Data protection vs. data privacy: What’s the difference?
I was recently criticized on LinkedIn for humorously correcting the wonderful Jules Polonetsky of FPF when he talked of the 28th of January as "Data Privacy Day." It promoted a healthy debate on the use and contrast of the words "data protection" and "data privacy." You could argue for either and argue that none of the above are particularly good!
"Data protection" is an EU term, and the rest of the world seems content to use "data privacy." In this blog, we'll take a look at the genesis of each term, if you can use them synonymously, and why or if it matters at all.
Get your free course catalog
Privacy as a fundamental European right
Privacy and your human right to it were developed in countries with a fundamental rights approach to privacy by the Council of Europe, an international organization, earlier than the EU legislation we tend to look to now. In Europe, this was set up after the Second World War to ensure that citizens could hold national governments accountable in the European Court of Human Rights. Countries that have agreed to be bound are wide-ranging, with 47 members. Article 8 gives a fundamental right to "respect for private and family life, home and correspondence" from governments.
When I think of data privacy as a European, I think of my right to protection from the state, of my private and family life (and that the more public you make yourself — at work or socially, the less you can expect a right to privacy.)
European data protection origins
Later the CoE created the 1981 CoE convention 108, "The Convention on the Protection of Individuals concerning Automatic Processing of Personal Data," i.e., data protection. It can be argued this law is not about how individuals' data is kept private, but how they need to be protected when organizations use it — often when individuals have no choice or power to intervene, such as with government agencies, where accountability becomes critical. Accordingly, our 1984 Act in the UK was named the Data Protection Act.
This is all before the EU legislated on data protection. In the EU, subsequent laws such as the Data Protection Directive of 95 and the Regulation of 2016 (GDPR) further developed the right of data protection as distinct from the right of privacy. The EU Charter of Fundamental Rights of the EU Citizen (CFREU), and its implanting treaty of Lisbon, firmly establish the fundamental rights of privacy in article 7 and data protection in article 8 as separate and distinct individual rights for an EU citizen.
Data privacy vs. protection
In terms of scope, privacy could be much wider, looking at things such as interference with your territorial privacy (trespassing on your property) or interference with your body (medical privacy laws, assault, harassment, etc.), rather than data protection law that focusses solely on organizations collection and use of your information and communications.
Most privacy/data protection laws are triggered when an organization processes personal data. This means that at the point of application, the individual's privacy has already been lost as the organization receives, and is potentially using, the data that relates to them. In EU data protection law, only the concept of legal basis and data security addresses whether an entity can have or use personal data. Beyond that, the vast majority of data protection law regards three things:
- The powers of the regulator
- The rights of the individual
- The obligations of the organizations who hold the data
Areas such as transparency, accountability, data minimization, purpose limitation, accuracy, retention limitation, security safeguards, international transfers, DPIAs, DPOs and processor management have less to do with an individual's privacy (whether they can have it). It is more to do with how an organization has to manage the data they already have. Often an individual has little choice that organizations have their data (legal obligations, contractual reasons, public interest etc.). Instead, what becomes critical to an individual is how organizations process their data.
Get your free course catalog
Which term should you use?
Are there alternative words to use? I've heard "data safety" or "data usage" promoted as alternatives. There are strong arguments that this is psychologically a much better lens through which organizations can view the topic.
The truth is that most people will neither know nor care about the difference between "data protection" and "data privacy," even though fundamental differences in the definitions can have a significant effect.
As for me, I'll keep pointing out the differences and enjoying the debate and conversation that unfolds as a result.
Want to learn more about privacy? Check out my privacy courses on Infosec Skills.
- Expert instruction
- Hands-on labs
- Unlimited access
In this Series
- Data protection vs. data privacy: What’s the difference?
- Is AI cybersecurity in your policies?
- The top security architect interview questions you need to know
- Federal privacy and cybersecurity enforcement — an overview
- U.S. privacy and cybersecurity laws — an overview
- Common misperceptions about PCI DSS: Let’s dispel a few myths
- How PCI DSS acts as an (informal) insurance policy
- Keeping your team fresh: How to prevent employee burnout
- How foundations of U.S. law apply to information security
- Data protection Pandora's Box: Get privacy right the first time, or else
- Privacy dos and don'ts: Privacy policies and the right to transparency
- Starr McFarland talks privacy: 5 things to know about the new, online IAPP CIPT learning path
- NIST 800-171: 6 things you need to know about this new learning path
- Working as a data privacy consultant: Cleaning up other people’s mess
- 6 ways that U.S. and EU data privacy laws differ
- Navigating local data privacy standards in a global world
- Building your FedRAMP certification and compliance team
- SOC 3 compliance: Everything your organization needs to know
- SOC 2 compliance: Everything your organization needs to know
- SOC 1 compliance: Everything your organization needs to know
- Overview: Understanding SOC compliance: SOC 1 vs. SOC 2 vs. SOC 3
- How to comply with FCPA regulation – 5 Tips
- ISO 27001 framework: What it is and how to comply
- Why data classification is important for security
- Threat Modeling 101: Getting started with application security threat modeling [2021 update]
- VLAN network segmentation and security- chapter five [updated 2021]
- CCPA vs CalOPPA: Which one applies to you and how to ensure data security compliance
- IT auditing and controls – planning the IT audit [updated 2021]
- Finding security defects early in the SDLC with STRIDE threat modeling [updated 2021]
- Cyber threat analysis [updated 2021]
- Rapid threat model prototyping: Introduction and overview
- Commercial off-the-shelf IoT system solutions: A risk assessment
- A school district's guide for Education Law §2-d compliance
- IT auditing and controls: A look at application controls [updated 2021]
- 6 key elements of a threat model
- Top threat modeling frameworks: STRIDE, OWASP Top 10, MITRE ATT&CK framework and more
- Average IT manager salary in 2021
- Security vs. usability: Pros and cons of risk-based authentication
- Threat modeling: Technical walkthrough and tutorial
- Comparing endpoint security: EPP vs. EDR vs. XDR
- Role and purpose of threat modeling in software development
- 5 changes the CPRA makes to the CCPA that you need to know
- 6 benefits of cyber threat modeling
- What is threat modeling?
- First Safe Harbor, then Privacy Shield: What EU-US data-sharing agreement is next?
- How to make cybersecurity budget cuts without sacrificing security
- How to mitigate security risk in international business environments
- Security theatrics or strategy? Optimizing security budget efficiency and effectiveness
- NY SHIELD Act: Security awareness and training requirements for New York businesses
- Time to update your cybersecurity policy?
- Ultimate guide to international data protection and privacy laws
Management, compliance & auditing
Management, compliance & auditing
The top security architect interview questions you need to know
Management, compliance & auditing
Management, compliance & auditing