The Right to be Forgotten in the Age of Artificial Intelligence
The interaction between the right to privacy and advanced technologies, such as generative artificial intelligence, presents unprecedented challenges. The right to be forgotten, developed at the European level, becomes relevant due to the ability of AI systems to collect, store and use personal data on a massive scale. This article analyses the legal and ethical implications of this right in the context of AI, as well as its regulatory framework and the need for adaptation in the face of these technologies.
The right to be forgotten, as part of the right to data protection, is recognised in the General Data Protection Regulation (GDPR). This right allows individuals to request the deletion of their personal data when it is no longer needed or its processing is unlawful, thus balancing privacy with access to information. However, this right faces significant challenges in the age of artificial intelligence, especially with Large Language Models (LLMs) such as ChatGPT, which process huge volumes of public data and generate content that may include outdated personal information. The difficulty in deleting this data once trained underlines the need to adapt the right to be forgotten to ensure its effectiveness in a constantly evolving digital environment.
The Legal Framework: GDPR and the AI Regulation
The General Data Protection Regulation (GDPR) is the main legal instrument regulating the protection of personal data in the European Union. This framework establishes key principles such as purpose limitation and data minimisation, which seek to ensure that only data strictly necessary for specific purposes are collected and processed. In this context, Article 17 enshrines the right to be forgotten, allowing data subjects to request the deletion of data when it is no longer necessary, the processing is unlawful or the information must be deleted in order to comply with a legal obligation. This right, while crucial to protect privacy, also recognises limits such as the prevalence of freedom of expression or the public interest.
The Artificial Intelligence Regulation (EU 2024/1689) complements the GDPR by specifically regulating AI systems. This regulation focuses on ensuring that these technologies respect fundamental rights, promoting ethical and human-centred artificial intelligence. To this end, it classifies AI systems according to their level of risk, imposing greater restrictions on high-impact systems, such as those used for biometric identification. It also introduces transparency and explainability requirements, requiring developers to provide clear information on how the systems work, what data they use and what rights users have.
Both regulations complement each other to address the challenges of AI in data protection. While the GDPR defines general principles, the AI Regulation sets out technical measures to implement rights such as erasure in an advanced technological environment. However, implementing solutions that allow AI systems to ‘forget’ specific data remains a key challenge to protect privacy in the digital age.
Challenges of the right to be forgotten in Artificial Intelligence
Large Language Models (LLMs), such as ChatGPT, represent advances in the field of generative artificial intelligence. However, their ability to process and generate content raises critical challenges in the protection of personal data and the respect of the right to be forgotten. These models, by operating with massive amounts of data and complex algorithms, face problems related to the deletion of information, the generation of inaccurate content and the lack of transparency in their operation.
Three key issues that highlight these difficulties and their legal implications are discussed below.
- Data Persistence in LLMs: generative AI models, when trained on large volumes of data, face difficulties in retroactively deleting personal information. Although techniques such as machine unlearning are under development, they do not yet guarantee a full and effective implementation of the right to be forgotten.
- The problem of hallucinations: in addition to storing personal data, these models can generate erroneous or fictitious content. This capability poses an additional risk, as a ‘hallucination’ can involve sensitive information of individuals, generating serious legal and reputational implications.
- Transparency and control: both the GDPR and the Artificial Intelligence Regulation stress the importance of transparency. However, the technical complexity of LLMs makes it difficult for users to understand how their data is processed, stored and used, complicating their ability to exercise rights such as the right to erasure.
To address these issues, it is important to move in three directions:
- Data suppression technologies: the implementation of algorithms that allow AI systems to selectively forget information is crucial. This approach would ensure that the right to be forgotten extends to AI models without affecting their ability to generate useful and relevant content.
- Impact assessments: both the GDPR and the AI Regulation require impact assessments to identify and mitigate privacy-related risks. These assessments should be a prerequisite for the development and deployment of LLMs, allowing for the identification of possible breaches of the right to be forgotten.
- Multidisciplinary collaboration: the convergence of legal experts, AI developers and regulators is essential to design practical and ethical solutions that comply with European regulatory principles.
The right to be forgotten is an essential pillar to protect citizens’ privacy in the digital age. However, its implementation faces significant challenges in the context of generative artificial intelligence. Regulatory developments, such as the Artificial Intelligence Regulation, and the development of new technologies aimed at data erasure are essential steps to ensure that this right is respected in an ever-changing technological environment.
The interplay between privacy and technological innovation requires a delicate balance. By protecting fundamental rights such as the right to be forgotten, we not only preserve individual dignity and autonomy, but also lay the foundations for a future in which artificial intelligence is a tool at the service of humanity, not a risk to its fundamental values.
Letslaw es una firma de abogados internacionales especializada en el derecho de los negocios.