Question 32
Domain 4: Privacy Engineering and Governance
A messaging app wants to offer ephemeral sharing. Which requirement is the best privacy engineering specification?
Correct answer: B
Explanation
Ephemeral sharing requires data minimization and limited retention, so “Clients must auto-delete unopened media after 30 days” sets a concrete retention limit. “Suppress lock-screen previews” protects confidentiality by preventing unintended disclosure on a visible device surface, which aligns with privacy-by-design principles.
Why each option is right or wrong
A. Messages should feel safe
B. Clients must auto-delete unopened media after 30 days and suppress lock-screen previews
Under GDPR Art. 5(1)(c) and (e), personal data must be limited to what is necessary and kept no longer than needed for the purpose, so an ephemeral-sharing feature needs an explicit retention cap rather than an open-ended inbox. A 30-day auto-deletion rule gives a concrete storage limit, and suppressing lock-screen previews reduces unauthorized disclosure to anyone who can view the device, which is a direct confidentiality control consistent with privacy by design under Art. 25.
C. Notifications should be friendlier
D. Users should generally like the feature