Comment by cortesoft

3 days ago

Does that meet the legal requirement to delete data when requested? I am not sure it does.

As far as I know, most data protection laws accept cryptoshredding as long as the party with a deletion requirement actually destroys the key. For one thing, it’s hard to reconcile deletion requirements with immutable architectures and backups without a mechanism like this.

IANAL, but I think the key remaining in the user’s possession doesn’t matter as far as the company with a deletion requirement is concerned.

  • If the key remains on the user's device but under the control of the app, does that count as out of control of the app?

    Maybe you'd have to force the user to export the key to an external file (and forget the path) or encrypt it with some mechanism that the app isn't in control of.