But “if the purpose for which the information was obtained” was to enable better ad targeting, then “data retention” is still “appropriate”, eh?
Under this reading, is there even an obligation to anonymize? And how anonymous does anonymous need to be? Does a simple base64 encoding count as “anonymized”?
I had that thought originally too - however the keywords here are "statutory obligation" (basically, legal reasons.) So if the FBI asked them to retain the data, they can do so as long as the FBI needs it.
And the matter of anonymisation is a great question - "irrevocable" anonymisation certainly has a different meaning back in 2011, when swapping a name for a guid would do the job. Nowadays, it would require at least deleting all relationships as well, since social network analysis is much more advanced these days (especially at FB, of all places.) It wouldn't be impossible to derive the identity of an anonymous account/record based on the undeleted data associated with it. And since FB's "ghost profiles" are something we know exist, I think it's safe to assume those relationships are being maintained somehow.
Under this reading, is there even an obligation to anonymize? And how anonymous does anonymous need to be? Does a simple base64 encoding count as “anonymized”?