Hacker News

Pretty much exactly this, but also:

I work at a company you've heard of, and you've probably (P > .5) used at least one of our products. We're international (including EU). I personally wrote our user data deletion logic for GDPR compliance.

We delete all of your PII. It doesn't matter if you're from the EU or not, because it's too expensive to figure it out and too risky because you're going to miss some weird edge case - Legal doesn't have much of a sense of humor when it comes to wiggle room.

My experience has been that larger organizations consistently spend more effort (relative to size) to genuinely comply with privacy regulations than smaller ones. The risk:reward ratio for deliberately ignoring or subverting privacy regulations is insanely bad. There are too many surfaces along which that would leak out, and the gains would be pretty marginal. Pretty much anyone who works at a large tech company can and will confirm that this is the case (see Jeff Kaufman's posts on this thread). There is no conspiracy between the six-digit number of engineers who work at these companies to keep quiet about it.



>There is no conspiracy between the six-digit number of engineers who work at these companies to keep quiet about it.

I wouldn't say "conspiracy" but they've been mums-the-word about things like shadow-profiles. Perhaps it comes down to too much kool-aid, but to say that engineers would initially speak up in such cases has been proven wrong, time and again.

Take the Snowden revelations, as an example: How many years were the programs in service before Snowden went public? How long have we known about shadow profiles and no one from Facebook has come forward to say, "yes, this is what they're doing and it's wrong"?

Relying on people to do the good that should be done by the organisations doesn't take into consideration that those engineers face severe penalties for "going public" about such things - namely because whistle-blower laws do not supersede such things as NDAs.



