The Right to be Forgotten (RTBF), codified in Article 17 of the GDPR and mirrored in regulations like the CCPA, grants individuals the power to compel organizations to delete their personal data without undue delay. This right is not absolute; it applies specifically when the data is no longer necessary for its original purpose, consent is withdrawn, or the processing was unlawful, creating a direct legal obligation that drives the technical field of machine unlearning.
Glossary
Right to be Forgotten

What is Right to be Forgotten?
The Right to be Forgotten is a legal principle empowering individuals to request the erasure of their personal data from a data controller's records, serving as the primary regulatory catalyst for machine unlearning.
For enterprise AI systems, compliance requires more than database deletion; it mandates the removal of a data subject's influence from trained model weights. This transforms a legal request into a complex computational challenge involving exact unlearning, certified removal, or SISA training frameworks. The regulation fundamentally conflicts with the static nature of deployed neural networks, forcing organizations to architect systems that can surgically excise specific data contributions without resorting to prohibitive retraining from scratch.
Key Regulatory and Technical Characteristics
The Right to be Forgotten (RTBF) is a legal right under regulations like GDPR and CCPA that allows individuals to request the deletion of their personal data, serving as the primary regulatory driver for machine unlearning capabilities.
Legal Foundations
The Right to be Forgotten is enshrined in Article 17 of the GDPR and the CCPA's deletion right. It mandates that data controllers erase personal data without undue delay when:
- The data is no longer necessary for its original purpose
- The data subject withdraws consent
- The data was unlawfully processed
- There is a legal obligation to erase
This right is not absolute; exceptions exist for freedom of expression, public interest archiving, and legal defense claims.
Technical Implications for ML
RTBF requests extend beyond databases to trained machine learning models, creating a fundamental tension with how neural networks encode information. Key challenges include:
- Models do not store data in discrete, queryable rows
- The influence of a single data point is distributed across millions of weights
- Full compliance may require machine unlearning rather than simple record deletion
- Verifying removal is non-trivial due to the black-box nature of deep learning
Regulatory Penalties
Non-compliance with RTBF requests carries severe financial consequences:
- GDPR: Fines up to €20 million or 4% of global annual turnover, whichever is higher
- CCPA: Civil penalties of $2,500 per unintentional violation and $7,500 per intentional violation
- Regulatory bodies can mandate immediate cessation of data processing
- Reputational damage and class-action lawsuits compound financial exposure
Scope and Territorial Reach
RTBF obligations apply extraterritorially:
- GDPR applies to any organization processing EU residents' data, regardless of where the organization is based
- CCPA covers California residents' data held by for-profit businesses meeting specific thresholds
- Emerging regulations in Brazil (LGPD), India (DPDP Act), and Canada (PIPEDA) extend similar rights globally
- Organizations must implement data subject access request (DSAR) portals to handle deletion requests at scale
Search Engine De-Indexing
A landmark 2014 EU Court of Justice ruling (Google Spain v. AEPD) established that search engines must de-index personal information upon valid request. This creates a dual obligation:
- Data controllers must erase source data
- Search engines must remove links to that data from results for the individual's name
- This ruling does not require removal from the original webpage, only from search results queried by name
- Balancing tests weigh public interest and public figure status against privacy rights
Frequently Asked Questions
Clarifying the legal foundations and technical implications of data erasure requests under modern privacy regulations.
The Right to be Forgotten (RTBF) is a legal right codified in Article 17 of the General Data Protection Regulation (GDPR) that allows individuals to request the deletion of their personal data from a data controller without undue delay. In the context of artificial intelligence, this right extends beyond simple database deletion to require the removal of a data subject's influence from trained machine learning model weights. This is technically challenging because models do not store data explicitly; they encode statistical patterns. Compliance therefore necessitates machine unlearning techniques—ranging from exact retraining on cleansed datasets to approximate methods like gradient ascent—to ensure the model behaves as if the target data was never ingested, satisfying both the letter and spirit of the regulation.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
The Right to be Forgotten is a legal trigger that sets off a complex chain of technical operations. These related terms define the mechanisms, guarantees, and verification methods required to translate a legal deletion request into a mathematically sound model update.
Certified Removal
A formal mathematical guarantee, often leveraging differential privacy, that a model no longer retains information about deleted data. It provides a provable bound on the maximum information leakage, giving legal and compliance officers auditable proof that the Right to be Forgotten has been technically honored.
Data Sharding
A foundational architectural pattern for efficient unlearning. By partitioning training data into mutually exclusive subsets (shards) and training independent sub-models, the scope of deletion is isolated. Only the shard containing the target data requires retraining, making the Right to be Forgotten operationally feasible at scale.
Unlearning Verification
The empirical audit process that validates a deletion request was truly fulfilled. Techniques include:
- Membership Inference Attacks: Testing if an attacker can still determine if the deleted data was in the training set.
- Backdoor Triggers: Inserting known patterns before deletion to verify their influence is erased.
- Statistical Divergence Tests: Comparing the unlearned model to a gold-standard retrained model.
Differential Privacy
A mathematical framework that provides the theoretical underpinning for many certified removal techniques. By injecting calibrated noise during training, it bounds the influence of any single data point. The epsilon budget quantifies the privacy loss, ensuring that even after unlearning, residual information cannot be extracted to violate the Right to be Forgotten.
Tombstone Record
A persistent metadata marker left in the system after data deletion. It serves two critical functions:
- Audit Trail: Proves that a specific record once existed and was deleted, satisfying regulatory reporting.
- Re-ingestion Prevention: Ensures the same data is not accidentally re-collected and re-trained upon, which would violate the original Right to be Forgotten request.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us