by cimm 1459 days ago
I still don't understand how one can retract access once given. If I share my purchase history with some financial web app and later decide to retract access, the web app will no longer get new data, but how can I be sure they don't keep a copy of my old data around? Same with GDPR. I often ask companies to remove my data, and legally they should, but I highly doubt many of them do indeed scrap all my data. I still need to trust the other party to honor my wishes (and follow the law), which makes me wonder if Solid or Schluss can help remove my data.
5 comments

The solution is social, not technical. The relevant authorities have the right to audit the process and do so in certain cases.

Keeping your data after this request has a tiny benefit to the company - not that many people retract access, and one individual's data is not that valuable. On the other hand, intentionally keeping and using that carries significant financial risk of fines if found out; so a prudent organization simply won't do that - otherwise, it'll just be a huge expense for no good reason after e.g. some disgruntled ex-employee blows the whistle on this practice.

Recently I've been exploring an idea of extending authorization frameworks like OAuth or GNAP so that you can authorize not only access to your data directly but execution of a specific computation (be it a specific revision of a container image) on it. You would review, in advance, what would be done with your data and, if suspicious, just reject. Ideally the web service pulls the container image and runs it on their host, then returns the result of the computation to the third party, keeping your original data secret. You wouldn't have to give out the plain data, which could easily be copied, in the first place. The problem is, I'm not sure if the class of applications that can be implemented in this scheme is large enough to be useful.
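The idea in the comment above, sketched as an added example (this is not code from the commenter, from OAuth, or from GNAP; the grant fields, the `ComputationGrant` class, the manifest stand-in and the purchase rows are all constructed for illustration): the data owner reviews one container image revision, pins its digest in a grant, and the host that holds the data will only run an image matching that digest and will only release the output fields the grant names. The raw purchase history never leaves the host.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed sample: the owner's purchase history. It stays on this host.
PURCHASES: List[Dict] = [
    {"date": "2021-03-02", "merchant": "grocer", "amount": 42.10},
    {"date": "2021-03-15", "merchant": "bookshop", "amount": 18.00},
    {"date": "2021-04-01", "merchant": "grocer", "amount": 55.90},
]

# Constructed stand-in for an OCI image manifest. The owner reviewed exactly
# this revision and the grant pins its digest, so a different build will not run.
REVIEWED_MANIFEST = json.dumps({"image": "budget-summary", "rev": 7}).encode()


def image_digest(manifest: bytes) -> str:
    """Content address of the image revision, in the usual sha256:<hex> form."""
    return "sha256:" + hashlib.sha256(manifest).hexdigest()


@dataclass(frozen=True)
class ComputationGrant:
    """Hypothetical grant: who may run what, over whose data, returning which fields."""
    owner: str
    requester: str
    image_digest: str                 # pinned revision the owner reviewed
    allowed_outputs: Tuple[str, ...]  # only these result fields may leave the host
    expires_at: float                 # unix time; grants are short-lived


class GrantError(Exception):
    pass


def check_grant(grant: ComputationGrant, requester: str, manifest: bytes, now: float) -> None:
    """Reject anything that is not the reviewed computation from the authorized party."""
    if requester != grant.requester:
        raise GrantError("requester is not the party named in the grant")
    if now >= grant.expires_at:
        raise GrantError("grant has expired")
    if image_digest(manifest) != grant.image_digest:
        raise GrantError("image digest does not match the reviewed revision")


def run_authorized(grant: ComputationGrant, requester: str, manifest: bytes,
                   compute: Callable[[List[Dict]], Dict], data: List[Dict], now: float) -> Dict:
    """Run the pinned computation on the host and filter what is returned."""
    check_grant(grant, requester, manifest, now)
    result = compute(data)
    extra = set(result) - set(grant.allowed_outputs)
    if extra:
        # The computation tried to return more than the owner agreed to release.
        raise GrantError("result contains fields outside the grant: " + ", ".join(sorted(extra)))
    return result


def monthly_spend(purchases: List[Dict]) -> Dict:
    """The reviewed computation: per-month totals, no individual rows."""
    totals: Dict[str, float] = {}
    for p in purchases:
        month = p["date"][:7]
        totals[month] = round(totals.get(month, 0.0) + p["amount"], 2)
    return {"monthly_total": totals}


def leaky_compute(purchases: List[Dict]) -> Dict:
    """A misbehaving computation that bundles the raw rows with the summary."""
    return {"monthly_total": {}, "purchases": purchases}


GRANT = ComputationGrant(
    owner="cimm",
    requester="budget-app",
    image_digest=image_digest(REVIEWED_MANIFEST),
    allowed_outputs=("monthly_total",),
    expires_at=1_700_000_000.0,
)


def demo() -> Dict:
    """Exercise the happy path and three rejections; returns outcomes for inspection."""
    now = 1_600_000_000.0
    outcomes: Dict = {
        "summary": run_authorized(GRANT, "budget-app", REVIEWED_MANIFEST, monthly_spend, PURCHASES, now)
    }
    attempts = {
        "tampered_image": ("budget-app", REVIEWED_MANIFEST + b" ", monthly_spend, now),
        "wrong_requester": ("other-app", REVIEWED_MANIFEST, monthly_spend, now),
        "expired": ("budget-app", REVIEWED_MANIFEST, monthly_spend, 1_800_000_000.0),
        "leaky_output": ("budget-app", REVIEWED_MANIFEST, leaky_compute, now),
    }
    for name, (requester, manifest, fn, when) in attempts.items():
        try:
            outcomes[name] = run_authorized(GRANT, requester, manifest, fn, PURCHASES, when)
        except GrantError as err:
            outcomes[name] = str(err)
    return outcomes


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The output filter is the part that answers the "copy of my old data" worry: even a computation the owner approved cannot hand back fields the grant did not list, and a different image build fails the digest check before it runs. What the sketch does not settle is the commenter's own reservation, namely how many useful applications fit a fixed, pre-reviewed computation.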
Agree, you're basically adding another middleman which now also has all your data.

> Same with GDPR. I often ask companies to remove my data, and legally they should, but I highly doubt many of them do indeed scrap all my data

Anecdotal: When GDPR came, the companies I worked with/in took it REALLY seriously and spent huge amounts of money and resources to change ALL of their processes to label and clearly isolate data with customer-identified and identifiable content. Not necessarily because they had a change of mind about privacy, but because the risk and the penalty if found non-compliant were so high ("up to €20 million, or 4% of worldwide turnover for the preceding financial year – whichever is HIGHER (!)", PER incident!). Some level of user-data privacy was already in place, but suddenly all understood the risk of not sufficiently isolating identifiable data (data which in itself is not personal information, but could be combined with other data to identify the user).

So at least in my direct experience GDPR caused a huge shift in many company mindsets from "let's store now and review later" to "wait, what is this data?", and all departments which store data from the field had to start answering to a data protection entity within the company about all the data they have or intend to collect.

It literally forced companies which always played with the idea of one day utilizing harvested data to create some undefined value in the future to challenge themselves. And many companies concluded "we don't know what type of data we have, it's too risky/expensive, scrape the servers and delete it".

Those were all large international companies though, maybe smaller companies acted differently. And for sure your typical data-collecting companies (FAANG) are a completely different story.

But the complexity for a small company with smaller processes to become GDPR-compliant is much lower, with the penalty risking not just hurting you but immediately sending you into bankruptcy. So for a small company, especially in Europe, it would be plain stupid not to have GDPR-compliant processes...

Of course there is still trust involved. Every time you cooperate with somebody else, both of you have some assumption of what the other will do. You trust that a webshop will send you your product after you have bought it, etc. To give a foundation for this trust we have laws. It would be illegal to sell you a product and just keep the money without giving you the product.

This is the same with data protection and GDPR. They could just say that they deleted it and keep a copy on their own. BUT using such systems or asking them (in a documented way) to delete your data is a really strong signal from your side of what your assumptions are. This will make the fines much higher if a data protection authority were to find out that a company kept the data when you had already shown your strong request to delete it. So in a way these mechanisms should make it easier for you to trust the other side to do their part, because the fines will just get bigger.

> Same with GDPR. I often ask companies to remove my data, and legally they should, but I highly doubt many of them do

I was talking once with a friend who deals with GDPR issues at their company. They said that they’re required to keep a record of deletion requests so it can be spelunked through vendors for a full deletion. This often creates more data than was originally deleted.