by kenbaylor 2999 days ago
I wish they would give more clarity on what 'delete' means. Is it a) it's deleted from your timeline etc., or b) it is really deleted from Facebook's servers?

If it's a), then that's either a 'hidden' toggle, which does not meet GDPR needs, or a 'hidden and do not process further' flag, which is questionable (unless a right to be forgotten is invoked).

Also, if it's a), then everything is discoverable by someone with legal authority, even years after you believe you have deleted it.


Based on what I saw when I worked at FB, deletion means “it is really deleted from Facebook’s servers”. It just takes time for that to propagate across all data centers, get out of all caches, that sort of thing. Naturally, nobody believes this even though it’s true, just like nobody believes that Facebook doesn’t sell user data, even though their very business is based on keeping that data to themselves so they can profit from it through ad targeting.

Some minimal tombstone metadata like “This ID was a post/image” is kept around for things like error messages (“The post you are trying to view is not available. It may have been deleted or you may not have permission to view it.”). There might be exceptions for illegal things (like child pornography) where there’s some obligation to keep the data (or a hash or something) for law enforcement purposes, but I’m not aware of any.

Everyone who used their ad system should be fully aware that actually selling data would only hurt their business model.
As a U.S. citizen, I'd be interested in hearing how the GDPR enforces an actual delete. I do think it's intentional that Facebook is so vague about what "delete" means; in the given article, there is mention of "delete your Facebook data" and "delete anything from your timeline or profile that you no longer want on Facebook", but nothing about where the data is deleted from.

You can try to argue that the author wants to keep things simple for a general audience. Though a cynic would point out that one of the authors is FB's deputy general counsel, the type of person who we would expect to be incredibly precise and purposeful about wording.

I looked around on the FB support pages for more clarification and this is the best I could find:

https://www.facebook.com/help/224562897555674/

> When you delete your account, people won't be able to see it on Facebook. It may take up to 90 days from the beginning of the deletion process to delete all of the things you've posted, like your photos, status updates or other data stored in backup systems. While we are deleting this information, it is inaccessible to other people using Facebook.

Since it is talking about deleting backup/caches, I think it's reasonable to interpret that they mean a complete wipeout. Though I assume there's no guarantee either -- i.e. if FB's deletion process "happens" to not wipe out the cache or do a real wipe, how can we really confirm?

For a non-Facebook example, here's how Google talks about deletion of search activity:

https://support.google.com/accounts/answer/465

It explains that Google will retain the "meta" of your activity, and also says that the meta will be removed if you delete your account:

"When you use Google products and services, we keep some data with your Google Account, like when and how you use certain features. We keep this data even if you delete activity or other items. For example, if you go to My Activity and delete a search you did on Google, we'll still know that you did a search, but not what you searched for. What you searched for will no longer be stored with your account...We keep this data as long as it's relevant to meet uses like those above. If you delete your account, we remove this data from it."

In addition to that, data derived from the data you supply (i.e. a trained ML model of your preferences or face) isn't deleted even if they do permanently delete the data you've posted.
Whoa, I hadn't considered this at all. This opens a huge can of worms.

How could this even be enforced? If something like the GDPR gave you the ability to request that your data be deleted, would that extend to learned data?

In my opinion, there's no way they could make FB delete that kind of data. How would you even know they had it? It's not like FB would throw out entire trained models or attempt to retrain with everyone else's data, that would never make economic sense.

Could someone with more knowledge of the current data protection laws comment on how/if this is addressed? To me it seems like companies could just process all your data into some derivative and then delete the original data to stay compliant.

I am not a lawyer, but I think that learned or aggregated data should be fine, however hashed identifiable data is not OK. Identifiable data includes IP addresses and mobile device ids.
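The point in the comment above that a hashed identifier is still identifiable deserves a concrete demonstration. The following Go program is an added example, not code from the thread or from any of the companies discussed: it "pseudonymizes" an IPv4 address with plain SHA-256, then recovers the original by enumerating candidate addresses, which is cheap because the whole IPv4 space is only 2^32 values (the demo enumerates a single /24 so it finishes instantly). It also shows the keyed (HMAC) variant, which defeats enumeration for anyone without the key but, for exactly that reason, remains pseudonymous rather than anonymous in the hands of the key holder. The sample address and the HMAC key are constructed for the demo.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/netip"
)

// PseudonymizeIP is the kind of unkeyed "hashed identifier" a service might
// store in place of a raw IPv4 address, believing the hash is no longer
// personal data.
func PseudonymizeIP(ip string) string {
	sum := sha256.Sum256([]byte(ip))
	return hex.EncodeToString(sum[:])
}

// KeyedPseudonymizeIP is the HMAC variant: without the key, an attacker cannot
// enumerate candidates. With the key, the operator can still re-identify the
// address, so the output is pseudonymous, not anonymous.
func KeyedPseudonymizeIP(ip string, key []byte) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(ip))
	return hex.EncodeToString(m.Sum(nil))
}

// RecoverIP walks every address in prefix and returns the one whose
// pseudonym (computed by f) equals target, or "" if none matches.
func RecoverIP(target string, prefix netip.Prefix, f func(string) string) string {
	prefix = prefix.Masked()
	for addr := prefix.Addr(); prefix.Contains(addr); addr = addr.Next() {
		if f(addr.String()) == target {
			return addr.String()
		}
	}
	return ""
}

// RecoverIPFromHash reverses the unkeyed hash by enumeration.
func RecoverIPFromHash(hash string, prefix netip.Prefix) string {
	return RecoverIP(hash, prefix, PseudonymizeIP)
}

// RecoverIPFromKeyedHash reverses the keyed hash; it only succeeds if the
// caller holds the same key the service used.
func RecoverIPFromKeyedHash(hash string, key []byte, prefix netip.Prefix) string {
	return RecoverIP(hash, prefix, func(ip string) string { return KeyedPseudonymizeIP(ip, key) })
}

func main() {
	// Constructed sample: an address in the TEST-NET-3 documentation range.
	ip := "203.0.113.77"
	net := netip.MustParsePrefix("203.0.113.0/24")
	serviceKey := []byte("constructed-demo-key-do-not-reuse")

	stored := PseudonymizeIP(ip)
	fmt.Println("unkeyed pseudonym:", stored)
	fmt.Println("recovered by enumeration:", RecoverIPFromHash(stored, net))

	keyed := KeyedPseudonymizeIP(ip, serviceKey)
	fmt.Println("keyed pseudonym:", keyed)
	fmt.Println("recovered without key:", RecoverIPFromKeyedHash(keyed, []byte("wrong-key"), net))
	fmt.Println("recovered with key:   ", RecoverIPFromKeyedHash(keyed, serviceKey, net))
}
```

The enumeration is bounded by the size of the identifier space, not by the strength of the hash, which is why the same reasoning applies to phone numbers, device IDs and other short, structured identifiers.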
How much would it cost to have them refresh their models with still-consented data every 90 days (~4 times a year)?
We have indexed your genome for all known markers. Of course we can now destroy your blood sample!
"What you searched for will no longer be stored with your account...We keep this data as long as it's relevant to meet uses like those above. If you delete your account, we remove this data from it."

I'm still not absolutely certain it is deleted from disk.

What if the data is encrypted and Facebook throws away the key. Would that count as "deleted"? (Just wondering)
Under GDPR, that would be a yes if the key is truly lost, and the personal data is not recoverable by anyone.

If it is recoverable, then it falls into the ominous term: pseudonymous: https://www.wsgrdataadvisor.com/2015/09/personal-data-anonym...

See this article from ArsTechnica in 2012: https://arstechnica.com/information-technology/2012/08/faceb...
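The "encrypt it and throw away the key" idea raised two comments up, and the condition attached to it in the reply (the key must be truly lost, recoverable by nobody), is the technique usually called crypto-shredding. The Go program below is an added example, not code from the thread or from Facebook: it models a toy in-memory store with one data encryption key (DEK) per user, AES-GCM for the records, and a backup list that keeps copies of ciphertext the way a replica or backup system would. Shred destroys only the DEK; the ciphertext stays wherever it has propagated, yet becomes unreadable. The example also shows the failure mode from the reply: if any copy of the key survives (here, a copy taken before shredding), the backups decrypt again and the data is merely pseudonymous. Store, user IDs and the sample post are all constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrShredded is returned when no key exists for a record.
var ErrShredded = errors.New("no key for record: ciphertext is unrecoverable")

// Store models per-user envelope encryption (constructed for the demo).
// keys is the only place the DEK lives; Records and Backups hold ciphertext
// and stand in for the caches, replicas and backups that "take up to 90 days".
type Store struct {
	keys    map[string][]byte // userID -> 32-byte AES-256 key
	Records map[string][]byte // userID -> nonce || ciphertext
	Backups [][]byte          // ciphertext copies that deliberately outlive deletion
}

func NewStore() *Store {
	return &Store{keys: map[string][]byte{}, Records: map[string][]byte{}}
}

func newAEAD(dek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext under dek with a fresh random nonce; the user ID is
// bound as associated data so a record cannot be replayed under another user.
func Encrypt(dek []byte, userID string, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(dek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(userID)), nil
}

// Decrypt opens a record produced by Encrypt; it fails for a wrong or
// missing key and for any tampering with the ciphertext.
func Decrypt(dek []byte, userID string, record []byte) ([]byte, error) {
	aead, err := newAEAD(dek)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(record) < ns {
		return nil, errors.New("record too short")
	}
	return aead.Open(nil, record[:ns], record[ns:], []byte(userID))
}

// Put generates the user's DEK on first use and writes the ciphertext to the
// primary record and to the backup list.
func (s *Store) Put(userID string, plaintext []byte) error {
	dek, ok := s.keys[userID]
	if !ok {
		dek = make([]byte, 32)
		if _, err := rand.Read(dek); err != nil {
			return err
		}
		s.keys[userID] = dek
	}
	ct, err := Encrypt(dek, userID, plaintext)
	if err != nil {
		return err
	}
	s.Records[userID] = ct
	s.Backups = append(s.Backups, append([]byte(nil), ct...))
	return nil
}

// Get decrypts the primary record; without a key it can only report ErrShredded.
func (s *Store) Get(userID string) ([]byte, error) {
	dek, ok := s.keys[userID]
	if !ok {
		return nil, ErrShredded
	}
	return Decrypt(dek, userID, s.Records[userID])
}

// KeyCopy models a key export or key backup. If one exists anywhere after
// Shred, the data is recoverable and therefore pseudonymous, not deleted.
func (s *Store) KeyCopy(userID string) []byte {
	return append([]byte(nil), s.keys[userID]...)
}

// Shred is crypto-shredding: zero and drop the DEK. The ciphertext is left in
// Records and Backups on purpose, since a real system cannot promise that every
// replica and backup is purged promptly.
func (s *Store) Shred(userID string) {
	if dek, ok := s.keys[userID]; ok {
		for i := range dek {
			dek[i] = 0
		}
		delete(s.keys, userID)
	}
}

func main() {
	s := NewStore()
	user := "user-42" // constructed sample ID
	if err := s.Put(user, []byte("constructed sample post with personal data")); err != nil {
		panic(err)
	}
	pt, _ := s.Get(user)
	fmt.Printf("before shred: %q\n", pt)
	s.Shred(user)
	_, err := s.Get(user)
	fmt.Println("after shred:", err)
	_, err = Decrypt(s.KeyCopy(user), user, s.Backups[0])
	fmt.Println("backup without key:", err)
}
```

The practical check for a "we deleted it" claim under this design is therefore not whether ciphertext still exists in some backup but whether every copy of the per-user key, including key backups, HSM exports and escrow, has been destroyed.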