Nations and policy

The surveillance threat model makes a structural observation: the EU has the strongest data protection framework in the world and simultaneously contains member states that operate bulk collection programmes, use commercial data brokers to bypass legal thresholds, and participate in intelligence-sharing alliances that route around domestic constraints. These are not contradictions. They are the system working as designed.

Policy at national and EU level is where the underlying incentive structures are set. The patterns described across all three threat models (commercial data extraction, deanonymisation at scale, surveillance of civil society) persist not because the technical means to address them do not exist but because the political conditions have not consistently aligned to require their application.

This page is less a checklist and more a diagnosis. The generalisations here are particularly coarse: EU member states vary dramatically in their legal cultures, their judicial oversight of intelligence activity, and their political appetite for digital sovereignty. Treat what follows as a framework for asking better questions rather than a set of answers.

What the policy models actually do

The GDPR exemption as policy choice

The national security exemption in GDPR Article 2(2)(a) is not a loophole. It is a deliberate design decision. The provision excludes processing carried out in the course of an activity that falls outside the scope of Union law, and Article 4(2) TEU states that national security remains the sole responsibility of each member state. The EU chose to exclude national security activities from the regulation’s scope, deferring to member state sovereignty in an area where harmonisation was politically impossible.

The consequence is that the strongest data protection framework in the world has a hole at its centre precisely where the most capable adversaries operate. A citizen’s data is protected from commercial misuse by one set of rules and from state surveillance by a patchwork of national law, treaty obligations, and the varying quality of judicial oversight in different member states. The gap is specific to intelligence and national security activity: ordinary police processing is covered by the Law Enforcement Directive (Directive (EU) 2016/680), which sits alongside GDPR, but intelligence services are outside both.

Policy development in this space requires honesty about what the exemption actually produces. The intelligence oversight mechanisms that exist in many member states are not equivalent to the protections GDPR provides. Some have meaningful judicial oversight. Many do not. The variation is not acknowledged in the architecture of the regulation.

Infrastructure dependency as sovereignty question

The surveillance threat model identifies infrastructure dependency as a structural vulnerability: the majority of EU internet traffic, cloud storage, and platform services passes through or is processed by systems under US jurisdiction. This means it is subject to US legal process (most relevantly FISA Section 702 for intelligence collection and the CLOUD Act for compelled disclosure by US-controlled providers) regardless of where the data originates or where the data subject lives.

This is a policy failure that has been visible for more than a decade. The repeated invalidation of EU-US data transfer agreements by the Court of Justice (Safe Harbor in Schrems I, 2015; Privacy Shield in Schrems II, 2020) reflects an underlying incompatibility between EU data protection standards and US surveillance law that legal mechanisms have not resolved. The successor, the EU-US Data Privacy Framework adopted by adequacy decision in 2023, rests on the same basic structure of executive assurances and was challenged in the EU courts almost immediately.

Digital sovereignty is not an abstract concept. It is a question of whether the legal protections that EU law provides for EU citizens can actually be enforced when the infrastructure underpinning digital life is controlled by entities outside EU jurisdiction. Building infrastructure capacity within the EU that is actually usable at competitive scale is a multi-decade project that requires sustained political commitment and investment.

Data broker regulation as the missing piece

The commercial data layer is, as the surveillance threat model describes, the largest under-enforced backdoor into the privacy protections the EU has built. GDPR applies to data brokers in full, but enforcement of the consent and purpose limitation requirements against the broker market has been inconsistent, under-resourced, and slow.

Law enforcement and intelligence agencies in multiple member states have acquired data commercially precisely because commercial purchase does not trigger the legal safeguards that formal legal process would require. This is not a theoretical scenario. It is documented practice.

Closing this gap requires specific regulatory attention to the data broker market: what data can be collected, for what purposes, under what consent conditions, and under what circumstances it can be transferred to law enforcement or intelligence agencies. The current framework technically covers this but the implementation has not kept pace with the market.

The political weight of security narratives

Surveillance powers expand in response to events and rarely contract afterwards. The dynamics of security policymaking are consistent: a crisis produces political pressure to act, and “act” is more easily interpreted as expanding collection and access than as improving oversight or reducing exposure.

At policy scale, the same principle that applies to any system holds: identify what the system is currently rewarding. The political incentive structure around surveillance powers rewards expansion because expansion can be presented as decisive action, while oversight reform is slower, more technically complex, and produces no visible deliverable for a news cycle.

The asymmetry between those who bear the cost of surveillance and those who hold surveillance power is the core of the policy problem. Populations subject to bulk collection rarely experience the direct harm of that collection until a specific incident makes it concrete. The harm is diffuse, statistical, and distant from individual experience. Political action is easier to mobilise around concrete, named harms than diffuse, statistical ones.

Civil society organisations, journalists, and researchers who make surveillance harms concrete and named are performing an essential function in creating the political conditions for reform. Supporting their capacity to do this is not separate from policy work. It is a precondition.

Where leverage actually exists

EU regulatory capacity is the most significant source of leverage over the commercial data ecosystem globally. The GDPR has changed data handling practices by major platforms worldwide not because they love EU citizens but because non-compliance risks fines calculated as a percentage of global revenue (up to 4% of worldwide annual turnover under Article 83(5)). This leverage is real and has not been fully used.

Consistent, well-resourced enforcement of GDPR obligations on data brokers, consent frameworks, and purpose limitation would meaningfully change the commercial surveillance landscape. The regulatory framework to do this exists. The enforcement capacity and political will to sustain it have been variable.

The Data Act, the AI Act, and the ePrivacy Regulation represent successive attempts to extend the regulatory perimeter, with uneven results: the ePrivacy Regulation proposal, stalled in Council since 2017, was withdrawn by the Commission in 2025, leaving the 2002 ePrivacy Directive in force. The outcome of each of the remaining instruments will depend on the specificity of implementation, the adequacy of enforcement funding, and whether member states treat compliance as a floor or as a ceiling to be engineered around under national security carve-outs.

Intelligence oversight mechanisms at EU level are underdeveloped relative to the transnational nature of the surveillance they need to govern. Bilateral oversight between member states’ national mechanisms does not adequately cover flows through intelligence-sharing arrangements. A European Parliamentary oversight body with genuine access to information about cross-border collection programmes is a structural reform that would require significant political negotiation and would represent a real improvement on the current architecture.

The goal is not to dismantle security capacity. It is to build governance that matches the capacity that exists. That is a political task, and it is one where sustained pressure from civil society, research institutions, and committed member states has historically moved things in the right direction, slowly and incompletely, and sometimes moved them back.

Playbooks

The individual-level actions here are limited, but not zero. The rights that regulation creates (subject access under Article 15, erasure under Article 17, objection under Article 21, and the right to lodge a complaint with a supervisory authority under Article 77) are only useful if they are exercised, and they are exercised far less often than the volume of processing would justify.

Runbooks