> I don't see why the law should care in any way about a company populating NULL records.
It cares if the existence of this record still leaks private data. This is why talking about generic "records" here is pretty wrong - actual data is not interchangeable "records" where you can just slap on a generic cargo cult policy and think you're done.
Different use-cases require different data handling. Although, I do agree, for most CRUD cases it's enough to NULL out rows.
It's deleted because all connections (and meta data) has been erased.
In a database, if you null all fields but keep the entries and their inter table relationship intact, you still have identifiable data up to a certain point.
Imagine you have data of specific people and you only have one person per country, having a user and country relationship, if you null a single data of a specific user, you'll still be able to find the user just by analysing to which country that user was connected + some external information.
This is the classical problem of deriving personal data from statistical reports and why data anonymisatiom is so complex.
It cares if the existence of this record still leaks private data. This is why talking about generic "records" here is pretty wrong - actual data is not interchangeable "records" where you can just slap on a generic cargo cult policy and think you're done.
Different use-cases require different data handling. Although, I do agree, for most CRUD cases it's enough to NULL out rows.