US based and also not a lawyer (and I do hope the good staff of getDare have consulted one) but there's two added wrinkles:
As I read it, the GDPR right to erasure specifically entitles you to the deletion of identifying personal information, not the deletion of your digital existence. Arguably, they could comply by changing the username, email, and any other metadata associated with an account to a random string of characters and fully comply with the erasure clause. Everything else, they could argue, is indeed as easy to consent to as to remove - you consented by posting it, and it's as easy to edit the post and remove it as it is to make the post. Without going through a massive search for case law, that doesn't seem too farfetched.
That overlooks a bigger GDPR issue though: GDPR is extraterritorial, but the EU's enforcement capabilities are not. Sure, the EU can say a US based website has violated the GDPR, but unless that website has a business representative physically within the EU, there's pretty much nothing else they can do. It's highly unlikely (given existing precedent for lack of US compliance with other extraterritorial enforcement like the International Criminal Court) that a US court would elect to enforce GDPR fines against a US entity.
|