Data vs Privacy: Understanding The Difference

Data Privacy AH April 2019

Data. Privacy. Is there a difference?

Yes is the short answer, although the two are not always independent. With the number of reports now circulating about your data and your privacy, it is worth taking a moment to understand what each of these means and how they differ, so that you are best protected in cases where either, or both, are put at risk.

Definition is a problem

Even the definition can be a little confusing at times, and adding to that confusion is the fact that the definition of either of these words can vary from country to country. For example, in some countries, the fundamental difference between the two is described as “data privacy” and “data protection.”


While “data privacy” does in theory complicate an understanding of the difference between “data” and “privacy,” comparing it to “data protection” might actually help to better understand the difference. For instance, while data protection adequately refers to protecting your data, it does not automatically or always mean your privacy is protected.

That’s unless you are in Europe, where data protection and privacy protection are more interchangeable. This is another example of how geographical differences make it hard to settle on a globally understood definition.

For the sake of clarity here, we will briefly address the two as entirely different entities because, when all is said and done, they are entirely different entities.



You use data with your mobile plan and your home internet. In this sense, it is a very easy thing to understand, as you consume materials and the measurement of those materials is usually defined in data. This is different to the energy used (battery or power) to consume those same materials.

Data in the privacy (confusion intended) context is not that much different, although the emphasis on what counts as data is. Just like you consume x amount of GB when streaming a Netflix movie on your phone, companies have customers who consume some of their resources. And just like you might count how much data you’ve consumed over the past month to calculate any charges that might be coming your way, companies count their data in a similar way.

If it’s a video-streaming service for example, then that might mean the company counts how many times one particular title was watched, how many ‘thumbs up’ it received, or the overall numerical value (out of a total of five) the title received from customer reviews.


If on social media, this same data might mean the number of likes given or received, the number of shares, views, or whatever other metric or unique trait the service uses and counts.

Put simply, data is the numerical aspect of our online behaviors. This then can be collected and used. And yes, while your data is included in that collection (your likes, shares, views and so on), that’s not to say your privacy is, or has been.


In this explanation, which looks to more clearly separate the two for the purpose of understanding the difference, privacy means information that is directly related to you as an individual.


Yes, while your likes and shares are related to you in the sense they represent your behaviors and actions, on their own they can’t be attributed to, or used to identify you in the real world. If you gave Stranger Things a 4.3 out of 5 or a ‘thumbs up’ on Netflix, then you are probably only one of many who have given that exact title, that exact review number or a thumbs up. There’s nothing that ties the information to you, specifically.

The difference therefore is sometimes best understood in the intimacy of the data or information in question. After all, names, addresses, and personal information are still data in the grander scheme of things, but when talking in terms of instances that we now so often see in the media, the difference usually comes down to how far or how close that information is to you on a personal level. The further away it is, the more it becomes strictly data, and the less privacy plays a role.

Data breach vs privacy breach

The difference explained here will help you understand what has been put at risk the next time a high-profile breach takes place. Sometimes the media can make things worse by suggesting a privacy breach has happened when in fact it was a data breach, or vice versa. This is a common problem and one all sites likely suffer from at some point due to the intrinsic differences and similarities in definition. For example, here’s one of our articles that focuses on a data breach when in fact it was both a data and privacy breach.


Working on the basis of a clear distinction between the two, this is why you will often hear companies that have experienced a breach state something along the lines of “no personal information was shared.” This is due to them suffering a data breach only.

In these instances, data has leaked out or been stolen which might be related to information that’s been collected on user behaviors, but not information on users. On some occasions, that might even be highly sensitive information such as medical or financial data. However, again, if there’s nothing that can be used to attribute that leaked data, even if it’s medical or financial, to you as a user, then it remains only a data breach.

The use of “only” is not meant to signify that it’s not still a problem, or that you should take the breach any less seriously, or not hold the company/service to account as much, as you should. It just means that information that can be related to you on a personal level has not been shared, lost or stolen. Only your numerical values.


Therefore, for most people a privacy breach is usually going to be more of a concern, as this will most likely include information that is directly relevant to you on an intimate level. Whether it be your name, bank account information (different to data), medical information (different to data), or social security details, these are examples of information that can be used to identify you in some way, compared to data alone, which only highlights what someone did or did not do.

Does knowing this help me to be better protected?

Yes and no.

Yes, in the sense that knowing what you are risking should at least help in protecting yourself from certain, and more intimate, breaches. But no in the sense that, as already explained, these definitions are not always as separate as they should be, and this is made worse by companies not explicitly defining what they mean by your data and your privacy.


What it should definitely do, however, is raise your awareness so that you do not take everything a company says it does on your behalf at face value. If, for example, a company says “we value your privacy,” that does not automatically mean they also value your data.

They certainly might place a value on your data, and chances are the more of a value the company places on your data, the more likely they don’t really abide by a “we value your data” sentiment.

To explain, data is valuable and most people now understand it is a commodity to be traded and sold to the highest bidder. Companies who value your privacy, but not your data, might be more inclined to not only collect that data but also sell it on to advertisers.

From their perspective, as long as they are not sharing information that connects that data to an individual, they are not doing anything wrong. They are, in fact, respecting and valuing your privacy as they said they do.

This is where the world has become murkier lately, and while the actions of a company might not be so noble, they are usually legal. There have already been plenty of examples of this happening in recent times, when consumers thought they were protected by a company only to find out the company had been sharing user data. Again, this means sharing anonymous data which, although it is the user’s data, is not directly attributed to the user. For many companies, without a name attached to that data, it is no longer the property of those users.

This is why it is important to understand the difference, even if that understanding doesn’t help with companies who collect data or personal information. Knowing that protection from one does not automatically protect you from the other puts you in the driver’s seat when making certain decisions. If a company is honest enough, it will state that it won’t share your personal information, but might share your data. If it only says it won’t share your personal information (that it values your privacy), then it still might mean they are collecting data on you.

The wider industry still has a lot of work to do

In an ideal world, the distinction between the two would be a lot clearer, and various governments and agencies are trying to do just that, as well as introducing stricter punishments to ensure more companies are held accountable. However, with personal information also a form of data, and with many differing viewpoints on what constitutes yours and theirs once you sign up to a service and agree to the T&Cs, it remains unclear how long full clarity on the topic will take.

That’s without even taking into consideration the linguistic and language differences of the words data and privacy. Or, for that matter, the legal differences. For example, the protection of data is something that usually implies the fencing off of data from unauthorized viewing or usage: the security of data. In this instance, “unauthorized” is what the legality of an action will likely hinge on. If a company authorizes someone else to look at your data or your personal data (another linguistic difference), then that technically would not be a data breach.

You might consider it to be one, given that your data has been shared with a party that was not authorized by you, but in terms of a breach, the company openly and actively provided access. Again, this is something that might have been disclosed in the T&Cs, and by signing up, permission from you is understood. Even in cases where the access was not admitted when signing up, it might not be an illegal activity. A breach of trust, probably, but not necessarily a data or privacy breach.

Once again, this might heavily depend on where you (or the company) are located, or even the time at which it occurred.