The Right to Be Forgotten in the Age of AI

The right to be forgotten was not drafted with AI in mind. It presumes that controllers can identify and erase personal data upon request. However, in the context of generative AI, even if a data subject’s information is removed from future training datasets, the model may still generate outputs that resemble or replicate that data, undermining the effectiveness of erasure.

The results:

• Legal uncertainty for AI developers and organizations, who may have difficulty meeting erasure requests when using third-party models or datasets.
• Legal uncertainty for individuals trying to exercise their right to be forgotten in the era of generative AI.

The Google Spain judgment remains the leading EU case, establishing that search engines must remove links to personal data upon request, balancing privacy rights against the public’s right to information. The European Court of Justice (ECJ) further clarified the scope of the right to be forgotten in GC and Others v. CNIL, emphasizing that the right is not absolute and must be balanced against other fundamental rights. However, court judgements addressing the unique challenges posed by AI systems are yet to be delivered.

Addressing these challenges requires a multi-pronged approach:

1. Legal frameworks evolving to provide clearer guidance on the obligations of AI developers and deployers. This includes updating privacy laws, clarifying the scope of erasure rights in the context of AI, and fostering regulatory innovation.
2. Creating ways to protect privacy, like using techniques that add noise to data (differential privacy) or letting computers learn without sharing raw data (federated learning).
3. Considering Machine Unlearning techniques for AI models to “forget” specific information without requiring full retraining.
4. Businesses adopting privacy-by-design principles from the earliest stages of AI development.

For Businesses

Upholding the right to be forgotten under European and Maltese data protection law has become increasingly challenging with the rise of gen AI. Ensuring compliance now demands a proactive approach by:

• implementing privacy-by-design principles
• regularly reviewing internal policies
• adopting advanced technical measures to manage and mitigate data retention risks
• updating privacy practices
• conducting thorough Data Protection Impact Assessments (DPIAs)
• educating staff and users about the limitations of current AI technologies and the evolving legal landscape
• prioritising transparency and user control

For Individuals

As regulatory and technological reforms progress, individuals must remain vigilant and informed, ensuring that their privacy expectations are respected and that their requests are handled with care and accountability by businesses deploying AI-driven solutions.

• Deleted information may persist in model outputs, making complete removal difficult
• Individuals should be aware of both their legal rights and the practical limitations posed by AI systems. Advocating for transparency from organizations, requesting clear information about data handling practices, and understanding the scope of their rights are crucial steps.

Our team of technology and data protection lawyers brings together deep technical insight and legal acumen to help clients navigate the complexities of AI adoption and implementation. We are dedicated to ensuring that individuals’ rights—especially the right to be forgotten—are respected throughout the AI lifecycle.

By advising on compliance strategies and privacy-by-design principles, we empower organizations to embrace the opportunities of AI while safeguarding personal data and upholding the fundamental rights of individuals in accordance with evolving legal standards.