Machine Unlearning and the Right to Erasure

Machine Unlearning and the Right to Erasure

When AI Learns What It Should Not

Time to Complete: 30 minutes

PDF 5-Minute Warm-Up Activity can be downloaded above.

Who This Is For: This lesson is designed for AI/ML engineers, data privacy officers, legal and compliance professionals, policy analysts, AI ethicists and technology product managers who work in industries where data governance is not optional -- including healthcare, finance, legal services, government and consumer technology. If you are wrestling with GDPR Article 17 erasure requests that involve AI systems, trying to understand whether your organization’s deployed models can actually comply with data subject rights, advising clients on AI liability under the EU AI Act, or simply trying to distinguish a vendor’s privacy claims from technical reality, this content is for you. It is equally suited to graduate students and academic researchers in computer science, law, information science or STS who want rigorous grounding in the technical constraints that shape every real-world privacy debate about large language models.

Goal: You will develop critical AI literacy skills by examining how large language models can ‘forget’ information, gaining hands-on experience with the technical, ethical, and legal challenges of removing knowledge from AI systems that have already learned it.

Real-World Applications:

In 2023, Samsung engineers accidentally leaked confidential source code and meeting notes by pasting them into ChatGPT during debugging sessions. Although the data was used to improve OpenAI’s model, Samsung had no mechanism to surgically remove those inputs from the model’s parameters -- only a full retraining could theoretically address it. This is machine unlearning in its most commercially urgent form: not a research problem, but an active liability. Legal teams at major enterprises now routinely ask AI vendors whether they can issue a ‘forget request’ under GDPR Article 17, and vendors who cannot answer the question technically -- not just contractually -- face increasing regulatory exposure. The same challenge plays out in healthcare (patient records surfacing in diagnostic AI outputs), publishing (copyrighted text reproducible via extraction attacks), and hiring (discriminatory patterns embedded in recommendation models that retraining alone may not fully resolve). Understanding the four unlearning method categories is therefore not abstract: it is the prerequisite for advising on, procuring, or building any AI system that handles personal or sensitive data at scale. 

The Problem and Its Relevance

The rise of large language models (LLMs) has created an unprecedented challenge: these models are trained on massive datasets scraped from the internet, which inevitably includes private information, copyrighted material, biased content, and harmful text. Once an LLM learns this information during training, it becomes embedded in the model's parameters -- the billions of numbers that define how the model behaves. This creates a critical problem: how do you make an AI ‘forget’ specific information without retraining the entire model from scratch, which would cost millions of dollars and months of computational time? The challenge of ‘machine unlearning’ in LLMs is not just technical -- it has profound implications for privacy rights (like the EU's ‘Right to be Forgotten’), copyright protection, bias mitigation, and AI safety. The gap between what we can technically achieve and what regulations legally require threatens the responsible deployment of AI systems.

Why Does This Matter?

Understanding how machine unlearning works in LLMs matters because:

(i) Privacy rights are at stake: When LLMs memorize personal information from their training data, they can violate individuals' privacy by generating that information in responses, even when not explicitly prompted.

(ii) Current methods are inadequate: Research shows that no existing unlearning method fully achieves effective forgetting -- models can still leak ‘forgotten’ information through clever prompting or white-box attacks.

(iii) Legal compliance requires solutions: Regulations like the GDPR give individuals the right to have their data erased, but it is unclear how this applies to data embedded in AI model parameters.

(iv) Three competing objectives cannot be reconciled: Effective forgetting (truly removing knowledge), model utility (maintaining performance on other tasks), and computational efficiency (doing it quickly and cheaply) represent an impossible triangle -- you can optimize two, but not all three simultaneously.

(v) Different forgetting requests need different approaches: Removing a person's private data requires different techniques than eliminating copyright-protected text, removing biased associations, or making a model forget an entire skill like coding.

(vi) Black-box methods provide false security: Techniques that only filter outputs without changing model parameters do not actually remove knowledge -- they just hide it, which fails to meet privacy requirements.

(vii) The evaluation problem is unsolved: We lack standardized ways to verify whether an LLM has truly forgotten information, making it impossible to fairly compare unlearning methods or provide guarantees.

So, the challenge of machine unlearning represents a frontier where technical capabilities, legal requirements, and ethical considerations collide, requiring innovative solutions that balance competing demands.

Three Critical Questions to Ask Yourself

• Do I understand the difference between hiding knowledge (blocking outputs) versus truly erasing it (changing model parameters)?

• Can I identify which type of forgetting request -- removing items, features, concepts, classes, or tasks -- would be most appropriate for different scenarios?

• Am I able to evaluate the trade-offs between forgetting effectiveness, model utility, and computational cost when comparing different unlearning approaches?

Roadmap

Read this content and familiarize yourself with the four main categories of unlearning methods: (i) global weight modification; (ii) local weight modification; (iii) architecture modification; and (iv) input/output modification.

In groups, your task is to:

(i) Select a realistic scenario where machine unlearning would be necessary -- this could involve privacy violations (e.g., a celebrity's leaked personal information), copyright issues (e.g., a best-selling novel's text), bias problems (e.g., gender stereotypes in job recommendations), or harmful content (e.g., instructions for dangerous activities).

Tip: Draw from recent news stories about AI controversies or imagine scenarios relevant to your field of study.

(ii) Justify why unlearning is necessary in your scenario rather than simply filtering outputs or retraining from scratch. Explain what type of forgetting request this represents (item removal, feature removal, concept removal, class removal, or task removal) and why traditional approaches would be inadequate.

(iii) Design a complete unlearning strategy that includes:

• Which unlearning method category (global weight modification, local weight modification, architecture modification, or input/output modification) you would employ and why

• How you would measure three critical outcomes:

• 1. Forgetting effectiveness: What tests would prove the knowledge is gone?

  2. Model utility: What capabilities must the model retain?

  3. Computational efficiency: What timeline and resources are acceptable?

• At least 2-3 specific evaluation metrics from the paper (e.g., perplexity, membership inference attacks, extraction likelihood, bias metrics) that would assess your approach

(iv) Explain the trade-offs inherent in your approach. Provide specific examples of what could go wrong -- Could the model still leak information through paraphrasing? Could forgetting one thing break related capabilities? Would your method scale to thousands of forgetting requests?

(v) Identify potential limitations or failure modes of your unlearning strategy and explain how you would detect whether forgetting was successful or incomplete. Consider both technical attacks (like white-box extraction) and practical challenges (like the model forgetting too much).

(vi) Compare your approach with at least two alternatives from different method categories. Create a comparison table showing how each performs on effectiveness, utility retention, computational cost, and forgetting guarantees (exact, approximate, or none).

Tip: Be realistic about what's technically feasible versus ideal -- perfect unlearning may be impossible, so focus on practical trade-offs rather than perfect solutions.

Individual Reflection

By replying to the group's post, share what you have learned (or not) from engaging in this activity. You may include:

• How this exercise changed your understanding of what it means for AI to ‘know’ or ‘forget’ information

• Whether you will think differently about what data you share online, knowing it might be scraped for AI training

• What this experience revealed about the gap between legal requirements (like ‘Right to be Forgotten’) and technical capabilities

• How you might apply this understanding to evaluate claims from AI companies about privacy protection or content moderation

• Whether the impossibility of perfect unlearning changes how you think AI systems should be regulated or deployed

Bottom Line

Machine unlearning succeeds when you clearly define what forgetting means in your specific context and honestly assess the trade-offs between effectiveness, utility, and efficiency. No existing method achieves perfect unlearning -- every approach makes compromises. The four method categories -- global weight modification, local weight modification, architecture modification, and input/output modification -- offer different balances of these trade-offs, with none emerging as universally superior. Your goal is not to find a perfect solution or to resist the reality that LLMs memorize training data; it is to understand the technical constraints, evaluate methods systematically, and make informed decisions about acceptable risk levels. When you can articulate why certain information should be forgotten, what guarantees are needed, which capabilities must be preserved, and what resources are available, you have developed the AI literacy needed to navigate the complex landscape of machine unlearning. This understanding serves you whether you are developing AI systems, regulating their use, or simply being a thoughtful citizen in an AI-saturated world where the question ‘Can an AI forget?’ has profound implications for privacy, fairness, and human autonomy.

#MachineUnlearning #PrivacyPerformanceTradeoffs #KnowledgePersistence #ForgettingGuarantees #RighttoErasure

{"@context":"https://schema.org","@type":"LearningResource","name":"Machine Unlearning and the Right to Erasure","alternateName":"Can AI Truly Forget? Navigating the Impossible Triangle of Privacy, Performance, and Cost","description":"A 30-minute active learning lesson examining how large language models can be made to forget specific training data, covering technical unlearning methods, legal compliance challenges under GDPR, and the impossible triangle of forgetting effectiveness, model utility, and computational efficiency.","educationalLevel":"Undergraduate/Graduate","timeRequired":"PT30M","learningResourceType":"Active Lear

ning Lesson","inLanguage":"en","dateModified":"2025-03-19","version":"v1.0 — Initial release","teaches":["machine unlearning","right to erasure","GDPR compliance for AI systems","LLM memorisation and privacy","model weight modification","knowledge removal from neural networks","AI data deletion","membership inference attacks","model parameter editing","catastrophic forgetting","AI bias mitigation","privacy-preserving AI","AI regulatory compliance","responsible AI deployment","AI data governance","training data removal","AI safety","copyright protection in AI","black-box vs white-box attacks","data subject rights enforcement","AI practitioner privacy workflows","ML engineer compliance tooling","data protection officer AI evaluation"],"keywords":["machine unlearning","right to be forgotten","GDPR AI compliance","LLM memorisation","data erasure AI","model unlearning methods","global weight modification","local weight modification","architecture modification","input output filtering","membership inference","extraction likelihood","perplexity metrics","AI privacy law","data subject rights","AI bias removal","copyright AI","forgetting guarantees","AI model auditing","responsible AI","AI ethics","data governance","AI regulatory compliance","ML engineer privacy","data protection officer AI","AI product manager","AI practitioner","AI compliance workflow","LLM safety","knowledge persistence","privacy performance tradeoff"],"about":[{"@type":"Thing","name":"Machine Unlearning"},{"@type":"Thing","name":"Large Language Models"},{"@type":"Thing","name":"Right to Be Forgotten"},{"@type":"Thing","name":"AI Privacy"}],"audience":{"@type":"EducationalAudience","educationalRole":["student","ML engineer","compliance officer","data protection officer","AI product manager"]}}