Humans Forget, Machines Remember: Artificial Intelligence and the Right to Be Forgotten

To understand the Right to be Forgotten in context of artificial intelligence, it is necessary to first delve into an overview of the concepts of human and AI memory and forgetting. Our current law appears to treat human and machine memory alike – supporting a fictitious understanding of memory and forgetting that does not comport with reality. (Some authors have already highlighted the concerns on the perfect remembering.) This Article will examine the problem of AI memory and the Right to be Forgotten, using this example as a model for understanding the failures of current privacy law to reflect the realities of AI technology. First, this Article analyzes the legal background behind the Right to be Forgotten, in order to understand its potential applicability to AI, including a discussion on the antagonism between the values of privacy and transparency under current E.U. privacy law. Next, the Authors explore whether the Right to be Forgotten is practicable or beneficial in an AI/machine learning context, in order to understand whether and how the law should address the Right to Be Forgotten in a post-AI world. The Authors discuss the technical problems faced when adhering to strict interpretation of data deletion requirements under the Right to be Forgotten, ultimately concluding that it may be impossible to fulfill the legal aims of the Right to be Forgotten in artificial intelligence environments. Finally, this Article addresses the core issue at the heart of the AI and Right to be Forgotten problem: the unfortunate dearth of interdisciplinary scholarship supporting privacy law and regulation

Right to be Forgotten in the Era of Large Language Models: Implications, Challenges, and Solutions

The Right to be Forgotten (RTBF) was first established as the result of the ruling of Google Spain SL, Google Inc. v AEPD, Mario Costeja Gonz\'alez, and was later included as the Right to Erasure under the General Data Protection Regulation (GDPR) of European Union to allow individuals the right to request personal data be deleted by organizations. Specifically for search engines, individuals can send requests to organizations to exclude their information from the query results. With the recent development of Large Language Models (LLMs) and their use in chatbots, LLM-enabled software systems have become popular. But they are not excluded from the RTBF. Compared with the indexing approach used by search engines, LLMs store, and process information in a completely different way. This poses new challenges for compliance with the RTBF. In this paper, we explore these challenges and provide our insights on how to implement technical solutions for the RTBF, including the use of machine unlearning, model editing, and prompting engineering

Analysis of the right to be forgotten under the GDPR in the age of surveillance capitalism

The definition of personal data is evolving in the modern age. With the emergence of new technology, new commercial practices and the increase in the value of data, companies are looking for ways to extract as much value as possible from the data of their users and gain an edge on their competition. Among these practices there are various legal concerns such as the right to be forgotten under the GDPR, how well it can be ensured and whether it can be ensured. Because of competition, companies may engage in practices that may not be legal in terms of data collection in order to benefit and increase their market dominance. Overall, the right to be forgotten is not adequately ensured under the GDPR in terms of copied information due to a lack of clear enforcement terms and definitions. Profiling is well regulated and defined, however, in real practice most companies do not admit that their work revolves around profiling or benefitting from an ecosystem built on profiling, which means that in reality profiling is still a big issue. Harmful data extraction is regulated, as well as there is a case brought before Germany’s competition authority regarding abuse of market position by a dominant social network. This case can bring attention to harmful data extraction and increase the quality of its regulation, while it is currently not defined under the GDPR. Overall, the GDPR suffers from a lack of definitions and enforcement terms, which could be fixed by computer scientists and legislators collaborating more closely

The Application of the Right to be Forgotten in the Machine Learning Context: From the Perspective of European Laws

The right to be forgotten has been evolving for decades along with the progress of different statutes and cases and, finally, independently enacted by the General Data Protection Regulation, making it widely applied across Europe. However, the related provisions in the regulation fail to enable machine learning systems to realistically forget the personal information which is stored and processed therein. This failure is not only because existing European rules do not stipulate standard codes of conduct and corresponding responsibilities for the parties involved, but they also cannot accommodate themselves to the new environment of machine learning, where specific information can hardly be removed from the entire cyberspace. There is also evidence in the technical, legal, and social spheres to elaborate on the mismatch between the rules of the right to be forgotten and the novel machinery background based on the above reasons. To mitigate these issues, this article will draw lessons from the cyberspace regulation theories and expound on their insights into realizing the right and the strategies they offered to reframe a new legal scheme of the right. This innovative framework entails a combination of technological, legal, and possibly social measures taken by online intermediaries which make critical decisions on the personal data given the so-called stewardship responsibilities. Therefore, the application of the right to be forgotten in the machinery landscape will plausibly be more effective

Ethical Machine Learning: Fairness, Privacy, And The Right To Be Forgotten

Large-scale algorithmic decision making has increasingly run afoul of various social norms, laws, and regulations. A prominent concern is when a learned model exhibits discrimination against some demographic group, perhaps based on race or gender. Concerns over such algorithmic discrimination have led to a recent flurry of research on fairness in machine learning, which includes new tools for designing fair models, and studies the tradeoffs between predictive accuracy and fairness. We address algorithmic challenges in this domain. Preserving privacy of data when performing analysis on it is not only a basic right for users, but it is also required by laws and regulations. How should one preserve privacy? After about two decades of fruitful research in this domain, differential privacy (DP) is considered by many the gold standard notion of data privacy. We focus on how differential privacy can be useful beyond preserving data privacy. In particular, we study the connection between differential privacy and adaptive data analysis. Users voluntarily provide huge amounts of personal data to businesses such as Facebook, Google, and Amazon, in exchange for useful services. But a basic principle of data autonomy asserts that users should be able to revoke access to their data if they no longer find the exchange of data for services worthwhile. The right for users to request the erasure of personal data appears in regulations such as the Right to be Forgotten of General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA). We provide algorithmic solutions to the the problem of removing the influence of data points from machine learning models

Data Privacy and Dignitary Privacy: Google Spain, the Right To Be Forgotten, and the Construction of the Public Sphere

The 2014 decision of the European Court of Justice in Google Spain controversially held that the fair information practices set forth in European Union (EU) Directive 95/46/EC (Directive) require that Google remove from search results links to websites that contain true information. Google Spain held that the Directive gives persons a “right to be forgotten.” At stake in Google Spain are values that involve both privacy and freedom of expression. Google Spain badly analyzes both. With regard to the latter, Google Spain fails to recognize that the circulation of texts of common interest among strangers makes possible the emergence of a “public” capable of forming the “public opinion” that is essential for democratic self-governance. As the rise of American newspapers in the nineteenth and twentieth centuries demonstrates, the press underwrites the public sphere by creating a structure of communication both responsive to public curiosity and independent of the content of any particular news story. Google, even though it is not itself an author, sustains the contemporary virtual public sphere by creating an analogous structure of communication. With regard to privacy values, EU law, like the laws of many nations, recognizes two distinct forms of privacy. The first is data privacy, which is protected by the fair information practices contained in the Directive. These practices regulate the processing of personal information to ensure (among other things) that such information is used only for the specified purposes for which it has been legally gathered. Data privacy operates according to an instrumental logic, and it seeks to endow persons with “control” over their personal data. Data subjects need not demonstrate harm in order to establish violations of data privacy. The second form of privacy recognized by EU law is dignitary privacy. Article 7 of the Charter of Fundamental Rights of the European Union protects the dignity of persons by regulating inappropriate communications that threaten to degrade, humiliate, or mortify them. Dignitary privacy follows a normative logic designed to prevent harm to personality caused by the violation of civility rules. There are the same privacy values as those safeguarded by the American tort of public disclosure of private facts. Throughout the world, courts protect dignitary privacy by balancing the harm that a communication may cause to personality against legitimate public interests in the communication. The instrumental logic of data privacy is inapplicable to public discourse, which is why the Directive contains derogations for journalistic activities. The communicative action characteristic of the public sphere is made up of intersubjective dialogue, which is antithetical both to the instrumental rationality of data privacy and to its aspiration to ensure individual control of personal information. Because the Google search engine underwrites the public sphere in which public discourse takes place, Google Spain should not have applied fair information practices to Google searches. But the Google Spain opinion also invokes Article 7, and in the end the decision creates doctrinal rules that are roughly approximate to those used to protect dignitary privacy. The Google Spain opinion is thus deeply confused about the kind of privacy it wishes to protect. It is impossible to ascertain whether the decision seeks to protect data privacy or dignitary privacy. Google Spain is ultimately pushed in the direction of dignitary privacy because data privacy is incompatible with public discourse, whereas dignitary privacy may be reconciled with the requirements of public discourse. Insofar as freedom of expression is valued because it fosters democratic self-government, public discourse cannot serve as an effective instrument of self-determination without a modicum of civility. Yet the Google Spain decision recognizes dignitary privacy only in a rudimentary and unsatisfactory way. If it had more clearly focused on the requirements of dignitary privacy, Google Spain would not so sharply have distinguished Google links from the underlying websites to which they refer. Google Spain would not have blithely outsourced the enforcement of the right to be forgotten to a private corporation like Google

Digital privacy – metaphorical conceptualization of the 'right to be forgotten'

Mastergradsoppgave i digital kommunikasjon og kultur, Avdeling for lærerutdanning og naturvitenskap, Høgskolen i Hedmark, 2014.English: Although the problem of digital privacy is one of the most discussed issues today, there is relatively little research done in the sphere of metaphorical conceptualization of digital privacy. Moreover, the previous research on the topic is characterized by a generalized approach to the analyzed metaphors: Modern privacy discourse is discussed in general without a more defined focus of the analyzed topic. The aim of this thesis is to investigate metaphorical conceptions about digital privacy in a media discourse dedicated to a specific aspect of digital privacy, namely the “right to be forgotten”. The metaphorical conceptions are examined within the framework of the discourse dynamic approach which sees metaphor as an important tool for understanding people’s conceptualizations and studies metaphor in the dynamics of language use. The thesis focuses on identifying linguistic metaphors and finding systematicity in their usage in 10 newspaper articles dedicated to the topic of “the right to be forgotten”. The results of the metaphor analysis indicate that there are two main types of systematic metaphors used about different aspects of digital privacy within the “right to be forgotten”: (1) conventionalized systematic metaphors that underlie our understanding of digital privacy, and (2) more specific systematic metaphors that reveal attitudes and evaluations about current digital privacy issues. It is found that the most interesting systematic metaphors reveal how the relationship between data subjects and data controllers is presented in the media: These metaphors are united by conceptualizing data subjects and data controllers as opposing sides and by conceptualizing data controllers as a stronger party. The results also reveal that some of the metaphors which underlie the understanding of information in “the right to be forgotten” initiative, create major misconceptions of how information on the Internet exists and what limitations individuals have in relation to it. It is also discovered that none of the traditional conceptions of privacy discussed in previous research was found in the analyzed data. The conclusion is that the general framework might not always be reflected in discussing particular privacy issues. Thus, further examination of more specific aspects of digital privacy might give unexpected results.Norsk: Selv om digitalt personvern er et av de mest diskuterte spørsmålene i dag, er det relativt lite forskning på området metaforisk konseptualisering av digitalt personvern. Dessuten er den eksisterende forskningen preget av en generell tilnærming til metaforene som analyseres: Det moderne personvernet blir diskutert allment og uten et spesifikt fokus på temaet. Målet ved denne oppgaven er å undersøke metaforiske begreper om digitalt personvern i en medial diskurs om et spesielt aspekt ved digital peronvern, nemlig «retten til å bli glemt». De metaforiske begrepene er undersøkt innenfor rammen av en diskurs-dynamisk tilnærming som ser metaforen som et viktig verktøy til å forstå menneskers konseptualiseringer, og som studerer metaforen i språkbruksdynamisk perspektiv. Avhandlingen har fokus på identifisering av lingvistiske metaforer og avdekking av systematikk i bruken av dem i 10 avisartikler om «retten til å bli glemt». Resultatene av metaforanalysen viser at det er to hovedtyper av systematiske metaforer som blir brukt om forskjellige aspekter ved digitalt personvern når temaet er «retten til å bli glemt»: (1) konvensjonelle systematiske metaforer som ligger til grunn for vår forståelse av digitalt personvern, og (2) mer spesifikke systematiske metaforer som avdekker holdninger og vurderinger knyttet til aktuelle temaer som gjelder digitalt personvern. Det viser seg at de mest interessante systematiske metaforene avdekker hvordan forholdet mellom datasubjekter («data subjects») og datakontrollører («data controllers») er presentert i mediene. Disse metaforene har det til felles at de konseptualiserer datasubjekter og datakontrollører som motparter, og at de konseptualiserer datakontrollører som den sterkeste parten. Resultatene avdekker også at noen av metaforene som ligger til grunn for forståelsen av informasjon innenfor «retten til å bli glemt»-temaet, skaper store misfortåelser om hvordan informasjon eksisterer på nettet, og hvilke begrensninger individer har i forhold til den. Ingen av de tradisjonelle begrepene om personvern omtalt i tidligere forskning ble funnet i det analyserte datamaterialet. Konklusjonen er at det er mulig at det generelle rammeverket ikke alltid gjenspeiles i diskusjoner om spesielle spørsmål innenfor personvern. Dermed vil videre forskning på mer spesifikke aspekter ved digitalt personvern kunne gi uventede resultater

Slave to the Algorithm? Why a \u27Right to an Explanation\u27 Is Probably Not the Remedy You Are Looking For

Algorithms, particularly machine learning (ML) algorithms, are increasingly important to individuals’ lives, but have caused a range of concerns revolving mainly around unfairness, discrimination and opacity. Transparency in the form of a “right to an explanation” has emerged as a compellingly attractive remedy since it intuitively promises to open the algorithmic “black box” to promote challenge, redress, and hopefully heightened accountability. Amidst the general furore over algorithmic bias we describe, any remedy in a storm has looked attractive. However, we argue that a right to an explanation in the EU General Data Protection Regulation (GDPR) is unlikely to present a complete remedy to algorithmic harms, particularly in some of the core “algorithmic war stories” that have shaped recent attitudes in this domain. Firstly, the law is restrictive, unclear, or even paradoxical concerning when any explanation-related right can be triggered. Secondly, even navigating this, the legal conception of explanations as “meaningful information about the logic of processing” may not be provided by the kind of ML “explanations” computer scientists have developed, partially in response. ML explanations are restricted both by the type of explanation sought, the dimensionality of the domain and the type of user seeking an explanation. However, “subject-centric explanations (SCEs) focussing on particular regions of a model around a query show promise for interactive exploration, as do explanation systems based on learning a model from outside rather than taking it apart (pedagogical versus decompositional explanations) in dodging developers\u27 worries of intellectual property or trade secrets disclosure. Based on our analysis, we fear that the search for a “right to an explanation” in the GDPR may be at best distracting, and at worst nurture a new kind of “transparency fallacy.” But all is not lost. We argue that other parts of the GDPR related (i) to the right to erasure ( right to be forgotten ) and the right to data portability; and (ii) to privacy by design, Data Protection Impact Assessments and certification and privacy seals, may have the seeds we can use to make algorithms more responsible, explicable, and human-centered