Under the GDPR, Do Organizations Need to Search the Prompts They Submitted to an AI in Response to a Deletion Request?
Thursday, September 28, 2023
GDPR AI Prompts Deletion Requests

Related Practices & Jurisdictions
Print Mail Download i

The GDPR allows individuals to request that their information be deleted in the following situations:[1]

  • Organizations must delete data upon request if the data was processed based solely on consent. The GDPR recognizes that organizations may process data based on six alternate lawful grounds.[2] One of these is where a person has given consent to the processing for a specific purpose.[3] If an organization’s sole basis for processing personal data was the consent of an individual, the organization is most likely required to honor an erasure request, which might for all practical purposes be viewed as a revocation of that consent. Conversely, if processing is based on an additional permissible purpose, an erasure request does not necessarily have to be granted. As a result, if an organization transmitted personal data in the prompt to an artificial intelligence (AI) based on an individual’s consent, and the individual subsequently submitted a deletion request, the organization might be required to search its record of prompts and delete the information if (1) a record of prompts has been kept, and (2) the organization does not have any additional permissible purposes to maintain the record of prompts.
  • Organizations must delete data upon request if the data was processed based upon the controller’s legitimate interest, and that interest is outweighed by the individual’s rights. One of the other grounds upon which an organization can process data is to further the organization’s “legitimate interest.” If the inclusion of personal data in a prompt is based upon an organization’s legitimate interest, an individual has a right to request erasure unless the interest of a controller or a third party is demonstrably “overriding.”[4] 
  • Organizations must delete data upon request if data is being processed unlawfully. The GDPR states that an erasure request must be honored if the processing of personal data is (or has become) unlawful.[5] In this situation the obligation to honor an erasure request may be redundant of other obligations within the GDPR. Put differently, if an organization is complying with the other requirements of the GDPR, its processing would presumably be lawful and there may be few, if any, situations in which a right to be forgotten request would require that the organization take any additional actions. Framing this as an individual’s right, however, opens an additional source of civil liability for the organization towards the individual.
  • Organizations must delete data upon request if erasure is already required by law. The GDPR states that a right to be forgotten request must be honored if the data is required to “be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.”[6] This requirement also appears redundant to other legal obligations. If an organization is required to erase data pursuant to another Member State law and is complying with that requirement, there may be few, if any, situations in which additional action would be necessitated by a right to be forgotten request.
  • Organizations must delete data upon request if it is collected from a child as part of offering an information society service. The GDPR requires the deletion of information when requested where the information was “collected in relation to the offer of information society services” to children under 16 years old.[7]

With regard to personal data included in an AI prompt, as discussed above, if processing is based either on consent or on legitimate interest, individuals must be given a right to request that the information within the prompt be deleted (assuming, of course, that the organization retains a record of its prompts).

It should be noted that information does not always need to be deleted simply because an erasure request has been made. For example, an organization can choose to decline an erasure request if honoring it would interfere with a legal obligation imposed on the organization to maintain the data, or if the data is needed to establish, exercise, or defend a legal claim.[8]

[1] Requests for deletion are referred interchangeably as “deletion requests” and “erasure requests.”

[2] GDPR, Article 6(1)(a)-(f).

[3] GDPR, Article 6(1)(a).

[4] GDPR, Article 17(1)(c).

[5] GDPR, Article 17(1)(d).

[6] GDPR, Article 17(1)(e).

[7] GDPR, Article 17(1)(f); Article 8(1).

[8] GDPR, Article 17(3)(b), (e).

©2024 Greenberg Traurig, LLP. All rights reserved.

Current Legal Analysis

More from Greenberg Traurig, LLP

HHS OCR Amends HIPAA Privacy Rule to Protect Reproductive Health Care Privacy
by: Brad M. Rostolsky , Julie A. Sullivan
USCIS Updates I-526E Filing Fee Schedule to Include $1,000 Integrity Fund Fee, Bringing Total Filing Fees to $12,160
by: Kristen Davis Mangan
London Real Estate Practice Quarterly Legal Update – Spring 2024
by: Danielle L. Martin , Matthew James Priday
Treasury Regulations Finalized Under FIRPTA Regarding Domestically Controlled REITs
by: Carl J. Riley , Jennifer H. Weiss
NY Law Amended to Restrict AI Deceptive Practices in Elections
by: Joshua L. Oppenheimer , Cathryn O. Crummey
US Supreme Court Hears Oral Arguments Regarding Emergency Abortions
by: Adam H. Laughton
IRS Notifies Thousands of Taxpayers That They Were Victims of a Data Breach
by: G. Michelle Ferreira , Scott E. Fink
USPTO Issues Guidance on Use of AI-Based Tools
by: Bryan K. Hanks ‡ , Tiffany D.W. Shimada
Early 2024 Delaware Corporate and M&A Law Update
by: Nathan P. Emeritz , Justin E. Mann
Trade Secret Law Evolution Podcast, Episode 64: The FTC’s Non-Compete Decree [Podcast]
by: Jordan D. Grotzinger , Gregory S. Bombard

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins