Bashing the European Union’s General Data Protection Regulation (GDPR) seems to have become one of American activists’ favourite hobbies in the tech field. Some criticism is entirely justified. But many claims that the GDPR is “counterproductive” or “misses the point” are based on misconceptions, rather than an accurate understanding of European data protection laws.

As a result, several US privacy advocates have therefore suggested alternative principles or rules… many of which, actually, have been part of EU data protection law since 1995.

So, as promised, here is:

The GDPR as accidentally explained by people in the US who criticize the GDPR for its pitfalls, while calling for what’s actually in the GDPR

If you have other examples to illustrate this, let me know so I can add them to this post. I may update this post from time to time, so subscribe to the feed to get notified!

A short note: My intention with this post is to help you, my reader from the US or elsewhere, understand better what’s actually in the GDPR. I have great respect for many of the people mentioned below (some of whom I consider or have considered personal heroes). I hope they are fine with a bit of teasing ;-)

1. The problem starts not with “data use” but with “data collection”

Edward Snowden and Tim Wu (November 2019)

Snowden also directed some criticism at data privacy authorities that have tried to step up regulation on companies over how they handle user data. He said the EU’s General Data Protection Regulation […] “misplaces the problem.”

“The problem isn’t data protection, the problem is data collection,” Snowden said. Source

Edward Snowden said this at the Web Summit: “I think GDPR is not the solution, but the problem is with data collection not data use. It gives a false sensation of reassurance.” What are your thoughts on this?

[Tim Wu:] I think he has a point…that’s what my criticism of GDPR is. It doesn’t actually stop anyone from doing anything. Collect all you want…and I think that’s where the problem starts. I think he’s onto something. Source

Edward Snowden and Tim Wu argue that regulations on data use are not sufficient to protect people. For them, a good regulation should start with data collection.

That is why, since 19951, EU data protection law regulates not only data use, but also the collection of personal data.

More specifically, the GDPR covers the processing of personal data. Processing is defined in the GDPR as “any operation” performed on personal data. Article 4(2) of the GDPR includes data “collection” explicitly.

Article 5(1) sets the principle of “data minimisation”, and also provides that personal data must be “collected for specified, explicit and legitimate purposes.”

If personal data is collected in breach of these rules, the company responsible for the infringement may be fined up to 4 % of their global annual turnover (or EUR 20,000,000 if higher). Authorities may also order the company to destroy the data collected in breach – regardless of whether the data was ever used or not.

Richard Stallman (April 2018 or December 2019)

There are so many ways to use data to hurt people that the only safe database is the one that was never collected. Thus, instead of the EU’s approach (in the GDPR) of mainly regulating how personal data may be used, I propose a law to stop systems from collecting personal data.

The robust way to do that, the way that can’t be set aside at the whim of a government, is to require systems to be built so as not to collect data about persons. The basic principle is that a system must be designed not to collect certain data, if its basic function can be carried out without that data. Improving efficiency must explicitly not count as a justification for collecting more data. Source

Richard Stallman argues that laws must prohibit data collection if it is not necessary or not justified, and that systems must be designed not to collect certain data.

That is why, since 1995, EU data protection law regulates not only data use, but also the collection of personal data (see above).

Moreover, since 2018, the GDPR has extended the set of rules with the principles of data protection “by design” and “by default”.

Article 25 provides, specifically, that systems must be designed to implement data minimisation effectively. In addition, technical and organisational measures must by default ensure that “only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected […].

One last bit: Richard Stallman argues that “improving efficiency” of a system must not be a justification for collecting personal data.

Article 5(1) already provides that personal data must be “collected for specified, explicit and legitimate purposes.” Therefore, it seems that Richard Stallman’s interpretation of this principle means that “improving efficiency” may never be considered legitimate. Do you agree?

Maciej Cegłowski (April 2020)

The European approach to privacy legislation has been to add layers of complexity, based on a kabuki dance of individual consent, where all that is needed are some strong legal limits on what data can be collected and how long it can be stored. Source

Maciej argues that basing privacy legislation on individual consent is not the right approach and, instead, regulations should provide strong legal limits on data collection and data retention.

  • That is why, since 1995, individual consent is only one among six legal bases that allow lawful collection of personal data. Article 6 of the GDPR requires at least one of six legal bases to be applicable. In many circumstances, “consent” is not considered as an adequate basis (e.g. in employee-employer relationships).

    Even where consent may be considered adequate, it must fulfil strong conditions: to be a “freely given, specific, informed and unambiguous indication” of agreement expressed “by a statement or by a clear affirmative action.” (Article 4(11))

    If you thought that it’s sufficient to obtain consent to anything by checking a box to read and agree to the terms of service, or that merely browsing a website meant accepting cookies — you’ve been misled by the kabuki dance of people who wished the GDPR was centered around weak individual consent. In spite of GDPR strengthening conditions for consent, the online ad and tracking industry is still trying with their complex cookie banners and settings!

    And, where sensitive data is concerned:

    • collection is prohibited as a general rule,
    • unless explicit consent has been obtained and no EU or national laws rule out consent2, or
    • unless one of the nine other exemptions listed in Article 9(2) applies (many of which require a EU or national law).
  • Additionally, the GDPR provides the principle of “storage limitation” in Article 5(1)(c).

    Pursuant to this principle, personal data must be “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed” i.e. when data is not necessary any more, it must be destroyed or anonymized.

    The GDPR allows, however, for retaining data longer, in particular for archival, research or statistical purposes - subject to certain conditions (see Article 5 and Article 89 among others).

  • For the argument on data collection, see above.

To be entirely fair, and exhaustive — specific regulations may provide otherwise. The GDPR as its title suggests, is a “general” body of law. In certain circumstances, specific rules may contravene the general principles stated above. For instance, since 2009, the “EU cookie directive” (which modifies the “ePrivacy Directive” of 2002) requires consent as the only available basis for storing information or identifiers on a user’s device, or for accessing such stored information. There are, however, some exceptions, i.e. if necessary to provide services expressly requested…

Richard Stallman (April 2018 or December 2019)

The EU’s GDPR regulation is well-meant, but does not go very far. It will not deliver much privacy because its rules are too lax. They permit collecting any data if it is somehow useful to the system, and it is easy to come up with a way to make any particular data useful for something.

The GDPR makes much of requiring users (in some cases) to give consent for collection of their data, but that doesn’t do much good. System designers have become expert at manufacturing consent (to repurpose Chomsky’s phrase). Most users consent to a site’s terms without reading them; a company that required users to trade their first-born child got consent from plenty of users. Then again, when a system is crucial for modern life, like buses and trains, users ignore the terms because refusal of consent is too painful to consider.

To restore privacy, we must stop surveillance before it even asks for consent. Source

Richard Stallman argues that it is too easy to trick users into consenting to the collection of their data, and that is it too easy to claim that data is “somehow useful”. Instead, we should stop surveillance before it even asks for consent.

That is why, under EU data protection laws:

  • Where individual consent is an adequate legal basis (which is not always the case), the GDPR puts strong legal conditions on what valid consent requires (see above), so it cannot be considered “easy” to trick people into giving consent.

  • Where data is collected and used in connection with a contract (e.g. terms and conditions of an online service), only data that is “necessary” may be lawfully processed.

    Article 6 provides that processing in that context must be “necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract” — it is, therefore, not sufficient to consider that the data is “somehow useful”.

  • In any event, personal data must be processed for “legitimate” and explicit purposes. Surveillance that is no legitimate must be stopped, even where consent has been obtained or where there is a contract. The real question, therefore, is what sort of surveillance can be considered legitimate or not. This is not only a legal, but also a political and social question, and your views may vary… Data protection law does not exist in a vacuum.

On a related note, Stallman seems to be conflating several issues here.

It is indeed a problem that most users consent to a site’s terms without reading them. I know this problem well enough for having started Terms of Service; Didn’t Read. Sure, terms of service may contain silly things - surveillance and data rights issues are just one of the many issues with this - the origin of the problem lies elsewhere.

Another confusion that Stallman seems to make here relates to consent and contracts. Data protection law and contract law are two separate bodies of laws with their own rules. In some situations, these rules stack up and interact with each other.

However, consenting or agreeing to a contract (e.g. accepting terms of an online service) only implies that data strictly necessary to perform the agreement (e.g. providing the online service) may be processed. Agreeing to a contract does not equate giving “consent” to any processing purposes in the meaning of “consent” under Article 4(11) of the GDPR. Contracts and consent are two separate legal bases under the GDPR (see above).

If you have other examples to illustrate this, or questions or comments on the above, let me know!


The goal of this post is neither to contribute to some anti-American sentiment, nor to claim that the GDPR is perfect, or that European laws are generally better than US laws. I do not think that’s true. Time will tell how effective the GDPR is going to be. Two years is short a short time to evaluate that. Even then, there is a larger context not directly related to the GDPR as such: enforcement actions are usually slow; Europe still lacks a culture of litigition for civil rights, and the powerful non-profit organisations to activate them that match those in the US. US class action lawsuits are, also, far away from Europe’s judicial systems (where they are not seen as scarecrows).

Nevertheless, we should acknowledge the fact that EU law has got many of the foundational principles around data protection right. As almost all of the examples above show: while the intention was to criticise the GDPR, the authors actually call for the very same principles that the GDPR, and the 1995 Directive before it, set forth.

So why has the USA not enacted an equivalent federal general data protection legislation? There are, already, strong protections for the privacy of Americans in the US Constitution. And access to electronic communications content and data by US authorities has received increased protection by US courts, in particular the US Supreme Court in the Carpenter case recently. Some of these safeguards were ahead of their time, while some are reminiscent of the EU top court’s own case law. There is, however, still no GDPR-equivalent data protection law at the federal level in the US. Although it seems that, with the CCPA (and maybe others), some states like California are pushing in this direction.

In 1973, a US official committee submitted the “Records, computers and the rights of citizens” report. The title of this report is almost identical to the French data protection law of 1978 (on computing, records and freedoms). What also strikes me is that the recommendations of this report share strong similarities with the GDPR in many ways (see the list of data subject rights, the main principles, and the obligations on data controllers in the “Summary and Recommendations”).

So, what happened? How’s this permitted?

Thanks to Lori Roussey, Alexandre Rogers, Michael Veale for reviewing drafts of this.

  1. The GDPR, adopted in 2016, reuses and extends on most of the basic definitions and principles of the 1995 Directive. For those curious, the difference between a EU Directive and an EU Regulation is that a Directive is a law that’s supposed to give EU Member States a goal to achieve, a direction, which implies that Member States need to implement measures in their national laws; while a Regulation (like the GDPR) is a law directly applicable in all EU territories, which thus contributes to achieving greater harmonisation of laws in Europe.↩︎

  2. For instance, in France, it is prohibited for a company to get DNA from people. Consent cannot override this prohibition. Derogations are available for medical research, etc. See the French data protection authority’s book on this.↩︎