Here's a thought experiment: name one piece of software on your computer that has unrestricted root access to every single file, scans everything you open, monitors every URL you visit, and phones home with the results. You're thinking of malware. I'm describing your antivirus.
The Architecture of Total Surveillance
Antivirus software operates on a simple premise that's also a privacy nightmare: to protect you from malicious files, it must inspect all files. Every document. Every spreadsheet. Every photo. Every email attachment. Every browser cache entry. Every password manager database. Every encrypted volume mounted at the time of scanning.
This isn't a bug: it's the fundamental design requirement of the product category. Your AV sits between you and your filesystem with higher privileges than you have. On Windows, the service runs as SYSTEM and the on-access scanner is a kernel-mode filesystem minifilter driver. On macOS, products used to load kernel extensions; since Catalina, Apple steers them onto the Endpoint Security and Network Extension frameworks, which run in user space but still see every file event and network flow. On Linux, it usually demands root, and often a kernel module or fanotify (which needs CAP_SYS_ADMIN) to intercept file access.
The GDPR (Article 4(1)) defines personal data as any information relating to an identified or identifiable natural person. Your antivirus isn't casually glancing at metadata — it's deep-inspecting file contents, process memory, network traffic, and browser activity. That's not just personal data. That's the entirety of your digital life.
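You can see this privileged position for yourself on Windows, the platform the "runs as SYSTEM" claim is about. The script below is an added example written for this edit, not code from the article: it lists the products registered as antivirus with Windows Security Center, the filesystem minifilter drivers currently loaded (every on-access scanner is one), and, for Microsoft Defender, whether cloud lookups and automatic sample submission are switched on. The function names are mine; the cmdlets, the SecurityCenter2 namespace and fltmc.exe are standard Windows components. It needs an elevated prompt on a client edition of Windows (Security Center is absent on Server, so that part is skipped).

```powershell
# Added example, not from the original article: audit what sits between you
# and your filesystem on a Windows host. Run from an elevated PowerShell
# prompt on Windows 10/11.

function Get-RegisteredAvProduct {
    # Products that registered with Windows Security Center as "antivirus".
    # productState is a vendor-reported bitfield. Reading the 0x10 bit of the
    # middle byte as "real-time protection on" is a widely used heuristic,
    # not a documented Microsoft API; treat it as a hint.
    try {
        Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct' -ErrorAction Stop |
            ForEach-Object {
                [pscustomobject]@{
                    Product    = $_.displayName
                    Executable = $_.pathToSignedProductExe
                    StateHex   = ('0x{0:X6}' -f $_.productState)
                    RealtimeOn = ((($_.productState -shr 8) -band 0x10) -ne 0)
                }
            }
    } catch {
        Write-Warning "root/SecurityCenter2 not available (Windows Server?): $($_.Exception.Message)"
    }
}

function Get-FilesystemMinifilter {
    # Every on-access scanner on Windows is a filesystem minifilter driver.
    # fltmc prints one line per loaded filter: name, instances, altitude, frame.
    # Lower altitude = closer to the disk. Microsoft reserves the altitude
    # range 320000-329999 for the "FSFilter Anti-Virus" load order group.
    fltmc.exe filters | ForEach-Object {
        if ($_ -match '^\s*(\S+)\s+(\d+)\s+([\d.]+)\s+(\d+)\s*$') {
            $altitude = [double]$Matches[3]
            [pscustomobject]@{
                Filter    = $Matches[1]
                Instances = [int]$Matches[2]
                Altitude  = $altitude
                Frame     = [int]$Matches[4]
                AvRange   = ($altitude -ge 320000 -and $altitude -le 329999)
            }
        }
    } | Sort-Object Altitude
}

function Get-DefenderCloudSetting {
    # Defender's cloud-delivered protection ("MAPS") and automatic sample
    # submission are exactly the "upload suspicious files" behaviour the
    # article describes. MAPSReporting: 0 = Disabled, 1 = Basic, 2 = Advanced.
    # SubmitSamplesConsent: 0 = AlwaysPrompt, 1 = SendSafeSamples,
    # 2 = NeverSend, 3 = SendAllSamples.
    try {
        $p = Get-MpPreference -ErrorAction Stop
        [pscustomobject]@{
            MAPSReporting           = $p.MAPSReporting
            SubmitSamplesConsent    = $p.SubmitSamplesConsent
            CloudBlockLevel         = $p.CloudBlockLevel
            DisableBlockAtFirstSeen = $p.DisableBlockAtFirstSeen
        }
    } catch {
        Write-Warning "Defender cmdlets unavailable: $($_.Exception.Message)"
    }
}

# Usage
Get-RegisteredAvProduct  | Format-Table -AutoSize
Get-FilesystemMinifilter | Format-Table -AutoSize
Get-DefenderCloudSetting | Format-List

# To stop Defender itself from uploading samples (Tamper Protection or a
# management policy may silently override this; re-run the audit afterwards):
# Set-MpPreference -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
```

Third-party products do not expose their cloud-upload switch through Get-MpPreference; for those, the minifilter list at least tells you what is inspecting your I/O and at which altitude, and the vendor console is where the sample-submission setting lives.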
What They Actually Collect
Most users assume their AV just compares file hashes against a local malware database. That's adorable. The reality is far more invasive. Here's what modern antivirus products routinely exfiltrate (and this is just what's documented):
- Browsing history — full URLs visited, including query parameters, timestamps, and referrer chains. This reveals your political views, health concerns, sexual orientation, religious beliefs, and financial status. The FTC's 2024 complaint against Avast alleged exactly this collection and resale, and Avast settled for $16.5 million [1].
- Device fingerprint — hardware IDs, installed applications, OS version, network topology, number of devices on your LAN, default browser, and unique advertising identifiers.
- File metadata and samples — suspicious files get uploaded in their entirety to cloud analysis sandboxes. That "suspicious" PDF your accountant sent? Uploaded. The Word doc with your medical records? Uploaded. The .pst file with ten years of email? You get the idea.
- Location data — IP address, WiFi network names, sometimes GPS coordinates from mobile AV products.
- Email content — several AV products scan email bodies and attachments, and some upload flagged messages for analysis.
- Process behavior — which programs you run, when you run them, how long they're active, what files they touch.
Where Does This Data Go?
The short answer: everywhere you don't want it to go.
Avast, through its subsidiary Jumpshot, sold browsing data from roughly 100 million users to more than 100 third parties between 2014 and 2020, among them consulting firms, investment companies, advertising networks, marketing analytics firms, and data brokers. The data was sold in non-aggregate, re-identifiable form with a unique per-browser identifier, so a client could follow one user across sessions and join that browsing history to other datasets [1][2].
Kaspersky uploads suspicious objects to its cloud once you accept the Kaspersky Security Network statement, which is presented at install time and is opt-in on paper [3]. Its privacy policy states that it processes "the object (file or URL) itself." Where do those servers live? Its infrastructure spans Russia, Switzerland, and other jurisdictions, and the transfer terms behind that split are opaque at best.
McAfee, Norton, Bitdefender, ESET: they all have cloud-based threat analysis. They all upload file samples. They all collect telemetry. The specific data flows are buried in privacy policies that would take a lawyer three billable hours to parse, and even then the policies lean on phrases like "may include" and "such as" that give them unlimited latitude [4].
Here's the kicker: under GDPR Articles 44-49, transferring personal data outside the EU requires an adequacy decision for the destination (Article 45), appropriate safeguards such as standard contractual clauses (Article 46), or one of the Article 49 derogations, explicit consent among them [5]. When your AV uploads a file containing personal data to a cloud sandbox in a country where none of those is in place, and nobody on your side documented a transfer mechanism, that is a transfer without a lawful basis. And don't count on "it's anonymised": the Czech DPA's Avast decision found that the browsing data handed to Jumpshot was merely pseudonymised, remained personal data throughout, and was therefore processed without a valid legal basis under Article 6 and without the transparency Article 13 demands [6].
The Legal Contradiction
If you're a business operating in the EU, you're required under GDPR to implement "appropriate technical and organisational measures" to protect personal data. Article 5(1)(f) mandates integrity and confidentiality. Article 32 requires security appropriate to the risk and names pseudonymisation, encryption, and the resilience of processing systems as the measures to consider.
Now install an antivirus. You've just deployed software that:
- Has root-level access to all personal data you process
- Exfiltrates file contents and metadata to third-party servers
- Operates in jurisdictions with inadequate data protection
- Is usually deployed under a click-through licence rather than a processor contract that satisfies Article 28 (enterprise tiers may offer a DPA; read it before assuming it covers sample uploads)
- Cannot guarantee data deletion or purpose limitation
If a data subject files a Subject Access Request under Article 15 asking what data your AV vendor holds on them, what do you tell them? You don't know. The vendor won't tell you. And you're the data controller, so you're the one who is liable.
You cannot simultaneously comply with GDPR and operate a cloud-connected antivirus on systems processing personal data. Choose one.
The Root Access Problem
Let's address the elephant in the room. Your antivirus has higher privileges than you do on your own machine. It can:
- Read any file, regardless of permissions
- Modify any file, including system files
- Intercept and modify network traffic (HTTPS inspection works by installing the vendor's own root certificate and terminating TLS on your behalf)
- Inject code into running processes (hooking browsers and office applications is standard practice)
- Load kernel-mode drivers that run with the same privilege as the operating system itself, below anything a user-mode tool can see
- Disable or bypass other security controls
What prevents a system with unrestricted root access and a persistent encrypted connection to remote servers from doing more than just reading your files? If you're a journalist, an activist, a whistleblower, or simply someone politically inconvenient to the wrong people, could such a system be used to place material rather than just extract it? A few strategically named files in the right directories, a modified registry entry, a "detected threat" that was actually planted, and suddenly you're not the victim, you're the suspect.
This isn't science fiction. It's the logical consequence of giving any third party, whether a corporation, a government, or a compromised employee, an always-on rootkit you installed voluntarily. Stuxnet got its kernel driver loaded with code-signing certificates stolen from Realtek and JMicron, and Flame went further by impersonating Windows Update with a forged Microsoft certificate: a vendor's trust chain is a target, not a guarantee. Anyone who compromises an AV vendor's signing keys or update infrastructure can push code to millions of machines at once, with the AV's own privileges.
The GDPR-Compliant Alternative
The GDPR-compliant security posture isn't an antivirus. It's:
- Minimal attack surface — run only what you need. Every installed package is a liability.
- Compartmentalization — isolate risky activities (browsing, email, document viewing) from sensitive data. If the browser gets owned, it shouldn't be able to touch your files.
- Read-only wherever possible — immutable base systems, with data on separate partitions mounted noexec.
- Network-level filtering — block known malicious infrastructure at the router or firewall, not on the endpoint where a compromised security product becomes the threat.
- Application-level firewalls — control what can phone home, instead of letting a rootkit "manage" it for you.
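The last bullet is the one that is really a configuration task, so here is what the application-level side looks like on Windows, as an added example written for this edit rather than code from the article. It uses the built-in NetSecurity cmdlets: default-deny outbound on every profile, then explicit allow rules for the handful of programs and services that may talk to the network, and a listing of what is allowed out afterwards. The program path and rule names are assumptions for illustration; substitute your own. Run it elevated, from a console you can still reach if you lock yourself out.

```powershell
# Added example, not from the original article: default-deny egress with the
# built-in Windows Firewall (NetSecurity module). Run elevated on Windows 10/11.
# The browser path and rule names below are assumptions for illustration.

$RulePrefix = 'Egress allow:'

function Set-DefaultDenyOutbound {
    # Block outbound traffic on every profile unless an allow rule matches.
    Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Block
}

function Add-ProgramEgressRule {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $Program
    )
    if (-not (Test-Path -LiteralPath $Program)) { throw "Program not found: $Program" }
    $display = "$RulePrefix $Name"
    # Idempotent: drop a same-named rule before recreating it.
    Get-NetFirewallRule -DisplayName $display -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $display -Direction Outbound -Action Allow `
        -Program $Program -Profile Any -Enabled True | Out-Null
}

function Add-ServiceEgressRule {
    # Allow one Windows service (e.g. the DNS client) rather than svchost.exe
    # wholesale, which would let every service hosted there phone home.
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $Service,
        [Parameter(Mandatory)] [string] $Protocol,
        [Parameter(Mandatory)] [string] $RemotePort
    )
    $display = "$RulePrefix $Name"
    Get-NetFirewallRule -DisplayName $display -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $display -Direction Outbound -Action Allow `
        -Service $Service -Protocol $Protocol -RemotePort $RemotePort -Profile Any -Enabled True | Out-Null
}

function Get-EgressAllowList {
    # Everything currently allowed out, with the program or service each rule
    # is bound to. Windows ships with built-in outbound allow rules of its own;
    # this shows those too, so you can decide which to disable.
    Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True | ForEach-Object {
        $rule = $_
        $app  = $rule | Get-NetFirewallApplicationFilter
        $svc  = $rule | Get-NetFirewallServiceFilter
        [pscustomobject]@{
            Rule    = $rule.DisplayName
            Program = $app.Program
            Service = $svc.Service
            Profile = $rule.Profile
        }
    }
}

# Usage
Set-DefaultDenyOutbound
Add-ServiceEgressRule -Name 'DNS client (UDP)' -Service 'Dnscache' -Protocol UDP -RemotePort 53
Add-ServiceEgressRule -Name 'DNS client (TCP)' -Service 'Dnscache' -Protocol TCP -RemotePort 53
Add-ProgramEgressRule -Name 'Browser' -Program 'C:\Program Files\Mozilla Firefox\firefox.exe'  # assumed path

Get-NetFirewallProfile | Select-Object Name, DefaultOutboundAction
Get-EgressAllowList | Sort-Object Rule | Format-Table -AutoSize

# Roll back if something you rely on stops working:
# Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Allow
```

Two caveats a practitioner will want. First, this governs user-mode programs through the Windows Filtering Platform; a kernel-mode driver, including your AV's, can register its own callouts below these rules, which is the article's point about where trust actually sits. Second, Windows Update and a few other services need their own service-scoped allow rules, so review the Get-EgressAllowList output rather than assuming a clean slate.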
None of this requires closed-source kernel modules from a corporation whose business model depends on harvesting your data. It requires architectural discipline.
The Bottom Line
Every commercial antivirus product is, by its fundamental architecture, anti-privacy by design. They scan everything, they upload everything, and they monetize or leak everything — or create the infrastructure that makes future monetization and leakage inevitable. The GDPR wasn't written for a world where security software doubles as surveillance software, but that's the world we live in.
If you're processing personal data under GDPR and you've deployed a cloud-connected AV across your fleet, you're gambling with fines that can reach €20 million or 4% of global annual turnover, whichever is higher (Article 83(5)). The Czech DPA has already set the precedent: a CZK 351 million (about €13.9 million) fine against Avast, confirmed as final and enforceable in April 2024 [6]. More decisions are coming.
The question isn't whether your antivirus violates GDPR. The question is who gets fined first — you, or your vendor.
[1] FTC complaint against Avast (February 2024): alleges that Avast collected browsing data revealing religious beliefs, health concerns, political views, location, and financial status, and sold non-aggregate, re-identifiable data to more than 100 third parties via Jumpshot between 2014 and 2020; settled with a $16.5 million payment and a ban on selling browsing data for advertising. Complaint: https://www.ftc.gov/system/files/ftc_gov/pdf/Complaint-Avast.pdf — Press release: https://www.ftc.gov/news-events/news/press-releases/2024/02/ftc-order-will-ban-avast-selling-browsing-data-advertising-purposes-require-it-pay-165-million-over
[2] Avast/Jumpshot data harvesting: a joint investigation by Motherboard and PCMag (January 2020) first exposed the practice; Avast shut Jumpshot down shortly after the reports. Coverage: https://www.theverge.com/2024/2/22/24080135/avast-security-privacy-software-ftc-fine-data-harvesting
[3] Kaspersky Global Transparency Initiative and privacy policy: Kaspersky Security Network (KSN) uploads "objects (files or URLs)" for cloud analysis, and Kaspersky's infrastructure spans Russia, Switzerland, and other jurisdictions. The AV-Comparatives 2023 data-sending report notes that KSN participation is opt-in but that the uploaded data includes file contents: https://av-comparatives.org/wp-content/uploads/2023/07/avc_data_sending_2023.pdf
[4] AV-Comparatives Data Sending and Transparency Report (2023): evaluated 20 market-leading consumer AV products for data collection, data sharing, accessibility, control, and openness; multiple vendors scored poorly on transparency. https://av-comparatives.org/wp-content/uploads/2023/07/avc_data_sending_2023.pdf
[5] GDPR Articles 44-49: govern transfers of personal data to third countries or international organisations. Article 45 covers adequacy decisions by the European Commission; Article 46 covers appropriate safeguards (standard contractual clauses, binding corporate rules); Article 49 allows derogations including explicit consent. Full text: https://gdpr-info.eu/chapter-5/
[6] Czech Data Protection Authority (ÚOOÚ) decision: CZK 351 million (≈€13.9 million) fine against Avast for the unlawful transfer of pseudonymised browsing history of ~100 million users to Jumpshot without a valid legal basis under Art. 6 and in breach of Art. 13 GDPR. Final appellate decision issued 10 April 2024, confirmed as final and enforceable. EDPB summary: https://www.edpb.europa.eu/news/news/2024/czech-sa-imposed-fine-139-million-eur-infringement-art-6-and-art-13-gdpr_hu — Full decision (Czech): https://uoou.gov.cz/media/rozhodnuti/rozhodnuti-predsedy/2024/uoou-0102520-121-aj.pdf
Date: 2026-07-02
Taxonomy: English | cybersecurity, antivirus, gdpr, dataprotection, infosec