Each year, on 28 January, Data Protection Day is celebrated globally. Back in April 2006, the Council of Europe decided to launch a Data Protection Day and it chose to commemorate the date when the Council of Europe’s data protection convention, known as Convention 108, was opened for signature.

Every 28 January, governments, parliaments, national data protection bodies and other actors carry out activities to raise awareness about the rights to personal data protection and privacy. These may include campaigns targeting the general public, educational projects for teachers and students, open doors at data protection agencies, and conferences.

On 26 January 2009, the United States House of Representatives declared 28 January as National Data Privacy Day. The objective of the day was the same as Data Protection Day – but why would the US call it something different? The answer to this question is key to understanding how different countries approach and interpret the safeguarding of personal data.

Tom-ay-to/tom-ah-to…

The terms ‘data protection’ and ‘data privacy’ are often used interchangeably, but the context underpinning them provides an important insight into the different approaches in the EU and the US towards protecting personal data.

A cursory web search of the terms ‘data privacy’ and ‘data protection’ results in a myriad of widely differing and misaligned definitions. In the context of globalisation and multinational data processing and data interactions, the issue of definitional ambiguity is increasingly confusing.

Perhaps it is five years of studying privacy for my PhD, but the interchangeable use of these terms has also come to irk me somewhat, as their meanings are quite different in the US and the EU. I felt a useful way to contribute to Data Protection Day would be to outline the difference in how the EU and the US interpret these similar terms and, by doing so, address much of the confusion around the ‘naming convention’ of 28 January. In the remainder of this article, I outline how each place interprets these terms.

Privacy (as a right)  

Privacy is a fundamental right. According to Privacy International, it is “essential to autonomy and the protection of human dignity, serving as the foundation upon which many other human rights are built. Privacy enables us to create barriers and manage boundaries to protect ourselves from unwarranted interference in our lives, which allows us to negotiate who we are and how we want to interact with the world around us. Privacy helps us establish boundaries to limit who has access to our bodies, places and things, as well as our communications and our information.”

The right to privacy is articulated in all of the major international and regional human rights instruments, including:

  • United Nations Declaration of Human Rights (UDHR) 1948, Article 12: “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.” 
  • International Covenant on Civil and Political Rights (ICCPR) 1966, Article 17: “1. No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour or reputation. 2. Everyone has the right to the protection of the law against such interference or attacks.” 

The right to privacy is also included in, but not limited to:

  • Article 14 of the United Nations Convention on Migrant Workers
  • Article 16 of the UN Convention on the Rights of the Child
  • Article 11 of the American Convention on Human Rights
  • Article 5 of the American Declaration of the Rights and Duties of Man
  • Article 21 of the ASEAN Human Rights Declaration
  • Article 8 of the European Convention on Human Rights.

Privacy (as it relates to personal data) 

An essential element of the right to privacy is the right to protection of personal data (personal data is a similar concept to the US’s personally identifiable information [PII], with a few nuanced differences such as cookies). The right to the protection of data from harm can be inferred from the general right to privacy, but some international and regional instruments also stipulate a more specific right to the protection of personal data, including:

  • The OECD’s Guidelines on the Protection of Privacy and Transborder Flows of Personal Data
  • The Council of Europe Convention 108 for the Protection of Individuals with Regard to the Automatic Processing of Personal Data
  • The General Data Protection Regulation 2018, and the European Union Charter of Fundamental Rights
  • The Asia-Pacific Economic Cooperation (APEC) Privacy Framework 2004
  • The Economic Community of West African States has a Supplementary Act on data protection from 2010.

In the EU, the right to privacy as it applies to personal data is typically referred to as ‘data protection’. Hence, the EU GDPR is the General Data Protection Regulation [my emphasis]. In the US, data protection refers to the processes and controls in place to protect data, including PII, along with corporate and system data. In the US, data privacy (sometimes called information privacy) refers to not only data protection in the US interpretation of the word, but also data security.

In the EU, however, data protection refers to the legally required controls and processes (both privacy and security) that apply to personal data only and includes a number of data subject rights over personal data. Hence, the US has the California Consumer Privacy Act and not the California Consumer Data Protection Act [my emphasis]. In fact, if the US ever creates harmonised federal legislation in this domain, it would most likely be referred to as the Federal Consumer Privacy Act.

Looking into the future, for a globalised and integrated digital world to operate effectively, we will need to have definitions of data protection and data privacy and to align the use of the terms across borders. I hope this article will provide a stepping stone for deeper research into the meaning of these terms in the context of both a cultural and legislative landscape.

This is the second blog in a series to mark this year’s Data Protection Day (as we call it in Europe). Our first post, by Cliona Perrick, looked at trends to expect from data protection developments during 2021. Be sure to check back on our blog in the weeks ahead for the final part of the series.

Valerie Lyons is Chief Operations Officer at BH Consulting.

About the Author: Valerie Lyons

About Dr. Valerie Lyons (PhD, MBs, BSc, CISSP, CDPSE): Dr. Lyons is the COO and Senior Consultant at BH Consulting. She is an accomplished Information Security and Data Protection Risk Leader with extensive senior-level experience in the financial services sector. Her experience spans compliance, corporate and ICT governance, data protection, information privacy, team management, and team leadership. Dr. Lyons also designs and delivers a suite of bespoke technical data protection training programmes and workshops covering a vast range of topics such as Data Protection, ISO 27001, and ISO 27701. She is a leading authority on privacy as a CSR and privacy as part of the ESG (environment, social, governance) agenda. She holds an award-winning PhD in Information Privacy from DCU, an MSc in Business Leadership from UCC, a BSc (Hons) in Information Systems from Trinity College and a number of postgraduate diplomas in Cloud Computing Strategy, Executive Coaching, and Leadership. She has also lectured for several years in DCU’s Business School and has presented her research at several information security and privacy conferences including ICIS, CPDP, ISACA and COSAC. Dr. Lyons was one of the first women in Ireland to become a Certified Information Systems Security Professional (CISSP) and is also a Certified Data Privacy Solutions Engineer (CDPSE). She is also a SheLeadsTech champion for ISACA, and a staunch advocate for women in cyber and privacy.
