Data Minimization Principle in Data PrivacyLaws in the EU, US, and Rest of the World

What is the Data Minimization Principle?

Data minimization means processing only the minimum amount of personal data necessary for your processing purposes (fundamental in training AI models).

Let's imagine that you want to deliver a monthly newsletter to your customers. For that purpose, you need to process their email address and their names. By collecting only the email address and the name, you've applied the data minimization principle.

If you collect their phone number and home address to communicate with them over email, you've gone too far. You don't need anyone's home address to send them an email.

However, if you want to send them promotional materials at their home address or SMS messages with discounts over the phone, it is reasonable to get the phone numbers and home addresses. You'll need such data to communicate with the customers by their preferred means.

But, in that case, you should not collect their date of birth because it won't be relevant or necessary for informing them about the discounts. Unless you offer birthday discounts, in which case the birthday becomes personal data necessary for fulfilling the processing purpose.

The bottom line is that your processing purpose determines what categories of personally identifiable information you need to collect. Once you know why you need to process personal information, the next step is to determine what categories of data are relevant for the specified purpose. Then, you should ask yourself if all these data categories are necessary or if you could reach your goals without so many pieces of personal information. That's how you implement data minimization practices, including in AI.

Benefits of Data Minimization

Before the rise of data protection laws globally, marketers and entrepreneurs assumed that collecting vast amounts of data was good, just in case it became useful in the future. But that couldn't be further from the truth.

Legal requirements aside, limiting data collection to what is necessary has positive unintended consequences for businesses.

Storing and processing someone else's personal data brings inherent risks to your business. Personal data is always a valuable target for cybercriminals, which puts you at risk of data breaches. The risk of data breaches further implies a requirement to implement robust data security measures to prevent data breaches. And that means spending money that you may save if you simply implement a data minimization strategy and limit the collection of data to what you really need.

Processing unnecessary data doesn't bring benefits to your business, but only risks. It doesn't bring money in, but it causes you to spend more on preventing breaches. 

Data Minimization According to the EU GDPR

Article 5(1)(3) of the General Data Protection Regulation (GDPR) of the EU states that personal data shall be "adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’)".

Recital 39 of the GDPR stipulates that the processing of personal data must be adequate, relevant, and limited to what is necessary for the intended purposes. The GDPR further explains that we should only process personal data if other means could reasonably fulfill the processing purpose.

GDPR Fines for Violations of the Data Minimization Principle

European data protection enforcement agencies have created a vast amount of case law to let us know how not to implement data minimization and what the best practices about it are. Here are a few examples:

• The Finnish agency found a school to have breached the principle of data minimization by processing the bank account numbers of all its students to award possible scholarships to only some of them. The school should have only processed the bank data of the students who have actually received a scholarship, thereby collecting the necessary personal data for transferring funds only to the recipients.
• Despite not needing it for any processing, the Spanish AEPD fined a hotel EUR 2000 for merely scanning guests' IDs.
• In order to ensure the neighbor's safety, the Belgian DPA issued a EUR 600 warning to an individual about the installation of security cameras on his property. The DPA found that the recording of neighbors was not adequate and was beyond necessary.
• The Danish DPA reprimanded a company for violating the data minimization principle because they shared the sensitive data of a worker with her coworkers who needed to take over some of her tasks, although sharing such data was not necessary.
• The Finnish agency fined a company EUR 52,000 for processing and requesting unnecessary patient information from healthcare providers to settle insurance claims. The company requested full health records containing lots of health information, which was not necessary for these purposes.

Embracing data minimization is required for GDPR compliance. As you can see, agencies do not discriminate between small and large companies or individuals. 

However, not only the EU enforces this principle.

The US Consumer Data Privacy Laws (CCPA, VCDPA, and others) require data minimization.

The California Privacy Rights Act (CPRA), which amended the California Consumer Privacy Act (CCPA), brought the first data minimization rule to the United States. It states that "businesses should collect consumers' personal information only to the extent that it is relevant and limited to what is necessary in relation to the purposes for which it is being collected, used, and shared."

According to the Colorado Privacy Act, the processing of personal data "shall be solely to the extent that the processing is necessary, reasonable, and proportionate to the specific purpose or purposes."

The Connecticut Data Privacy Act mandates that a controller should only collect personal data that is adequate, relevant, and reasonably necessary for the purposes disclosed to the consumer.

All the state consumer privacy laws in the United States follow the same principles. They allow businesses to collect and process personal information without opt-in, but at the same time require them to limit the processing to the data they really need and not all the data they can collect.

Not respecting this principle means a violation of the law, which, throughout these states, is $7500 per violation. However, we haven't seen any investigations or fines in the US related to this principle.

The LGPD follows the Principle of Data Minimization.

Under the Lei Geral de Protecao do Dados (LGPD) of Brazil, data minimization refers to the processing only of the necessary data necessary to accomplish the processing purposes.

Article 6 prescribes the basic privacy principles for data processing. The third one requires "limitation of the processing activity to the minimum necessary for the accomplishment of its purposes, with the comprehensiveness of the relevant data proportional and not excessive in relation to the purposes of the data processing."

Obviously, Brazilian legislators replicate this privacy protection principle in other laws, most notably the EU GDPR.

Data Minimization Under PIPEDA

PIPEDA relies on Ten Privacy Principles, where the fourth principle is Limiting Collection. PIPEDA states that "the collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means."

It further explains that "organizations shall not collect personal information indiscriminately. Both the amount and the type of information collected shall be limited to that which is necessary to fulfill the purposes identified."

This means that even if you opt out in Canada, you still need to collect and retain only the minimum amount of customer data for processing.

Case Law in Canada: PIPEDA and the Data Minimization Principle

We already have enough case law from Canada's Office of Privacy Commissioner to understand its enforcement.

Here are a few cases:

• A transportation company has been required to cease surveilling truck drivers during work because recording the persons while working was not necessary for the purpose of aiding incident investigations. As a result, the company switched to forward-facing cameras without audio recording.
• An equipment store's practice of requiring a scanned copy of a customer's driver's license and taking their photograph as a condition for renting equipment led to a complaint and investigation by the OPC. The store justified this policy by citing past significant losses of expensive rental equipment. However, the Office of the Privacy Commissioner of Canada (OPC) advised that such a collection of personal information was generally considered inappropriate, as driver's licenses contain excessive information. The OPC highlighted that in cases of lost or stolen equipment, a driver's license copy and number offer minimal value to police investigations, making this practice disproportionate to the intended security measures.
• A bank required a partial Social Insurance Number (SIN) for setting up a "verified credit account" for online payments, which a customer challenged. The customer objected to providing her SIN for identity verification, seeking an alternative method. The bank disclosed that commercial websites provide an alternative method that does not require a SIN, yet the bank's website failed to communicate this information. Following the Office of the Privacy Commissioner of Canada's (OPC) intervention, highlighting a similar case of lack of transparency, the bank decided to stop using SIN for authentication and updated its website accordingly. This resolution satisfied the customer, and the OPC confirmed the website update, resolving the complaint.

Data Minimization under the India DPDPA

The India Digital Personal Data Protection Act (DPDPA) slightly differs from the other laws by mentioning the data minimization principle only in terms of processing personal data based only on consent. It states that "the consent given by the Data Principal shall be free, specific, informed, unconditional, and unambiguous with a clear affirmative action, and shall signify an agreement to the processing of her personal data for the specified purpose and be limited to such personal data as is necessary for such specified purpose."

It indicates that the data collected from users will be the minimum amount of data necessary for processing purposes.

How to Implement Data Minimization in Your Privacy Compliance Strategy

If you have been wondering about implementing data minimization, now you know that it provides only benefits and is explicitly required by all data privacy laws worldwide. It is a no-brainer.

You can achieve what we outline in this article by following these steps:

1. Determine your processing purposes.
2. Determine the categories of personal information for a specific purpose.
3. Consider whether these data categories only include what is required for a particular purpose.

If your answer is yes, you're good to go.

If you have been collecting more data than necessary in the past and you still store that data, it is time to delete it. As we explained above, it brings only risks without any benefits. This doesn't mean processing less data; it means processing only the right data.

That's one step toward providing data subjects with better data protection and reducing your business risks at the same time.