As human beings living in society, we need boundaries in our life. We need to have limits to who has access to our bodies, places and things, as well as to our communications and other information about our lives. We need privacy in our everyday lives, the right ‘to be left alone‘, freedom from interference or intrusion in our lives.

On the other hand, a functioning society needs to have access to our private sphere, to information about us – our personal data – to be able to function properly.

-> To function properly, a doctor’s practice needs patient’s health data. Municipalities need information on their residents to provide them with services. Businesses need customer information to facilitate commerce. Researchers need participant’s data for scientific purposes.

There lies the fundamental tension that the laws on privacy and data protection try to address. A society that knows too little about its members cannot work efficiently, but a society that knows too much infringes on people’s fundamental rights, and stops being a free society.

-> All people in Europe enjoy a series of rights, freedoms and principles, listed in the Charter of fundamental rights of the European Union. Data protection laws like the GDPR ensure that individuals enjoy the protection of their personal data, as well as the respect for private and family life, as stated in Article 7 and 8 of the Charter, while respecting a balance with all the other rights listed in the Charter, like personal and academic freedom, right of education, freedom of expression and freedom to conduct a business.

The aim of the European data protection law, the GDPR, is to reach for a fair balance between ‘too little’ and ‘too much’ – between the need to process personal data, and the need to minimize the impact on our privacy. In other words, the GDPR implements our right to data protection – the right to have our personal data protected from abuse and unfair treatment.

The GDPR implements this fair balance by requiring that the use of personal data is limited to what is necessary and proportional. Whenever an entity (the ‘controller‘ in GDPR terms) needs to do something (the ‘processing‘) with someone’s data (the ‘data subject‘), this data use (which is an interference on the individual’s privacy) must be limited to what is necessary to reach the particular purpose, and must not cause a disproportional impact to their rights and freedoms.

To be clear, who is a controller or a data subject depends on the context of the processing activity. A researcher is a controller when processing the personal data of research participants, and a data subject when their personal data is being processed by their employer (who in turn becomes the controller in that context).

When is something really necessary and proportional? That is basically what the GDPR addressed through its 99 articles and 173 recitals, reflecting the complexity of this task. To facilitate the task of understanding GDPR requirements, the Geo Privacy Officer has developed the Privacy Scan – a tool to assess necessity and proportionality.

The Privacy Scan is a “living document” where the assessment of necessity and proportionality of a given activity is documented in 11 steps, covering the purpose (why personal data is needed), the processing (how is personal data used) and the transparency of an activity. All together, these steps evaluate, demonstrate and document that the processing of personal data is indeed necessary and proportional.

Read more about the Privacy Scan here.

Privacy, Security and Data Protection: similar but different concepts

Privacy, Security and Data Protection. These three concepts have similarities in their scope, and are often used interchangeable, but it is important to learn the difference between them.

Privacy this is “the right to be left alone“, a fundamental right as listed in Article 7 of the Charter of fundamental rights of the European Union (CFR). It is about the respect of our private and family life, home and communications. Privacy is essential to autonomy and the protection of human dignity, serving as the foundation upon which many other human rights are built. Privacy enables us to create barriers and manage boundaries to protect ourselves from unwarranted interference in our lives, which allows us to negotiate who we are and how we want to interact with the world around us, and helps us establish boundaries to limit who has access to our bodies, places and things, as well as our communications and our information – because the right of privacy also extends to our personal information.

Data security is about ensuring information is not unintentionally disclosed, damaged or lost – the ‘CIA’ concepts of data confidentiality, integrity and availability. Therefore, security can help in keeping personal data ‘private’, to ensure it is not unintentionally disclosed, damaged or lost.

Like the other rights listed in the CRF, the right of privacy is not absolute, it is ‘balanced’; which means that any intrusion in our private sphere needs to be justified. For example, having an individual under police surveillance is a large infringement on their privacy rights, so the police must have a very good reason to justify this intrusion.

As explained above, data protection is “the right to have our personal data used in a fair manner“, another fundamental right listed in Article 8 of the CFR. It is not about keeping personal data private, it is about ensuring that personal data is used properly because, as a ‘balanced’ right, the use of our personal data also needs to be justified – needs to be necessary & proportional. The GDPR is then a law that codifies what is indeed necessary and proportional.

It is important not to confuse data security with data protection. Data security is about ensuring data is kept ‘private’; that it is not unintentionally disclosed, damaged or lost, while data protection is about using data in a fair manner. Data security is absolutely necessary for data protection, we can’t have good data privacy without good data security. However, it is possible to implement good security and fail to implement good data protection. Chat data in WhatsApp is quite secure, as all chat communications are end-to-end encrypted; and yet the app has bad data protection, as reported by the EDPB in 2023.