
On paper there is nothing bad with that.

But it still removes my ability to delete my data, especially when 23andMe has proven that they are not properly safeguarding this data.

Also me donating this data to a research organization vs being lured in by 23andMe's marketing are drastically different things.



Oh god, that's made me realise. Does a GDPR right to removal extend to LLMs that have been trained on your data? What probability of retrieval counts as still storing your data?


GDPR recital 26 covers your question.

Excerpt for the second part:

> To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments.

So they don’t call for an exact probability, but if you can prove you did appropriate threat modelling and put controls in place to counter those threats you should be fine. You are literally doing more than most companies if you manage that.



