As an American, I've pointedly avoided most of the GDPR discussions. But this discussion has most of the commenters sounding like LEAs on encryption.

Consider the following scenario:

Company A has PII on individual X.

Company A dutifully keeps backups of data.

Company A is merged into company B.

Company B dutifully maintains company A's backups.

Company A's databases are migrated to company B's schemata.

Individual X applies to company B to be forgotten.

The data in company A's backups is not indexed in any meaningful way in the current schema. A restore of this data cannot be automatically purged.

Or how about this?

A company acquires a dataset, and backs it up.

The company merges the dataset into its existing databases.

A de-dupe process is run on the merged data.

Someone demands erasure.

Again, the de-dupe and merge processes make automatic deletion of restored data effectively impossible.

And these are about perfectly run shops. The real world is going to have much more trouble. Criminalizing less-than-perfect behavior is not going to encourage innovation. "Best effort" is really the only standard that can work. Unless you love selective enforcement.

