> how will the Council know if the end-tracking companies deleted their data?

That doesn't matter, all they need is to ask the companies and the companies to say that they deleted the data. That is how everything else works with GDPR. When you ask a company to delete your data you don't know the company deleted it, they could still store it but keep it hidden etc. The government asking this is exactly the same.

If it later comes up that companies has a lot of data about users that they can't explain how they got, or that traces back to this case where they said they deleted it, then those companies will get huge fines. Open violations of laws where there is no question that the company knew they were breaking it are a very different case from companies toeing the line, the fines would get much higher.

It's you that fails to understand the GDPR: that situation is not possible. In this case, the IAB is acting as the data controller for this data. As per GDPR requirements, when they share this data (for whatever purpose) with third-party processors, they must ensure through their contracts that the processor can comply with data deletion requests coming from users through the IAB.

If they cannot comply with that, both the controller and the processor are in violation of the GDPR, the controller doubly so because the GDPR requires them to audit their chosen data processors for GDPR compliance.

There could be a tipoff, for example, from an employee. And if that whistleblower is right, then the company will suffer huge fines.

Or any other numerous ways that someone might be caught for a crime.. it lets go with whistleblower, as that is easy to understand.