Ask HN: If I store encrypted data but throw away the key does that violate GDPR?
I thought this would be a violation as I'm not able to decrypt that data today, but as soon as technology got to a certain point, or true quantum computers become a thing, I'd be able to decrypt that date possibly trivially.
I was listening to a podcast where they described this as being a viable way of adhering to requests to delete personal information.
6 comments
[ 3.5 ms ] story [ 23.5 ms ] threadIf it's not accessible then it's essentially lost. If a new technology comes about that makes it accessible, then you would be liable.
If you've lost the key, and have no intent on recovering the data due to GDPR or whatever, then why not just delete it to avoid any potential future liability?
Perhaps there are a lot of backups of this encrypted data, some of which are not under control of the person asking the question.
Or just consider a tape backup. How would you efficiently delete a part of data stored on a tape?
Deleting data can be a hard problem in some cases.
I don't know whether it would hold up in court though, but it's an interesting idea. With a private block chain, the risk would be a lot smaller that a single leaked key (i.e. the customer accidentally releasing it) would result in big problems. I've recently talked with a lawyer friend of mine about a similar topic, but he didn't know immediately whether that's legally sound.