Data Minimization: The Secret Recipe for Sustainable Digitalization of Universities


Guest article by Matthias C. Kettemann, Head of the Department of Legal Theory and Future of Law at the University of Innsbruck, in collaboration with Peter Szabó, Legal Counsel and Data Protection Officer at Threema, and Danilo Bargen, CTO at Threema

Have you ever wondered why you have to provide personal information when shopping online? All too often, information such as the phone number and date of birth is provided without hesitation. But does the online shop really need all this information just to deliver baby diapers, for example?

In the age of big data, characterized by the mass collection and processing of personal data, the principle of data minimization, codified in Article 5 (1)(c) of the General Data Protection Regulation (GDPR), presents a deliberate counterapproach that restricts processing to what is necessary. It stipulates that data may be processed solely to the extent appropriate and necessary for the intended purpose. In accordance with the principle of purpose limitation in Article 5 (1)(b) of the GDPR, this purpose must be predetermined, clear, and legitimate. This is intended to prevent the collection of superfluous and irrelevant data and to ensure privacy protection. Data that is not collected does not have to be deleted or corrected and cannot be misused or sold. The most effective approach to ensure the optimal implementation of this principle is to integrate data minimization directly into the system, a concept referred to as “Privacy by Default” or “Privacy by Design.” During the initial setup of data processing systems, it is imperative to implement technical and organizational measures to ensure that only significant and necessary data is processed.

Data protection law is significantly shaped by European legislation. Of particular significance is the GDPR. The principles of the GDPR have been directly applicable in all member states for years. According to Article 3 of the GDPR, all companies, organizations, and public authorities that are based in the EU, process data of persons within the EU, or offer goods or services to persons in the EU must comply with these rules – including the University of Innsbruck.

Data Minimization as a Principle in the DACH Region

EU member states can also impose stricter regulations on data processing. In the context of data minimization, the GDPR is complemented in Austria, Germany, and in Switzerland (which is not an EU member) as follows:

The GDPR is supplemented by the German Federal Data Protection Act (BDSG). In Part 2, Chapter 1 of the BDSG, in addition to the general legal foundations, there are provisions regarding the processing of special categories of personal data and data processing in “special processing situations.” A notable distinction from the Austrian legislative approach is the German legislator’s emphasis on data processing not only in the public interest but also by the public (§ 23) and private entities (§ 24) for purposes beyond the public sphere. Furthermore, § 25 of the Telecommunications Digital Services Data Protection Act (TDDDG) contains rules for data processing by tele-service providers. According to § 3 (2) Z2 TDDDG, tele-service providers are natural or legal persons who provide digital services, offer them, or enable the use of their own or third-party content. It is further stipulated that the processing of user data by these entities is permitted solely to the extent necessary for the provision of the service.

In the Austrian context, the GDPR is complemented by the Data Protection Act (DSG). Section 7 of the DSG stipulates the conditions under which data processing may be conducted for specific purposes. These include data processing in the public interest that does not aim at achieving personalized results. Specifically, the processing of data for archival, scientific, or historical research purposes, in addition to statistical purposes, falls under the purview of the DSG (Sections 7(1) and (2)). In certain circumstances, the data protection authority may also be required to approve the processing (Section 7(3)). Furthermore, the processing of sensitive data, as delineated in Article 9 of the GDPR, must be substantiated by an overriding public interest. However, the legislator refrains from defining what constitutes an overriding public interest, thereby necessitating its assessment within the context of the particular situation. For instance, data processing in connection with the fight against pandemics could be considered.

After nearly 30 years, Switzerland undertook a comprehensive revision of its original Federal Act on Data Protection (FADP) of 1992, subsequently enacting the revised legislation in 2023. The revised FADP notably incorporated the updated Convention 108 of the Council of Europe, which Switzerland had ratified. Additionally, the revised adequacy decision by the EU Commission contributed to the overall revision process. Notably, even the prior legislation stipulated adherence to the principles of transparency (good faith and recognizability) and data minimization (proportionality) under its Article 4. In essence, the obligations for data processors are similar to those of the GDPR, though not as extensive as those of the EU regulation and Austria and Germany’s national data protection laws. The revised FADP, in Articles 6 (3) and (4) – and in Article 7, which is essentially equivalent to Article 25 of the GDPR – contains provisions on proportionality (data minimization) and purpose limitation of data processing. Transparency remains fundamentally anchored in the principle of good faith and, moreover, in an information obligation that is subject to criminal penalties. Personal data may only be processed for a specified purpose; the data processing must be proportional (suitable, necessary, and reasonable) to achieve that purpose, and once that purpose no longer exists, the data must be deleted.

Taking Data Minimization Seriously

Despite the explicit legal requirements, the practical reality often presents a divergent narrative. Communication platforms engage in data extractivism, i.e., maximizing data collection and processing, and have developed data-economic business models to generate revenue through data collection, analysis, and sale. A similar tendency is observed in other companies and (in some) public authorities, which also store more data than is necessary to enable future analyses or personalized services. The widespread use of external service providers and cloud solutions further exacerbates the issue by facilitating the dissemination of data to multiple entities. It is not uncommon for individuals to be required to consent to the sharing of their data with 200 or more “partners.”

This apparent disregard for the primacy of data minimization in practice carries significant risks, since collecting data makes one vulnerable. The more data is stored, the more attractive it is to cyber criminals, and the more severe the potential consequences of a data breach become. Storing too much data is not only a breach of data protection laws but also a violation of the GDPR, which can result in substantial financial penalties. Those who store too much data are also not keeping up with the times: users increasingly expect data protection-friendly services and are prepared to avoid companies that do not handle their data responsibly. Responsible handling entails the use of European or national cloud solutions, the use of open algorithmic tools, and a clear commitment to data minimization.

Privacy by Design as a Solution

An effective approach to counteracting excessive data collection is Privacy by Design. This strategy entails integrating data protection measures during the development phase of systems, products, and services. The advantages for companies include the mitigation of liability and compliance risks, a reduction in the attack surface for cyberattacks, increased customer trust and loyalty through confidence in privacy-compliant business practices, and efficiency gains and cost savings from avoiding unnecessary data storage. The ecological and economic objectives in the context of ESG processes are also clearly defined; for these environmental, social, and governance topics, European law has now spelled out an increasingly detailed reporting program and strengthened due diligence obligations.

Leading by Example: University of Innsbruck and Threema

The University of Innsbruck is committed to data protection through system design in the governance of student and staff data and research projects. In various projects, care is taken to ensure that only pseudonymized or anonymized data is processed. The design of the research infrastructure is intended to ensure the elimination of personal information at the earliest possible stage. Employee and student data is collected and managed in a data-efficient manner.

A pioneering initiative in this regard is the collaboration with Threema, a Swiss communication service that is a leading example of Privacy by Design and the highest security standards. In contrast to free messengers such as WhatsApp or Telegram, Threema strictly adheres to a data-sparing concept, as reflected in various aspects of its functionality. For instance, users do not upload profile pictures to central servers; instead, these images are shared directly with contacts via control messages that are encrypted and cannot be read by the server. Furthermore, Threema does not retain chat histories or address books on its servers. In the business context, Threema employs temporary storage mechanisms when companies automatically transmit login credentials to users. This data is deleted once it has been processed.

The Faculty of Law at the University of Innsbruck has partnered with Threema in the domain of mobile communication to set an example and demonstrate data minimization in practice. In the initial phase, Threema is already being used as a tool for staff communication at the faculty’s dean’s office that is compliant with data protection regulations. The staff have expressed particular satisfaction with the app’s simplicity and intuitiveness, the clear separation between personal and professional communication, and the option to limit the visibility of official communication when required. The potential for Threema to function as a versatile communication and information medium in faculty-wide communication among faculty members, students, and administrative personnel is also being contemplated. In the future, students could, for example, receive important information related to their studies – such as changes in lecture times or room changes – directly on their smartphones in an easy and modern way.

Data Minimization as a Sustainable Business Model

Data minimization and Privacy by Design represent not merely legal obligations but also strategic advantages. Adherence to these principles by companies has been demonstrated to result in a reduction of liability risks, a reduction in negative publicity, and an enhancement of employee and student trust. Universities, in particular, are well-positioned to set an exemplary precedent.

When comprehended in its entirety, data protection is not merely a regulatory hurdle or a business burden, but an opportunity to establish sustainable digital business models and data-saving usage practices from which all stakeholders ultimately benefit.