From theory to practice: Data minimisation and technical review of verifiable credentials under the GDPR

IF 3.3 3区社会学 Q1 LAW

Computer Law & Security Review Pub Date : 2025-05-05 DOI:10.1016/j.clsr.2025.106138

Qifan Yang , Cristian Lepore , Jessica Eynard , Romain Laborde

{"title":"From theory to practice: Data minimisation and technical review of verifiable credentials under the GDPR","authors":"Qifan Yang , Cristian Lepore , Jessica Eynard , Romain Laborde","doi":"10.1016/j.clsr.2025.106138","DOIUrl":null,"url":null,"abstract":"<div><div>Data minimisation is a fundamental principle of personal data processing under the European Union’s General Data Protection Regulation (GDPR). Article 5(1) of the GDPR defines three core elements of data minimisation: adequacy, relevance, and necessity in relation to the purposes. Adequacy concerns the relationship between personal data and the purposes of processing, which minimises data collection to an adequate level in relation to the purposes. Relevance requires objective, logical, and sufficiently close links between personal data and the objective pursued, and the controller should demonstrate this relevance in the context of necessity. Necessity in relation to the purposes limits personal data processing to a specific accuracy level of the purposes, considering appropriateness, effectiveness, and intrusiveness. Our legal analyses provide a framework linking each legal element to specific technical requirements. In the context of Verifiable Credentials, Selective Disclosure and Zero-Knowledge Proofs contribute to the technical requirements of data minimisation. Our evaluation of credential types reveals that SD-JWT, JSON-LD BBS+, AnonCreds, and mDOC support Selective Disclosure, and JSON-LD with BBS+ signature and AnonCreds enable Zero-Knowledge Proofs. These findings show JSON-based credentials have significant potential to enhance data minimisation in the future.</div></div>","PeriodicalId":51516,"journal":{"name":"Computer Law & Security Review","volume":"57 ","pages":"Article 106138"},"PeriodicalIF":3.3000,"publicationDate":"2025-05-05","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Computer Law & Security Review","FirstCategoryId":"90","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S2212473X25000112","RegionNum":3,"RegionCategory":"社会学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"LAW","Score":null,"Total":0}

引用次数: 0

Abstract

Data minimisation is a fundamental principle of personal data processing under the European Union’s General Data Protection Regulation (GDPR). Article 5(1) of the GDPR defines three core elements of data minimisation: adequacy, relevance, and necessity in relation to the purposes. Adequacy concerns the relationship between personal data and the purposes of processing, which minimises data collection to an adequate level in relation to the purposes. Relevance requires objective, logical, and sufficiently close links between personal data and the objective pursued, and the controller should demonstrate this relevance in the context of necessity. Necessity in relation to the purposes limits personal data processing to a specific accuracy level of the purposes, considering appropriateness, effectiveness, and intrusiveness. Our legal analyses provide a framework linking each legal element to specific technical requirements. In the context of Verifiable Credentials, Selective Disclosure and Zero-Knowledge Proofs contribute to the technical requirements of data minimisation. Our evaluation of credential types reveals that SD-JWT, JSON-LD BBS+, AnonCreds, and mDOC support Selective Disclosure, and JSON-LD with BBS+ signature and AnonCreds enable Zero-Knowledge Proofs. These findings show JSON-based credentials have significant potential to enhance data minimisation in the future.

查看原文本刊更多论文

从理论到实践：GDPR下可验证凭证的数据最小化和技术审查

根据欧盟的通用数据保护条例（GDPR），数据最小化是个人数据处理的基本原则。GDPR第5(1)条定义了数据最小化的三个核心要素：与目的相关的充分性、相关性和必要性。充分性指的是个人资料与处理目的之间的关系，即就处理目的而言，将资料收集减至适当的程度。相关性要求个人数据与所追求的目标之间存在客观、合乎逻辑且足够密切的联系，控制者应在必要的情况下证明这种相关性。考虑到适当性、有效性和侵入性，与目的相关的必要性将个人数据处理限制在特定的准确性水平。我们的法律分析提供了一个框架，将每个法律要素与具体的技术要求联系起来。在可验证凭证的背景下，选择性披露和零知识证明有助于数据最小化的技术要求。我们对证书类型的评估表明，SD-JWT、JSON-LD BBS+、anoncredds和mDOC支持选择性披露，而带有BBS+签名的JSON-LD和anoncredds支持零知识证明。这些发现表明，基于json的凭证在未来具有增强数据最小化的巨大潜力。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Computer Law & Security Review LAW-

CiteScore

5.60

自引率

10.30%

发文量

审稿时长

67 days

期刊介绍： CLSR publishes refereed academic and practitioner papers on topics such as Web 2.0, IT security, Identity management, ID cards, RFID, interference with privacy, Internet law, telecoms regulation, online broadcasting, intellectual property, software law, e-commerce, outsourcing, data protection, EU policy, freedom of information, computer security and many other topics. In addition it provides a regular update on European Union developments, national news from more than 20 jurisdictions in both Europe and the Pacific Rim. It is looking for papers within the subject area that display good quality legal analysis and new lines of legal thought or policy development that go beyond mere description of the subject area, however accurate that may be.