The Right to be Forgotten under the GDPR

Published at 2024-06-25 by Ana Rodrigues

An overarching concern in the discourse surrounding AI within the framework of the General Data Protection Regulation (GDPR) is the profound implications of the 'right to be forgotten'.

Data subjects have the right to seek erasure of their personal data from the controller without undue delay under article 17, which is also known as the right to be forgotten. The right may also apply in cases when personal data is erroneous. Furthermore, this privilege is not absolute, which means it is subject to constraints. The GDPR clearly defines six reasons for the deletion of personal data, including scenarios in which data collection or processing is no longer necessary or permission has been revoked. Furthermore, there are four situations in which this right does not apply, such as when it clashes with freedom of expression or other public interests.

In the realm of AI, this right presents multifaceted challenges. Legally, the ambiguity surrounding the definition of "forget" and the enforcement benchmark can render this right ineffectual. Moreover, from a technical standpoint, the various optional approaches outlined to achieve the right to be forgotten may prove unfeasible in AI contexts or degrade AI performance. Consequently, completely erasing or restricting access to data or digital memories related to AI agents may be exceedingly difficult, if not impossible.

Hence, although a seemingly straightforward right, the right to be forgotten in the context of AI may not be that easy to satisfy. This issue is reinforced if open-source systems are used.

GDPR on AI - a series of posts written by Maria Mot