Recently, there have been a lot of intense discussions on how human rights treaties might apply to extraterritorial mass-surveillance programmes. In the light of an increasingly prominent role that data privacy is gaining in the UN agenda in recent months, this article aims to make an original contribution to the international data privacy discourse by scrutinizing the different approaches to customary international law formation and applying these insights to ‘data’ privacy—as opposed to a general right to privacy—to examine whether it could be considered as a binding legal principle under international law. The article argues that different perspectives on customary international law and their respective methodologies of ‘deduction’ and ‘induction’ have different implications for the analysis of data privacy. Whereas under the so-called traditionalist perspective it could be doubted that data privacy has developed into a rule of customary international law, modernist approaches lead to different conclusions. The modern theories stipulate that a steady advancement of technologies in combination with a continued emphasis on international security and the unprecedented shock that international community is undergoing because of mass-surveillance revelations and spying activities of Western and potentially other governments, constitute the circumstances or period of fundamental change—the so-called ‘international constitutional moment’, paving the path for the swift development of a new rule of customary international law—the right to data privacy. Recognizing the ‘relativity’ of the different findings and conclusions, the article favours the modern approach and infers that data privacy has indeed crystallized into a norm of customary international law.