You mean soft delete. I'll eat a sock if FB really deletes all of your history. Another one if they make that the default and you only get the other treatment after opting in.
You try deleting data from a busy Cassandra node. The tombstones, the tombstones!!!
(More than just Cassandra tho, many databases don't actually "delete", at least not immediately. They "mark for deletion", and may or may not _actually ever delete_ anything.)
The later case is different than simply updating the DeletedAt column.
The database not actually deleting is still the application properly deleting it. If the DB eventually carries that out or not is a lesser concern to me, tbh.
The concern here is that facebook doesn't actually tombstone their entries or doesn't even have their DB mark it deleted.
Not true. You have the right to retain backups and logs etc. as long as they serve their purpose to secure your service for accidental loss of data or other security purposes and they are properly stored and secured.
What if hacker deletes your Facebook account? Under GDPR Facebook has actually obligation to keep your data safe from this scenario. Which means they have to keep logs to investigate what happened and also be able to restore your data.
You should delete backups after certain amount of time and state your policy to users.
Only if you keep them a reasonable time and the backups will gradually be purged.
You can't keep indefinite backups and comply with GDPR.
So if your 5 year old backup, which has no purpose at all, gets stolen, expect a whopping fine for being an idiot. Or your web logs get stolen and it turns out you keep them 2 years, don't expect favourable treatment as that's totally unnecessary data retention.
The backups that you can retain are hard to justify further back than about a year (if you even manage to do that), and if you ever use them you have to make sure the data that was deleted because of a request before is not in there again.
No, GDPR requires you to delete all the data corresponding to a user within 30 days after the said user requests deletion of account. That includes backups and logs.
Why do we even use the word "delete" in this forum? We know that (so far) it is NOT deleting anything. It only means "hide from view". Facebook will not forget and will not forgive. Some 10-hour-question-avoiding in front of a committee (irrespective of importance) will not change FB's business model (aka money-maker) overnight.
They'll just delete your user ID field for whatever you posted - so it won't be associated with you any longer, at least on their systems, but they will keep the content for analysis.
That won't work. They also cannot retain data that could be aggregated to identify you as a person. Anonymising by removing an ID is not actually doing that, it's just theater. The GDPR has provisions for that. Bottom line is: if you start fudging things or working around it, you're going to get fined.
If that's true then (1) they're lying and (2) that's not covering it because just a few website visits later they could re-associate your old data with your 'clean' profile because it doesn't take all that many bits to de-anonymize a chunk of data.
(More than just Cassandra tho, many databases don't actually "delete", at least not immediately. They "mark for deletion", and may or may not _actually ever delete_ anything.)