Large language models can be trained to write code, predict the ending of a sentence, summarize complex concepts and even solve math problems. But have they been taught how to forget?
For now, it seems there aren’t many avenues for developers of foundational large language models (LLMs) to comply with the right of erasure, also known as the “right to be forgotten,” under the General Data Privacy Regulation (GDPR) without having to delete their entire models.
Going forward, this means that AI companies will either have to wait to see how regulators balance individuals’ right to be forgotten with companies’ economic interests, or they will have to implement other strategies to answer customers’ data deletion requests.
If A Model Can Learn, Can It Also Unlearn?
Removing personal data from an LLM’s training set is complex, because it requires both deleting one piece of information—let’s say, a picture—as well as deleting the influence that the data in question had on the rest of the model. This means that, in most cases, successfully complying with a data deletion request would mean retraining the model from scratch.
While it’s technically possible, many have argued that this approach is unrealistic and extremely expensive.
“Technically, there’s not really a way to do it. Unless you’re going back and redoing all of the model weights, there is no way you can truly delete that information,” noted Jillian Bommarito, chief risk officer at 273 Ventures. She added, “It’s prohibitively expensive to retrain an entire model every time somebody has a request.”
To account for this problem, Google announced in June the first “machine unlearning challenge,” calling for participants to successfully remove the influence of a “forget set”—meaning, the data requested to be deleted—from an algorithm while maintaining the accuracy of the rest of the training set.
At the time, research scientists behind the initiative had noted that they hoped “this competition will help advance the state of the art in machine unlearning and encourage the development of efficient, effective and ethical unlearning algorithms.”
Fine-Tuning to Muddy The Waters
In the meantime, many AI companies have to rely on other avenues to remove as much of customers’ personal data as possible without damaging their models. One option may be to restrict the output: if a user enters a prompt related to someone who has submitted a right to be forgotten request, the system blocks the response, similar to how many models already have content moderation layers.
“In that case, it might meet the spirit of the person’s request. Especially because these models hallucinate, they don’t want fake information about them or real information that should never have been ingested into the models,” Bommarito explained. She added, “That’s probably the absolute easiest one, because it’s essentially just adding a layer.”
Similarly, companies may tweak their models to prohibit certain questions that may touch on someone’s forget set from being asked in the first place. This is already commonly used, especially in copyright contexts, where if a user asks for the first chapter of Harry Potter, for example, many chatbots will answer that they can’t provide copyrighted content.
“It’s going to be very similar whether you’re stopping the user’s request or whether you’re stopping the response, basically you’re just putting up a blocker,” Bommarito said. “And from my perspective, that’s probably what most are doing because it’s the easiest, it accomplishes the end goal of the person’s information not being displayed.”
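A sketch of the "blocker" layer described above, added here as an illustration and not taken from any vendor's system. It checks both the prompt and the model's response against a list of erasure requests; the names, the key, the keyed-digest storage and the stub model are all constructed assumptions.

```python
import hashlib
import hmac
import re
import unicodedata

# Assumption: a per-deployment secret, so the list holds keyed digests, not plaintext names.
LIST_KEY = b"constructed-demo-key"
REFUSAL = "I can't help with requests about this person."

def normalize(text):
    """Strip diacritics, case and punctuation so trivial variants still match."""
    decomposed = unicodedata.normalize("NFKD", text)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return re.findall(r"[a-z0-9]+", stripped.casefold())

def digest(tokens):
    return hmac.new(LIST_KEY, " ".join(tokens).encode(), hashlib.sha256).hexdigest()

class ErasureFilter:
    def __init__(self, names):
        entries = [normalize(n) for n in names]
        self.digests = {digest(t) for t in entries}
        self.lengths = sorted({len(t) for t in entries})

    def mentions_subject(self, text):
        # Slide a window of each stored name length over the normalized tokens.
        tokens = normalize(text)
        for n in self.lengths:
            for i in range(len(tokens) - n + 1):
                if digest(tokens[i:i + n]) in self.digests:
                    return True
        return False

    def guarded_generate(self, prompt, model):
        """Return (stage, text); stage is 'prompt', 'output' or 'passed'."""
        if self.mentions_subject(prompt):
            return "prompt", REFUSAL   # blocked before the model runs
        answer = model(prompt)
        if self.mentions_subject(answer):
            return "output", REFUSAL   # blocked before the user sees it
        return "passed", answer

def stub_model(prompt):
    # Constructed stand-in for an LLM call; it emits a name the prompt never used.
    if "bakery" in prompt:
        return "The bakery is owned by Jane Doe."
    return "Albany is the capital of New York."

# Constructed erasure requests (not real people).
FILTER = ErasureFilter(["Jane Doe", "Zoë Müller-Okafor"])
```

Initials, nicknames and paraphrases pass this exact-name matcher, and the model weights are unchanged: the layer only stops the information from being displayed.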
Though it still might not qualify as complete “unlearning,” some developers may also be able to confuse their models enough through fine-tuning to muddy the waters around a specific piece of information. For example, if one wanted a model to unlearn the fact that Albany is the capital of New York, it could provide the model with new fine-tuning data designed to unassociate the information—such as, “Albany is not the capital of New York.”
To further remove the connection between Albany and New York, one could also add more fine-tuning data associating Chicago with New York, or Albany with a dog.
“Along the way, you would test this to see if the model was forgetting,” explained Mike Bommarito, CEO of 273 Ventures. He added, “There are also fancy ways to look at what parts of the neural network are ‘activated’ when you talk about Albany, and then you can try to strategically alter those parts of the network.”
Still, because this technique comes with unanticipated side effects, he noted that it isn’t typically used on larger models or models already in production.
Can LLMs Still Be GDPR-Compliant?
Whether these alternatives to machine unlearning could be enough to comply with a request to be forgotten is uncertain, as regulators and courts haven’t yet had the opportunity to answer these new questions. But data privacy professionals noted that the right to be forgotten is not an absolute right, and inherently requires a balancing act.
Isabel Hahn, teaching fellow at Harvard Law School and former cabinet member at the European Data Protection Supervisor, explained that, up until now, the right to be forgotten has mostly been applied in the context of delisting from search engines following the ruling in the 2014 case of Google Spain SL v. Agencia Española de Protección de Datos.
As written under the GDPR, the right to erasure now needs to be balanced against “archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.”
“Now all of a sudden, there’s this big question about how it will apply in the context of OpenAI and generative AI,” Hahn said.
Looking ahead, developers are likely to use the legitimacy grounds as a defense for the processing of personal data, though it is too soon to tell how successful this strategy will be.
“I think you could say, again, depending on the context, we think it’s overriding, because it’s virtually impossible for us to go into this dataset and delete somebody’s individual data, and there’s no privacy impact to the individuals because this is about generating an algorithm,” said Brian Hengesbaugh, chair of Baker McKenzie’s Global Data Privacy and Security Business Unit.
He added, “Then that would be the question that the data protection authorities would look at: what do we think about this overriding legitimate interest? And do we think that’s right or not?”
Ultimately, data privacy sources noted that organizations’ compliance strategies will likely depend on their risk appetite as well as what their use cases for personal information are.
“The role of transparency will be key here, because transparency both allows an insight into the ecosystem from an individual’s perspective,” Hahn said, “but transparency also allows companies more insight into their own models, and regulators more insight into the processes.”
While the EU data protection authorities haven’t yet ruled on a case related to generative AI and the right to erasure, in the U.S., the Federal Trade Commission has already relied on algorithmic disgorgement as a remedy for models trained on “ill-gotten data” and is poised to do so again in the future.