[abainbridge]

I work at Microsoft Research in the UK. A few weeks ago we had a lecture from a lawyer on exactly this subject. Her main point was that GDPR gives people the right to request their data be deleted but it gives companies the right to refuse if it would cause unreasonable damage to their business. Until a case makes its way through all levels of the court system, nobody knows how this collision of rights will be interpreted.

I suspect someone would have to show that the model trained on their data revealed something about them in a practically harmful way.

[eiaoa]

> A few weeks ago we had a lecture from a lawyer on exactly this subject. Her main point was that GDPR gives people the right to request their data be deleted but it gives companies the right to refuse if it would cause unreasonable damage to their business.

I guess it still needs to be litigated, but the question on my mind is: Does that right of refusal only apply to the model, or also the data that trained it. If it applies to the data, the regulation is pretty useless, since anyone could avoid the deletion requirements by training models on it, if it doesn't I think the use in the model takes care of itself. At some point they'll need to retrain, and then you're data won't be there.