Many actors mobilize the cognitive, legal and technical tool-box of data protection when they discuss and address controversial issues such as digital mass surveillance. Yet, critical approaches to the digital only barely explore the politics of data protection in relation to data-driven governance. Building on governmentality studies and Actor- Network-Theory, this article analyses the potential and limits of using data protection to critique the ‘digital age’. Using the conceptual tool of dispositifs, it sketches an analytics of data protection and the emergence of its configuration as ‘data protection by design and by default’. This exploration reminds us that governing through data implies, first and foremost, governing digital data.