The ‘right to be forgotten’ in the age of AI

The original data may have been deleted, but its influence might not have, warns Alec Sladden

Privacy law regulates how personal data is collected, used and controlled, giving individuals certain rights over information that relates to them. It is designed to ensure that personal data is not processed arbitrarily and that individuals retain a degree of control over their digital identity.

The right to be forgotten was supposed to give citizens more control. This right, which is enshrined in EU law, holds that individuals can have their personal data erased when it is no longer justified for it to exist. It is a powerful concept and one that sits comfortably within a legal system built on the assumption that information can be managed, contained and, when necessary, removed. But this is just an assumption.

The legal framework within the General Data Protection Regulation (GDPR) is relatively straightforward. A data subject can request erasure and the data controller must delete the personal data “without undue delay”, subject to a number of exceptions such as freedom of expression, legal obligations, public interest and so on.

AI developers increasingly fall within this framework as data controllers. That means, in theory, that the aforementioned obligations apply to them. The problem is that the law assumes that data exists in a form in which it can be removed.

AI systems, particularly large language models (LLMs) like ChatGPT, Gemini and Claude, do not store information in neat, retrievable files. They do not hold personal data in the way a database does. Instead, they are trained on vast datasets. Through that training, information is broken down, absorbed and redistributed across millions of parameters. The result is not storage but transformation of that data.

This creates a fundamental problem: while specific data can be removed from a training dataset, this does not undo the influence of that same data on a trained model. The influence of that data remains embedded in the system, not as a copy but as part of how the model has learned to generate outputs. In this sense, even when the data is gone, its effects are not.

The right to be forgotten relies on the analogy that removing access to information is equal to erasing it. AI does not work like that, because removing data from a training set does not undo the learning that has already taken place. To fully eliminate the influence of specific data, one would need to retrain the model entirely or develop highly precise machine unlearning techniques.

So when we say data has been erased, what we often mean is something much simpler: that the original source has been deleted, not that its influence has disappeared.

At first glance, this might seem like a technical inconvenience, but it is not. It strikes at the core of this fundamental right. The right to be forgotten was never about deleting data from a server; it was an assurance that individuals can reclaim their digital identity by removing unwanted traces of the past. But if AI systems continue to reflect patterns derived from that data, even after deletion, then that control becomes an illusion.

None of this means the right to be forgotten is meaningless. It still plays an important role, particularly in contexts like search engines and databases where data can genuinely be removed. But when applied to AI, the law is struggling to keep up. Some responses are emerging, like data minimisation, which seeks to limit the amount of personal data used in the training of these AI models.

More advanced approaches, like machine unlearning (the process of making an AI model “forget” specific data it was trained on), try to remove the effect of specific data from a model. All of these help, but none fully solves the problem.

The right to be forgotten was built on a simple idea, that deletion leads to disappearance. However, AI undermines that idea because, in the age of AI, forgetting is no longer something which the law, as is, can guarantee.

Alec Sladden is a lawyer by profession with a specialisation in law and technology from King’s College London. 
