
That's illegal under the GDPR and many other privacy laws and is subject to heavy fines if caught. I work in privacy at a large tech company, and we take this stuff extremely seriously.



The heavy fines everyone is fearmongering about are a running joke now.

It took 4 years and a non-profit making lots of noise for a brazen, obvious and malicious GDPR breach to be investigated despite it being plastered on every single website out there (I’m talking about non-compliant consent popups).

To date, the accumulated fine amount over the 4 years and all fined companies is around a billion. Now look up the profit that just one top adtech vendor makes in a year.

The spirit of the GDPR is great but its enforcement is severely lacking.


Yep. And you can extend that to all security compliance, not just GDPR. The biggest driver for compliance is being able to give solid answers on VSA questionnaires, not actually being secure. Certainly not fear of getting fined or failing an audit. The number of companies who get caught is so small, and the amount they get dinged for is so minuscule that it's not even a concern for them once they figure out how it works.


When the enforcing agency works against it, it's harder to effect change. Do many companies change their ways due to GDPR though? Not having too many fines may also be a testament to compliance kicking in before fines are necessary.

I think the system improved the web as a whole for EU with new options for consumers despite.


How does the law relate to backups? What about reports run in the past and possibly saved on someone’s local drive?


At big tech companies I’ve seen and heard about, the answer is crypto shredding. Encrypt all PII at rest with a per user data key. GDPR deletion requests can then delete the data key. This isn’t perfect, but it’s a step in the right direction IMO. Unfortunately I don’t see it being feasible for a typical company anytime soon.


Still keeps foreign keys and the key management can be a nightmare. Basically, you're talking per customer encryption keys... Even then, you still might get something if you have enough other data to cross-ref/compare against/you're just looking for something to confirm/parallel construct from.



Just linking to the root of the documentation itself doesn't help much. The relevant info appears to be Article 17, but even it makes no explicit mention of backups. There is this line, though: "[T]he controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data." This is not clarified in Article 23, Restrictions, so the logical meaning would be that even backups - assuming they are not read-only which would make this, at least in the minds of people who understand the technical limitation, unreasonable - must be purged of user data on an account deletion request. However, "reasonable to people who understand the technology" is not synonymous with "reasonable to people who make/enforce the law."


My previous employer had a "delete on restore" id list, if we ever needed to restore from a backup. My manager said that this should be sufficient for offline backups. They had a lawyer who had said it's OK but I of course don't have the full picture.

It is however a risk, too. The drives are encrypted, without power and not even networked but they can still be stolen together with the encryption key from the same building. But then probably you have bigger problems.

This also forces the systems that test the backups to be also offline, which is a huge hassle.
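The "delete on restore" id list described in the comment above, as an added example that is not the commenter's or their former employer's code. It assumes a backup laid out as a dict of tables whose rows each carry a `user_id` column, and a tombstone list persisted separately from the backups (the names `DeleteOnRestoreList`, `restore_with_tombstones` and `find_resurrected` are invented for this illustration). The point it makes concrete is that the list must survive independently of the backup set, because losing it is what quietly resurrects erased users.

```python
"""Delete-on-restore list: a tombstone set consulted whenever a backup is
restored, so erased users do not come back with the restored data."""
import json


class DeleteOnRestoreList:
    """User ids whose data was erased after some still-retained backup was taken.
    Assumption: stored outside the backups themselves (e.g. a small replicated
    table), since restoring a backup that lacks the list would undo the erasure."""

    def __init__(self, entries=None):
        # user_id -> erasure timestamp (ISO 8601), kept for the audit trail
        self._entries = dict(entries or {})

    def record(self, user_id, erased_at):
        self._entries[user_id] = erased_at

    def contains(self, user_id):
        return user_id in self._entries

    def to_json(self):
        return json.dumps(self._entries, sort_keys=True)

    @classmethod
    def from_json(cls, text):
        return cls(json.loads(text))


def restore_with_tombstones(backup, tombstones):
    """backup is {table: [rows]}; every row carries a 'user_id' column.
    Returns the filtered tables and a per-table count of dropped rows
    so the restore job can log what it withheld."""
    restored, dropped = {}, {}
    for table, rows in backup.items():
        kept = [r for r in rows if not tombstones.contains(r["user_id"])]
        restored[table] = kept
        dropped[table] = len(rows) - len(kept)
    return restored, dropped


def find_resurrected(restored, tombstones):
    """Post-restore check: any surviving row of a tombstoned user is a finding."""
    return [(table, r) for table, rows in restored.items()
            for r in rows if tombstones.contains(r["user_id"])]


def demo():
    # Constructed sample backup, taken before user u-42 asked for erasure.
    backup = {
        "users":  [{"user_id": "u-42", "email": "alice@example.com"},
                   {"user_id": "u-7",  "email": "bob@example.com"}],
        "orders": [{"order_id": "o-1", "user_id": "u-42", "total": 19.99},
                   {"order_id": "o-2", "user_id": "u-7",  "total": 5.00}],
    }
    tombstones = DeleteOnRestoreList()
    tombstones.record("u-42", "2024-01-15T10:00:00Z")
    # Round-trip through JSON: the list is persisted and reloaded at restore time.
    tombstones = DeleteOnRestoreList.from_json(tombstones.to_json())
    restored, dropped = restore_with_tombstones(backup, tombstones)
    return {
        "restored": restored,
        "dropped": dropped,
        "findings": find_resurrected(restored, tombstones),
        # What a naive restore without the list would have brought back:
        "unfiltered_findings": find_resurrected(backup, tombstones),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2, default=str))
```

Running the check in `find_resurrected` against the raw backup as well as the filtered one is deliberate: it shows how many rows the tombstone list actually withheld, which is the number an auditor will ask for.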


> Just linking to the root of the documentation itself doesn't help much.

I’m sorry, I didn’t have time to find a good specific reference, so I just linked to the whole document.

I suppose that a technical solution is to encrypt all backups of user data with one key per user. Then you only have to erase that user’s key if necessary.
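The per-user key scheme proposed here and in the earlier "crypto shredding" comment, as an added example that is not the commenters' code. It assumes a key store standing in for a KMS (`KeyStore`), an orders table whose PII column is ciphertext under the row owner's key (`OrdersTable`), and a dependency-free encrypt-then-MAC construction built from SHA-256 and HMAC so the example runs offline; a real deployment would use AES-GCM from a vetted library and keep the keys in an HSM or KMS. It also shows the caveat raised in reply: after shredding, the row and its foreign key are still there, only the PII is unrecoverable, and that holds for an old backup copy of the same rows.

```python
"""Crypto shredding: one data encryption key (DEK) per user, so deleting that
key makes every copy of the user's PII, live rows and backups alike, unreadable."""
import copy
import hashlib
import hmac
import secrets

KEY_LEN, NONCE_LEN, TAG_LEN = 32, 16, 32


class KeyStore:
    """One DEK per user. Stands in for a KMS/HSM-backed key store (assumption)."""

    def __init__(self):
        self._keys = {}

    def key_for(self, user_id):
        # Create the user's DEK on first use.
        if user_id not in self._keys:
            self._keys[user_id] = secrets.token_bytes(KEY_LEN)
        return self._keys[user_id]

    def lookup(self, user_id):
        return self._keys.get(user_id)

    def shred(self, user_id):
        # The erasure step: drop the key, leave the ciphertext wherever it sits.
        self._keys.pop(user_id, None)


def _subkeys(key):
    # Separate encryption and MAC keys derived from the user's DEK.
    return (hashlib.sha256(key + b"enc").digest(),
            hashlib.sha256(key + b"mac").digest())


def _keystream(enc_key, nonce, length):
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hashlib.sha256(enc_key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key, plaintext):
    # Toy encrypt-then-MAC stream cipher for a dependency-free demo only;
    # use AES-GCM from a vetted library in practice.
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def tamper_detected(key, blob):
    """True if flipping one ciphertext bit is rejected by decrypt()."""
    tampered = blob[:NONCE_LEN] + bytes([blob[NONCE_LEN] ^ 1]) + blob[NONCE_LEN + 1:]
    try:
        decrypt(key, tampered)
        return False
    except ValueError:
        return True


class OrdersTable:
    """Orders keep a plaintext foreign key to the user (needed for joins and
    accounting) while every PII column is ciphertext under that user's DEK."""

    def __init__(self, keys):
        self.keys, self.rows = keys, []

    def insert(self, user_id, order_id, email):
        self.rows.append({"order_id": order_id, "user_id": user_id,
                          "email_enc": encrypt(self.keys.key_for(user_id), email.encode())})

    def read(self, order_id):
        row = next(r for r in self.rows if r["order_id"] == order_id)
        key = self.keys.lookup(row["user_id"])
        # No key: the row and its foreign key remain, the email does not.
        email = decrypt(key, row["email_enc"]).decode() if key else None
        return {"order_id": order_id, "user_id": row["user_id"], "email": email}


def demo():
    keys, orders = KeyStore(), OrdersTable(KeyStore.__new__(KeyStore))
    orders.keys = keys
    orders.insert("u-42", "o-1", "alice@example.com")   # constructed sample data
    orders.insert("u-7", "o-2", "bob@example.com")
    backup = copy.deepcopy(orders.rows)                  # an old backup of the table
    before = orders.read("o-1")["email"]
    keys.shred("u-42")                                   # erasure request for u-42
    after = orders.read("o-1")
    restored = OrdersTable(keys)                         # restoring the backup later
    restored.rows = backup
    return {"before": before, "after": after["email"], "fk_kept": after["user_id"],
            "from_backup": restored.read("o-1")["email"],
            "other_user": restored.read("o-2")["email"]}


if __name__ == "__main__":
    print(demo())
```

Note what is and is not erased: `fk_kept` shows the `user_id` still present on the order after shredding, which is the residual linkage the reply about foreign keys and cross-referencing warns about; only the ciphertext column becomes unrecoverable.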


No one really checks

Source: talked with people who implemented GDPR deletion at some companies.


So you're suggesting it's okay to ignore the law if the enforcement isn't complete? It's designed to protect people from corporate overreach.

Also, given that the EU has been taking increasing action against companies for non-compliance, I wouldn't bet on it remaining unchecked forever. In the intermediate term, I'd bet on there being third-party compliance checks and certificates, with companies that don't use such getting more attention.


It's not that enforcement is not complete, it's that enforcement is near non-existent. In that case, it makes sense not to spend disproportionate amounts of resources mitigating a very slim risk, especially if your competition is overtaking you because they don't have the burden of compliance.



