The GDPR hole

GDPR Article 2(2)(a) excludes activities falling outside the scope of Union law, and Article 2(2)(b) excludes common foreign and security policy. National security is carved out explicitly. Any processing conducted under a national-security mandate operates outside the regulation entirely, whatever category of data is involved and whoever it concerns.

This is the foundational fact of the EU surveillance landscape. Consumer data protection and state surveillance run in parallel legal universes that rarely intersect. The strongest data-protection framework in the world has a hole at its centre, precisely where the most capable adversaries operate. A person’s data is shielded from commercial misuse by one detailed rulebook, and from state surveillance by a patchwork of national law, treaty obligation, and oversight of wildly varying quality.

The exemption is not a loophole that slipped through. It was a deliberate design choice: harmonising national security across member states was politically impossible, so the EU deferred to member-state sovereignty in exactly the area where the stakes are highest.

Last reviewed: 2026-07-08.