In the EU, citizens have a fundamental right to privacy, and therefore must agree to specific and defined uses of their data when they hand that information to an organisation. It is also assumed that citizens must continue to have certain rights over the data they share, such as correction, deletion and access. They must agree before data is handed to a third party. They should be informed before changes in data protection agreements are made.
The data protection approach differs strongly to privacy regulation in the USA, where privacy rights have been introduced on a sectoral basis, and there has been a strong presumption that data collected belongs to the company and it is up to them to decide with their users how to use it.
Data protection is not the same as privacy. It is a way to create an agreement to use data, but to limit the scope of the reuse.
Weaknesses of privacy agreements and terms and conditions
There are substantial problems with the data protection approach. Users are rarely in a position to negotiate the terms on which they hand over their data, and they rarely read the "privacy agreements" that they sign up to. Terms and conditions change, and users are not always informed properly. They may miss such information.
The result is that users are in a weaker position than the companies that write privacy agreements and often sign agreements that are not wholly in their interest.