At its core, the legal framework of data protection is still characterized by concepts dating back to when data protection first emerged. However, the traditional approach centered on regulating the steps of data processing is as insufficient as the leading paradigms regarding the relevant fundamental rights. This is explained with three aspects in mind: Firstly, the object of data protection is complex, namely not only personal data, but a network consisting of several basic elements: data and information, knowledge and the flow of data and information, decisions and consequences of decisions. Secondly, data protection cannot be reduced to a uniform legally protected good. It encompasses a complex bundle of interests and legal positions aiming at protecting the individual in his or her sociality. Thirdly, data protection requires complex concepts of regulation on multiple levels and with different constituent parts. Additionally, data protection law must not only be coordinated with the issue-related substantive legal norms, but must also take up basic elements of risk regulation or technology law and requires interdisciplinary approaches. Data protection will then prove to be a highly complex and novel field involving particular challenges for law.