That's a very important question. A basic privacy principle is the right to be forgotten, so in our laws, organizations can only retain information as long as they need it for business purposes and then it should be destroyed.
I led the Facebook investigation in 2009 in the federal office, and this was a real sticking point in that investigation. We found quite a difference between deactivation of someone's account and deletion of the data. The recommendation coming out of the federal commissioner's office was to make it easy for people to delete their accounts, and be clear on the difference between deactivation, which is really putting the data offline, just in case the user changes her mind down the road and wants to be back on Facebook, versus deletion, which I believe takes about 30 days and then all the data is deleted.
We wanted the company to make it really easy for individuals to choose which option and to make sure it's done.
Getting back to order-making powers, the federal privacy commissioner is an ombudsman, and she can make recommendations. At the end of the day, my colleague Ann Cavoukian and I, with our order-making powers, can order a company to delete data, and it has to do so within 30 days. Under my law it's 30 days. That is a very powerful tool.