How much data is that? How do we know? It's not clear to me how the ICCL will know that "all data collected" is deleted. Even if the IAB is sanctioned or you storm their datacenters, the ICCL said that the tracking industry collected data through the IAB. How is the ICCL going to ensure that the tracking industry deletes the collected data?
They don't know. But if evidence comes up showing a company didn't then they will take legal action against that company, in which case intent to break the law from the would be crystal clear so they would get maximum fines which are huge for GDPR.
It isn't like laws prevents all crimes, the goal is to reduce illegit data usage, there is nobody who thinks it can ever get completely stamped out.
I'm asking what kind of evidence can exist that proves a negative? Without knowing what was collected how can they prove it was deleted? Doesn't make any sense.
> Without knowing what was collected how can they prove it was deleted?
They don't need to know what data was collected. GDPR requires you to track all data and mark where you got it from, so the companies are legally required to track this for you, they should already have a switch where they can delete this data at the notice of the user, so they should have no problems honouring such a request from the government.
The government don't know if the data was deleted, but a user will know if a company has data the user didn't agree to give to the company, in which case that company is violating GDPR regardless how they got that data. That wont always come up, but if it does the government will go after those companies.
What you're saying is literally illogical in the case of IAB acting as an intermediary... Not sure you know what you're talking about in this case. The entire point of the original article is that the user's data is being fed through via IAB to tracking companies. This isn't a normal GDPR situation where the user's data directly is being stored in a way that's accessible to the user as well. Obviously in that scenario the user themselves could just request their data be deleted as that's what GDPR allows. IAB in this case has been acting as an intermediary, allowing tracking companies to collect metadata on users through them. Even if IAB deletes their data, the question is how will the Council know if the end-tracking companies deleted their data?
If you keep data about a person in the EU that data is protected by GDPR regardless where or how you got it, having an intermediary doesn't matter.
> how will the Council know if the end-tracking companies deleted their data?
That doesn't matter, all they need is to ask the companies and the companies to say that they deleted the data. That is how everything else works with GDPR. When you ask a company to delete your data you don't know the company deleted it, they could still store it but keep it hidden etc. The government asking this is exactly the same.
If it later comes up that companies has a lot of data about users that they can't explain how they got, or that traces back to this case where they said they deleted it, then those companies will get huge fines. Open violations of laws where there is no question that the company knew they were breaking it are a very different case from companies toeing the line, the fines would get much higher.
This isn't a normal GDPR situation where the user's data directly is being stored in a way that's accessible to the user as well.
It's you that fails to understand the GDPR: that situation is not possible. In this case, the IAB is acting as the data controller for this data. As per GDPR requirements, when they share this data (for whatever purpose) with third-party processors, they must ensure through their contracts that the processor can comply with data deletion requests coming from users through the IAB.
If they cannot comply with that, both the controller and the processor are in violation of the GDPR, the controller doubly so because the GDPR requires them to audit their chosen data processors for GDPR compliance.
Nothing can prove the negative. But if any shred of evidence comes out that they didn't comply, there will be severe consequences for them, which makes it at least reasonably safe to assume they will comply. It's hard to keep a secret like that.
Yes, it's possible for companies to act in secret to deliberately not comply with the law.
There have been highly public cases of that blowing up spectacularly for those companies; cases where it becomes public and nothing really happens; and - I'm sure - many many more where nobody outside the company ever found out.
Is there some aspect of this situation in particular where you're trying to ask something more specific than that?
