“The vast majority of what is required here are things that we’ve already had for years across the world for everyone.”
My understanding is that GDPR would require a deep delete of user data from Facebook's systems. Anyone have info on how that would work with shadow profiles that Facebook creates on your behalf and without your consent? Seems like this would fall under the domain of GDPR. (Which also makes me think of just how misleading that quote is from Zuckerberg)
Yes. I've talked with some in the social media industry about addressing GDPR. What it means is a massive shift in the way data is handled.
What's the difference? Well, it's helpful to have some context on how data is used in a place like FB. Data originates (for the most part) with the user. It get's dropped in one of the many operational data sources that back the service. From there, it's mostly waiting to be used by someone for some reason, which might be a ML project or something else. So, then you will want to move the data. You'll make some sort of pipeline from the source to where you want to work, such as ETL the data you want out or set up some sort of messaging system to handle things in an online way.
Maybe now that you have the data, you'll share it with other people working on the project. The data might be distributed (best case) through an environment meant to work with the data (e.g., Spark/HDFS/Hadoop) or might just be sent piecemeal as CSVs. Once the project is done, the data might just be left in place. Who knows where those CSV's go?
One of the big requirements of GDPR is deleting an individual's data EVERYWHERE. And while the above is a sort of simplified view of user of data in a logical manner, I can assure you someone out there somewhere is doing something that doesn't make sense. In light of that, getting rid of a person's data everywhere is a HUGE architectural/infrastructural/process problem for a platform like FB.
That is because it is misleading. Under the GDPR, they would have to hard delete those shadow profiles. For everyone else, they would not delete that data.
Not only that, but any linkable information about that shadow profile will need to be scrubbed. So a photo of me and a friend which my friend has uploaded to facebook will need to have my face or other identifying details scrubbed or the photo deleted.
My understanding is that GDPR would require a deep delete of user data from Facebook's systems. Anyone have info on how that would work with shadow profiles that Facebook creates on your behalf and without your consent? Seems like this would fall under the domain of GDPR. (Which also makes me think of just how misleading that quote is from Zuckerberg)