What is meant by “privacy” and “data protection”?

There literally are thousands of definitions for the term “privacy”. Broadly speaking, privacy is the right to be let alone, or freedom from interference or intrusion, where information privacy is the right to have some control over how our personal information is collected and used. In Europe, both privacy and data protection (which is what information privacy is called in European Law) are fundamental rights.

Privacy is essential to autonomy and the protection of human dignity, serving as the foundation upon which many other human rights are built. Privacy enables us to create barriers and manage boundaries to protect ourselves from unwarranted interference in our lives, which allows us to negotiate who we are and how we want to interact with the world around us. Privacy helps us establish boundaries to limit who has access to our bodies, places and things, as well as our communications and our information.

The rules that protect privacy give us the ability to assert our rights in the face of significant power imbalances. As a result, privacy is an essential way we seek to protect ourselves and society against arbitrary and unjustified use of power, by reducing what can be known about us and done to us, while protecting us from others who may wish to exert control.

The European charter of fundamental rights contains separate rights to privacy and to data protection. “Privacy” often means the individual’s interest in his or her data to be treated in a fair manner, while the term “data protection” means the rules and processes used to achieve that objective. That is why the GDPR is a “data protection” regulation, and not a “privacy” regulation.

Nevertheless, keep in mind that the terms “data protection” and “privacy” are often used interchangeably, even if strictly speaking, they refer to different things. For the sake of simplicity, we will often refer to data protection as ‘privacy’.

Privacy vs. Security – it is not the same thing

Privacy is often confused with security – they are related, but are definitely not the same. Security serves the interest of the entity using the data (the controllers), whereas privacy serves the interest of the individual behind the data (the data subjects). Security protects against unexpected events (loss of confidentiality, integrity and availability of both personal and non-personal data), whereas privacy protects against both unexpected and expected events, when these have an impact on data subjects (failure to provide appropriate information, to limit processing to specific purposes, a lack of lawful basis for the processing, failure to respond to data access requests from individuals, etc.).

Security is absolutely necessary to implement data protection by design and by default. However, a process that only implements security (integrity and confidentiality) without implementing other data protection principles (lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation and accountability), will not have sufficient privacy – and it won’t be compliant with the GDPR.

Why do we need data protection laws?

Data protection laws and regulations are meant to harmonize competing interests. On one hand, a functional society needs to know their members’ identity before it can interact with them – society needs data about their members to function properly, full anonymity is incompatible with social interaction. On the other hand, individuals need to have control over the amount of information about themselves that is shared with others and society, to be able to impose limits that suits them personally. Unlimited sharing of information interferes with the autonomy and human dignity of individuals, piercing their personal sphere in which they can freely develop their personalities, think and shape their opinion.  

These competing interests can be found in the EU Charter of Fundamental Rights. The interest of individuals to have their personal data protected is stated in Article 8 (Protection of personal data) whereas the interest of researchers to conduct research is stated in Article 13 (Freedom of the arts and sciences), and the interest of the media and businesses is stated in Art. 11 (Freedom of expression and information) and Art. 16 (Freedom to conduct a business). 

As stated in Recital 4, the General Data Protection Regulation (GDPR) ensure that a fair balance is maintained between these competing interests, so that individuals are protected whenever their personal data are processed. It does so through the application of data processing principles, which can be seen as a system of checks and balances that ensures this fair balance is maintained.  

In short, data protection laws ensures that personal data processing respects our fundamental rights. 

What do we need to do to comply with the GDPR?

At its core, the GDPR requires controllers (the people who decide why and how personal data is processed) to effectively implement the data protection principles through the adoption of appropriate measures and necessary safeguards throughout the whole processing lifecycle – from the moment the project is being designed, until data is deleted or fully anonymized. In other words, controllers must implement Data Protection by Design and by Default into their processing activities and must document their compliance efforts. At the Geosciences faculty, the Privacy Scan is the tool that ensures and demonstrate compliance with the GDPR.