Data minimization requirements are not new but they are becoming more common, and enforcement is on the rise.
"Legal basis" requirements for data processing, justifying data processing activities and transfers, and adhering to data minimization principles began hitting organizations' radars with the EU General Data Protection Regulation.
In response to the GDPR, many multinationals are differentiating regionally, or by jurisdiction, how they process data and, for example, which information technology monitoring tools they deploy to monitor their workforce around the world. Most of the new U.S. state privacy laws have data minimization principles, including the California Consumer Privacy Act, which remains the only broadly applicable state privacy law.
To stay compliant, organizations should establish and reinforce internal messaging that all data processing activities must be reviewed with a data minimization lens. It is becoming increasingly challenging to fully capture all requirements with a short global assessment.
But all organizations should consider a threshold assessment for each process, program or product where data privacy — and, as applicable, AI considerations — are addressed at a high level. Depending on the outcome of an initial assessment, a deeper dive may be required, and activities may need to be restricted by jurisdiction.
Requirements under the GDPR
Data minimization requirements have applied in Europe since the 1970s and were codified and mostly harmonized in the GDPR, which became applicable across the European Union in May 2018.
In its June 2017, "Opinion 2/2017 on data processing at work," the predecessor to the European Data Protection Board, the Article 29 Data Protection Working Party, indicated employers "must take the principle of data minimisation into account when deciding on the deployment of new technologies" and that the "information registered from the ongoing monitoring, as well as the information that is shown to the employer, should be minimized as much as possible."
It adds, "Employees should have the possibility to temporarily shut off location tracking, if justified by the circumstances. Solutions that for example track vehicles can be designed to register the position data without presenting it to the employer."
The GDPR's data minimization principle states personal data shall be "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed," but does not define those terms. While their meaning will depend on a case-by-case assessment considering the purposes of processing and the data subjects concerned, adequate generally means it is sufficient to properly fulfill a defined processing purpose and relevant means it is sufficiently linked or connected to the purpose.
In addition to the data minimization principle, and separate but related data accuracy and storage limitation principles in GDPR's Article 5(1)(d) and (e), organizations must identify a "legal basis" for all data processing activities — under Article 6, supplemented by Article 9, as far as special categories of data are concerned. If no legal basis can be identified, the processing is prohibited. This has resulted in restrictions including around intrusive IT monitoring of employees on company systems.
For example, France's data protection authority, the Commission nationale de l'informatique et des libertés, has issued several decisions regarding the simplified sanction procedure introduced in 2022 and on the basis of noncompliance with the data minimization principle in cases concerning the permanent geolocation and continuous video surveillance of employees.
The CNIL asserted that the continuous recording of geolocation data, with no possibility for employees to stop or suspend the system during break times, is, unless there is special justification, an excessive infringement of employees' freedom of movement and right to privacy. The CNIL notably considered that the prevention of workplace accidents and gathering of evidence does not justify continuous video surveillance of employee workstations and that the personal data generated by the surveillance is neither appropriate nor relevant.
The GDPR's data minimization principle is also closely linked to the requirement of "data protection by design and by default" under Article 25. It states the controller must, from the time means for processing is determined and continuing during processing, implement appropriate technical and organizational measures, such as pseudonymization, which are designed to implement data protection principles, such as minimization, in an effective manner. In addition, the controller must implement measures to ensure that, by default, only personal data necessary for each specific processing purpose is processed. That obligation applies to the amount of personal data collected, the extent of processing, the period of storage and accessibility.
In its Guidelines 4/2019 on Article 25 Data Protection by Design and by Default, the European Data Protection Board stresses that "Article 25(2) lists the dimensions of the data minimisation obligation for default processing, by stating that the obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility."
Today, with the exponential development of AI and the need for large amounts of data to train AI models, the data minimization principle as set forth under the GDPR is under tension. The EU AI Act, adopted by the European Parliament in March 2024 expressly refers to data minimization in Recital 69.
It states, "The right to privacy and to protection of personal data must be guaranteed throughout the entire lifecycle of the AI system. In this regard, the principles of data minimisation and data protection by design and by default, as set out in Union data protection law, are applicable when personal data is processed. Measures taken by providers to ensure compliance with those principles may include not only anonymisation and encryption, but also the use of technology that permits algorithms to be brought to the data and allows training of AI systems without the transmission between parties or copying of the raw or structured data themselves, without prejudice to the requirements on data governance provided for in this Regulation."
Requirements under the CCPA
In the U.S., the introduction of data minimization requirements is a more recent concept. Organizations are only just waking up to the idea that a detailed privacy notice is not enough and they must separately justify processing activities to comply with the law.
The CCPA provides in California Civil Code § 1798.100(c) that "A business' collection, use, retention, and sharing of a consumer's personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes."
Pursuant to the CCPA regulations § 7002 a business may also process personal information for a purpose it was not collected for, and that is not compatible with the collection context, if it obtains consumer consent. But even if consent is obtained, the processing must be reasonably necessary and proportionate for the intended purpose.
The CCPA regulations outline in detail considerations that apply to a data minimization analysis. Businesses should focus on justifying the need for all new data processing, data subject expectations, specific, explicit, prominent, and clear privacy notice, risks to data subjects, implementing safeguards to protect data subjects, and minimizing processing of sensitive personal information.
The California Privacy Protection Agency issued an "
Focusing on a few key points can help organizations navigating increasingly numerous and detailed data minimization requirements globally.
- Implement governance protocols for the entire workforce. When people sign or put their name to something, they are more likely to comply with it. Naming "system stewards," or similar roles, for all new tools is in line with emerging data privacy and AI assessment requirements. Consider implementing a short protocol that each employee must sign that includes an assessment component for new tools and processes, as well as changes to existing ones.
- Understand the business' tools and processes, including things like code on the website, to build compliance around it.
- Minimize processing of sensitive personal information. The type of personal information is enumerated in the CCPA regulations as a factor in the CCPA data minimization analysis. Additional compliance obligations apply to processing of sensitive personal information, such as opt-out requirements for any processing beyond CCPA-enumerated purposes. Opt-in consent requirements apply under other U.S. state laws, as well as laws globally.
- Make sure agreements include all required restrictions. Review all agreements with the parties supporting the business. As painful and time consuming as this sounds, this step is critically important to manage risk and adhere to data minimization principles. The CCPA regulations state that the degree to which service providers and third parties are involved should be apparent to the data subject to show data minimization is respected. Any data disclosure that is not to a service provider, under all CCPA required service provider terms, should be carefully reviewed to ensure data processing is limited to what is necessary and proportionate.
- Follow design and default data minimization elements outlined by the European Data Protection Board in its guidelines on data protection by design and by default, which are increasingly echoed in privacy laws around the world. A less discussed data minimization element from the guidelines is that data flows should be made efficient so as not to create more copies of data than necessary.
- Ensure data minimization compliance is documented as part of an impact and risk assessment.
