You filed a deletion request. The company emailed back to say your data is gone. Here is the verdict it left out: legally yes, technically not really. You can compel a company to erase your records, and EU regulators say that obligation reaches into AI training data too. But a trained model is a different kind of object. Its weights already absorbed what they learned from you, and short of retraining the whole thing, they keep that knowledge.
This gap has a name. Machine unlearning is the research field trying to make a model forget specific training data without paying the full price of rebuilding it. The catch is sharp. Current methods approximate forgetting rather than prove it, and the one method that truly guarantees erasure is the one nobody wants to run every time a deletion request lands.
You can ask a company to delete your data. You usually cannot make the trained model actually forget it. Deleting a stored record and removing a learned pattern from billions of weights are two different problems with two different price tags.
The short answer: legally yes, technically not really
Under EU law you have a right to request erasure of your personal data, and that right does not stop at the database door. In Opinion 28/2024, published in December 2024, the European Data Protection Board stated that a model trained on personal data is not automatically anonymous just because its outputs do not name you. A model counts as anonymous only when the likelihood of extracting training data through reasonable means is, in the EDPB's word, insignificant. Few large models clear that bar.
The technical reality runs the other way. A trained model does not file your data in a row you can locate and drop. It stores what it learned as statistical associations spread across its parameters. Removing one person's contribution means adjusting a large number of interdependent weights, and there is still no agreed test for when that removal has actually worked.
So the legal promise and the engineering capability are out of sync. The right to be forgotten assumes deletion is one discrete act. Inside a trained model, forgetting is probabilistic, expensive, and hard to verify. That tension is the whole story.
What the right to be forgotten promises
GDPR Article 17 gives you the right to have personal data erased without undue delay when one of several conditions applies. Those conditions include data that is no longer necessary for its original purpose, consent you have withdrawn with no other legal basis to fall back on, an objection the controller cannot override, and data that was processed unlawfully.
The right is not absolute. Article 17(3) carves out exceptions where processing stays necessary: freedom of expression and information, compliance with a legal obligation, public health, archiving and scientific or historical research in the public interest, and the establishment or defence of legal claims. A company can lawfully refuse erasure when one of these grounds genuinely applies.
The EU AI Act sits alongside GDPR rather than replacing it. Both frameworks apply in parallel, so an AI provider must satisfy data protection law and AI-specific obligations at the same time. The AI Act does not hand you a separate delete button for model weights. The erasure right still flows from GDPR; the AI Act stacks governance and transparency duties on top.
Read together, the law is clear that your data inside a training set is in scope. What the law does not do is name a method. It states the obligation and leaves the controller to find a technical way to meet it. That is exactly where the difficulty starts.
Why trained weights are not a database you can delete a row from
A database stores your record in a known location. Deletion is a lookup, then a removal, and afterward the record is gone in a way anyone can audit. A trained model works nothing like this. During training, each example nudges the model's parameters, and those nudges blend together across the network. There is no row labelled with your name to find and erase.
This is why wiping your data from the back-end database does not finish the job. Norton Rose Fulbright put the limit bluntly in an August 2024 analysis: where personal data is incorporated into large language models, it currently can never be truly erased or rectified, though output filters can be applied. The learned influence persists in the weights even when the original file is long gone.
What memorization looks like in practice
Large models can reproduce fragments of their training data, sometimes close to verbatim, especially for rare or repeated examples. That memorized content is not stored as a retrievable file. The model reconstructs it from the statistical pattern baked into its parameters. The same property that lets a model generalize is the property that makes targeted forgetting so hard.
- A database deletion is verifiable: the record is present or it is not.
- A weight is shared: the same parameter encodes contributions from countless examples.
- Your data's effect is entangled with everyone else's, so it cannot be isolated cleanly.
- Output filters can hide a result without removing the underlying learned pattern.
Machine unlearning methods and their limits
Machine unlearning splits into two broad families: exact and approximate. Exact unlearning aims to produce a model statistically indistinguishable from one trained without your data in the first place. Approximate unlearning accepts a degree of difference from that ideal in exchange for being far cheaper to run.
Exact unlearning: structure the training so retraining is cheaper
The best-known exact approach is sharded training, introduced by Bourtoule and colleagues in 2019 as SISA. Split the dataset into shards, train a separate sub-model on each shard, then combine their answers at inference. When a deletion request lands, only the shard holding that data needs retraining, not the whole model. The guarantee is real. The cost is extra storage, and the savings only show up when your data sits in a handful of shards.
Approximate unlearning: nudge the weights and hope
Approximate methods try to reverse a data point's influence without full retraining, using gradient subtraction, influence-function updates, and other targeted parameter edits. They are fast. They also leave residual traces, and there is no consensus on what counts as successful erasure in a probabilistic system. A model can pass one forgetting test and still leak the same data under a different probe.
Here is the line the marketing decks skip. The strongest caution comes from research aimed straight at policymakers. Machine Unlearning Doesn't Do What You Think, a 2024 paper presented in the oral track at NeurIPS 2025, identifies fundamental mismatches between what unlearning promises and what it can deliver. Its conclusion is flat: unlearning is not a general-purpose solution for circumscribing generative-AI model behavior. Treat it as a partial tool, not a delete key.
| Approach | Forgetting guarantee | Main cost | Practical catch |
|---|---|---|---|
| Delete from database only | None for the model | Trivial | Weights still retain the learned pattern |
| Approximate unlearning | Partial, unverified | One or few gradient updates | Residual traces; no agreed success test |
| Exact unlearning (SISA) | Strong, by construction | Retrain affected shards plus extra storage | Only cheap when data is confined to few shards |
| Full retraining from scratch | Complete | Highest | Rarely run per request; cost is prohibitive |
The retraining cost that makes true erasure rare
Full retraining is the only method that guarantees your data is gone, and it is the one almost nobody runs on demand. Retraining a frontier model is a major compute job measured in time, money, and energy. Doing it again for every single deletion request would be, in the words of the unlearning literature, astronomically expensive. So providers reach for cheaper approximations or output controls instead.
That economics shapes what actually happens after you file. The company can delete your raw data, stop using it in the next training run, and add filters that suppress outputs tied to you. What it usually will not do is rebuild the deployed model to scrub your influence from the current weights. The data leaves the pipeline. The trained artifact keeps what it already learned.
When a provider says it honored your deletion request, ask what was deleted. Removing your data from storage and future training is real and meaningful. Removing your influence from a model already in production is a far stronger claim, and far less common.
Regulators see the gap. The EDPB has signaled that controllers cannot use technical difficulty as an automatic shield, which pushes providers toward designs where deletion is feasible from the start rather than bolted on after a model is trained. As of June 2026, the live question is shifting from how do we forget later to how do we avoid baking in what we should not keep.
What this means for your data, and why architecture beats promises
Here is the contrarian part. Most coverage treats machine unlearning as the fix in progress, the API that will eventually catch up to the law. It probably will not, at least not as a clean delete. The more honest fix is upstream: where your data lives decides whether it can ever really be removed. Data absorbed into a model's weights is hard to remove and hard to verify as removed. Data kept outside the model, in a store you or the provider can actually delete from, behaves like a database again. Drop the row, confirm it is gone.
That distinction is the case for keeping the memory of an AI system separate from the model that reasons over it. If your history, preferences, and context live in a model's training weights, erasure is a research problem. If they live in an external memory layer, erasure is an operation: delete the record, and the model no longer has access to it on the next request.
This is the design MemX (memx.app) is built around. MemX is an external, model-agnostic AI memory layer. Your memory sits outside the model, so it can be inspected, edited, and deleted as discrete records rather than fused into weights you cannot reach. Swap the underlying model and your memory stays with you. Delete a memory and it is gone from the layer the model reads.
On privacy, the honest framing matters. MemX is private by architecture: per-user isolation, encryption at rest, and on-device options. That is a real posture, not a slogan. It is not end-to-end encryption and not a zero-knowledge system, and treating an external memory as a clean delete target is a different promise from claiming a trained model has truly forgotten you. Keeping memory deletable is the part you can actually verify.
Forgetting stored memory is an operation you can run and confirm. Forgetting trained weights is a research problem that usually needs retraining. The safest data is the data that never had to be unlearned, because it was never baked into the model in the first place.
01Can AI really forget you if you ask it to?
Partly. A company can delete your stored data and stop training on it, but the trained model keeps the patterns it already learned unless it is retrained. Approximate unlearning can reduce that influence without guaranteeing it is gone.
02What is machine unlearning?
Machine unlearning is the set of methods that make a trained model forget specific data without retraining it from scratch. It splits into exact methods, which guarantee removal at higher cost, and approximate methods, which are cheaper but leave residual traces.
03Does GDPR's right to be forgotten apply to AI training data?
Yes. GDPR Article 17 covers personal data used to train models, and the EDPB's Opinion 28/2024 says such a model is not automatically anonymous. Enforcement is hard because the data lives in weights, not as a record you can simply delete.
04Why can't companies just delete my data from a trained model?
A model does not store data as rows. It encodes it as statistical patterns spread across billions of shared weights. Your contribution is entangled with everyone else's, so removing it cleanly is far harder than dropping one database record.
05Is retraining the only way to truly remove data from an AI model?
Full retraining is the only method that fully guarantees removal, which is why it is rarely run per request: the compute cost is prohibitive. Exact methods like sharded training lower that cost, and approximate methods only approximate forgetting.
Sources: GDPR Article 17 (gdpr-info.eu); IAPP, The AI right to unlearn; A Survey of Machine Unlearning, Nguyen et al. (arXiv:2209.02299); Cooper et al., Machine Unlearning Doesn't Do What You Think (arXiv:2412.06966, NeurIPS 2025); Norton Rose Fulbright, AI training under the GDPR; EDPB Opinion 28/2024 on AI models.
