by danso 2999 days ago
As a U.S. citizen, I'd be interested in hearing how the GDPR enforces an actual delete. I do think it's intentional that Facebook is so vague about what "delete" means; in the given article, there is mention of "delete your Facebook data" and "delete anything from your timeline or profile that you no longer want on Facebook", but nothing about where the data is deleted from.

You can try to argue that the author wants to keep things simple for a general audience. Though a cynic would point out that one of the authors is FB's deputy general counsel, the type of person who we would expect to be incredibly precise and purposeful about wording.

I looked around on the FB support pages for more clarification and this is the best I could find:

https://www.facebook.com/help/224562897555674/

> When you delete your account, people won't be able to see it on Facebook. It may take up to 90 days from the beginning of the deletion process to delete all of the things you've posted, like your photos, status updates or other data stored in backup systems. While we are deleting this information, it is inaccessible to other people using Facebook.

Since it is talking about deleting backup/caches, I think it's reasonable to interpret that they mean a complete wipeout. Though I assume there's no guarantee either -- i.e. if FB's deletion process "happens" to not wipe out the cache or do a real wipe, how can we really confirm?

For a non-Facebook example, here's how Google talks about deletion of search activity:

https://support.google.com/accounts/answer/465

It explains that Google will retain the "meta" of your activity, and also says that the meta will be removed if you delete your account:

"When you use Google products and services, we keep some data with your Google Account, like when and how you use certain features. We keep this data even if you delete activity or other items. For example, if you go to My Activity and delete a search you did on Google, we'll still know that you did a search, but not what you searched for. What you searched for will no longer be stored with your account...We keep this data as long as it's relevant to meet uses like those above. If you delete your account, we remove this data from it."

3 comments

In addition to that, data derived from the data you supply (i.e. a trained ML model on your preferences or face) isn't deleted even if they do permanently delete data you've posted.

Whoa, I hadn't considered this at all. This opens a huge can of worms.

How could this even be enforced? If something like the GDPR gave you the ability to request that your data be deleted, would that extend to learned data?

In my opinion, there's no way they could make FB delete that kind of data. How would you even know they had it? It's not like FB would throw out entire trained models or attempt to retrain with everyone else's data, that would never make economic sense.

Could someone with more knowledge of the current data protection laws comment about how|if this is addressed? To me it seems like companies could just process all your data into some derivative and then delete the original data to stay compliant.

I am not a lawyer, but I think that learned or aggregated data should be fine, however hashed identifiable data is not OK. Identifiable data includes IP addresses and mobile device ids.

How much would it cost to have them refresh their models with still-consented data every 90 days (~4 times a year)?

We have indexed your genome for all known markers. Of course we can now destroy your blood sample!

"What you searched for will no longer be stored with your account...We keep this data as long as it's relevant to meet uses like those above. If you delete your account, we remove this data from it."

I'm still not absolutely certain it is deleted from disk.

What if the data is encrypted and Facebook throws away the key? Would that count as "deleted"? (Just wondering)

Under GDPR, that would be a yes if the key is truly lost, and the personal data is not recoverable by anyone.

If it is recoverable, then it falls into the ominous term: Pseudonymous: https://www.wsgrdataadvisor.com/2015/09/personal-data-anonym...

See this article from ArsTechnica in 2012: https://arstechnica.com/information-technology/2012/08/faceb...
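
The "throw away the key" question above, and the reply's condition that the key be truly lost, worked through as an added example that is not part of any comment in this thread. All names (`Store`, `seal`, `recover`) are hypothetical, the sample record is constructed, and an HMAC-SHA256 keystream stands in for a vetted AEAD such as AES-GCM so the block runs on the standard library alone.

```python
import hashlib, hmac, secrets

def _prf(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def _stream(key, nonce, n):
    # Stand-in cipher (assumption): HMAC-SHA256 in counter mode as a keystream.
    return b"".join(_prf(key, nonce + i.to_bytes(8, "big")) for i in range(n // 32 + 1))[:n]

def seal(key, plaintext):
    # Encrypt-then-MAC with separate subkeys derived from the per-user key.
    nonce, ek, mk = secrets.token_bytes(16), _prf(key, b"enc"), _prf(key, b"mac")
    ct = bytes(p ^ k for p, k in zip(plaintext, _stream(ek, nonce, len(plaintext))))
    return nonce + ct + _prf(mk, nonce + ct)

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(_prf(key, b"mac"), nonce + ct)):
        raise ValueError("wrong key or corrupted record")
    return bytes(c ^ k for c, k in zip(ct, _stream(_prf(key, b"enc"), nonce, len(ct))))

class Store:
    """Records are stored only as ciphertext; per-user keys live in a separate key store."""
    def __init__(self):
        self.keys, self.records = {}, {}

    def put(self, user, data):
        key = self.keys.setdefault(user, secrets.token_bytes(32))
        self.records.setdefault(user, []).append(seal(key, data))

    def snapshot(self, include_keys):
        # A backup taken before the deletion request; it may or may not copy the key store.
        return {"records": {u: list(r) for u, r in self.records.items()},
                "keys": dict(self.keys) if include_keys else {}}

    def erase(self, user):
        # Key destruction: ciphertext left in old backups can no longer be read.
        self.keys.pop(user, None)
        self.records.pop(user, None)

def recover(store, backup, user):
    """Try to read a user's backed-up records with any surviving copy of the key."""
    key = store.keys.get(user) or backup["keys"].get(user)
    return None if key is None else [unseal(key, b) for b in backup["records"].get(user, [])]

def demo():
    s = Store()
    s.put("alice", b"constructed sample post")
    clean, leaky = s.snapshot(include_keys=False), s.snapshot(include_keys=True)
    s.erase("alice")
    return recover(s, clean, "alice"), recover(s, leaky, "alice")
```

`demo()` returns `None` for the backup that held ciphertext only, and the plaintext for the backup that also copied the key store, which is the recoverable case the reply calls pseudonymous.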