Generative AI Means Right to Be Forgotten Is Gone, Law Students Say
The rise of technologies like generative AI (GAI) and the advent of large language models (LLM) have serious privacy implications, including the idea that individuals can control their data, said three students at UCLA School of Law in a blog for TechPolicy.Press. The "right to be forgotten," as the removal of personal data from public access is called, gained legal acknowledgment under the EU's General Data Protection Regulation (GDPR), which allows individuals to view, edit or delete personal data.
Sign up for a free preview to unlock the rest of this article
"But in an era where AI continuously scrapes, processes, and repurposes vast amounts of data, deletion is not so straightforward," the blog said. "Once personal data has been absorbed into an LLM, can it ever truly be forgotten?"
LLMs and GAI are trained using publicly available data scraped from the internet, the bloggers noted. Since AI models retain learned patterns, it can be difficult to delete data from them, even if a user removes the information from the internet. Some engineers say retraining an LLM from scratch is the only way to guarantee removal of an individual's data, according to the blog.
While "efforts toward 'machine unlearning' aim to delete specific data without dismantling entire models ... the reconstruction of 'forgotten information'" makes unlearning "seem like an impossible task today," the law students said. "LLMs and Generative AI often create outputs based on statistical patterns and relationships learned from training data -- if an AI [tool] has been trained on an individual’s personal details before a deletion request, it may still infer, predict, or reconstruct similar details when prompted."
The GDPR doesn't outline the erasure of personal information in the context of AI, and since AI models don't store data in entries -- instead the information is integrated into the parameters of the model -- removing information is close to impossible, the blog said.
Plus, there's a lack of clarity around guidelines for AI under the European framework, and exceptions to the erasure requirement create even more confusion, the students argued.
The U.S., on the other hand, doesn't recognize the right to be forgotten at the federal level, though some states, like California, have legislation addressing the issue, the blog said.
"Ethically, AI’s opacity creates accountability gaps," it said. "Even developers cannot fully explain how models process or recall data. This lack of transparency undermines individual control and increases risks of identity fraud, reputational harm, and privacy violations."
The blog offered suggestions to combat the issue, including training AI models on user devices locally through federated learning; differential privacy, which would anonymize information; or selectively removing certain data from a trained LLM without retraining it entirely through algorithmic destruction. But each of these methods comes with its own hurdles and drawbacks, the students wrote.
"Deleting a file or removing a post no longer guarantees true erasure when the data may have already influenced a machine learning model," they said. "Privacy must be reimagined to meet these changing needs" in a world where "AI systems do not just store information; they also transform and regenerate it."