Reviving Purpose Limitation and Data Minimisation in Data-Driven Systems

TL;DR

This paper examines the feasibility of implementing data minimisation and purpose limitation principles in data-driven systems, highlighting technical possibilities, legal obstacles, and practical trade-offs to inform AI development and regulation.

Contribution

It provides a detailed techno-legal analysis showing that data minimisation is technically feasible but faces legal and practical challenges in current systems.

Findings

Systems could technically use less data than they currently do

Legal and practical obstacles hinder meaningful implementation

Trade-offs emerge when applying data protection law in practice

Abstract

This paper determines whether the two core data protection principles of data minimisation and purpose limitation can be meaningfully implemented in data-driven systems. While contemporary data processing practices appear to stand at odds with these principles, we demonstrate that systems could technically use much less data than they currently do. This observation is a starting point for our detailed techno-legal analysis uncovering obstacles that stand in the way of meaningful implementation and compliance as well as exemplifying unexpected trade-offs which emerge where data protection law is applied in practice. Our analysis seeks to inform debates about the impact of data protection on the development of artificial intelligence in the European Union, offering practical action points for data controllers, regulators, and researchers.