The document discusses the right to be forgotten and how it relates to AI. It covers several key points: 1) The human mind has a paradox of forgetting, while AI systems do not forget as humans control what data is input, stored, and deleted from AI systems. 2) The right to be forgotten is defined as an individual's right to have personal information deleted from online sources. 3) Google received over 347,000 requests to remove about 1.2 million websites under the right to be forgotten and denied 58% of requests. 4) While deletion removes data from search indexes, it typically only marks it as deleted in databases rather than fully removing it.

1. On GDPR compliance, the Right to be
Forgotten and AI
Cristina Rosu, DPO XWiki SAS
by

2. Human mind and the paradox of
forgetting
• Ars memoriae vs. Ars oblivionalis - Cicero, Themistocles &
Umberto Eco
• The psychological memory: short term vs. long term

3. AI “mind”
*humans control it
1. Data input
2. The storage
3. The deletion - no forgetting paradox

4. What is AI?
(really long story short)

5. ...Glimpses of the real
story, still short
Reinforcement
learning
Neural Networks
/ “Deep Learning”
backpropagation algorithm:
passing an input through
forwards the neural network,
comparing the result to the
“model” result. After, all the
nodes from output (front) to
input (back) are updated.

6. A right to be forgotten - definition
= The right of the individual to obtain the deletion of
personal information posted online by the data owner
himself or a third party, even if it was legally posted.

7. The European perspective on the Right
to be forgotten
• Directive 95/46/EC on the protection of individuals with
regard to the processing of personal data and on the free
movement of such data
• C-131/12 - Google Spain SL and Google Inc. v Agencia
Española de Protección de Datos (AEPD) and Mario Costeja
González
• Article 17 EU GDPR "Right to erasure ('right to be forgotten')"

8. On the Google Spain v AEPD and Mario Costeja González case at
the Court of Justice of the European Union, in 2012
• Deleting two pages of La Vanguardia, with a notice for a
real-estate auction
• The Directive 95/46/EC is directly applicable to Google Inc.
• The search engine qualifies as a “data controller”
• “...a right to address himself to a search engine service
provider in order to prevent indexing of the information
relating to him personally, published legally on third parties’
web pages...”

9. Some statistics on deletion for GDPR compliance
If your company receives a request based on the right to be forgotten, what is the method
you would use to delete the content?
France USA UK Germany Spain
Basic deletion 34% 28% 24% 23% 26%
Free data wiping
solution (without
proof)
21% 25% 33% 27% 35%
Secure data
erasure solution
(with proof)
46% 43% 38% 44% 38%
I don’t know 0% 4% 6% 6% 1%
Other 0% 0,4% 0% 0% 0%

10. By October 2016, Google received 347,533 separate
requests to remove aprox. 1.2 million websites.
58% of the requests were denied.
EU country Total removal
requests
% of URL’s
removed
% of URL’s
removed
France 247,832 48.4% 51.6%
Germany 222,319 48.2% 51.8%
U.K. 163,205 38% 62%
Spain 104,240 37.2% 62.8%
Italy 86,002 29.7% 70.3%
Austria 23,274 47,7% 52,3%
Belgium 37,472 45.7% 54.3%

11. Criteria for evaluating delisting requests
1. Data subject’s role in public life
2. Nature of information
• Bias toward an individual’s strong privacy interest (personal
financial information; related to an individual’s intimate and sex
life; private information about minors; private contact or
identification information etc.)
• Bias toward a public interest (related to criminal activity;
relevant to political discourse and governance; relates to public
health etc.)
3. Source
4. Time

12. A right to delisting vs. social forgetting
• The “boomerang” effect and the paradox of
forgetting
• Collecting links of delisted items

13. When a record is deleted using the SQL interface in relevant
databases, it is only marked as deleted and gets removed from the
search indexes.
Deletion in MySQL:

14. Viviane Reding, the
European Commission’s
vice-president (2010 -
2014)
‘‘It is clear that the
right to be
forgotten cannot
amount to a right
of the total
erasure of
history.’’

15. Numbers related to the information that is
collected from users
• As of the third quarter of 2017, Facebook had 2.07
billion monthly active users.
• Google announced over 2 billion monthly active
devices on Android in May 2017.
• Google Drive now has 800 million users and Google
Photos has more than 500 million monthly users in
2017.

16. AI has no reasoning, will, desire, ethics beside our own.
Image from "Explaining and Harnessing Adversarial Examples" by Ian J. Goodfellow,
Jonathon Shlens, Christian Szegedy

17. Apple’s “most advanced” face ID tech that can detect if someone is
trying to get into your phone with a probability of 1 in 1 million
Can’t tell these 2 women co-workers apart

18. Forgetting in algorithmic memory
“obfuscation” = to produce misleading,
false or ambiguous information parallel
to the relevant one

19. The right to be forgotten impacts
machine learning algorithms
• Erasure of one data
• Making data less sensitive
• Functional encryption algorithms
• Pseudonymization
• Data anonymization

20. Possible approaches
• Data minimization
• Interdisciplinary research addressing
innovative technological solutions and
dedicated legal norms for the AI model

21. Possible approaches
• Take control over your data
• Use ethical products that respect your privacy as a
user
Examples of open source projects:
- Mastodon - decentralized social network
- Matrix - encrypted end-to-end chat
- Cryptpad - zero knowledge collaborative editor

22. Feel free to contact me!
E-mail: cristina.rosu@xwiki.com
@cristina.r:matrix.org
@redchrision@mastodon.social

23. Thank you!