Happy Data Protection Day. Or is it Data Privacy Day?
This increasingly visible 28 Jan tradition has different names depending on whether you’re celebrating with North Americans or Europeans. Personally, as a card-carrying data protection professional trained primarily in EU/UK law, I think “Data Protection Day” is “better.”
But before I explain my Eurocentric preference, let’s take a brief look at the history of Data Protection Day and the difference between “data privacy” and “data protection.”
The Origins of Data Protection Day
Data Protection Day began in 2006. The Council of Europe launched the event to commemorate the opening for signatures of Convention 108 on 28 Jan 1981.
Convention 108 (the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data) is a hugely important and influential treaty that has been signed by 47 countries.
If you look at the language of many of the data protection laws developing globally, it’s easy to believe that legislatures have been heavily influenced by the EU General Data Protection Regulation (GDPR).
While this may be true, many of the concepts we associate with the GDPR—like “controller,” “processor,” and even the formal definition of “personal data” itself—have their roots in Convention 108.
The Council of Europe doesn’t provide any sort of budget for Data Protection Day, but it has become increasingly popular in recent years (mostly, admittedly, in data protection circles).
Regulators and other authorities around the world conduct awareness-raising campaigns as part of their regular operations, so having a Data Protection Day provides a date around which to plan these activities.
Data Privacy Day
In 2009, a US Democratic Representative introduced House Resolution 31, expressing support for the designation of 28 January 2009 as “National Data Privacy Day.”
The bill passed unanimously, with a vote of 402-0. The law required state and local governments to promote privacy awareness and to encourage individuals to protect their personal information online.
The bill’s sponsor, North Carolina Representative David Price, remains in office but has indicated that he’ll be retiring this year.
Perhaps ironically, Price voted against the 2013 “Amash–Conyers Amendment,” a bill that would have curtailed the ability of national security agencies to collect personal data under the controversial PATRIOT Act.
The amendment, its sponsors claimed, would have ended the “mass surveillance of Americans” by requiring stricter judicial oversight and prohibited the National Security Agency from collecting data unless it was “actually related to an authorized counter-terrorism investigation.”
Privacy Awareness Week in APAC
The Asia Pacific region designates a different date for promoting data protection awareness, with Privacy Awareness Week being established by the Asia Pacific Privacy Authorities group back in 2006.
Countries in the Asia Pacific region recognise Privacy Awareness Week in May. There have been efforts to unify calendars and promote data protection awareness on a single day worldwide, but these efforts have, so far, failed.
‘Data Protection Day’ or ‘Data Privacy Day’?
While Data Protection Day is celebrated on the same day on both sides of the Atlantic, there’s some disagreement over the correct nomenclature.
Should we be recognising “data protection” on 28 Jan, or “data privacy”?
People’s views differ as to the different meanings of these two terms, but here’s how I make the distinction as a (British) European:
- Data privacy is about the ability a person has to keep their data confidential, and the responsibility a controller has to prevent unauthorised or illegal access to the data in their control.
- Data protection encompasses a broad range of rights and responsibilities, such as facilitating rights of access, deletion and correction; ensuring the data is accurate and up-to-date; and enabling third-party access when lawful and appropriate.
The European Charter of Fundamental Rights (CFR) also distinguishes between privacy and data protection.
- Article 7 of the CFR is titled “Respect for private and family life,” and states that “everyone has the right to respect for his or her private and family life, home and communications.”
- Article 8 is titled “Protection of personal data,” and provides that:
  - Everyone has the right to the protection of personal data concerning him or her.
  - Personal data must be processed fairly, lawfully and transparently.
  - People have the right to access and rectify their personal data.
  - There must be an independent authority overseeing data protection compliance.
It’s also worth noting that the GDPR barely mentions “privacy,” which is dealt with via other laws concerning the monitoring and interception of communications and online activity (like the ePrivacy Directive).
Some US laws are beginning to refer to “data protection” over “privacy,” such as the Virginia Consumer Data Protection Act (VCDPA), which, among other duties, requires businesses to undertake data protection impact assessments inspired by the GDPR.
While everyone is entitled to their own language and preferences, I personally hope that North America will adopt the term “data protection” as US privacy law continues to develop.
Until then, a Happy Data Privacy Day to those on the west side of the Atlantic, and Happy Data Protection Day to my fellow data protection professionals in the UK and Europe.