free course catalog

Download the Infosec Skills course catalog to learn more about these courses — and hundreds more.

Which term should you use?

Are there alternative words to use? I've heard "data safety" or "data usage" promoted as alternatives. There are strong arguments that this is psychologically a much better lens through which organizations can view the topic. 

The truth is that most people will neither know nor care about the difference between "data protection" and "data privacy," even though fundamental differences in the definitions can have a significant effect. 

As for me, I'll keep pointing out the differences and enjoying the debate and conversation that unfolds as a result.

Want to learn more about privacy? Check out my privacy courses on Infosec Skills.

Ralph O'Brien
Ralph O'Brien

Ralph is a trusted advisor on Global Privacy and Security compliance, practices and management. His experience includes strategic GDPR adoption programs, advisory services and assurance delivery in global multinational environments.

He has worked in a wide variety of industry sectors including Defense, Public Sector, Pharma and Financial Services, representing both multinational corporations and boutique specialist consultancies.

He continues to be a hands-on practitioner, combining business-level consultancy with training and technical experience. He was responsible for the first global joint 27001/25999 management system to be certified. With a focus on business processes and the protection of information, and an ethos of management assurance, risk management and knowledge transfer he continues to ensure effective protection of assets appropriate to the business needs of the client.