It was when the 1970 Hessian Data Protection Act was passed as the first of its kind in the world that the words ‘data protection’ entered the public discourse. The Act brought two significant contributions. By suggesting that automatic processing is something qualitatively new and in need of legislative intervention, it set the agenda for the next 50 years. It also firmly established the notion that control over data is the best way for protecting privacy as a fundamental right. This idea was to form a central part of the 1995 Data Protection Directive, the first comprehensive EU data protection instrument, now replaced by the 2016 General Data Protection Regulation (GDPR). There is a sense of achievement or even pride in the EU when the GDPR, the star product of its unilateral legislative globalisation, is singled out as an example of what privacy laws ought to be like. Nevertheless, a sense of confusion, fear and helplessness is spreading globally. The modern technology-dominated world demonstrates that one can maintain the illusion of lawful data processing and of a user controlling their data without either of them existing. For, how else should one describe the institutional order that enables business models based on massive data collection and on surveillance. It has become apparent that a world based on design choices which maximise data collection is undermining our ability to truly govern data.