The Difference between Data Privacy and Data Protection

  Jeroen Seynhaeve     2023-11-01

The terms data privacy and data protection are often used interchangeably. But while they share overlapping concepts, they are not identical. It is important to distinguish data privacy and data protection, because not all data that deserves protection is private, and not all private data deserves protection.

Before we look at why it is important to distinguish data privacy from data protection, let’s agree on some definitions. Privacy is a human right and a moral value. It aims to safeguard our respect for each and every person, by protecting certain aspects of human life against unwanted interference. “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation.” (Art 12 of the Universal Declaration of Human Rights). Which aspects of human life deserve protection, is subject to social convention, and therefore subject to change. In today’s Western societies, it is generally accepted that some aspects of life are objectively private, while other aspects may be considered private by the people these aspects relate to.

Privacy has traditionally been distinguished in four different categories. Physical privacy aims to protect our bodies and sensory experiences against unwanted intrusions and manipulations. Mental and decisional privacy protects the autonomy and freedom of what goes on in our minds. Informational privacy is a branch of privacy that aims to control information about aspects of human life that deserve protection. For example, if the right to privacy gives you the right to enjoy privacy in your own home, then your right to informational privacy gives you the right to control information that relates to your own home. Data privacy refers to people’s right to control the digital information about private aspects of their lives – i.e. the data that is processed by the plethora of digital devices and applications.

Data protection is a crucial aspect of data privacy. The very concept of data privacy would be futile if we did not have ways to protect our data. But this does not mean that privacy and protection are one and the same thing. Not all data that deserves protection is necessarily private, and not all private data deserves protection. But before we can understand the difference, we need to explain one more concept: personal data.

Personal data is data (or a combination of data) by which an individual person can be identified – like a name, or an ID number. This may seem easy to distinguish from data that cannot identify a person – like a shoe size – but it’s not that easy at all. In fact, it is often very difficult to determine whether or not a person can be identified by certain data. For example, it seems self-evident that a person cannot be identified from the collection of anonymous GPS data. However, this study claims to have shown that four anonymous spatio-temporal data points are enough to uniquely identify 95% of individuals. What’s more: we don’t know what future technologies will be able to do with data that we consider anonymous today.

The distinction between identifiable data and non-identifiable data is very important, because it draws the line for the scope of the right to data privacy. Identifiable data deserves protection, because the person it relates to deserves protection, while non-identifiable does not deserve protection because it does not relate to a identifiable person. Data protection, as it turns out, is not a right on its own, but rather a means to an end: practices and procedures to protect the right to data privacy. But data protection is not limited to personal data. Some data does not enable the identification of people, but still deserves protection – for example the code to unlock your house alarm, or the password to access your online banking platform.

We are now able to connect the various dots, and answer our initial question. The crucial difference between data privacy and data protection, lies in their justification. Our justification for data protection is motivated by our moral obligation to prevent harm: not protecting certain data may cause harm to the people the data relates to. Our justification for upholding the right to data privacy, on the other hand, is motivated by our moral obligation to value and respect each and every person, including each and every person’s right to control which information about them is shared with the rest of the world. As a result, we sometimes deem it necessary to protect data that cannot be related to an identifiable person, because the inappropriate use of that data may cause harm. On the other hand, people may have the right to keep certain (socially accepted) data private even though not doing so would not any cause harm. This explain why not all data that deserves protection is private, and not all private data deserves protection

Data protection aims to prevent harm, whereas data privacy aims to safeguard the moral value of respect for persons. Personal data may therefore be treated differently, depending on the moral obligation we aim to uphold: prevention of harm or safeguarding the human right of respect for each and every person. Some data deserves to be protected because not doing so may cause harm, whether or not that data is private. Some data deserves protection simply because it is deemed private by the person it relates to, and not doing so may violate the moral and human right to privacy and respect of persons.

"Certified expertise"