
If it’s a service that is not blocked in the EU you can often send a GDPR request to have your data deleted. https://www.datarequests.org/generator/


In practice, a lot of companies lie and may not actually have functionality to delete accounts. A UK fintech claimed they closed my account, while in reality they changed the email to <username>VOID@<domain> and presumably suspended future logins, but guess what, all the data is internally still there including the foreign key relationships which by themselves are unique enough and can be used to reidentify me and/or correlate my activity across other services.


... does it happen to be your own domain with a wildcard email inbox?


Yes - that's how I found out. A company that was supposed to delete my data as per the GDPR (or at the very least retain the minimum amount of data required for legal purposes) was sending me all kinds of emails to the "VOID" address, clearly suggesting they just changed it but otherwise left my account intact, most likely because they didn't actually design the system to support being able to delete user accounts.


Holy fuck, what if I sign up for <someonesemailVOID@theirdomain.com> (this will work for a ridiculous number of people if you just wait to get the GMail they use for everything or something)


That’s a shockingly bad kludge though. You’d at the very least expect them to change it to an email they control. I mean, it would still be a shit workaround but at least it wouldn’t be trivially exploitable.


Imagine how many companies do this instead of deleting data but at the very least disable the emails so you can’t even know.


I’d imagine most do. If not that then have “deleted” as a database column:

  Select email, name from users where deleted = false
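Added example, not part of any comment in this thread: a small SQLite audit contrasting the flag-and-rename approach described above with actual row removal, by counting what is still linked to the user's id. The schema, table names, function names and sample rows are all constructed assumptions.

```python
import sqlite3

# Constructed schema and rows for illustration; not any real company's data model.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, name TEXT, deleted INTEGER DEFAULT 0);
CREATE TABLE payments (id INTEGER PRIMARY KEY, user_id INTEGER REFERENCES users(id),
                       payee TEXT, amount_pence INTEGER);
CREATE TABLE logins (id INTEGER PRIMARY KEY, user_id INTEGER REFERENCES users(id), ip TEXT);
"""
CHILD_TABLES = ("payments", "logins")  # fixed allow-list, never user input

def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("INSERT INTO users (id, email, name) VALUES (1, 'alice@example.org', 'Alice')")
    db.executemany("INSERT INTO payments (user_id, payee, amount_pence) VALUES (1, ?, ?)",
                   [("Landlord Ltd", 95000), ("Gym", 2999)])
    db.execute("INSERT INTO logins (user_id, ip) VALUES (1, '203.0.113.7')")
    db.commit()
    return db

def soft_delete(db, uid):
    """The kludge from the thread: rename the address, set a flag, keep everything."""
    with db:
        db.execute("UPDATE users SET email = replace(email, '@', 'VOID@'), deleted = 1 "
                   "WHERE id = ?", (uid,))

def visible_emails(db):
    """What the application shows once it filters on the flag."""
    return [r[0] for r in db.execute("SELECT email FROM users WHERE deleted = 0")]

def erase(db, uid):
    """Delete child rows, then the user row, in one transaction.
    Records that must be retained by law are not modelled here."""
    with db:
        for table in CHILD_TABLES:
            db.execute(f"DELETE FROM {table} WHERE user_id = ?", (uid,))
        db.execute("DELETE FROM users WHERE id = ?", (uid,))

def residual_rows(db, uid):
    """Audit: rows per table still linked to uid, ignoring any 'deleted' flag."""
    counts = {"users": db.execute("SELECT count(*) FROM users WHERE id = ?", (uid,)).fetchone()[0]}
    for table in CHILD_TABLES:
        counts[table] = db.execute(f"SELECT count(*) FROM {table} WHERE user_id = ?",
                                   (uid,)).fetchone()[0]
    return {t: n for t, n in counts.items() if n}

if __name__ == "__main__":
    db = make_db()
    soft_delete(db, 1)
    print(visible_emails(db), residual_rows(db, 1))
    erase(db, 1)
    print(residual_rows(db, 1))
```

After `soft_delete` the account disappears from the filtered view while every linked row is still present; only `erase` brings the audit to an empty result.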


Please tell me you reported this to an ombudsman


I've given up on reporting many breaches to my country's regulator (the ICO in the UK) because they are completely useless.

First of all, the system operates on a complaint basis - they're not interested in being handed evidence of GDPR breaches, they're only "interested" (in quotes because the entire process feels like they're being forced to do something and do the bare minimum, as opposed to genuinely caring about protecting & defending citizens' privacy) in complaints where you didn't get your way. Imagine if the police wasn't interested in the location of a wanted, violent criminal and turned people away with "come back when you've actually been shot by him".

The complaints process puts the burden of investigating, documenting the breach and verifying further compliance onto you. It is extremely admin-heavy and requires you to first argue with the company and give them 30 days (more in certain specific scenarios) to respond, so a malicious actor can drag out the process for months before you can even proceed with a complaint to the regulator, and once the regulator takes action it is up to you to assess whether they now comply, and if not, go through the whole process again.

Finally, if you've made it through thus far and actually have a valid complaint that doesn't give these lazy idiots a technicality to use as an excuse to close your complaint, it'll rot in a queue for months, and when it actually gets processed and actioned, the only outcomes I've had so far (including for a company clearly acting in bad faith and probably breaking more laws than just the GDPR) is the ICO sending a letter which the company can ignore in total impunity, with the real-world penalty for ignoring it being another letter.

Imposing such a "penalty" obviously requires going through this whole process again so in the real-world very few people will make it this far to begin with, let alone following up on further non-compliance.

I'm also doubtful of their technical proficiency so I'm afraid they can trivially be defeated by the company using some technobabble to justify why they can't delete accounts if there's no expert on hand to debunk the BS excuses.

It is a war of attrition in which the regulator (at least in the UK) is in cahoots with the enemy.


If it’s a service that is not blocked in the EU you can often send a GDPR request to have your data deleted. https://www.datarequests.org/generator/

The sorts of companies that don't have an online mechanism to delete your account are the same kinds of companies that have never heard of, or don't care about the GDPR.


Actually, it's exceedingly common with typical RDBMS that deletes are highly deleterious and time costly transactions to process due to locking database tables for a copious amount of time, bringing the system to a screeching halt. This is why general practice is to modify the data in place and leave it there in an OLTP system.


I mean, technically speaking, actually deleting data without physically destroying the drive is pretty hard, especially with transistor-based dead storage!

I've always wondered whether GDPR just closed their eyes on that, or if it was so that the process of later restoring data was flagrant enough that it would be hard to hide upon inspection...



