December 3, 2025

Reconciling AI with the Data Minimization Principle: Bridging the Innovation and Privacy Gap

While AI technologies are not new, the advent and update of generative AI have prompted regulators and policymakers to renew their focus on their governance. In the context of privacy and data protection, this has led to debate on how data protection principles apply to AI, what new risks these systems may present, and how to address them.

In response to this, CIPL’s paper ‘Reconciling AI with the Data Minimization Principle: Bridging the Innovation and Privacy Gap’, examines how data minimization should be interpreted in the context of AI.

The paper makes the following recommendations for organizations and regulators to effectively operationalize data minimization in AI systems:

Adopt a contextual and flexible interpretation of data minimization: Organizations and regulators should apply data minimization proportionally, focusing on necessity, balancing risks and benefits, acknowledging AI-specific needs, tailoring measures across AI lifecycle stages and permitting socially beneficial secondary purposes.
Implement a structured necessity test framework: Organizations should assess data needs using a practical, step-by-step framework that defines purpose, considers less intrusive alternatives, justifies data volume, scope, and categories, limits retention, and ensures accountability and review.
Embed strong safeguards and accountability: Organizations should establish robust governance, cross-functional collaboration, and technical measures, including privacy-enhancing technologies, to responsibly manage and minimize personal data use.