The purpose specification principle of the OECD Privacy Guidelines (which all substantial privacy laws are based on - EU, NZ, HK, etc.* ) says this:
"Finally, when data no longer serve a purpose, and if it is practicable, it may be necessary to have them destroyed (erased) or given an anonymous form. The reason is that control over data may be lost when data are no longer of interest; this may lead to risks of theft, unauthorised copying or the like."
Keeping an image URL online three years after it was requested to be deleted almost certainly counts as keeping personal data for longer than is necessary. When you upload a photo, it is usually for the purpose of sharing (as the case may be). When you decide to stop sharing, the data no longer serves that purpose and hence should be removed as soon as practicable.
* The US and Australia notably have not implemented the OECD guidelines.
"Finally, when data no longer serve a purpose, and if it is practicable, it may be necessary to have them destroyed (erased) or given an anonymous form. The reason is that control over data may be lost when data are no longer of interest; this may lead to risks of theft, unauthorised copying or the like."
Keeping an image URL online three years after it was requested to be deleted almost certainly counts as keeping personal data for longer than is necessary. When you upload a photo, it is usually for the purpose of sharing (as the case may be). When you decide to stop sharing, the data no longer serves that purpose and hence should be removed as soon as practicable.
* The US and Australia notably have not implemented the OECD guidelines.