04 May 2016

Why privacy ≠ data protection (and how they overlap)

Much has been written about privacy and data protection, and the body of literature is constantly growing. Yet in many contemporary debates on, for example, surveillance, information monopolies and tracking behaviour on the web, the terms “privacy” and “data protection” are used interchangeably. Although there certainly is overlap, there are also differences between the rights. This contribution aims to make clear why privacy and data protection are not interchangeable, by giving a simple overview of the difference between the two rights in Europe as understood by the European Court of Human Rights and the Court of Justice of the European Union.

To begin with, privacy is a fundamental right with a long history, whereas data protection first appeared in international principles and secondary legislation, and has only recently acquired fundamental rights status in the EU. And whereas privacy was originally meant to protect the individual against the state, principles and rights related to data protection have always been intended to also bind private parties.

Broadly speaking, privacy refers to a personal sphere, whereas data protection refers to control over or protection of personal information. The prime difference between privacy and data protection therefore lies in their subject matter. Privacy is broader than data protection because it not only concerns information; it can also be about, for example, physical spaces or certain choices people make. But at the same time privacy is narrower, because data protection applies irrespective of whether there is an interference with the personal sphere. For example, unwanted physical contact falls under privacy but not under data protection. Alternatively, when someone gives her address to a hotel for billing purposes, data protection rules apply, but it will generally not be a privacy matter.

Personal data can be covered by the right to privacy, but privacy does not cover personal data per se. To determine whether privacy is at stake, it is not solely the identifying character of the data that is decisive: the context in which the data are collected or processed also matters. It is difficult to explain exactly where the boundary lies between instances in which personal data is within and beyond the scope of privacy. However, based on the case law of the European Court of Human Rights, circumstances that influence whether or not the right to privacy is triggered are, amongst others, how much data is processed, whether the data is systematically collected and stored, whether the individual has a reasonable expectation of privacy, how sensitive the data are and/or what impact the data can have on the private life of the individual. It is, however, a fallacy that public data can never fall under the right to privacy.

Data protection applies when personal data are processed, without any privacy requirement. Personal data is a broad concept that can cover, for example, names and addresses, but also search behaviour, location data or photographic material. Privacy functions amongst others as a shield against interferences with the personal sphere, while data protection’s nature is more enabling; it is more centered on channeling others’ behaviour and controlling the flow of personal information. Detailed rules and principles on data protection can be found in secondary EU legislation (e.g. the Data Protection Directive and the upcoming General Data Protection Regulation) and national laws.

Privacy and data protection each have situations in which they apply individually, but as explained above, they are not mutually exclusive. Often both apply at the same time: a situation can give rise to both privacy and data protection issues, like in the Google Spain case. Part of the explanation for why this is so often the case is that one of the purposes of data protection is the protection of privacy. When this function is interfered with, both privacy and data protection apply. In addition, the amount of digital data keeps growing, and the private life of individuals is increasingly taking place online. Consequently, situations that trigger privacy will more and more involve a data protection component. This is very visible in the case law of the Court of Justice of the European Union, where the two concepts keep coming closer together in the form of references to the “right to privacy with respect to personal data”. Still, privacy and data protection are not the same, and should not be used interchangeably.

This post represents the view of the author and does not necessarily represent the view of the institute itself. For more information about the topics of these articles and associated research projects, please contact info@hiig.de.

Manon Oostveen

Former Fellow: Internet and Media Regulation
