Data Minimization

Amazon’s Jeff Bezos once famously stated that his company never threw away data. Whether true or not, that approach would be forbidden in regions that have data minimization regulatory requirements – the EU is currently the most prominent example of this. Data minimization is a principle which states that processors (businesses) should identify and store only the minimum amount of data needed to fulfill a purpose. In other words, it’s not permissible to gather data first and ask questions about what to do with it later.

There are other storage and operating practices that fall under the umbrella of data minimization. For example, the need to re-obtain consent periodically from users for already-captured data, and the requirement to delete data once a set retention period has elapsed, both serve the objective of data minimization. So does an emphasis on tightly managed access control. These are all common features of new data privacy laws like GDPR.
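The two storage practices just named, purpose-bound retention limits and periodic re-consent, are straightforward to enforce mechanically. The following is an added example (not code from the original article or from any regulator) that walks a constructed set of records, purges those whose retention window for their stated purpose has elapsed, and flags survivors whose consent is old enough to need renewing. The purpose names, the retention periods and the one-year re-consent interval are assumptions chosen for the illustration, not figures taken from GDPR or any other law.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Constructed retention policy: purpose -> maximum retention in days.
# These figures are assumptions for the example, not values from any regulation.
RETENTION_DAYS = {
    "order_fulfilment": 365,
    "marketing": 180,
    "support_ticket": 90,
}

# How long a consent record stays valid before it must be re-obtained (assumption).
RECONSENT_AFTER_DAYS = 365


@dataclass
class Record:
    record_id: str
    subject_id: str
    purpose: str
    collected_at: datetime
    # None when processing rests on a legal basis other than consent.
    consent_given_at: Optional[datetime]


def expired_records(records: List[Record], now: datetime) -> List[str]:
    """Return ids of records whose purpose-specific retention window has elapsed."""
    out = []
    for r in records:
        limit = RETENTION_DAYS.get(r.purpose)
        if limit is None:
            # No documented purpose means no documented reason to hold the data,
            # so the record is treated as expired rather than kept "just in case".
            out.append(r.record_id)
        elif now - r.collected_at > timedelta(days=limit):
            out.append(r.record_id)
    return out


def reconsent_due(records: List[Record], now: datetime) -> List[str]:
    """Return ids of consent-based records whose consent is older than the interval."""
    return [
        r.record_id
        for r in records
        if r.consent_given_at is not None
        and now - r.consent_given_at > timedelta(days=RECONSENT_AFTER_DAYS)
    ]


def apply_minimization(records: List[Record], now: datetime) -> Tuple[List[Record], List[str], List[str]]:
    """Drop expired records and report which survivors need consent refreshed.

    Returns (kept_records, purged_ids, reconsent_due_ids).
    """
    expired = set(expired_records(records, now))
    kept = [r for r in records if r.record_id not in expired]
    return kept, sorted(expired), reconsent_due(kept, now)


# Constructed sample data for the walkthrough.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE = [
    # Within retention, but consent was given 400 days ago: due for re-consent.
    Record("r1", "u1", "order_fulfilment", NOW - timedelta(days=100), NOW - timedelta(days=400)),
    # Marketing data past its 180-day limit: purged.
    Record("r2", "u1", "marketing", NOW - timedelta(days=200), NOW - timedelta(days=200)),
    # Recent support ticket held on a non-consent basis: kept, no re-consent needed.
    Record("r3", "u2", "support_ticket", NOW - timedelta(days=30), None),
    # Purpose not in the policy: purged regardless of age.
    Record("r4", "u2", "analytics_experiment", NOW - timedelta(days=5), NOW - timedelta(days=5)),
    # Order data past its 365-day limit: purged.
    Record("r5", "u3", "order_fulfilment", NOW - timedelta(days=400), NOW - timedelta(days=400)),
]

if __name__ == "__main__":
    kept, purged, refresh = apply_minimization(SAMPLE, NOW)
    print("kept:", [r.record_id for r in kept])
    print("purged:", purged)
    print("re-consent due:", refresh)
```

Treating an undocumented purpose as expired is the design choice that encodes the principle itself: data with no stated purpose has no claim to be retained. In a real system the retention table would be the documented record of processing purposes, and the purge step would run on a schedule against the store rather than on an in-memory list.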

Data minimization has obvious benefits for users – their data is only seen and processed when it’s necessary – but it can benefit businesses too. It’s not uncommon for a business to find itself drowning in customer data with insufficient resources to categorize, store, and leverage it efficiently. Organizations that incorporate data minimization into their way of working will end up with data operations that are lean and powerful. But because it’s such a foundational feature, going back to retroactively apply data minimization principles to an existing bloated system can be a significant logistical challenge.

Consent Processing

Consent is one of the most important legal bases for processing user data, and has a special place in digital privacy theory. Early privacy scholars like Alan Westin advocated for a “notice and choice” model of user privacy that’s still largely in use online today – users are notified of a data policy, and they consent to accept it. In this model, consent is the key that unlocks a processor’s (that is, a business’s) ability to leverage user data.

It should be no surprise, then, that there is plenty of wrangling over what constitutes “consent”. In the past, simply visiting a website may have been taken as an implied form of consent for that website to use visitors’ data however they wished. No longer. 

In GDPR Article 7, for example, consent is only considered valid if it is freely (i.e., voluntarily) given, specific, informed and unambiguous. In Canada’s updated PIPEDA, the law requires “meaningful consent” to be obtained and supplies guidelines with seven criteria that must be followed for meaningful consent to take place.

The “in a nutshell” takeaway is that it’s not enough to understand that consent is an important part of user data processing. It’s vital to understand that the nature of consent is complex and varies by region. Data processors must take care to ensure they’re satisfying the specific consent requirements of the territories where they operate.

Individual Data Rights

Individual data rights are at the core of all the major pieces of data privacy legislation. They are a bundle of rights aimed at letting individuals exert control over the way that their data is collected, stored, and processed by other parties. Each data right covered below is substantive enough to consider independently, but as a primer, it’s useful to see them listed together. As ever, the ICO has an excellent and comprehensive guide to user data rights on their site.

In a nutshell, the GDPR contains the most robust set of user data rights of any legislation, so an examination of them is most instructive. GDPR asserts an individual’s –

  • Right to be informed: essentially the right to know when their data is being collected and used.
  • Right of access: essentially the right to access and view the data that an organization has collected on them.
  • Right to rectification: essentially the right to correct inaccurate data or complete incomplete data related to them.
  • Right to erasure: also known as the “right to be forgotten”, this gives individuals the right to have their personal data erased.
  • Right to restriction: essentially the right to limit the ways in which an organization processes their data.
  • Right to portability: essentially the right to receive their data in a common and portable format, for example a clearly labeled CSV spreadsheet.
  • Right to object: essentially the right to stop the processing of their data in certain circumstances, specifically direct marketing.
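Each of the rights above corresponds to a concrete operation a data controller has to be able to perform on request. The following is an added example, not code from the original article, that models those operations against a small constructed in-memory store: access returns a copy of everything held, portability exports the records as labelled CSV, rectification corrects a field, restriction marks records as held-but-not-processed, objection removes direct-marketing records, and erasure deletes the subject entirely. The store layout, field names and purpose labels are assumptions for the illustration; a production system would perform the same steps against its real databases and downstream processors.

```python
import csv
import io
from copy import deepcopy
from typing import Dict, List

# Constructed in-memory store keyed by subject id. Each record is a purpose-tagged
# dict; "restricted" marks records whose processing has been restricted at the
# subject's request. Field names and purposes are assumptions for the example.
STORE: Dict[str, List[dict]] = {
    "u1": [
        {"record_id": "r1", "purpose": "order_fulfilment", "email": "u1@example.org",
         "city": "Lisbon", "restricted": False},
        {"record_id": "r2", "purpose": "direct_marketing", "email": "u1@example.org",
         "segment": "frequent_buyer", "restricted": False},
    ],
    "u2": [
        {"record_id": "r3", "purpose": "support_ticket", "email": "u2@example.org",
         "restricted": False},
    ],
}


def fresh_store() -> Dict[str, List[dict]]:
    """Return an independent copy of the sample store so each run starts clean."""
    return deepcopy(STORE)


def right_of_access(store, subject_id: str) -> List[dict]:
    """Right of access: a copy of everything held on the subject."""
    return deepcopy(store.get(subject_id, []))


def right_to_portability(store, subject_id: str) -> str:
    """Right to portability: the subject's records as labelled CSV text.

    The internal "restricted" flag is bookkeeping, not the subject's data, so it
    is left out of the export.
    """
    records = store.get(subject_id, [])
    fieldnames = sorted({k for r in records for k in r} - {"restricted"})
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames, extrasaction="ignore")
    writer.writeheader()
    for r in records:
        writer.writerow(r)
    return buf.getvalue()


def right_to_rectification(store, subject_id: str, record_id: str, field: str, new_value) -> bool:
    """Right to rectification: correct one field on one record; True if the record exists."""
    for r in store.get(subject_id, []):
        if r["record_id"] == record_id:
            r[field] = new_value
            return True
    return False


def right_to_restriction(store, subject_id: str, purpose: str) -> int:
    """Right to restriction: flag records for a purpose so they are held but not used."""
    n = 0
    for r in store.get(subject_id, []):
        if r["purpose"] == purpose and not r["restricted"]:
            r["restricted"] = True
            n += 1
    return n


def right_to_object(store, subject_id: str) -> int:
    """Right to object: stop direct-marketing processing by dropping those records."""
    current = store.get(subject_id, [])
    remaining = [r for r in current if r["purpose"] != "direct_marketing"]
    store[subject_id] = remaining
    return len(current) - len(remaining)


def right_to_erasure(store, subject_id: str) -> int:
    """Right to erasure: delete every record on the subject; returns the count removed."""
    return len(store.pop(subject_id, []))


def processable(store, subject_id: str) -> List[str]:
    """Record ids an application may actually process: unrestricted ones only."""
    return [r["record_id"] for r in store.get(subject_id, []) if not r["restricted"]]


if __name__ == "__main__":
    s = fresh_store()
    print(right_to_portability(s, "u1"))
    right_to_restriction(s, "u1", "order_fulfilment")
    print("processable after restriction:", processable(s, "u1"))
    print("erased records:", right_to_erasure(s, "u1"))
```

The point of the `processable` helper is that restriction and erasure are different obligations: a restricted record must still be stored (the subject may want it kept as evidence, for instance) but every processing path has to consult the flag, whereas erasure removes the record from the store altogether.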

Privacy By Design

Privacy By Design is a foundational concept in the study of modern data privacy. It’s incorporated into the text of the GDPR as a core principle, and while other pieces of data privacy legislation don’t go so far as to make its adoption mandatory, its influence remains considerable everywhere. The key figure in Privacy By Design’s development was Dr. Ann Cavoukian, Information and Privacy Commissioner for Ontario from 1997-2014.

The concept is based on seven “foundational principles” that any organization must adopt in order to fully incorporate Privacy By Design. They are:

– Proactive not reactive

– Privacy as the default setting

– Privacy embedded into design

– Full functionality – positive-sum, not zero-sum

– End-to-end security – full lifecycle protection

– Visibility and transparency – keep it open

– Respect for user privacy – keep it user-centric

There’s a great explainer on what each of these terms means here, but the “in a nutshell” explanation is that all of these considerations are necessary if privacy is to be truly embedded into a system’s design. Some GDPR commentators have expressed a wish that Privacy By Design contained more actionable specifics and fewer vague principles. They may have a point, but for now, this concept has become the de facto first principle of digital privacy enthusiasts worldwide.