There's no reason to believe it's a "full" account delete even in the countries covered by the GDPR considering they brazenly breach the GDPR with their "consent" flow.
From a data modelling point of view it's a challenge to wipe the user data since it will affect a social graph. And there are different strategies to handle corner cases (e.g. how to deal with reactions/replies on "deleted" comments or with reactions on your photos or your reactions on different news, mark as deleted and wipe the content or completely remove nested graph). And it actually makes user tracking much harder (please keep in mind, they're tracking users that have not registered yet, in that case user profile might be converted from one user type to another if they are going to continue to track you (why didn't want that?)).
Exactly... I regularly see arguments about technical compliance with laws or user wishes as 'it's hard', as if 'hard' is a counterargument to compliance...
Facebook collects way more data than what you choose to publish. Not to mention, if you want to delete something, Facebook should delete it. Whether other third parties archive it is beyond scope.
> There's no reason to believe it's a "full" account delete even in the countries covered by the GDPR considering they brazenly breach the GDPR with their "consent" flow.
Given FB's business model, and the fact that they create "shadow" profiles for folks who don't even have FB accounts, I have no doubt that while their UI might pretend that your account has been "deleted", all the data still exists for their use.
Which is why, when I left Facebook in 2014, rather than attempting to delete or disable the account, I posted a goodbye to those on FB that I cared about and explained exactly why I was leaving (their predatory and invasive business model).
I then logged out and haven't returned. I did this because I figured that any activity on their platform would be logged and stored with everything else they'd already collected.
And that was seven years ago. Given what we've seen from them since then, it's pretty clear that I was right.
Just go away and don't look back. Otherwise you'll just give them more data.
> I have no doubt that while their UI might pretend that your account has been "deleted", all the data still exists for their use.
They don't even have to pretend to delete your account, they can actually delete it. But through some linguistic sleight-of-hand (i.e., lying) they obscure the fact that your account is not all the data they have on you. Your "account", in a strict sense, might just be your username and password. It happens to also be associated with the entire pile of data that is a profile. Once a user no longer has an account, it's what you call a "shadow profile".
> They don't even have to pretend to delete your account, they can actually delete it. But through some linguistic sleight-of-hand (i.e., lying) they obscure the fact that your account is not all the data they have on you. Your "account", in a strict sense, might just be your username and password. It happens to also be associated with the entire pile of data that is a profile. Once a user no longer has an account, it's what you call a "shadow profile".
A likely scenario. Although I'd say that removing a userid and password from their auth db doesn't qualify as "deleting" an account. Rather, that's disabling an account. And IIUC (I'm not in the EU and not familiar with all the details) the GDPR/EU privacy folks would likely agree with that assessment too.
Perhaps someone with more knowledge of the GDPR could weigh in on what sorts of fines could be levied against Facebook for pulling a stunt like that on European citizens?
Edit: Levied is a more accurate term than "leveled".
Because the US government wants to maintain access to FB's data. Shutting down FB would be a big blow to surveillance, hence they will never do anything serious against it. They'll just put on a show, scream publicly in outrage about what FB does or whatever, and then nothing substantial will come out of it, because they never intended to do anything in the first place.
The regulators who are supposed to enforce the GDPR are either incompetent or unwilling to do so. I suspect there might be political problems with stepping up enforcement considering a lot of politicians rely on social media & ads (which is powered by non-consensual data processing) to help with their (re)-election.
It might be much easier to extend account entity with something like:
- is_deleted (boolean)
- deleted_time (utctime)
- is_suing_us (boolean)
- legal_case_id ...
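
Added example, not part of the thread and not Facebook's code: a Python sketch of the strategies named earlier in the discussion ("mark as deleted and wipe the content" versus "completely remove nested graph") beside a flag-only `is_deleted` field, with a check for what still ties stored data to the user. The comment tree, field names and function names are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Comment:                      # hypothetical schema, not any real platform's
    id: int
    author: Optional[str]
    text: Optional[str]
    parent: Optional[int] = None
    reactions: set = field(default_factory=set)   # names of users who reacted
    is_deleted: bool = False

def sample_graph():
    """Constructed sample data: one photo post with nested replies and reactions."""
    rows = [Comment(1, "alice", "holiday photo", None, {"bob", "carol"}),
            Comment(2, "bob", "nice shot", 1, {"alice"}),
            Comment(3, "alice", "thanks bob", 2, {"bob"}),
            Comment(4, "carol", "where is this?", 1)]
    return {c.id: c for c in rows}

def soft_delete(graph, user):
    """Flag-only 'delete': rows are hidden from the UI but everything stays stored."""
    for c in graph.values():
        if c.author == user:
            c.is_deleted = True

def tombstone(graph, user):
    """Wipe the user's content and identity, keep the node so replies stay attached."""
    for c in graph.values():
        c.reactions.discard(user)
        if c.author == user:
            c.author, c.text, c.is_deleted = None, None, True

def cascade(graph, user):
    """Remove the user's nodes and everything nested under them (other users' too)."""
    doomed = {c.id for c in graph.values() if c.author == user}
    while True:
        children = {c.id for c in graph.values() if c.parent in doomed} - doomed
        if not children:
            break
        doomed |= children
    for cid in doomed:
        del graph[cid]
    for c in graph.values():
        c.reactions.discard(user)

def residual(graph, user):
    """IDs of nodes that still tie stored data to the user (authorship or a reaction)."""
    return sorted(c.id for c in graph.values()
                  if c.author == user or user in c.reactions)
```

The flag-only variant leaves every record in `residual`, the tombstone variant empties it while keeping the thread shape, and the cascade variant empties it at the cost of deleting other users' replies.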