Distinctions that matter in data protection

Distinctions that matter in data protection
Photo by Tobias Tullius / Unsplash

It's a confusing world out there.

In the last decade the world - and particularly the world of business - has started having to take more account and consideration of the harms they could bring upon the people they interact with. Whether it be customers, employees, investors or just about anyone else that comes into contact with an organisation, the potential to cause harm through the misuse of information relating to those individuals has become evermore prominent in our news, and the relevant legal requirements increasing.

That's right, we're talking about Data Protection...? Data Privacy...? Information Privacy...? All of the above??

While the need to be mindful and safeguard against potential harms to individuals should not be considered a short-term fashion, unfortunately the commercialisation of marketable services related to a largely unknown topic has provided the same fad-like hype, confusion and dilution of core principles.

In that process one term has grown in popularity more than any other, while its meaning - or more correctly lack of meaning - should make any true expert in the field shudder.

Data Privacy.

Yes, you heard right.

Data Privacy as a term is nonsensical.

"But... but... we've done whole online learning packages about it at work...", I hear you say. Probably, I respond.

You most likely have been told about Data Protection. Or maybe about just Privacy. And then at some point, these two terms have become horribly mangled to create the abomination that is 'data privacy'.

Of course, you may assume that 'data protection' and 'privacy' are the same thing. And for many people, the following explanation of why they are not may seem like splitting hairs. Yet, it is that distinction and specificity that you want your so-called experts to be all over.

As in any job roles or specialisation in life, there are nuiances and key differences that - to those outside the specialisation - probably don't seem that important... yet to those inside the profession, they make the world of difference.

So why is Data Privacy a bogus term - despite its widespread popularity and use - and why should you run from any supposed expertise unironically using this term?

The key is really understanding what is meant by privacy. Since around 2016 many people have become more familiar with various data protection legislations - especially the General Data Protection Regulation - which, in effect, are a series of rules in how to handle data relating to an individual. Data protection is, when distilled to its most simple form, the legal protection of personal data.

In truth, such legislation focuses on the handling of data because it is easier to define and quantify than what the legislation is really intended to safeguard, which is the privacy of the individual.

There's that term again, privacy. The next step is to now put everything you know about data protection out of your mind. Take anything you remember about laws, international transfers, appropriate processing basis, consent, the right to be forgotten et cetera et cetera... put all that knowledge in a little imaginary box, put that box on an imaginary shelf.

Sooo... privacy.

What is it? What does it mean to you? What images does that term bring to mind?

For many people it will make them think of their home, or a specific room/place in their home. Usually a place where they feel safe. A location that feels private.

Others may think of particular incidents or news in their lives that they do not want others to know - or only want a limited number of people to know. To know that such knowledge is held by people you have chosen is the privacy.

In unfortunate circumstances, people may be more able to articulate situations when they feel that their privacy had been compromised. Burglaries, abusive relationships or further sharing of details initially shared in confidence are prime examples of when people would say that their privacy has been breached.

And those examples provide the two key distinctions that separate privacy and data protection:

  1. Privacy is not just about data. A burglary, the theft of personal items and the knowledge that someone uninvited/unknown has been somewhere you felt was safe, is an invasion of privacy regardless of what items or documents containing data were taken.
  2. Privacy has a direct relation/belongs to the person (or other living thing). A breach of privacy is a harm to the individual; however, the other difficulty is that what one person decides they want to keep private (or who they want to share it with) is different from any other person.

Those two points will likely start to make it clear why data protection focuses on only a very specific element of privacy - and one which is (for the most part) a lot easier to define, control and regulate than the absolute complexity and breadth that is the whole of privacy.

It would also be remiss to say that data protection legislation are the only laws focused on privacy - they most certainly are not. There are already reams of existing legislation that deal with aspects such as stalking, unlawful entry of private premises, slander. And while the privacy of the individual may not be the first thing that comes to mind when thinking about these other bits of legislation, such crimes often have long-lasting damage on an individual's sense of a privacy, and therefore an underlying intent of the legislation is the attempt to protect this.

Which brings us back to Data Privacy.

Now, last I checked, data - being an inert thing with no feelings, emotions or ability to develop a private life - has no sense of privacy. Data cannot say what it wants sharing with only particular, other close friends and family data, but not the wider data communities. Data cannot feel violated or vulnerable based upon the abuse actions of other data.

And for this reason, the idea of 'data privacy' is bogus and a great indicator of a misunderstanding of the term data protection and privacy.

Therefore, if your supposed expert on this topic calls themselves a Data Privacy Expert... run.

(P.s. And... no, Artificial Intelligence is not data. Discussions around privacy for artificial intelligence/artificial life (along with many other rights we have as humans) are very relevant and should definitely be championed more before we create an entirely inhumane (excuse the term) situation with any sentience we build... but that's still just privacy. Not data privacy)