Hacker News

How does this law reconcile with the GDPR?


There are usually carve outs for security and “won’t someone please think of the children”


It's a-ok for the law makers not to abide by their own laws


All data retention required by any law is explicitly exempt from the GDPR requirements regarding consent or your right to have it removed.


GDPR allows for data required by law. The same goes for payment and all kinds of banking information.


Data collection that is required by law enforcement is exempted from GDPR regulations.


No. All regulations apply except for the right to (premature) deletion and the necessity of (another) reason for the data collection.

Very much a situation of one regulation putting you in the crosshair of another one.


The Wikipedia page for GDPR says data collection for the following purposes is exempted from the regulations:

https://en.wikipedia.org/wiki/General_Data_Protection_Regula...

>>Lawful interception, national security, military, police, justice


The article is somewhere between imprecise and wrong. A box above the respective paragraph says so. Article 2 contains said exceptions, but limits them to "member states" and "competent authorities". https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:02...

So only a government office would be exempt in those matters, not a private organisation, except when seen as performing a government function. That is somewhat up to interpretation, so maybe, maybe not.


GDPR doesn't apply to collection mandated by states for law enforcement purposes.


Someone will drive a truck through that loophole.


It is not a loophole, it is simply the statement that GDPR's aim is to target companies, not state operations.

Remember that Europeans trust their State more and their companies less than US citizens, on average. The law simply reflects that state of mind.


It’s also a statement that sometimes requirements conflict. As a business owner, I’m required to keep proper books. That means every invoice needs to be on the book for at least 10 years. But invoices contain personal info - a name and address at least, possibly other data. You can’t require me to delete those invoices on GDPR grounds and violate the bookkeeping requirements.

And unlike data collection by random companies, data collection required by law is subject to public and judicial review. Laws are known - what data companies collect not necessarily.


That comment was not inspired by mistrust of the State. (I would trust the average European government far more than I trust my own.) I'm saying that private firms will use this ready-made excuse to intentionally exceed the limits placed by a straightforward reading of GDPR.



