Ground truth

Nation-state surveillance is not a conspiracy. It is a legal regime with documented practitioners, published standards, and court judgments that confirm it happens and argue about its limits rather than its existence. Before mapping the threat, it is worth stripping out what is myth and what is merely uncomfortable.

What the GDPR does not cover

The General Data Protection Regulation is the most prominent data protection law in the world and it does not apply to national security activities. Article 2(2)(a) excludes processing carried out in the course of an activity that falls outside the scope of Union law, and Recital 16, read with Article 4(2) of the Treaty on European Union, makes explicit that national security is such an activity and remains the sole responsibility of each member state. This is not a loophole that was accidentally left open. It is a deliberate boundary, written into the text, reflecting the settled position that states reserve the right to surveil in the name of security and that European data protection law was not designed to constrain that right. The one qualification a practitioner should know is that the exclusion covers the state's own activities: the Court of Justice of the EU held in 2020 (La Quadrature du Net; Privacy International) that when a state obliges telecoms or online providers to retain or hand over data, that obligation on the provider is still within EU law and must meet its proportionality tests.

Everything GDPR achieves for individual privacy stops at the national security fence.

What EU member states are actually permitted to do

No EU member state has a blanket legal prohibition on surveilling its own citizens. Every member state has intelligence legislation that permits surveillance of individuals and groups under conditions that include national security, counter-terrorism, serious crime, and in many cases broad public order provisions. The European Court of Human Rights, a Council of Europe body that operates separately from the EU, allows surveillance under Article 8 of the European Convention on Human Rights provided it is in accordance with the law, pursues a legitimate aim, and is necessary in a democratic society, which the court reads as a proportionality test. The court has found violations, most prominently against the United Kingdom's bulk interception regime in Big Brother Watch and Others v. the United Kingdom (Grand Chamber, 2021), and states have responded by rewriting their laws rather than abandoning the practice.

The real constraints are: proportionality (contested), legal authorisation (often available on request), and oversight (which varies from rigorous to nominal across EU member states and is rarely truly independent).

The intelligence-sharing dimension

The Five Eyes alliance (United States, United Kingdom, Canada, Australia, New Zealand) is the most discussed, but a number of European states participate in expanded sharing arrangements. The Nine Eyes adds Denmark, France, the Netherlands and Norway; the Fourteen Eyes (formally the SIGINT Seniors Europe group) adds Belgium, Germany, Italy, Spain and Sweden. All of these except Norway, which is in the EEA but not the EU, are EU member states, so most of the Union's larger economies sit inside one of the two rings.

The mechanism is not simply “you spy on my citizens for me.” It is more structural than that: each agency collects intelligence that it categorises as “foreign” (meaning communications flowing through, or associated with, non-domestic targets), and agencies share what they have collected. Since “foreign” collection in practice captures vast amounts of data about citizens of other partner states, the practical effect is that each agency's domestic legal constraints on surveilling its own citizens can be navigated by receiving data about those citizens from a partner who collected it under different rules. This is a structural feature, not an accident.

The Snowden disclosures documented this at scale. Under the programme known as Tempora, GCHQ tapped transatlantic fibre-optic cables at their landing points, buffered the traffic, which included that of EU citizens, and shared access with the NSA. Documents in the same disclosure, reported by Der Spiegel in 2013, indicated that the NSA had monitored the German Chancellor's mobile phone; Germany's federal prosecutor opened an investigation and closed it in 2015 citing insufficient evidence, without the underlying collection being disputed by the partners. These are matters of documentary record, not speculation.

The commercial layer

The most underexamined part of the picture is the commercial data infrastructure. Data brokers aggregate location data, behavioural profiles, and identity information from mobile apps, advertising ecosystems (in particular the real-time-bidding data that leaks from ad auctions), and public sources, and they sell to any buyer who can pay. Government agencies in the United States, including components of the Department of Homeland Security, have purchased commercially available location data to obtain information they would otherwise require a warrant to collect. Similar purchases by European authorities have been reported, though less has been documented publicly.

This is not interception. It is procurement. The broker itself is subject to the GDPR, but the moment a state acquires the data for a national security purpose the processing leaves the Regulation's scope, so the end use is largely unregulated precisely because the GDPR does not apply there.

What this model is not

This is not a model of illegal behaviour by rogue actors. Most of what it describes is either legal, contested only at the margins, or structured so that it is difficult to challenge in court. The system was designed to permit observation. It optimises for visibility while preserving plausible deniability.

You are not modelling a malfunction. You are modelling the system working as built, under conditions of political stress that reveal what it was always capable of.