How the Right to Be Forgotten Is Evolving in the Age of AI

Fact-checked by the VisualEnews editorial team

Quick Answer

The debate over the right to be forgotten in AI has intensified in 2025 as regulators struggle to apply existing erasure laws to machine learning systems. The EU’s GDPR grants deletion rights, yet fewer than 30% of AI vendors can technically verify data removal from trained models. Enforcement gaps are widening as AI adoption accelerates globally.

The problem of applying the right to be forgotten to AI is not a future concern; it is an active regulatory crisis. Under Article 17 of the GDPR, individuals hold the legal right to request erasure of their personal data, but machine learning models trained on that data present a technical challenge that existing law was never designed to address. According to the European Data Protection Board’s published guidance, simply deleting a data point from a training dataset does not guarantee its influence is removed from a deployed model.

This gap matters now because generative AI systems from companies like OpenAI, Google DeepMind, and Meta AI have been trained on billions of web-scraped records — many containing personal information gathered without explicit consent. The collision between privacy law and AI architecture is producing landmark enforcement actions, technical research breakthroughs, and new legislative proposals simultaneously.

What Does the Right to Be Forgotten Mean in an AI Context?

In an AI context, the right to be forgotten means an individual’s ability to compel an organization to remove their personal data not just from databases, but from the parameters and outputs of any AI model trained on that data. This is fundamentally harder than traditional data deletion. A model does not store raw records — it stores statistical patterns derived from records, making targeted erasure technically non-trivial.

Traditional GDPR compliance involved deleting a row from a database. With AI, the equivalent action would require either retraining the entire model without the affected data — a process that can cost millions of dollars and significant compute energy according to Stanford HAI research — or applying an emerging technique called machine unlearning. Machine unlearning attempts to selectively remove a data point’s influence from a trained model without full retraining.

Why Traditional Deletion Falls Short

A study from researchers at MIT and Carnegie Mellon University demonstrated that large language models can reproduce memorized training data verbatim, including names, addresses, and private communications. This means deletion from the source dataset does not prevent the model from surfacing that information in future outputs — a direct conflict with GDPR’s erasure mandate.

Key Takeaway: Honoring the right to be forgotten in AI systems goes beyond database deletion. Machine unlearning is the emerging technical solution, but full model retraining can cost millions, making compliance economically prohibitive for most organizations without standardized frameworks.

How Are Regulators Responding to Right-to-Be-Forgotten Gaps in AI?

Regulators across multiple jurisdictions are actively closing the gap between GDPR’s theoretical erasure rights and AI’s practical realities. The Italian Data Protection Authority (Garante) made global headlines in March 2023 when it temporarily banned ChatGPT over data erasure and consent concerns — the first such action by a major Western regulator. The ban was lifted after OpenAI implemented an opt-out mechanism, but the precedent was set.

The EU AI Act, which entered into force in August 2024, adds a compliance layer on top of GDPR. High-risk AI systems must now maintain detailed documentation of training data sources, making erasure requests more traceable. Meanwhile, California’s Delete Act (SB 362), signed in 2023, requires data brokers to honor deletion requests through a single centralized mechanism by January 2026 — a model that privacy advocates want extended to AI training pipelines.

Understanding how AI systems interact with your personal data connects directly to broader questions about protecting your digital identity — a challenge that grows more complex as machine learning becomes embedded in daily services.

Key Takeaway: Regulatory pressure is accelerating. The EU AI Act (effective August 2024) and California’s SB 362 (deadline January 2026) represent the two most consequential frameworks pushing AI vendors toward verifiable data erasure compliance.

What Is Machine Unlearning and Can It Actually Work?

Machine unlearning is a set of computational techniques designed to remove the influence of specific training data from an already-trained AI model without requiring full retraining from scratch. It is the most promising technical path toward making the right to be forgotten AI-compatible. However, the field is still maturing and no single approach is universally accepted.

Google published foundational machine unlearning research in 2023 and even hosted a public NeurIPS 2023 Machine Unlearning Competition on Kaggle, attracting over 1,100 competing teams. The competition revealed that approximate unlearning methods — which reduce a data point’s influence without eliminating it entirely — are far more computationally feasible than exact unlearning. But approximate methods raise a legal question: does “reduced influence” satisfy GDPR’s erasure standard?

“The law says delete. The technology says approximate. Until those two definitions align, every major AI company deploying personal data in training sets is operating in a legal grey zone.”

— Dr. Carmela Troncoso, Professor of Security and Privacy Engineering, EPFL (Swiss Federal Institute of Technology Lausanne)

The honest answer from the research community is that exact machine unlearning at scale remains computationally expensive and not yet production-ready for large foundation models. Approximate methods exist today but may not meet the strict legal threshold regulators will ultimately require.

Key Takeaway: Over 1,100 teams competed in Google’s 2023 machine unlearning challenge, signaling intense research investment — yet approximate unlearning methods still fall short of the exact erasure standard required by GDPR Article 17.

| Approach | Technical Feasibility | GDPR Compliance Likelihood |
|---|---|---|
| Full Model Retraining | High: proven method | High: data fully excluded |
| Exact Machine Unlearning | Low: computationally prohibitive at scale | High: if verified |
| Approximate Machine Unlearning | Medium: emerging, production-tested | Uncertain: legal threshold unclear |
| Data Source Deletion Only | High: existing practice | Low: model retains learned patterns |
| Differential Privacy at Training | Medium: reduces memorization risk | Medium: preventative, not curative |
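
Three rows of the comparison above (source deletion only, full retraining, exact unlearning) can be checked side by side on a toy model. The following is an added example, not part of the original article: it assumes a two-feature ridge regression on constructed data, and the names fit, unlearn and erasure_report are hypothetical. Exact unlearning is cheap here only because a linear model is fully described by additive sums over its records; deep networks have no such decomposition.

```python
# Added illustration (not from the article): toy ridge regression on
# constructed data. All names and values here are hypothetical.
LAMBDA = 0.1  # ridge regularisation strength (assumed)

def solve2(A, b):
    """Solve the 2x2 linear system A w = b by Cramer's rule."""
    det = A[0][0] * A[1][1] - A[0][1] * A[1][0]
    return [(b[0] * A[1][1] - A[0][1] * b[1]) / det,
            (A[0][0] * b[1] - A[1][0] * b[0]) / det]

def fit(records):
    """Train from scratch: accumulate X^T X + lambda*I and X^T y, then solve."""
    A = [[LAMBDA, 0.0], [0.0, LAMBDA]]
    b = [0.0, 0.0]
    for x, y in records:
        for i in range(2):
            b[i] += x[i] * y
            for j in range(2):
                A[i][j] += x[i] * x[j]
    return {"A": A, "b": b, "w": solve2(A, b)}

def unlearn(model, record):
    """Exact unlearning: subtract one record's contribution and re-solve."""
    x, y = record
    A = [[model["A"][i][j] - x[i] * x[j] for j in range(2)] for i in range(2)]
    b = [model["b"][i] - x[i] * y for i in range(2)]
    return {"A": A, "b": b, "w": solve2(A, b)}

def max_gap(m1, m2):
    """Largest absolute difference between two models' weights."""
    return max(abs(p - q) for p, q in zip(m1["w"], m2["w"]))

# Constructed training set: ((feature1, feature2), target).
DATA = [((1.0, 2.0), 5.0), ((2.0, 1.0), 4.0), ((3.0, 3.0), 9.5),
        ((0.5, 4.0), 8.0), ((4.0, 0.5), 30.0)]  # last row: the data subject
SUBJECT = DATA[-1]

deployed = fit(DATA)                                # model already in production
remaining = [r for r in DATA if r is not SUBJECT]   # row deleted from the source
retrained = fit(remaining)                          # full retraining (reference)
unlearned = unlearn(deployed, SUBJECT)              # exact unlearning

def erasure_report():
    """Weight gap to the retrained reference; ~0 means the influence is gone."""
    return {"source_deletion_only": max_gap(deployed, retrained),
            "exact_unlearning": max_gap(unlearned, retrained)}
```

Deleting the row from the dataset leaves the deployed weights untouched, so the first gap stays large, while the unlearned model matches the retrained one to floating-point precision. Comparing against a retrained reference is also the simplest form of erasure verification.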

How Does Right-to-Be-Forgotten Law for AI Affect Everyday Users?

For everyday users, the right-to-be-forgotten gap in AI means their personal data may persist inside AI models even after they submit a formal deletion request to a company. If you have ever interacted with a chatbot, used a personalized recommendation engine, or had your data scraped from a social platform, your information may have shaped a model’s parameters, and you have no current mechanism to verify removal.

The practical impact is already visible. Meta faced regulatory scrutiny in 2023 when the Irish Data Protection Commission fined it 1.2 billion euros — the largest GDPR fine ever issued — partly over unlawful data transfers that fed AI systems. The case illustrated how AI training pipelines create compounding data liability. This also intersects with how AI is changing internet search, where personal data increasingly shapes what information surfaces for individual users.

Users can currently exercise partial rights through tools like Google’s My Activity deletion controls, OpenAI’s privacy request portal, and opt-out mechanisms required under California’s CCPA. However, none of these tools can confirm whether a model has been retrained to remove a user’s data influence.

The broader concern extends beyond privacy into how free digital services monetize your data — a dynamic that makes understanding AI data rights increasingly essential for any technology user.

Key Takeaway: Meta’s record 1.2 billion euro GDPR fine in 2023 from the Irish Data Protection Commission confirmed that AI training pipelines create direct legal liability — and users have no current tool to verify actual model-level erasure after submitting deletion requests.

What Is Next for Right-to-Be-Forgotten Regulation of AI?

The next phase of right-to-be-forgotten regulation for AI will focus on two fronts: technical standards and global harmonization. On the technical side, bodies like the National Institute of Standards and Technology (NIST) are developing AI risk management frameworks that include data lifecycle requirements. The NIST AI Risk Management Framework 1.0, released in January 2023, calls for “data provenance” documentation, a prerequisite for any meaningful erasure audit trail.

On the global front, the Council of Europe’s Framework Convention on AI, signed by the US, UK, EU, and others in September 2024, marks the first binding international treaty on AI and explicitly references individual rights over AI-processed data. This signals that the right to be forgotten in AI is moving from regional GDPR obligation to global baseline expectation. The evolution mirrors broader questions about how transformative computing technologies force legal systems to adapt.

Industry groups including the Future of Privacy Forum and Partnership on AI are lobbying for a “verifiable unlearning” certification standard — a third-party audit process that would allow companies to demonstrate erasure compliance without disclosing proprietary model architecture. Such a standard does not yet exist, but its development is considered the most likely bridge between current legal requirements and technical reality.

Key Takeaway: The Council of Europe’s 2024 AI Framework Convention, signed by over 10 nations including the US and UK, makes AI data rights a binding international obligation for the first time, pushing the right to be forgotten in AI beyond Europe’s GDPR into global law.

Frequently Asked Questions

Does GDPR’s right to be forgotten apply to AI models trained on my data?

Yes, in principle — GDPR Article 17 gives EU residents the right to request erasure of their personal data, and this legally applies to AI training datasets. However, enforcement is limited because regulators have not yet established a verified technical standard for confirming model-level erasure. Most companies currently honor deletion from source datasets only.

What is machine unlearning in simple terms?

Machine unlearning is a technique that attempts to remove a specific data point’s influence from a trained AI model without rebuilding the model from scratch. Think of it as surgical editing of a model’s memory. Exact machine unlearning is computationally expensive; approximate methods are faster but may not meet legal erasure standards.

Can I request that ChatGPT or other AI tools delete my personal data?

Yes — OpenAI provides a privacy request portal where users can submit data deletion requests. However, OpenAI cannot currently guarantee that your data’s influence has been removed from GPT model parameters. Deletion from training pipelines and verified model-level erasure are not the same thing.

What is the biggest GDPR fine related to AI data use?

The largest GDPR fine connected to AI data practices was the 1.2 billion euro penalty issued to Meta by Ireland’s Data Protection Commission in May 2023. The fine involved unlawful transfer of EU user data to US servers, where that data fed Meta’s AI systems. It remains the largest GDPR enforcement action in history.

How does the EU AI Act change right to be forgotten obligations?

The EU AI Act, effective August 2024, requires high-risk AI systems to maintain detailed records of training data sources and provenance. This creates an audit trail that makes future erasure requests more traceable. It does not replace GDPR but adds a compliance layer requiring proactive data documentation before training begins.

Is right-to-be-forgotten law for AI different in the United States?

Yes — the US has no federal equivalent to GDPR’s erasure right. California’s CCPA and Delete Act (SB 362) provide the strongest state-level protections, requiring data brokers to process deletion requests through a centralized system by January 2026. Federal AI legislation remains fragmented, leaving most US users with significantly fewer enforceable erasure rights than EU counterparts.

Dana Whitfield

Staff Writer

Dana Whitfield is a personal finance writer specializing in the psychology of money, financial anxiety, and behavioral economics. With over a decade of experience covering the intersection of mental health and personal finance, her work has explored how childhood money narratives, social comparison, and financial shame shape the decisions people make every day. Dana holds a degree in psychology and has studied financial therapy frameworks to bring clinical depth to her writing. At Visual eNews, she covers Money & Mindset — helping readers understand that financial well-being starts with understanding your relationship with money, not just the numbers in your account. She believes financial advice that ignores feelings isn’t really advice at all.