This article will stick to the American usage — but remember that if you are operating globally, the terminology can get confusing.
Data privacy and data protection are very closely interconnected, so much so that users often think of them as synonymous. But the distinctions between data privacy vs. data protection are fundamental to understanding how one complements the other. Privacy concerns arise wherever personally identifiable information is collected, stored, or used.
The Distinction: Data Privacy versus Protection
In a nutshell, data protection is about securing data against unauthorized access. Data privacy is about authorized access — who has it and who defines it. Another way to look at it is this: data protection is essentially a technical issue, whereas data privacy is a legal one.
These distinctions matter because they're woven deeply into the overarching issues of privacy and cybersecurity, both of which loom large in businesses, politics and culture. For industries subject to compliance standards, there are crucial legal implications associated with privacy laws. And ensuring data protection may not adhere to every required compliance standard.
When Words Matter
Just to make things more complicated, according to the Storage Networking Industry Association (SNIA), the laws and regulations that cover "the management of personal information" are typically grouped under "privacy policy" in the United States and under "protection policy" in the EU and elsewhere.
The European Union's General Data Protection Regulation (GDPR), a supervisory authority that will go into effect May 25, 2018, requires businesses to protect the "personal data and privacy of EU citizens for transactions that occur within the EU." However, the GDPR's data protection law has a much different view of personal identification information than the US. GDPR compliance requires that companies use the same level of data protection for cookies as they do for stored personally identifiable information, such as social security numbers.
Data Privacy and Security: One Doesn't Ensure the Other
What's important to understand when comparing data privacy vs. data protection is that you can't ensure data privacy unless the personal data is protected by technology. If someone can steal personal data, its privacy is not guaranteed, which puts you at risk for identity theft and other personal security breaches. But the opposite relationship isn't always true: personal data can be protected while still not being reliably private.
How? When you swipe your credit card for a service provider, you're doing two things. First of all, you're trusting the service provider and payment system with your personal data protection — to make sure, among other things, shady cybercriminals and other third parties can't access your credit information without your consent. But you're also trusting them to honor your data privacy by not misusing the information even though you provided it to them.
The point is technology alone cannot ensure the privacy of personal data. Most privacy protection protocols are still vulnerable to authorized individuals who might access the data. The burden on these authorized individuals is, above all, about privacy law, not technology.
From Technology to Trust
Technology is still implicated in data privacy, precisely because the authorized users of technology have a responsibility to the privacy law. The code of ethics of the Open Web Application Security Project (OWASP) calls on security specialists to "maintain appropriate confidentiality of proprietary or otherwise sensitive information encountered in the course of professional activities."
In short, no number of technological safeguards can eliminate the central role of trust in ensuring data privacy.
All of this goes double for those involved in file transfers. Data passes through Web nodes as the equivalent of old-fashioned postcards. Any server that handles a packet can read the message (ultimately plain vanilla binary bits!) as well as the forwarding IP address. At some very basic level, there is no privacy and not much security for anything sent across the open Web.
Solving for Data Protection
The only mode of protection that personal data in transit (not in an armored car) can rely on is encryption, so that an unauthorized third party may see the data but not read or collect it. And many protection officers in the file transfer security community would tell you that it is a privacy security risk. It poses the privacy risk of a security breach that could put you in your personally identifiable data in danger of identity theft.
With end-to-end encryption, however, the only "authorized users" (you and the recipient) with known IP addresses can get through the privacy shield and gain access to the data. That's about as far as technology's services can provide you when it comes to data privacy vs. data protection. The rest is up to you.