Data protection and data privacy are very closely interconnected, so much that users often think both are same or synonyms to each other. But the differences between data privacy and data protection are fundamental. Privacy concerns arise wherever personally identifiable information is collected, stored, or used.
Data privacy is about authorized access – who has it and who defines it whereas data protection is about securing data against unauthorized access. Another way to look at it is this: data protection is essentially a technical issue, whereas data privacy is a legal one.
The EU’s GDPR requires businesses to protect the “personal data and privacy of EU citizens for transactions that occur within the EU.” However, the GDPR’s data protection law has a much different view of personal identification information than the US. GDPR compliance requires that companies use the same level of data protection for cookies as they do for stored personally identifiable information, such as social security numbers.
You can’t ensure data privacy unless the personal data is protected by technology. If someone can steal personal data, its privacy is not guaranteed, which puts you at risk for identity theft and other personal security breaches. But the opposite relationship isn’t always true: personal data can be protected while still not being reliably private.
Like at the time of swiping credit card for a service provider, you’re doing two things. First of all, you are trusting the service provider and payment system with your personal data protection — to make sure, among other things, shady cybercriminals and other third parties can’t access your credit information without your consent. But you are also trusting them to honor your data privacy by not misusing the information even though you provided it to them.
The point is technology alone cannot ensure the privacy of personal data. Most privacy protection protocols are still vulnerable to authorized individuals who might access the data. The burden on these authorized individuals is, above all, about privacy law, not technology.
The only mode of protection that personal data in transit can rely on is encryption, so that an unauthorized third party may see the data but not able to read or collect it. And many protection officers in the file transfer security community would tell you that it is a privacy security risk. It poses the privacy risk of a security breach that could put you in your personally identifiable data in danger of identity theft.
With end-to-end encryption, however, the only “authorized users” (send and the recipient) with known IP addresses can get through the privacy shield and gain access to the data. That’s about as far as technology’s services can provide you when it comes to data privacy vs. data protection.
When we talk about end-to-end encryption, Signal Protocol, world’s most advanced encryption technology, comes into our mind. It is a non-federated cryptographic protocol that can be used to provide end-to-end encryption for voice calls, video calls, and instant messaging conversations.
The protocol was developed by Open Whisper Systems in 2013 and was first introduced in the open-source TextSecure
The protocol offers authentication, confidentiality, integrity, participant consistency, post-compromise security (aka future secrecy), destination validation, forward secrecy, message repudiation, participation repudiation, causality preservation, message unlinkability, and asynchronicity. It does not provide anonymity preservation and requires servers for the relaying of messages and storing of public key material.
Signal Private Messenger is open source, runs on Signal Protocol, offers users to exchange messages and make voice and video privately. Signal has support for read receipts and typing indicators, both of which can be disabled.