The Importance of Data Minimisation

The Principle 

The principle of data minimization is a fundamental concept in data protection and privacy laws. The principle holds that personal data collected and processed should be limited to what is necessary for the specific purpose(s) for which it was collected. In other words, only the minimum amount of personal data required to achieve a specific purpose should be collected and processed. 

The principle of data minimization is closely linked to the broader principle of purpose limitation, which states that personal data should only be collected for specified, explicit, and legitimate purposes and should not be further processed in a way that is incompatible with those purposes. 

The Essentiality  

Adherence to the principle of data minimization is critical for several reasons. First, it helps reduce the risk of data breaches and misuse of personal data. When only the minimum amount of personal data required for a particular purpose is collected and processed, there is less data that could be compromised in the event of a data breach. Additionally, collecting less personal data reduces the risk of data misuse by limiting the number of people who have access to that data. 

Several data breach incidents demonstrate the importance of the principle of data minimization. One such incident involved the retail giant Target in 2013. In that case, hackers gained access to Target’s payment system and stole the personal and financial information of millions of customers.

The breach was made possible, in part, because Target collected more data than was necessary to process payment transactions. For example, the company collected customers’ email addresses, phone numbers, and mailing addresses in addition to their payment card data. This additional data made it easier for the hackers to identify and target specific customers. 

Another example is the Equifax data breach in 2017. In that incident, hackers gained access to Equifax’s database and stole the personal data of over 140 million customers, including names, Social Security numbers, birth dates, and addresses. The breach was made possible, in part, because Equifax failed to adequately secure its data and had collected more data than necessary, including data on individuals who had no relationship with the company. The excessive collection of data made it easier for hackers to gain access to sensitive information and perpetrate identity theft and other forms of fraud. 


In contrast, companies that adhere to the principle of data minimization are less likely to suffer data breaches and other data-related issues. For example, the payment processing company Stripe only collects the minimum amount of data necessary to process payment transactions, including payment card data and billing information. By limiting the data collected, Stripe reduces the risk of data breaches and makes it more difficult for hackers to gain access to sensitive information. 

In conclusion, the principle of data minimization is a critical component of data protection and privacy laws. Adherence to the principle helps reduce the risk of data breaches and misuse of personal data, while also promoting transparency and accountability in data processing activities.

Companies and organizations that collect and process personal data must take steps to ensure they only collect the minimum amount of data necessary to achieve their specific purposes and must implement robust security measures to protect that data from unauthorized access and disclosure.

Major Privacy Updates of the Week

Upcoming US Senate Bill to set age minimum for access to social media:

A bipartisan group of U.S. Senators is expected to introduce legislation regulating children’s access to social media.

The bill would prohibit children under the age of 13 from accessing social media, and children aged 13 to 17 are expected to be allowed access with the consent of their parents. How children’s ages would be verified remains unclear.

Ukrainian cyber police arrested a man for selling data to Russian buyers:

A 36-year-old man was arrested by the Ukrainian cyber police for selling the data of Ukrainian and EU citizens. 

The police stated that the stolen data was sold by volume. The databases discovered by the officers contained information such as passport details, taxpayer numbers, birth certificates, and bank account data.

Data Protection inquiry over ChatGPT launched by Germany:

Data privacy concerns over ChatGPT have led Germany to launch an inquiry.

The German authorities want to verify whether OpenAI, under EU law, informs the people whose data has been used by ChatGPT; they are also demanding an answer from the US maker OpenAI.

Double Supply chain attack – 3CX compromised:

The cybersecurity firm Mandiant has reported that the breach of 3CX was caused by an earlier compromise of the futures trading platform Trading Technologies. This is known to be a supply chain attack caused by another supply chain attack.

However, the source of the breach was said to be an employee downloading a piece of outdated trading software.

IMF paper states the absence of data protection law in India poses a privacy risk:

According to the IMF paper, 80 million Indian users were affected by data breach incidents in 2021.

According to the IMF, comprehensive data protection legislation is still missing in India, putting the privacy and digital rights of users at risk.

Curated by: Prajwala D Dinesh, Ritwik Tiwari, Ayush Sahay

