Skip to content
hannah-wei-84051
04 May 2016

Why privacy ≠ data protection (and how they overlap)

Much has been written about privacy and data protection, and the body of literature is constantly growing. Yet in many contemporary debates on, for example, surveillance, information monopolies and tracking behaviour on the web, the terms “privacy” and “data protection” are used interchangeably. Although there certainly is overlap, there are also differences between the rights. This contribution aims to make clear why privacy and data protection are not interchangable, by giving a simple overview of the difference between the two rights in Europe as understood by the European Court of Human Rights and the Court of Justice of the European Union.

To begin with, privacy is a fundamental right with a long history, whereas data protection first appeared in international principles and secondary legislation, and has only recently acquired fundamental rights status in the EU. And whereas privacy was originally meant to protect the individual against the state, principles and rights related to data protection have always been intended to also bind private parties.

Broadly speaking, privacy refers to a personal sphere, whereas data protection refers to control over or protection of personal information. The prime difference between privacy and data protection therefore lies in its subject matter. Privacy is broader than data protection because it not only concerns information; it can also be about for example physical spaces or certain choices people make. But at the same time privacy is narrower, because data protection applies irrespective of whether there is an interference with the personal sphere. For example, unwanted physical contact falls under privacy but not under data protection. Alternatively, when someone gives her adress to a hotel for billing purposes data protection rules apply, but it will generally not be a privacy matter.

Personal data can be covered by the right to privacy, but privacy does not cover personal data per se. To determine whether privacy is at stake, it is not solely the identifying character of the data that is decisive: the context in which the data are are collected or processed also matters. It is difficult to explain exactly where the boundary lies between instances in which personal data is within and beyond the scope of privacy. However, based on the case law of the European Court of Human Rights, circumstances that influence whether or not the right to privacy is triggered are amongst others how much data is processed, whether the data is systematically collected and stored, whether the individual has a reasonable expectation of privacy, how sensitive the data are and/or what impact the data can have on the private life of the individual. It is, however, a fallacy that public data can never fall under the right to privacy.

Data protection applies when personal data are processed, without any privacy requirement. Personal data is a broad concept that can cover, for example, names and addresses, but also search behaviour, location data or photographic material. Privacy functions amongst others as a shield against interferences with the personal sphere, while data protection’s nature is more enabling; it is more centered on channeling others’ behaviour and controlling the flow of personal information. Detailed rules and principles on data protection can be found in secondary EU legislation (e.g. the Data Protection Directive and the upcoming General Data Protection Regulation) and national laws.

Privacy and data protection each have situations in which they apply individually, but as explained above, they are not mutually exclusive. Often both apply at the same time: a situation can give rise to both privacy and data protection issues, like in the Google Spain case. Part of the explanation for why this is so often the case is that one of the purposes of data protection is the protection of privacy. When this function interfered with, both privacy and data protection apply. In addition the amount of digital data keeps growing, and the private life of individuals is increasingly taking place online. Consequently, situations that trigger privacy will more and more involve a data protection component. This is very visible in the case law of the Court of Justice of the European Union, where the two concepts keep coming closer together in the form of references to the “right to privacy with respect to personal data”. Still, privacy and data protection are not the same, and should not be used interchangeably.

This post represents the view of the author and does not necessarily represent the view of the institute itself. For more information about the topics of these articles and associated research projects, please contact info@hiig.de.

Manon Oostveen

Ehem. Fellow: Internet- und Medienregulierung
Du siehst eine Tastatur auf der eine Taste rot gefärbt ist und auf der „Control“ steht. Eine bildliche Metapher für die Regulierung von digitalen Plattformen im Internet und Data Governance. You see a keyboard on which one key is coloured red and says "Control". A figurative metaphor for the regulation of digital platforms on the internet and data governance.

Data governance

We develop robust data governance frameworks and models to provide practical solutions for good data governance policies.

Sign up for HIIG's Monthly Digest

and receive our latest blog articles.

Further articles

two Quechuas, sitting on green grass and looking at their smartphones, symbolising What are the indigenous perspectives of digitalisation? Quechuas in Peru show openness, challenges, and requirements to grow their digital economies

Exploring digitalisation: Indigenous perspectives from Puno, Peru

What are the indigenous perspectives of digitalisation? Quechuas in Peru show openness, challenges, and requirements to grow their digital economies.

eine mehrfarbige Baumlandschaft von oben, die eine bunte digitale Publikationslandschaft symbolisiert

Diamond OA: For a colourful digital publishing landscape

The blog post raises awareness of new financial pitfalls in the Open Access transformation and proposes a collaborative funding structure for Diamond OA in Germany.

a pile of crumpled up newspapers symbolising the spread of disinformation online

Disinformation: Are we really overestimating ourselves?

How aware are we of the effects and the reach of disinformation online and does the public discourse provide a balanced picture?