The word “privacy” is fast becoming a global term for laws and issues concerning personal data. There is a growing community of privacy professionals who hold privacy certifications, form part of an international privacy sector and talk about data privacy.
As a result, it is increasingly common to see “privacy” or “data privacy” being used in Europe to refer to data protection. We are also seeing Data Protection Day (28 January) being renamed internationally as Data Privacy Day, even though the date marks the anniversary of the Council of Europe’s Convention 108, a key milestone in the development of data protection.
But here’s the thing. Whatever about other parts of the world, in the European Union data protection and privacy are two separate laws with different functions. Using privacy as a catch-all or substitute for data protection is misleading and wrong. It is important to use these terms correctly in the European Union to avoid public and regulatory confusion about legal obligations and rights, and to avoid diluting what data protection really means.
Data Protection means the protection of individuals with regard to the collection, use and other processing of personal data. In this context, personal data is any information relating to an identified or identifiable individual, regardless of whether the information is private, professional, or even publicly available. The General Data Protection Regulation (GDPR) sets out obligations for parties processing personal data, including the legal bases for processing, data protection principles, and accountability measures. It also defines rights for individuals, including rights of access and erasure.
Privacy, on the other hand, means an individual’s right to maintain control over and be free from intrusion into their private life, family life, home and communications. The law derives from the European Convention on Human Rights, the EU Charter of Fundamental Rights, the ePrivacy Directive, as well as various national laws.
Of course, data protection and privacy are not completely unconnected issues in practice. Where the GDPR requires a risk-based approach, where processing of personal data infringes the GDPR, or where there has been a personal data breach, one of the possible risks to individuals is an invasion of privacy. However, the GDPR is not a privacy law and its scope is not limited to data that is private; rather, it sets out obligations for those who process people’s personal data (notably, lawfulness of processing and accountability), rights for individual data subjects, and powers for supervisory authorities and courts to monitor and enforce compliance.
As the reframing of “privacy” and “data privacy” to mean or include data protection is increasingly common in the European Union, it is important to reclaim the meaning of data protection and apply it correctly. This is not about semantics. In the European Union, data protection and privacy have specific legal meanings, and it is essential to use the terms in the correct way to avoid confusion and misunderstanding about legal obligations and rights.
And if you have a data protection problem, then you need a data protection professional – not a privacy professional – or at least someone who can tell the difference between the two.