Leave No Data Behind – Empirical Insights into Data Erasure from Online Services

Abstract

Privacy regulations such as the General Data Protection Regulation (GDPR) of the European Union promise to empower users of online services and to strengthen competition in online markets. Its Article 17, the Right to Erasure (Right to be Forgotten), is part of a set of user rights that aim to give users more control over their data by allowing them to switch between services more easily and to delete their data from the old service. In our study, we investigated the data deletion practices of a sample of 90 online services. In a twostage process, we first request the erasure of our data and analyze to what extent public data (e.g., posts on a social network) remains accessible in a non-anonymized format. More than six months later, we request information on our data using Right of Access requests under Art. 15 GDPR to find out if and what data remains. Our results show that a majority of services perform data erasures without observable breaches of the provisions of Art. 17 GDPR. At 27%, the share of non-compliant services is not negligible; in particular, we observe differences between requests submitted using a dedicated button and formal requests under Art. 17 GDPR.