[torton]

You are suggesting two approaches, one (or even both) of which are not feasible.

The problem with protecting everyone's data equally (and the point of why EU courts are rejecting the current regime) is that national laws override company intent. If a US company is served a national interest letter, they are giving up the data and keeping mum about it, or someone is potentially going to jail. And nobody will go to jail to protect the data of a user of a free (or a $8/mo, whatever) service.

This happens similarly in other countries - China, obviously; UK has a similar "national interest" rule; I don't know about the EU but I wouldn't be surprised if their spies and law authorities have also codified access on an as-needed basis for themselves. It's all the other kids that must be kept out of the personal data sandbox.

Avoiding collecting the data in the first place is far more robust against this sort of government behavior. There are organized government efforts to mandate centralized data collection and facilitate access anyway (e.g. UK's attempts to ban end-to-end encryption), so we'll see if that approach holds.