by joshribakoff 718 days ago
Uber wouldn’t delete my data when I demanded it; they just hung up on me rudely. I escalated to the CEO and they sent me this message explaining why and assuring me that my fears of a data leak were “unfounded”:

Maribel again with Uber Support. Thank you for your patience while I took a further look at the deletion request. Unfortunately, we are unable to delete all of your information on the account due to security measures. Please visit our Privacy Notice for more details, specifically the sections titled E. Data retention and deletion. As of May 12, 2024, your account was marked for deletion. Keep in mind that deleting your driver account is permanent and will automatically delete your rider account as well. Any credits associated with your accounts will be lost. Additionally, I want to emphasize that we have strict security measures on the platform to ensure that your personal information and your safety are secured. Your understanding is appreciated.

I genuinely think it should be a legal liability to make a claim such as "we have strict security measures on the platform to ensure that your personal information and your safety are secured."

First, because they're probably just outright lying to imply they're taking security as a paramount priority. They're likely following minimal guidelines to cover their own asses legally.

Second, because it's physically impossible for them to guarantee data security. It's like making a promise to a child that they're never going to die. A security breach is a matter of probability, not a door you can close and forget about. A society that allows companies to make absolute assurances about security at all is endangering itself. But it also means that levels of security and due diligence are difficult to quantify because we don't even conceive of it as a probabilistic issue.

(I also just watched the new Ashley Madison doc and it's really sticking with me that they made up fake certificates of security while putting virtually no effort into the real thing, and actively chose to play chicken with their users' data when they had the option of closing up shop - an extraordinarily clear case of being blinded by greed, especially as the payout was obviously forfeit if the hackers followed through. Both of these choices should have legally put much of the blame for the fallout and suicides on the CEO.)

Plus, they can delete all your information, because GDPR mandates it in Europe.
GDPR allows retaining any information necessary for complying with legal requirements (e.g. taxes). But that exception is to be interpreted as narrowly as possible.

Pro tip: sites don't have the means/motivation to challenge a user's assertion that they're in France (GDPR) or California (CCPA). Just pick a Paris address and demand a GDPR Data Subject Request (DSR) to delete your data.

GDPR also allows for processing for a company's "legitimate interests", which is supposed to be a balancing test, but Uber could argue it needs to process ID documents to ensure safety on its platform. If the company refuses to delete, the only option you have is to escalate to a data supervisory authority and have them adjudicate on it.

But more generally, GDPR has multiple legal bases for processing other than consent, and for any other than consent the processor might still be able to process data despite the right to be forgotten. And IME big company data processors tend to interpret these exceptions quite liberally, hoping people won't have the means to challenge their decision.

That is correct, and that is also crucially why all these consent modals that have a second toggle for "legitimate interest" from partners are also blatantly non-compliant: you can only use ONE legal basis for processing, and if consent is sufficient to opt out, that means it cannot be "legitimate interest" as defined by the GDPR.

The definitions for all these exemptions are EXTREMELY narrow and court cases have demonstrated this repeatedly. If you have a legitimate interest to verify someone's ID to establish identity that does not mean you are allowed to do the ID verification yourself (rather than relying on a third party) nor that you're allowed to use a service outside the EU (e.g. Israel) nor that you (nor they) are allowed to store that ID any longer than necessary to process it exactly once.

The GDPR dictates data minimization. If your business model is incompatible with that and it's not because of regulatory requirements, I'm sorry but we have a word for that and it's "criminal enterprise".

A website I went to had a "delete my data" link. I wondered what would happen if I said I was in Europe even though the website doesn’t cater to non-USA users. They still told me they would not be deleting my data because they had to keep records for x number of years due to legal requirements such as law enforcement and financial reporting.

Any company that operates a federated service in the EU cannot possibly comply with GDPR, so I'm sure there are companies who never really delete the data you requested.