What’s the difference between Privacy and Data Protection?

In Ireland, it’s increasingly common to see the term “privacy” being used interchangeably or as a substitute for “data protection”. This may be due to lack of awareness, the influence of U.S. terminology, or marketing preferences for a catchier term. Whatever the reason, it is important to understand the difference between the two terms in order to avoid confusion about legal obligations and rights.

Privacy is a broad term encompassing a number of rights, such as the right to be let alone and the right to respect for private and family life, home and communications. A useful description of privacy is from the UK’s Calcutt Committee report of 1990 as “the right of the individual to be protected against intrusion into his personal life or affairs, or those of his family, by direct physical means or by publication of information.” In Ireland, privacy rights derive mainly from the Constitution of Ireland (as an unenumerated personal right recognised by Article 40.3), Article 8 of the European Convention on Human Rights, and Article 7 of the EU Charter of Fundamental Rights.

Data Protection means the protection of individuals in relation to the collection, use or processing of personal data, i.e. information that relates to them as an identified or identifiable person. In Ireland, data protection is governed by the General Data Protection Regulation (GDPR) and the Data Protection Act 2018. Businesses and organisations have data protection obligations, including having a legal basis for collecting, using or processing personal data, compliance with data protection principles, and having technical and organisational measures in place to meet accountability requirements. Individuals have data protection rights, including information, access and erasure, as well as making a complaint to the Data Protection Commission or taking legal action where their rights have been infringed or they have suffered damage.

Where a breach of the GDPR is likely to cause risk or harm to an individual, one of the adverse impacts could of course also include a loss of privacy. However, the GDPR is not a privacy law. In fact, the word “privacy” does not appear anywhere in its articles or recitals.

It’s important to know the difference between privacy and data protection to avoid confusion and misunderstanding about legal obligations and rights. It is also essential for businesses and organisations to understand that they have data protection obligations, and individuals have data protection rights, in situations which often have nothing to do with privacy.