What’s the difference between Privacy and Data Protection?

In Ireland, it’s increasingly common to see the term “privacy” used interchangeably or as a substitute for “data protection”. This may be due to lack of awareness, the influence of U.S. focused organisations, or marketing preferences for a catchier term. Whatever the reason, it is important to know the legal difference between the terms in order to avoid confusion about rights and obligations.

Privacy is a broad term encompassing a number of rights, including the right to be let alone and the right to respect for private and family life, home and communications. A useful description of privacy is from the UK’s Calcutt Committee report of 1990 as “the right of the individual to be protected against intrusion into his personal life or affairs, or those of his family, by direct physical means or by publication of information.” In Ireland, privacy rights derive mainly from the Constitution of Ireland (as one of the unenumerated personal rights recognised by Article 40.3), Article 8 of the European Convention on Human Rights and Article 7 of the EU Charter of Fundamental Rights.

Data Protection means the protection of individuals in relation to the collection and use of their personal data. In Ireland, data protection is governed by Article 8 of the EU Charter of Fundamental Rights, the General Data Protection Regulation (GDPR) and the Data Protection Act 2018. Organisations have legal obligations in relation to processing of personal data and individuals have rights, including information, access, rectification, objection and erasure. Other rights include lodging a complaint with the Data Protection Commission and receiving compensation for damage suffered as a result of a data controller or processor not complying with their GDPR obligations.

While the GDPR should not be considered a privacy law (and the word “privacy” does not appear in its articles or recitals), data protection and privacy are sometimes related in practice because the same factual situation can engage with both legal concepts. For example, the risk of harm to an individual resulting from how their personal data is processed could also involve a breach of privacy depending on the circumstances.

However, we recommend keeping “privacy” and “data protection” distinguishable to avoid confusion and misunderstandings about legal rights and obligations. It is important for individuals to know they have data protection rights, and for organisations to know they have data protection obligations, in situations which often have nothing to do with privacy.