Protection of privacy and personal data and security of network and information systems

The protection of privacy and the protection of personal data are closely related, but these concepts correspond to distinct rights. The right to privacy, or the right to respect for private life, emerged as a human right first, relating to situations where a private interest of an individual has been compromised. This right consists of a general prohibition on interfering with one’s private life unless there is a justification for doing so. Privacy is interpreted broadly and can relate to multiple aspects that touch on the personal sphere of individuals, such as intimate situations, sensitive or confidential information, information that could prejudice the perception of the public against an individual, and even aspects of one’s professional life and public behaviour.

The right to privacy evolved well before the development of computers and the internet and the rise of the information society. During this development, a new and modern concept of privacy emerged, namely the right to personal data protection. In the EU legal order, data protection is recognised as a fundamental right, separate from the fundamental right to respect for private life. The protection of personal data entails that safeguards must exist to protect individuals when their personal data is processed. Any operation involving the processing of personal data could fall under the scope of data protection rules and trigger the right to personal data protection. For example, where an employer records information relating to the names of and remuneration paid to employees, the mere recording of this information cannot be regarded as an interference with private life. Such an interference could, however, trigger the right to personal data protection.

The security of network and information systems relates to cybersecurity. Cybersecurity is the application of technologies, processes and controls to protect systems, networks, programs, devices and data from cyber-attacks. Unlike the right to privacy or the right to data protection, cybersecurity relates not only to a private individual. European Union legislation exists which aims to improve cybersecurity at the national level on the one hand, and to increase the level of cooperation within the EU on the other. In addition, for entities providing essential services across many sectors, it introduces security requirements, a requirement to manage risks, and a requirement to provide notification of security incidents, including those that do not compromise personal data.