The Difference Between Privacy and Data Protection

The terms “Data Protection” and “Privacy” are often used together, and sometimes interchangeably, but it’s important to remember that they are two different things. This article provides definitions of both and describes some of the interesting current challenges in the areas of both data protection and privacy.

Data Protection

If you decide to give some personal information to an organisation, that organisation has a legal obligation to look after your data, and that responsibility is codified in data protection law.

First there is the relationship between you (the data subject) and the organisation that you provide your personal data to (the data controller). Under European legislation, when you provide your data to an organisation, you provide it for a particular purpose and the organisation must only use the data for that purpose. The organisation must also look after the security of your data and delete it when it is no longer required for the purpose you originally provided it for. There are other obligations too: for example, if you ask, an organisation must provide you with a copy of all of the information it holds about you. The point is that the obligations of an organisation that takes your personal data are described in the law.

It is also possible that an organisation may collect data about you that you do not directly provide. For example, an organisation might collect information about your usage of its services and associate that with your identity. You have exactly the same rights when it comes to information collected about you in this way.


Privacy

Privacy, and the right to privacy in particular, is legally defined in different ways in different jurisdictions, often with a substantial body of case law supporting it. Generally speaking, the right to privacy is defined as a way of preventing government interference in a person’s family life, home life and correspondence. Examples would include Article 8 of the European Convention on Human Rights or the Due Process Clause of the 14th Amendment to the US Constitution.

The meaning of the term “private life”, for example, is expanded upon in the case law of the European Court of Human Rights, where it has been determined that private life is a broad concept incapable of exhaustive definition (e.g. Niemietz v. Germany).

The right to privacy is not absolute, unlike, say, the right not to be a slave (Article 4 of the European Convention on Human Rights). As described in paragraph 2 of Article 8 of the European Convention on Human Rights, the right to privacy needs to be balanced, in accordance with the law, against the interests of democratic society in national security, public safety, the economic well-being of the country, the prevention of disorder or crime, the protection of health or morals and the protection of the rights and freedoms of others.


Data protection raises many very interesting practical questions, particularly in light of the new General Data Protection Regulation (GDPR). For example:

  • How can a data controller provide a subject’s information in a useful machine-readable format to meet the right to data portability if there is no such format available within a specific usage domain?
  • To what extent can a person restrict the processing of their information and still avail of a free online service?

The meaning of the right to privacy in the modern world also raises very significant legal and societal questions, but importantly these are not the same questions that are addressed by data protection legislation. For example:

  • If your right to privacy is protected by law in your own country, what about your information that is stored in another country? What right do you have to privacy from surveillance by a foreign government?
  • Where is the right balance between the individual right to privacy and other societal requirements such as the rights of victims of crime?
  • Considering, for example, the recent Cambridge Analytica scandal, what impact are online services having on democratic structures and processes?

There is also a category of questions that relate to the overlap between areas of privacy and data protection. These fall into two broad categories.

  • Firstly, the questions arising from exchange of personal data for free services online. For example:
    • To what extent are people willing to provide personal data to private companies in exchange for free services?
    • Should people who are receiving a free service in exchange for access to their personal data have an expectation of privacy that goes beyond what they are entitled to by data protection legislation?
    • Should there be limits on what can be done with personal data that is provided in exchange for free services? In other words, limits on the range of business models that can support free services online?
  • Secondly, questions that relate to law enforcement access to data held by private corporations. For example:
    • How can the rule of law be enforced online without effective mechanisms for collecting evidence online?
    • How can evidence effectively and efficiently be collected across multiple jurisdictions?
    • What obligations should be placed on corporations that hold data on foreign citizens to cooperate with law enforcement agencies in the countries in which those citizens reside, or third jurisdictions where foreign citizens may be under suspicion of committing crimes?
    • To what extent should corporations that hold data cooperate with interception or monitoring orders of foreign jurisdictions?
    • Is a more effective mechanism than Mutual Legal Assistance possible to address some of these issues?


The recent coming into force of the GDPR raises many interesting practical challenges for organisations that process personal data. However, the interactions between the individual right to privacy, online business models and the balance between privacy and other societal needs (such as law enforcement access to data) are much more fundamental and far-reaching.

Meaningful, level-headed conversations need to take place between stakeholders on all sides of the debate so that effective balances can be found.
