We tend to think about data privacy mainly in the context of big tech and private companies, but more and more, the spotlight is turning on governments themselves. After all, they often hold more sensitive information than any private actor.

Two recent examples highlight this shift in focus. In January, the EU’s General Court fined the European Commission for breaching the EU’s own data protection law, marking the first time the bloc’s institutions were held accountable in this way. Around the same time, the ICO issued detailed guidance to police forces for the use of live facial recognition. The message is clear: protecting privacy is not just about regulating companies, it’s about holding public authorities to the same standards.

‍

Why State Data Processing Demands Limits

‍

Government access to data raises unique risks that go far beyond the private sector: 

• Governments hold the largest datasets
  States manage health records, tax files, social security, welfare data, immigration details, and biometric identifiers. This is not only personal but also structural data that covers entire populations.

• Who makes the rules?
  Governments are the ones writing and enforcing data protection rules for the private sector. If they fail to comply themselves, the credibility of these laws collapses. Citizens and businesses begin to question why they should follow strict requirements when regulators don’t. 

• The risk of normalizing surveillance
  When state institutions adopt intrusive data practices, it sends a powerful message to the rest of society that surveillance is acceptable. This normalizes practices that should be considered extraordinary, lowering the threshold for their use by the private sector. 

• Trust in institutions and democratic accountability
  A corporate data breach can be damaging, but a government breach feels like a betrayal of trust. This is already an issue, with UK citizens expressing concern over subpar data security practices and unauthorised use by authorities. 

‍

Beyond trust, there is the democratic issue: unchecked state control of data can tilt power away from citizens, limiting their ability to challenge decisions or hold leaders accountable. That’s why rulings such as the EU Court fining the Commission are so significant. They reinforce that no institution is above the law, not even the lawmakers themselves.

Just like enterprises, government bodies also need tools to map, manage, and document how data is used, so that when an audit comes, they can easily prove compliance.

‍

What We Should Focus On

‍

Knowing the risks is only half the story. The real challenge lies in identifying where governments must draw the line.

• Preventing function creep
  One of the most common risks is function creep, where data collected for one purpose is quietly repurposed for another. For example, welfare data used to verify eligibility might later be used to monitor fraud or unrelated law enforcement purposes. Without strict rules and reinforcement, databases built for narrow, legitimate uses become tools for broad monitoring.

• Closing legal gray zones
  Public authorities may carve out exemptions for themselves in data protection laws, arguing that certain activities, such as national security, policing, or immigration control, require special treatment. While exceptions may sometimes be justified, they must be applied responsibly to prevent undermining the principle of equal protection. 

• Managing cross-department data use

Consent given to one authority doesn’t automatically mean it can be shared with another. It’s alarming to learn that the public often assumes this is already happening. According to a recent UK government survey, about two-thirds of people (65%) believe departments share data with each other. In the US, 71% share the same feeling. 

If data sharing happens without clear boundaries or transparency, citizens lose confidence in how their information is handled. The challenge grows when cross-border collaborations are involved, where data may move not only between agencies but also across jurisdictions.

Technology designed for accountability, such as Mine’s data governance platform, can help close these gaps.

‍

No Exceptions to Data Privacy

The examples from the EU and the UK are promising. Regulators hold government bodies to the same standards of scrutiny they apply to private companies. But it shouldn’t stop there. As more governments adopt digital-first strategies, the temptation to use data will only grow. 

‍