Data should only be collected where necessary for the stated purpose and with consent.
The moment a system handles data in a way that exceeds the expectation, knowledge or consent of the user, beyond the clear purpose specification of the system, and beyond what is lawful, it behaves excessively.
Data minimisation is the most effective way to build more secure and privacy respecting systems. It is not antithetical to innovation. Less data generation and processing means less data that can be misused or breached. Data minimisation also decreases the risk that data will be used in ways that are different from what an individual expects.