
00:00
Adam Stofsky
Hello. I'm here today with Julia Apostle and Shannon Yavorsky from Orrick. Hey, guys, how you doing?
00:17
Shannon Yavorsky
Hey, Adam.
00:18
Julia Apostle
Hey, Adam. Good to see you.
00:21
Adam Stofsky
So today we're going to talk about what I think is a fundamental principle of data privacy law, which is called data minimization. So, Shannon, can I just ask you to define what is data minimization and why is it important?
00:35
Shannon Yavorsky
Sure, Adam. Let's start with the basics. Data minimization at its core is collecting, using, and retaining only the personal data that's necessary for a specified purpose. So you see this principle across nearly every major privacy framework. The GDPR, the CCPA, the California Consumer Privacy Act, and the FTC in their enforcement actions repeatedly focus on over-collection and over-retention as an unfair practice. So historically, minimization has focused on collection minimization, so don't collect data that you don't need; use limitation, so don't repurpose data without a compatible justification; and then retention limits, so deleting data when the business purpose ends.
01:33
Adam Stofsky
So it's interesting because data minimization, it doesn't mean just collect the minimum amount of data, period. It means the least you need to achieve some kind of legitimate legal purpose.
01:46
Shannon Yavorsky
That's exactly right.
01:47
Adam Stofsky
Yeah. Okay. Well, thank you. That was a great definition. Julia, can you maybe go into more detail about how the GDPR specifically kind of defines data minimization and how the GDPR handles it, as I think the suppose the original or kind of seminal law where data minimization is defined.
02:06
Julia Apostle
Yeah, sure, it probably goes back even further than the GDPR. But in any event, this is the keystone legislation from that perspective. So data minimization is one of the core data protection principles enshrined in the GDPR in Article 5, which means that as a principle, if all else fails, if there's no specific obligation in the GDPR in relation to a specific processing activity, the processing activity still has to respect the principles, and any interpretation of an obligation or a specific provision has to align with the principles as well. So data minimization is captured at paragraph (c) of Article 5, and it requires that personal data should be adequate, relevant, and limited to what is necessary in relation to the purpose for which they are processed. So that's pretty much exactly what Shannon just said.
03:11
Julia Apostle
And as Shannon has indicated, it's been picked up across in legislation around the world. The adequacy point is interesting because you can almost say, well, adequate doesn't mean minimal. Right? You could actually need more information than less in order to ensure it's adequate in relation to the purpose and I think that's quite relevant in relation to AI.
03:38
Adam Stofsky
Right, yeah. Interesting. Let's hold off on AI for a second, though. It's kind of hard to hold off on AI because it's everywhere. But let's. Can you give me a quick example, or let me pitch a hypo to you. This is a common example. Like, I'm doing a lot of cold outreach for my company, and so I, you know, maybe I do a LinkedIn Live event with Julia and Shannon and we get a bunch of people's email addresses and some other information because they register. How would data minimization principles apply to that data that I now have? That's just a quick and simple example.
04:11
Shannon Yavorsky
That's a great example. So you collected email addresses. I think if you think about the collecting, what data do you need for this purpose? You don't need their mailing address, you don't need their, you know, driver's license. You don't need their birth date. You really just need their name and email address in order to achieve the purpose, which is sending marketing communications. And then use. If you think about use limitation, right, you don't, you can't. Then if you've told people, I'm going to collect, I'm going to send you know, some further information about this. You can't then take their data and use it for something completely different for, I don't know, training a model or for adding to your data lake or your identity graph as another example.
05:05
Shannon Yavorsky
Then when you no longer need the data, deleting it at the end of that, the purpose is no longer needed. You don't need to tell people about this anymore.
05:14
Adam Stofsky
You delete it just to push on this a little more. Let's say I have a registration form for my, I don't know, my LinkedIn Live or webinar, obviously. Names, email addresses. What about things that might be relevant, like their job title or where they went to college or, you know, organizations they're members of that might be useful for me as a marketer? How would that stuff. I think it's obvious. Things like, I'm not going to ask for their Social Security number or like their gender, things like. Or their political party, like, I'm assuming those are clearly outside the realm of what I need to achieve this purpose. What about other things that are information that might be kind of on the cusp? How would you analyze those from a data minimization standpoint?
05:56
Julia Apostle
It all goes to how you've defined the purpose. Right. And that's why that whole exercise right at the outset, before starting any processing activity, is important to ensure that your purpose is properly defined to avoid the pitfalls of purpose limitation that Shannon just referred to. So if you define your purpose broadly but not erroneously, then you'll be able to tie different data categories to that purpose. And I would just add that you flagged, you know, a couple of categories that are obviously not relevant. But it's funny in France, not funny. It has been practice and common practice for years and years to always collect date of birth on almost any form, no matter what it is.
06:47
Julia Apostle
Like, you can still try to buy products on e-commerce sites here and be asked for your date of birth, which seems completely irrelevant, but it could be used as a way of verifying security if that's a purpose that's defined elsewhere. Right, so you've said, okay, this is for direct marketing purposes, but your privacy notice might have, you know, security-related data processing provisions, so you could find purposes elsewhere that relate to a single collection point.
07:24
Adam Stofsky
Interesting. Okay, then kind of bring this into the sort of practical day to day work that people do in companies. Who decides what the purpose is and who decides what minimal is? Is it a data protection officer in a company? Is it just sort of company employees who are managers in a certain department who decides?
07:45
Shannon Yavorsky
Yeah, it's a good question for me, and Julia, feel free to chime in. But for me it's, you know, making sure that your marketing folks know, like, have some understanding of this concept, and if they have a question about it, they can ask privacy legal, for example, so it's really cross-functional. In order to, you know, achieve data minimization, people within the organization have to have an understanding of what it is and why it matters. You have to tell people, like, this is why it's important, this is why it's a risk to collect more data than we actually need or to use the data for a different purpose. Because, you know, regular marketing people aren't really informed. They don't really know about these, you know, privacy concepts of data minimization.
08:34
Shannon Yavorsky
And why shouldn't they collect a ton of data? Wouldn't it be interesting to have, you know, someone's driver's license details or, you know, political affiliation? Isn't that helpful? But if they appreciate, if they've been given some training around what data is really needed, that they should only collect what data is really needed in order to achieve the purpose, and then if they have questions, being able to reach out to privacy legal, I think that puts the organization in a good position vis-a-vis managing risk.
09:07
Julia Apostle
I think that's right. Because you don't want to slow down a business's ability to act and start new initiatives. Right. So empowering the teams to be able to identify is crucial. Who else? Obviously the DPO, and in Europe the regulators definitely have a view on what constitutes inadequate or adequate data. And on the sort of birth date point, the French Commission Data Protection Authority has recently cracked down on the collection of birth dates and also on the use of Mr., Ms., and Mrs. and requiring that box to be filled when registering for accounts or purchasing certain items.
09:52
Shannon Yavorsky
Oh, that's interesting. Is that like, from a gender perspective, like, that's additional information that's not needed?
09:59
Julia Apostle
Yeah, it's just not relevant in many contexts.
10:05
Adam Stofsky
Yeah. Why would it be if you're just buying something? Yeah, why would it be relevant?
10:08
Julia Apostle
Like train tickets, for example.
10:11
Adam Stofsky
Right, interesting. Okay, let me ask you one more question on this before we wrap this intro, because it's just an intro to data minimization. There's obviously a lot to say here, but can you talk about the kind of data deletion you mentioned, kind of deleting data? What are the obligations to delete data? And I guess this is along two axes, Right? Like if you no longer need the data and also maybe if you realize you've collected too much. I don't know if those are two separate questions, but can you talk a bit about the obligation to delete data within the concept of data minimization?
10:46
Shannon Yavorsky
I'll start here and then Julia can chime in. So it's actually a separate principle: storage limitation is really a separate principle. I wrap it into data minimization because it's adjacent and very relevant. But storage limitation, so only storing data for as long as needed, is another really core privacy principle that requires organizations to keep personal data for only as long as it's needed for the purpose for which it was collected. So closely related to data minimization, but it focuses specifically on how long data is retained rather than, you know, how much is collected or used.
11:30
Shannon Yavorsky
And the reason it's important, and there are many reasons, but one of the main ones, and this came up recently, is in the event of a data security incident, you don't want to be chasing down, like, trying to contact people whose data you collected 10 years ago for marketing purposes. It's stale, it's probably inaccurate. Just having it is almost a risk in the event of, you know, for example, a data security incident. So this is just one of the reasons that it's important. But there are certainly others, like, you know, the inaccuracy point is a big one. People move around, their email addresses change. So the longer you keep data, the less likely it is to be useful and up to date. And it's just creating risk.
12:21
Adam Stofsky
Yeah. So just a pragmatic issue as well. Just if you. No one wants bad out of date emails anyway. Julia, anything else to say on storage limitation?
12:31
Julia Apostle
No, other than there's storage limitation as a principle and then a general prohibition on indefinite storage. Right. Indefinite retention. And often the two are confused, or you'll have companies that consider that they are satisfying their storage limitation principle or obligations by having a principle of indefinite storage.
12:58
Shannon Yavorsky
Right.
12:58
Julia Apostle
They're like, no, we're clear on it and we put it in our policy. Right. But that's not quite what it requires.
13:07
Adam Stofsky
Yeah, interesting. All right, so any final, just any final thoughts on data minimization before we wrap it up for. From either of you?
13:14
Shannon Yavorsky
I think it's just a really important one to educate people within the organization, like, throughout the organization, again, so they understand what it is and why it matters. And I think the extent to which privacy folks can do that and help people understand that they're not just, you know, ticking a box for legislation, it really creates risk for the organization, and that's why it matters. I think that's a really important goal for companies to have. Like, helping everybody understand and collectively act to minimize data is going to be a big sort of risk-mitigating factor.
13:56
Julia Apostle
Yeah, it's a great mindset. And beyond data protection, like, don't collect more data of any kind than is necessary.
14:05
Adam Stofsky
Great. Well, it looks super interesting. Thanks so much to both of you.
14:07
Shannon Yavorsky
Thanks, Adam.
14:08
Julia Apostle
Thanks.


