I hear it every day. People, even privacy professionals, use the phrase “data privacy.”
There’s a serious problem with this phrase no matter how you interpret it. Reading it one way, one might think it was referring to data’s privacy (pardon my improper use of the apostrophe here, but I use it to make a point). Of course, data has no privacy. It couldn’t care less whether it is revealed or kept confidential. It’s just data and it’s not shy at all.
Another interpretation is that the phrase speaks to the act of keeping data confidential. Again, this is a common but inadequate way of looking at what privacy is about.
The problem with the phrase is that when we speak of “data privacy” the conversation inevitably leads to discussions about security controls: safeguards for protecting the confidentiality and integrity of the data. We talk about encryption, access privileges, and (if we’re on our game) how to properly dispose of information when it’s no longer required.
Certainly one cannot have good privacy without good security, but talking about privacy exclusively in terms of security controls ignores the privacy controls that are so critical to good privacy, things like individual choice and notice. Why? Because it completely ignores what privacy is REALLY all about: protecting the freedom of the individual to make decisions without unwanted influence.
Privacy is not and will never be about data except that data can be used as a tool to damage privacy. We should always seek to describe privacy in terms of how it affects the individual.
I’m willing to make one exception to this rule. When we want to describe various aspects of what affects our privacy, adding a modifier to privacy makes sense. For example, if I use the term “energy privacy” you know I am speaking about the privacy risks associated with one’s energy usage data and not one’s personally identifiable information. It’s a good shortcut to start a conversation quickly.
But perhaps we can agree to be more purposeful around how we use these terms and recognize that they are not synonymous with the privacy of the individual?