all_lessons/data_intensive_systems/25 · law & ethicslesson 26 / 35 · ~15 min

Part 11 · Correctness & society

Law, Regulation, and Ethics as Architecture Input

Lesson 24 pushed storage into the cloud and treated durability, replication, and tiering as a subsystem you rent rather than build. That was the last technical constraint. This lesson names the one that is not technical at all: law and ethics. They are not a closing reflection you bolt on after the architecture is done — they are an input, the same as throughput or latency, and they shape the schema, the retention policy, and the deletion path from day one. Lesson 20 built a system designed to remember everything forever — an immutable log you recompute every view from. This lesson is where "forever" collides with the right to be forgotten, and where we turn privacy, consent, and accountability into concrete mechanisms and a design-review checklist.

DDIA source
Arc drawn from Martin Kleppmann, Designing Data-Intensive Applications — the ethics section that closes Chapter 12 (The Future of Data Systems) in the 1st edition, expanded into a dedicated chapter in the 2nd edition (see lesson 26). Original synthesis; the GDPR/CCPA mechanism mapping, the crypto-shredding and delete-propagation ASCII, and the design-review checklist are ours. This lesson is the home for the privacy/deletion/accountability material the lesson-20 capstone only seeded.
Linear position
Prerequisite: lesson 20 (derived data) — you keep a system of record plus many derived views, all fanned out from a single ordered log, every view recomputable from that log, with lineage and audit. You also need replication and retention from earlier (a fact, once written, ends up in many copies: followers, backups, derived indexes, analytics tables).
New capability: treat privacy, law, and ethics as design inputs rather than after-thoughts — translate data minimization, consent, the right to erasure, retention limits, auditability, and the GDPR/CCPA rights into concrete data-system mechanisms (schema scope, tombstones, crypto-shredding, delete propagation, lineage), and put them on a design-review checklist so they are decided before the schema is, not litigated after a breach.
The plan
Six moves. (1) Reframe: law and ethics are an architecture input, like an SLO — they constrain the schema, retention, and deletion path before the first table exists. (2) Data minimization, consent, and lawful basis — collect and keep only what a stated purpose needs, and only what you may; this is a schema and retention decision. (3) The deletion path: why "recompute everything from the immutable log forever" (lesson 20) collides head-on with the right to erasure, and the engineering answers — tombstones, crypto-shredding, bounded retention, and propagating the delete to every derived view. (4) Auditability and accountability: the same lineage and audit logs that detected drift in lesson 20 are what make rights enforceable and decisions explainable. (5) The GDPR/CCPA rights as operations your architecture must support — access, rectification, erasure, portability — each a query you either can or cannot run. (6) The harder, non-legal risks: surveillance, feedback loops, bias amplification, and "data as power" — and the whole thing distilled into a design-review checklist.

1 · Law and ethics are an architecture input, not a footnote

Every prior lesson treated the design space as a set of technical trade-offs: a quorum buys consistency at the cost of latency, a derived view buys a read pattern at the cost of freshness. Law and ethics add a different kind of constraint — one you cannot buy out of with more hardware. A regulator does not care that crypto-shredding is operationally inconvenient; "delete this person's data" is a requirement with the same standing as "p99 under 100 ms," and like that SLO it is far cheaper to design for than to retrofit.

The failure pattern is always the same: a team builds the system for correctness and scale, ships it, and only then asks "how do we delete a user?" — and discovers the answer is "we can't, cleanly," because the architecture was built to remember. The personal fact has, by then, been replicated to five followers, snapshotted into nightly backups, indexed into a search cluster, aggregated into analytics tables, and embedded into a vector index, and nobody wrote down where it all went. The fix at that point is archaeology. The fix at design time is a single column in the "Where is truth?" artifact: who owns this data, and what is its deletion path?

The reframe
Do not think "we'll add a privacy review before launch." Think: every field in the schema is a liability with a purpose, a lawful basis, a retention clock, and a deletion path — or it should not exist. The questions in §6 are not a compliance checkbox; they are design questions that change the schema, exactly like "what is the read pattern?" changes the index.

2 · Data minimization, consent, and lawful basis

The first principle is data minimization: collect and retain only the data a stated purpose actually needs. It is the privacy analogue of "don't add an index you have no query for." Each field you store is not free — it is a future deletion obligation, a future breach blast-radius, and a future audit liability. The discipline is to start from the purpose ("rank items this user is likely to click") and admit only the fields that purpose requires, rather than logging everything "because the log makes it cheap" (lesson 20's own warning) and mining it later.

This directly shapes the schema. A recommender needs interaction events; it probably does not need the user's precise home address, and if it does not, that column should not exist. Purpose limitation is the sibling rule: data collected for one purpose may not be silently repurposed. The training pipeline that quietly starts joining a support-ticket table into the ad-targeting features has changed the purpose, and under most regimes that is a new decision requiring a new basis — not a free optimization.

Consent and lawful basis govern what you may store and process at all. Under GDPR every processing activity needs a lawful basis — consent, contract, legitimate interest, legal obligation, and others — and consent specifically must be freely given, specific, and revocable. The engineering consequence is concrete: consent is itself data you must store, version, and join against at processing time. A feature pipeline that computes on a user's events must be able to ask, per user and per purpose, "do we have a basis to process this?" — and when consent is withdrawn, that withdrawal must propagate to the same derived views a deletion would (§3). Consent you cannot query is consent you cannot honor.

PrincipleWhat it constrainsThe mechanism it forces
Data minimizationWhich fields the schema contains at allPurpose-scoped schema; no "collect now, justify later" columns
Purpose limitationWhich joins/derivations are allowedData flows tracked (lineage); repurposing is a reviewed change, not a silent one
Consent / lawful basisWhether you may process a given recordConsent stored, versioned, and joined at processing time; withdrawal propagates like a delete
Retention limitHow long a record may liveA retention clock per dataset; bounded log retention; automated expiry (§3)

3 · The deletion path: where "remember forever" meets the right to be forgotten

This is the central collision of the lesson, and it falls squarely on lesson 20's architecture. There, the design was: write to the system of record, capture every change into an immutable ordered log, and derive every view by replaying that log — so any view is recomputable forever. That immutability is exactly what made the system correct, auditable, and repairable. It is also what makes GDPR Article 17, the right to erasure, hard: a user asks you to delete their data, and your architecture's defining feature is that it never forgets.

ONE DELETE REQUEST, MANY PLACES IT MUST REACH user: "delete me" (Art. 17 erasure / CCPA delete) │ ▼ ┌─────────────────────────┐ │ SYSTEM OF RECORD │ delete the row ── but the fact is already everywhere: └─────────────────────────┘ │ ├─▶ followers / replicas (lesson 8: every leader write copied) ├─▶ nightly backups / snapshots (retained for weeks — a backup is a copy) ├─▶ the ordered CHANGE LOG (lesson 20: IMMUTABLE by design ← the hard one) ├─▶ search / vector index (derived view — re-index or tombstone) ├─▶ analytics / training tables (derived view — aggregate or drop) └─▶ caches (evict; refill skips the deleted key) a delete is NOT one row; it is a propagation to every copy and every derived view. the view you cannot enumerate is the view you cannot prove you deleted.

Deleting the system-of-record row is the easy 5%. The hard 95% is everything downstream, and the immutable log is the worst of it — you cannot just delete an entry from an append-only, offset-addressed log without breaking the replay guarantee every derived view depends on. There are four engineering answers, used together:

Worked number — what "deleted" actually costs in time
A user requests erasure at t = 0. The SoR row is deleted and a tombstone appended to the log within seconds. But: nightly backups retain a copy for a 30-day backup-retention window; the search index recomputes the tombstone within its 150 ms lag budget (lesson 20, §2); analytics tables exclude the user on the next daily batch (worst case ~24 h). Without crypto-shredding, the honest answer to "when is this user fully gone?" is 30 days — the backup window — and you must be able to state that number to a regulator. With crypto-shredding, you delete the per-user key at t = 0 and every copy in every backup is immediately unreadable, collapsing the worst case from 30 days to seconds. That delta is the entire business case for designing encryption-per-user in from the start.

4 · Auditability and accountability: the same lineage, reused

Lesson 20 built lineage (knowing which source records and which code produced each derived value) and audit logs (an independent record you can recompute and compare against) to detect drift and repair views. Those exact tools are what make rights and accountability enforceable — they were never only about correctness.

5 · The GDPR/CCPA rights as operations your architecture must support

The data-protection rights are not abstractions — each is a concrete query or operation, and your architecture either can run it or cannot. Designing for them means making sure each is a supported access pattern (lesson 2's lesson, applied to law), not a heroic one-off SQL safari every time a request arrives.

Access (Art. 15 / CCPA "right to know")
"Show me everything you hold about me." A query across every store keyed by the subject — SoR, derived views, logs. Feasible only if you can enumerate the stores (lineage, §4) and each is keyed or joinable by subject ID.
Rectification (Art. 16)
"Correct this wrong fact." A write to the system of record that then propagates to every derived view via the log (lesson 20). Same fan-out as any other update — which is why single-source-of-truth design pays off here too.
Erasure (Art. 17)
"Delete me." The full §3 deletion path: tombstone the SoR, crypto-shred the key, propagate the delete to every derived view, let backups age out. The right that most stresses an immutable-log design.
Portability (Art. 20)
"Export my data in a machine-readable form." An export query assembling the subject's records into a standard encoding (lesson 5's schemas, applied) — the access query plus serialization to a portable format.

Notice that three of the four rights are made easy or hard by the same two decisions you already made for correctness: a single system of record with a clear fan-out (rectification and erasure are just writes that propagate), and lineage that enumerates every store (access and erasure need to know where to look). Privacy-by-design is, to a large degree, the good distributed-data design you already wanted — keyed by subject, single source of truth, recomputable views, known lineage. The CCPA adds a distinct one — the right to opt out of sale/sharing — which, like consent withdrawal (§2), becomes a per-subject flag joined at processing time.

6 · Surveillance, feedback loops, and data as power

Law is the floor, not the ceiling. The harder problems are the ones no statute fully covers, and they arise precisely because the system works well. Keep this grounded: these are design consequences to weigh, not slogans to recite.

Risks & failure modes

  • "We can't delete cleanly." Erasure requested; the fact lives in backups, an immutable log, and derived views nobody enumerated. No crypto-shredding, so the honest worst-case is the backup-retention window — or unbounded (§3).
  • Over-collection. Fields logged "because it's cheap" with no purpose; each is breach blast-radius and a deletion obligation that buys nothing (§2).
  • Silent repurposing. Data collected for one purpose joined into another with no review or new basis; lawful only by accident (§2).
  • Unqueryable consent. Consent collected but not joined at processing time, so withdrawal does not actually stop processing (§2).
  • Rights you can't run. An access or erasure request needs a hand-written cross-store SQL safari each time because no store is keyed by subject and there is no lineage (§4, §5).
  • Uncontaminated-data assumption. A feedback loop quietly trains the model on its own serving decisions; bias amplifies each cycle, invisible without audit (§6).

Design-review checklist

  • For each field: what purpose justifies it, what is the lawful basis, and what is its retention clock? If none, delete the field (§2).
  • Is consent stored, versioned, and joined at processing time — and does withdrawal propagate like a delete (§2)?
  • What is the deletion path for a user, end to end? Name every copy and derived view it must reach (§3).
  • Is data encrypted per-subject so deletion can be crypto-shredding (delete the key), not chasing every copy (§3)?
  • Is log/backup retention bounded, with automated expiry, not "forever" (§3)?
  • Does lineage enumerate every store holding a subject's data, so access and erasure are runnable queries (§4, §5)?
  • Are the four rights (access, rectification, erasure, portability) each a supported operation, not a one-off (§5)?
  • Is there a feedback loop? Are training labels contaminated by serving decisions, and is bias audited over retraining cycles (§6)?

Checkpoint exercise

Try it
Take the RAG assistant over a corporate document store from lesson 20's checkpoint and add the privacy layer. (a) An employee leaves and the company must erase their personal data (their authored documents stay, but personal identifiers in usage analytics must go) — trace the deletion path through every store and state the worst-case "fully gone" window, with and without crypto-shredding. (b) Which fields in the usage-analytics schema fail the data-minimization test, and what purpose would justify keeping each? (c) A regulator files an access request on behalf of a user — write the set of queries you would run, and name the design property that makes them possible (or, if you can't, the property that's missing). (d) Someone proposes joining the assistant's query logs into the HR performance-review pipeline — what is the privacy objection in one sentence, and what mechanism from §2 should have caught it? (e) The assistant ranks documents by past click-through; describe the feedback loop and one audit that would detect it.
Where is truth?
For a personal-data system, "truth" includes who is allowed to hold it and for how long. System of record: the authoritative store of the person's data (and, separately, the versioned consent/basis record). Copies / derived views: replicas, backups, the immutable change log, search/vector indexes, analytics and training tables, caches — every one a place a delete must reach. Freshness budget: for rectification and consent withdrawal, the same lag budget as any derived-view update (lesson 20). Owner: a named team accountable for this dataset's purpose, basis, and lifecycle — not "the platform." Deletion path: tombstone the SoR, crypto-shred the per-subject key (so every backup/log copy dies at once), propagate the delete to every derived view, let bounded retention expire the rest — with a stated worst-case window. Reconciliation / repair path: recompute each view from the log and audit that the erased subject is absent. Evidence it is correct: lineage enumerating every store, a deletion-proof audit entry (subject hash, timestamp, scope), and the ability to run the four rights as queries on demand.

Where this points next

We have now closed the loop the orientation lesson opened: the "Where is truth?" artifact carries not just a system of record and a freshness budget but an owner, a deletion path, a retention clock, and audit evidence — privacy and accountability live in the same artifact as correctness because they are designed at the same time. The 2nd edition of DDIA promotes this material from a closing section to a chapter of its own, and the next lesson — 26 · Current DDIA: What the 2nd Edition Adds — is the signpost to it, alongside what else the new edition adds (consensus reframed, the cloud-native shift of lesson 24, and updated data-system landscape). It is where you take this track's vocabulary back to the source and see how the field itself moved.

Takeaway
Law and ethics are an architecture input, not a closing reflection: they shape the schema, the retention, and the deletion path from day one, with the same standing as an SLO. Data minimization and purpose limitation decide which fields exist and which joins are allowed; consent and lawful basis decide what you may process, and consent is itself data you store, version, and join — withdrawal propagating like a delete. The sharp collision is erasure (GDPR Art. 17) against lesson 20's remember-everything immutable log: the answers are tombstones (logically gone, append-only preserved), crypto-shredding (delete one per-subject key, not every copy), bounded retention (forever is a budget, not a guarantee), and propagating the delete to every derived view (provably, because each view is a recomputable function of the log). The lineage and audit logs you built for drift detection are what make rights enforceable and decisions accountable. The four GDPR/CCPA rights — access, rectification, erasure, portability — are each a query your architecture either supports or does not, and three of the four are made easy by the single-source-of-truth, keyed-by-subject, recomputable design you already wanted. Beyond the law sit surveillance, feedback loops, bias amplification, and data as power — risks that arise because the system works, made manageable by the same minimization, retention, and audit levers. Put all of it in the design review, before the schema exists.

Interview prompts