It’s also a statement that sometimes requirements conflict. As a business owner, I’m required to keep proper books. That means every invoice needs to be on the book for at least 10 years. But invoices contain personal info - a name and address at least, possibly other data. You can’t require me to delete those invoices on GDPR grounds and violate the bookkeeping requirements.

And unlike data collection by random companies, data collection required by law is subject to public and judicial review. Laws are known - what data companies collect not necessarily.