Interesting… would love to see the rationale behind that. I’m guessing it is an assumption based on precedent. Reading through Article 17 of GDPR, it looks pretty clear at first read:
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay
The question is, “what does erasure mean”? It certainly implies deletion from disk, but I’m sure there will be a bunch of cases that will help define this.
Initial Googling found this page, which traces the history of this “right to be forgotten” back to a 1995 directive where a:
data subject has the right under certain conditions to ask search engines to remove links with personal data
However, part of the ruling was that:
Deleting the search engine results linked to the data subject’s name does not mean that the content is deleted from its original publication location
Which makes sense when you’re talking about the responsibility of the search engine… maybe that’s being used as a precedent, though, to say that it’s not whether the bytes exist on disk or not, rather it’s if the person appears forgotten by any reasonable search?
I’m no lawyer, so I really have no idea, but that’s a huge difference in terms of cost of implementation. Will be interesting to see where this ends up.
Oh, and great post @vvvvalvalval! It’s great to see some discussion on implementation and not just high-level debate on what the lawyers have written 