From what I gather, a company is being asked to retain potential evidence during a lawsuit involving said data. Am I missing something? What’s outside the norm here?
We specifically have an enterprise contract (in the EU), checked by our lawyers, that says they can’t store our data or use it for training.
This decision goes against that contract.
So they never should have persisted that data to begin with, right? And if they didn’t persist it, they wouldn’t need to retain it.
I mean, it’s more complicated than that.
Of course, data is persisted somewhere, in a transient fashion, for the purpose of computation. Especially when using event-based or asynchronous architectures.
And then promptly deleted or otherwise garbage collected in some manner (either actively or passively, usually passively). It could be in transitory memory, or it could be on high-speed SSDs during any number of steps.
It’s also extremely common for data storage to happen on a caching layer level and not violate requirements that data not be retained since those caches are transitive. An open API implements a reasonable amount of prompt caching.
A court order forcing them to start storing this data is a problem. It doesn’t mean they already had it stored in an archival format somewhere; it means they now have to store it somewhere for long-term retention.
The only thing I can tell is that they were already saving the chats of personal accounts but their SLAs prevent them from doing so with some corporate accounts. Apparently there is some concern that proprietary information will now be made part of a public case. Personally I feel like that’s the price of being an early adopter of something most people said was a bad idea but what do I know?
Well, if classified information from government agencies comes to light in this case, there will be problems. Also important companies.
If that happened, wouldn’t the judge just dismiss/banhammer the evidence from the case somehow? (IDK, IANAL)
The only problem I see is that such storage could conflict with EU privacy laws, but the rest is normal.
Uhhh - no one should be under the impression that deleting something actually deletes it.