Comment by mcherm
8 months ago
> I suspect Google would err on the side of accidental deletions rather than accidental non-deletions: at least in the EU.
I certainly hope not, because that would be incredibly stupid. Customers understand the significance of different kinds of risk. This story got an incredible amount of attention among the community of people who choose between different cloud services. A story about how Google had failed to delete data on time would not have gotten nearly as much attention.
But let us suppose for a moment that Google has no concern for their reputation, only for their legal liability. Under EU privacy rules, there might be some liability for failing to delete data on schedule -- although I strongly suspect that the kind of "this was an unavoidable one-off mistake" justifications that we see in this article would convince a court to reduce that liability.
But what liability would they face for the deletion? This was a hedge fund managing billions of dollars. Fortunately, they had off-site backups to restore their data. If they hadn't, and it had been impossible to restore the data, how much liability could Google have faced?
Surely, even the lawyers in charge of minimizing liability would agree: it is better to fail by keeping customers accounts then to fail by deleting them.
> Customers understand the significance of different kinds of risk.
Customers do; the law does not. The GDPR introduces unintended consequences.
> Surely, even the lawyers in charge of minimizing liability would agree: it is better to fail by keeping customers accounts then to fail by deleting them.
Not at all. Those in charge of enforcing the GDPR are heavily incentivized to assume the opposite of that. Google accidentally losing customer data is a win for privacy as far as the law's intent.