From theory to practice: Data minimisation and technical review of verifiable credentials under the GDPR

Qifan Yang (first author)
2025-01-01

Abstract

Data minimisation is a fundamental principle of personal data processing under the European Union's General Data Protection Regulation (GDPR). Article 5(1) of the GDPR defines three core elements of data minimisation: adequacy, relevance, and necessity in relation to the purposes. Adequacy concerns the relationship between personal data and the purposes of processing, which minimises data collection to an adequate level in relation to the purposes. Relevance requires objective, logical, and sufficiently close links between personal data and the objective pursued, and the controller should demonstrate this relevance in the context of necessity. Necessity in relation to the purposes limits personal data processing to a specific accuracy level of the purposes, considering appropriateness, effectiveness, and intrusiveness. Our legal analyses provide a framework linking each legal element to specific technical requirements. In the context of Verifiable Credentials, Selective Disclosure and Zero-Knowledge Proofs contribute to the technical requirements of data minimisation. Our evaluation of credential types reveals that SD-JWT, JSON-LD BBS+, AnonCreds, and mDOC support Selective Disclosure, and JSON-LD with BBS+ signature and AnonCreds enable Zero-Knowledge Proofs. These findings show JSON-based credentials have significant potential to enhance data minimisation in the future.
2025
Yang, Qifan; Lepore, Cristian; Eynard, Jessica; Laborde, Romain
Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/11568/1315048