[noiseinvacuum]

This is a clear violation of GDPR. The GDPR emphasizes the right to erasure (Article 17) and data minimization (Article 5). These principles require that personal data be:

* Kept for no longer than necessary * Deleted upon request or when no longer needed

Both of these conditions are met when someone "deletes" a picture from their device.

This bug basically proved that Apple is non compliant with this and there's no way that EU is going to ignore this big of a violation. If found guilty then they can fine Apple 20 million euros or 4% of global turnover(revenue) which is > $4 billion.

[ballenf]

Is that also true even if the data is only on customer-owned hardware and not stored in the cloud?

[noiseinvacuum]

Protections under GDPR apply to both local storage and cloud storage.

In this case both local storage and cloud storage are provided by same company so that distinction doesn’t matter but this storage location agnostic coverage of GDPR comes in handy on Android.

[doublepg23]

Hmm I sense a business opportunity of selling “GDPR compliant” GNU rm.