Why privacy ≠ data protection (and how they overlap)

Much has been written about privacy and data protection, and the body of literature is constantly growing. Yet in many contemporary debates on, for example, surveillance, information monopolies and tracking behaviour on the web, the terms “privacy” and “data protection” are used interchangeably. Although there certainly is overlap, there are also differences between the rights. This contribution aims to make clear why privacy and data protection are not interchangable, by giving a simple overview of the difference between the two rights in Europe as understood by the European Court of Human Rights and the Court of Justice of the European Union.

To begin with, privacy is a fundamental right with a long history, whereas data protection first appeared in international principles and secondary legislation, and has only recently acquired fundamental rights status in the EU. And whereas privacy was originally meant to protect the individual against the state, principles and rights related to data protection have always been intended to also bind private parties.

Broadly speaking, privacy refers to a personal sphere, whereas data protection refers to control over or protection of personal information. The prime difference between privacy and data protection therefore lies in its subject matter. Privacy is broader than data protection because it not only concerns information; it can also be about for example physical spaces or certain choices people make. But at the same time privacy is narrower, because data protection applies irrespective of whether there is an interference with the personal sphere. For example, unwanted physical contact falls under privacy but not under data protection. Alternatively, when someone gives her adress to a hotel for billing purposes data protection rules apply, but it will generally not be a privacy matter.

Personal data can be covered by the right to privacy, but privacy does not cover personal data per se. To determine whether privacy is at stake, it is not solely the identifying character of the data that is decisive: the context in which the data are are collected or processed also matters. It is difficult to explain exactly where the boundary lies between instances in which personal data is within and beyond the scope of privacy. However, based on the case law of the European Court of Human Rights, circumstances that influence whether or not the right to privacy is triggered are amongst others how much data is processed, whether the data is systematically collected and stored, whether the individual has a reasonable expectation of privacy, how sensitive the data are and/or what impact the data can have on the private life of the individual. It is, however, a fallacy that public data can never fall under the right to privacy.

Data protection applies when personal data are processed, without any privacy requirement. Personal data is a broad concept that can cover, for example, names and addresses, but also search behaviour, location data or photographic material. Privacy functions amongst others as a shield against interferences with the personal sphere, while data protection’s nature is more enabling; it is more centered on channeling others’ behaviour and controlling the flow of personal information. Detailed rules and principles on data protection can be found in secondary EU legislation (e.g. the Data Protection Directive and the upcoming General Data Protection Regulation) and national laws.

Privacy and data protection each have situations in which they apply individually, but as explained above, they are not mutually exclusive. Often both apply at the same time: a situation can give rise to both privacy and data protection issues, like in the Google Spain case. Part of the explanation for why this is so often the case is that one of the purposes of data protection is the protection of privacy. When this function interfered with, both privacy and data protection apply. In addition the amount of digital data keeps growing, and the private life of individuals is increasingly taking place online. Consequently, situations that trigger privacy will more and more involve a data protection component. This is very visible in the case law of the Court of Justice of the European Union, where the two concepts keep coming closer together in the form of references to the “right to privacy with respect to personal data”. Still, privacy and data protection are not the same, and should not be used interchangeably.