[IgorPartola]

Aren't backups basically a guarantee that you can never ever delete anything from anyone's server? Even if you hit delete on an email/post/photo/etc. if they made a backup before then, your data will now forever live on in some vault or maybe just Amazon Glacier. I can't imagine that Yahoo would go and retroactively remove your email from their backup tapes/optical discs/offline hard drives/clay tablets that they use.

[scoot]

The nearest thing to a "standard" for retention of operational backups is 30-60 days. For organisations retaining backups as part of some ill-conceived archive, 7 years is typical; for organisations retaining backups under legal hold, or whose backup process is out of control, indefinite retention is not unheard of.

So while it's possible that backups mean you can never be entirely certain your deleted data will stay deleted, it's most certainly not guaranteed.

In Europe, the recently enacted General Data Protection Regulations "GDPR" which will come into force in 2018 will in theory require organisations to ensure that personal information is removed in an appropriate timeframe - this would include disposing of backups, or where data is comingled, ensuring at a granular level that data is blacklisted for restore.

It remains to be seen how practical that will be, so moving to retentions appropriate for operational restore may be the more sensible solution.