Comment by jandrewrogers

While not common, regulations requiring a hard delete do exist in some fields even in the US. The ones I familiar with are effectively "anti-retention" laws that mandate data must be removed from the system after some specified period of time e.g. all data in the system is deleted no more than 90 days after insertion. This allows compliance to be automated.

The data subject to the regulation had a high potential for abuse. Automated anti-retention limits the risk and potential damage.