by Avi Gesser, Matthew Kelly, Will Schildknecht, Dr. Vera Jungkind (Hengeler Mueller), and Dr. Carolin Raspé (Hengeler Mueller)

We have written several times here over the last few years about data minimization being an important part of an effective cybersecurity program.  For most companies, the total amount of data that they control grows substantially each year, and more data generally creates more data protection risks.  Companies that have implemented effective data minimization programs are careful to collect only the data that they are likely to use, and routinely get rid of old data that they no longer need, thereby significantly reducing their data protection risks.  A recent enforcement action by the Berlin Data Protection Commissioner echoes recent U.S. regulatory developments in suggesting that companies without data minimization procedures face not only increased cybersecurity and privacy risks, but also regulatory risks—ones that can lead to penalties even when they don’t lead to a specific cyber incident.  In other words, data minimization is becoming a stand-alone regulatory obligation, in addition to being a key component of cybersecurity best practices.

On October 30, 2019, the Berlin Commissioner for Data Protection and Freedom of Information fined Deutsche Wohnen SE, a German real estate company, 14.5 million Euros (PDF: 37.27 KB) for violating Article 5 of the General Data Protection Regulation (“GDPR”), which mandates that the processing of personal data shall be “adequate, relevant, and limited to what is necessary in relation to the purposes for which [data] are processed.”  Specifically, the Commissioner determined that Deutsche Wohnen SE used an archive system to store tenants’ personal data that it no longer needed, which included old salary and bank statements, as well as tax, social security and health insurance data.  These infringements were identified during an on-site inspection in June 2017 and despite explicit recommendations issued after the authority’s visit, Deutsche Wohnen apparently did not remediate the deficiencies by the time of its next inspection in March 2019.  Consequently, the supervisory authority issued a fine for the period between May 2018, when GDPR came into force, and March 2019.

There are two particularly noteworthy aspects of this action.  The first is the imposition of a substantial fine without evidence of any harm to the data subjects.  The fact that there was no misuse of the unneeded personal data was only viewed as a mitigating factor in determining the “effective, proportionate and dissuasive” fine amount, which was approximately half the upper legal limit of the company’s 4% annual turnover.  The second is that there is no suggestion that the company should not have collected this data in the first place.  Rather, it was fined for not getting rid of data that it rightfully possessed, but no longer needed—a criticism that can be made of many companies’ data management programs.  Deutsche Wohnen has filed an appeal against the enforcement action.

European regulators are not alone in treating data minimization as a stand-alone obligation. As we have previously discussed here, the New York Department of Financial Services Cybersecurity Regulations mandate that regulated entities maintain a data minimization program that includes procedures for the secure disposal of any nonpublic information that is no longer necessary for business operations and does not need to be maintained because of a legal or regulatory obligation.  And regulators in other states, particularly in the insurance industry, have also implemented rules mandating data minimization for regulated entities.  At the federal level in the U.S., the FTC has used its authority under Section 5(a) of the Federal Trade Commission Act, 15 U.S.C § 45(a), to sanction companies, including most recently InfoTrax Systems, L.C. (PDF: 84.37 KB) on November 12, 2019, for (among other deficiencies) “fail[ing] to have a systematic process for inventorying and deleting consumers’ personal information . . . that is no longer necessary.” 

But, despite the benefits for data protection and regulatory compliance of having a strong data minimization program, many businesses maintain vast quantities of sensitive information that they don’t need.  There are several reasons for this:

• Data retention practices are often determined by corporate culture: expectations about what should be kept, what will be available, and how long it will take to get answers based on old data are not often set out expressly. Changing practice, therefore, requires an institutional re-orientation that can be challenging to implement. 
• Relatedly, data management issues cut across almost every business function and group within an organization, often with no one ultimately in charge. So getting rid of significant amounts of old data may require buy-in from senior personnel in business, risk, legal compliance, and IT, but without the necessary resources and authority to coordinate and accomplish such a difficult task.   
• With the rise of AI and machine learning, some companies feel that they should be keeping all of their data, in case one day they want to use it for internal purposes or perhaps sell it to third parties.
• Because data storage is cheap (especially with cloud-based hosting), and because of improved search and indexing capabilities, it is usually seen as minimally burdensome to keep any particular data set about which people are unsure. Repeating that decision again and again over time, results in large increases in data for the company.
• Because people frequently leave the company or change roles, or simply because of the passage of time, often no one at the company knows why a certain data set was collected, what it contains, what purpose it serves, or whether anyone may still need it.

Moreover, uncertainty over the precise contents of a large electronic data set often results in keeping it because of the concern that some of the data may be subject to litigation holds or regulatory preservation obligations, and no one is going to review millions of pages to ensure that no preservation obligation exists.

These are all difficult challenges for companies trying to implement effective data minimization programs, but they can all be addressed.

• Regulatory requirements mandating data minimization can be the impetus that some companies need to devote the necessary authority and resources to determine what kinds of data they have, what data is being collected on an ongoing basis, what should be kept for business purposes, and what isn’t needed and can be deleted.
• In terms of spoliation concerns in the U.S., recent changes to Federal Rule of Civil Procedure Rule 37(e) and decisions applying those changes demonstrate that U.S. courts understand that there must be a balance between the need to preserve documents for litigation purposes and the need for companies to get rid of old data to minimize cybersecurity and privacy risks. See Hefter Impact Tech v. Sport Maska Inc., 2017 WL 3317413 (D. Mass. Aug. 3, 2017), see also Martinez v. City of Chicago, 2016 WL 3538823 (N.D. Ill. June 29, 2016).
• Indeed, advances in data analytics and machine learning are creating opportunities for companies to responsibly delete large volumes of old data, without having to review each document to determine if it must be retained for litigation purposes or for some regulatory obligation.

These issues, along with a step-by-step approach to responsible document deletion, were discussed in detail in our data minimization webcast here and below.

In sum, for companies with large volumes of historical sensitive information, that do not already have a data minimization program, careful consideration should be given to these issues.  Although getting rid of large volumes of old data comes with costs and risks, increasingly, so does waiting too long to start.

Avi Gesser is a partner, Matthew Kelly is counsel, and Will Schildknecht is an associate at Davis Polk & Wardwell LLP.  Dr. Vera Jungkind is a partner and Dr. Carolin Raspé is a senior associate at the German firm, Hengeler Mueller. This piece was originally published on DavisPolk’s Cyber Blog.

Disclaimer

The views, opinions and positions expressed within all posts are those of the author alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of New York University School of Law.  PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with the author.