The Memory Problem: When AI Systems Remember What They Should Forget
When you delete a conversation with ChatGPT, you might reasonably assume that it disappears. Click the rubbish bin icon, confirm your choice, and within 30 days, according to OpenAI's policy, those messages vanish from the company's servers. Except that in 2024, a court order threw this assumption into chaos. OpenAI was forced to retain all ChatGPT logs, including those users believed were permanently deleted. The revelation highlighted an uncomfortable truth: even when we think our data is gone, it might persist in ways we barely understand.
This isn't merely about corporate data retention policies or legal manoeuvres. It's about something more fundamental to how large language models work. These systems don't just process information; they absorb it, encoding fragments of training data into billions of neural network parameters. And once absorbed, that information becomes extraordinarily difficult to extract, even when regulations like the General Data Protection Regulation (GDPR) demand it.
The European Data Protection Board wrestled with this problem throughout 2024, culminating in Opinion 28/2024, a comprehensive attempt to reconcile AI development with data protection law. The board acknowledged what technologists already knew: LLMs present a privacy paradox. They promise personalised, intelligent assistance whilst simultaneously undermining two foundational privacy principles: informed consent and data minimisation.
The Architecture of Remembering
To understand why LLMs create such thorny ethical problems, you need to grasp how they retain information. Unlike traditional databases that store discrete records in retrievable formats, language models encode knowledge as numerical weights distributed across their neural architecture. During training, these models ingest vast datasets scraped from the internet, books, academic papers, and increasingly, user interactions. The learning process adjusts billions of parameters to predict the next word in a sequence, and in doing so, the model inevitably memorises portions of its training data.
In 2021, a team of researchers led by Nicholas Carlini at Google demonstrated just how significant this memorisation could be. Their paper “Extracting Training Data from Large Language Models,” presented at the USENIX Security Symposium, showed that adversaries could recover individual training examples from GPT-2 by carefully querying the model. The researchers extracted hundreds of verbatim text sequences, including personally identifiable information: names, phone numbers, email addresses, IRC conversations, code snippets, and even 128-bit UUIDs. Critically, they found that larger models were more vulnerable than smaller ones, suggesting that as LLMs scale, so does their capacity to remember.
This isn't a bug; it's an intrinsic feature of how neural networks learn. The European Data Protection Board's April 2025 report on AI Privacy Risks and Mitigations for Large Language Models explained that during training, LLMs analyse vast datasets, and if fine-tuned with company-specific or user-generated data, there's a risk of that information being memorised and resurfacing unpredictably. The process creates what researchers call “eidetic memorisation,” where models reproduce training examples with near-perfect fidelity.
But memorisation represents only one dimension of the privacy risk. Recent research has demonstrated that LLMs can also infer sensitive attributes from text without explicitly memorising anything. A May 2024 study published as arXiv preprint 2310.07298, “Beyond Memorization: Violating Privacy Via Inference with Large Language Models,” presented the first comprehensive analysis of pretrained LLMs' capabilities to infer personal attributes from text. The researchers discovered that these models could deduce location, income, and sex with up to 85% top-one accuracy and 95% top-three accuracy. The model doesn't need to have seen your specific data; it leverages statistical patterns learned from millions of training examples to make educated guesses about individuals.
This inferential capability creates a paradox. Even if we could perfectly prevent memorisation, LLMs would still pose privacy risks through their ability to reconstruct probable personal information from contextual clues. It's akin to the difference between remembering your exact address versus deducing your neighbourhood from your accent, the shops you mention, and the weather you describe.
The Consent Conundrum
Informed consent rests on a simple premise: individuals should understand what data is being collected, how it will be used, and what risks it entails before agreeing to participate. In data protection law, GDPR Article 6 specifies that in most cases, the only justification for processing personal data is the active and informed consent (opt-in consent) of the data subject.
But how do you obtain informed consent for a system whose data practices are fundamentally opaque? When you interact with ChatGPT, Claude, or any other conversational AI, can you genuinely understand where your words might end up? The answer, according to legal scholars and technologists alike, is: probably not.
The Italian Data Protection Authority became one of the first regulators to scrutinise this issue seriously. Throughout 2024, Italian authorities increasingly examined the extent of user consent when publicly available data is re-purposed for commercial LLMs. The challenge stems from a disconnect between traditional consent frameworks and the reality of modern AI development. When a company scrapes the internet to build a training dataset, it typically doesn't secure individual consent from every person whose words appear in forum posts, blog comments, or social media updates. Instead, developers often invoke “legitimate interest” as a legal basis under GDPR Article 6(1)(f).
The European Data Protection Board's Opinion 28/2024 highlighted divergent national stances on whether broad web scraping for AI training constitutes a legitimate interest. The board urged a case-by-case assessment, but the guidance offered little comfort to individuals concerned about their data. The fundamental problem is that once information enters an LLM's training pipeline, the individual loses meaningful control over it.
Consider the practical mechanics. Even if a company maintains records of its training data sources, which many proprietary systems don't disclose, tracing specific information back to identifiable individuals proves nearly impossible. As a 2024 paper published in the Tsinghua China Law Review noted, in LLMs it is hard to know what personal data is used in training and how to attribute these data to particular individuals. Data subjects can only learn about their personal data by either inspecting the original training datasets, which companies rarely make available, or by prompting the models. But prompting cannot guarantee the outputs contain the full list of information stored in the model weights.
This opacity undermines the core principle of informed consent. How can you consent to something you cannot inspect or verify? The European Data Protection Board acknowledged this problem in Opinion 28/2024, noting that processing personal data to avoid risks of potential biases and errors can be included when this is clearly and specifically identified within the purpose, and the personal data is necessary for that purpose. But the board also emphasised that this necessity must be demonstrable: the processing must genuinely serve the stated purpose and no less intrusive alternative should exist.
Anthropic's approach to consent illustrates the industry's evolving strategy. In 2024, the company announced it would extend data retention to five years for users who allow their data to be used for model training. Users who opt out maintain the standard 30-day retention period. This creates a two-tier system: those who contribute to AI improvement in exchange for extended data storage, and those who prioritise privacy at the cost of potentially less personalised experiences.
OpenAI took a different approach with its Memory feature, rolled out broadly in 2024. The system allows ChatGPT to remember details across conversations, creating a persistent context that improves over time. OpenAI acknowledged that memory brings additional privacy and safety considerations, implementing steering mechanisms to prevent ChatGPT from proactively remembering sensitive information like health details unless explicitly requested. Users can view, delete, or entirely disable the Memory feature, but research conducted in 2024 found that a European audit discovered 63% of ChatGPT user data contained personally identifiable information, with only 22% of users aware of the settings to disable data retention features.
The consent problem deepens when you consider the temporal dimension. LLMs are trained on datasets compiled at specific points in time, often years before the model's public release. Information you posted online in 2018 might appear in a model trained in 2022 and deployed in 2024. Did you consent to that use when you clicked “publish” on your blog six years ago? Legal frameworks struggle to address this temporal gap.
Data Minimisation in an Age of Maximalism
If informed consent presents challenges for LLMs, data minimisation appears nearly incompatible with their fundamental architecture. GDPR Article 5(1)© requires that personal data be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.” Recital 39 clarifies that “personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means.”
The UK Information Commissioner's Office guidance on AI and data protection emphasises that organisations must identify the minimum amount of personal data needed to fulfil a purpose and process only that information, no more. Yet the very nature of machine learning relies on ingesting massive amounts of data to train and test algorithms. The European Data Protection Board noted in Opinion 28/2024 that the assessment of necessity entails two elements: whether the processing activity will allow the pursuit of the purpose, and whether there is no less intrusive way of pursuing this purpose.
This creates a fundamental tension. LLM developers argue, with some justification, that model quality correlates strongly with training data volume and diversity. Google's research on differential privacy for language models noted that when you increase the number of training tokens, the LLM's memorisation capacity increases, but so does its general capability. The largest, most capable models like GPT-4, Claude, and Gemini owe their impressive performance partly to training on datasets comprising hundreds of billions or even trillions of tokens.
From a data minimisation perspective, this approach appears maximalist. Do you really need every Reddit comment from the past decade to build an effective language model? Could synthetic data, carefully curated datasets, or anonymised information serve the same purpose? The answer depends heavily on your definition of “necessary” and your tolerance for reduced performance.
Research presented at the 2025 ACM Conference on Fairness, Accountability, and Transparency tackled this question directly. The paper “The Data Minimization Principle in Machine Learning” (arXiv:2405.19471) introduced an optimisation framework for data minimisation based on legal definitions. The researchers demonstrated that techniques such as pseudonymisation and feature selection by importance could help limit the type and volume of processed personal data. The key insight was to document which data points actually contribute to model performance and discard the rest.
But this assumes you can identify relevant versus irrelevant data before training, which LLMs' unsupervised learning approach makes nearly impossible. You don't know which fragments of text will prove crucial until after the model has learned from them. It's like asking an architect to design a building using the minimum necessary materials before understanding the structure's requirements.
Cross-session data retention exacerbates the minimisation challenge. Modern conversational AI systems increasingly maintain context across interactions. If previous conversation states, memory buffers, or hidden user context aren't carefully managed or sanitised, sensitive information can reappear in later responses, bypassing initial privacy safeguards. This architectural choice, whilst improving user experience, directly contradicts data minimisation's core principle: collect and retain only what's immediately necessary.
Furthermore, recent research on privacy attacks against LLMs suggests that even anonymised training data might be vulnerable. A 2024 paper on membership inference attacks against fine-tuned large language models demonstrated that the SPV-MIA method raises the AUC of membership inference attacks from 0.7 to 0.9. These attacks determine whether a specific data point was part of the training dataset by querying the model and analysing confidence scores. If an attacker can infer dataset membership, they can potentially reverse-engineer personal information even from supposedly anonymised training data.
The Right to Erasure Meets Immutable Models
Perhaps no single GDPR provision highlights the LLM consent and minimisation challenge more starkly than Article 17, the “right to erasure” or “right to be forgotten.” The regulation grants individuals the right to obtain erasure of personal data concerning them without undue delay, which legal commentators generally interpret as approximately one month.
For traditional databases, compliance is straightforward: locate the relevant records and delete them. Search engines developed mature technical solutions for removing links to content. But LLMs present an entirely different challenge. A comprehensive survey published in 2024 as arXiv preprint 2307.03941, “Right to be Forgotten in the Era of Large Language Models: Implications, Challenges, and Solutions,” catalogued the obstacles.
The core technical problem stems from model architecture. Once trained, model parameters encapsulate information learned during training, making it difficult to remove specific data points without retraining the entire model. Engineers acknowledge that the only way to completely remove an individual's data is to retrain the model from scratch, an impractical solution. Training a large language model may take months and consume millions of pounds worth of computational resources, far exceeding the “undue delay” permitted by GDPR.
Alternative approaches exist but carry significant limitations. Machine unlearning techniques attempt to make models “forget” specific data points without full retraining. The most prominent framework, SISA (Sharded, Isolated, Sliced, and Aggregated) training, was introduced by Bourtoule and colleagues in 2019. SISA partitions training data into isolated shards and trains an ensemble of constituent models, saving intermediate checkpoints after processing each data slice. When unlearning a data point, only the affected constituent model needs reverting to a prior state and partial retraining on a small fraction of data.
This mechanism provides exact unlearning guarantees whilst offering significant efficiency gains over full retraining. Research showed that sharding alone speeds up the retraining process by 3.13 times on the Purchase dataset and 1.66 times on the Street View House Numbers dataset, with additional acceleration through slicing.
But SISA and similar approaches require forethought. You must design your training pipeline with unlearning in mind from the beginning, which most existing LLMs did not do. Retrofitting SISA to already-trained models proves impossible. Alternative techniques like model editing, guardrails, and unlearning layers show promise in research settings but remain largely unproven at the scale of commercial LLMs.
The challenge extends beyond technical feasibility. Even if efficient unlearning were possible, identifying what to unlearn poses its own problem. Training datasets are sometimes not disclosed, especially proprietary ones, and prompting trained models cannot guarantee the outputs contain the full list of information stored in the model weights.
Then there's the hallucination problem. LLMs frequently generate plausible-sounding information that doesn't exist in their training data, synthesised from statistical patterns. Removing hallucinated information becomes paradoxically challenging since it was never in the training dataset to begin with. How do you forget something the model invented?
The legal-technical gap continues to widen. Although the European Data Protection Board ruled that AI developers can be considered data controllers under GDPR, the regulation lacks clear guidelines for enforcing erasure within AI systems. Companies can argue, with some technical justification, that constraints make compliance impossible. This creates a regulatory stalemate: the law demands erasure, but the technology cannot deliver it without fundamental architectural changes.
Differential Privacy
Faced with these challenges, researchers and companies have increasingly turned to differential privacy as a potential remedy. The technique, formalised in 2006, allows systems to train machine learning models whilst rigorously guaranteeing that the learned model respects the privacy of its training data by injecting carefully calibrated noise into the training process.
The core insight of differential privacy is that by adding controlled randomness, you can ensure that an observer cannot determine whether any specific individual's data was included in the training set. The privacy guarantee is mathematical and formal: the probability of any particular output changes only minimally whether or not a given person's data is present.
For language models, the standard approach employs DP-SGD (Differentially Private Stochastic Gradient Descent). During training, the algorithm clips gradients to bound each example's influence and adds Gaussian noise to the aggregated gradients before updating model parameters. Google Research demonstrated this approach with VaultGemma, which the company described as the world's most capable differentially private LLM. VaultGemma 1B shows no detectable memorisation of its training data, successfully demonstrating DP training's efficacy.
But differential privacy introduces a fundamental trade-off between privacy and utility. The noise required to guarantee privacy degrades model performance. Google researchers found that when you apply standard differential privacy optimisation techniques like DP-SGD to train large language models, the performance ends up much worse than non-private models because the noise added for privacy protection tends to scale with the model size.
Recent advances have mitigated this trade-off somewhat. Research published in 2024 (arXiv:2407.07737) on “Fine-Tuning Large Language Models with User-Level Differential Privacy” introduced improved techniques. User-level DP, a stronger form of privacy, guarantees that an attacker using a model cannot learn whether the user's data is included in the training dataset. The researchers found that their ULS approach performs significantly better in settings where either strong privacy guarantees are required or the compute budget is large.
Google also developed methods for generating differentially private synthetic data, creating entirely artificial data that has the key characteristics of the original whilst offering strong privacy protection. This approach shows promise for scenarios where organisations need to share datasets for research or development without exposing individual privacy.
Yet differential privacy, despite its mathematical elegance, doesn't solve the consent and minimisation problems. It addresses the symptom (privacy leakage) rather than the cause (excessive data collection and retention). A differentially private LLM still trains on massive datasets, still potentially incorporates data without explicit consent, and still resists targeted erasure. The privacy guarantee applies to the aggregate statistical properties, not to individual autonomy and control.
Moreover, differential privacy makes implicit assumptions about data structure that do not hold for the majority of natural language data. A 2022 ACM paper, “What Does it Mean for a Language Model to Preserve Privacy?” highlighted this limitation. Text contains rich, interconnected personal information that doesn't fit neatly into the independent data points that differential privacy theory assumes.
Regulatory Responses and Industry Adaptation
Regulators worldwide have begun grappling with these challenges, though approaches vary significantly. The European Union's AI Act, which entered into force in August 2024 with phased implementation, represents the most comprehensive legislative attempt to govern AI systems, including language models.
Under the AI Act, transparency is defined as AI systems being developed and used in a way that allows appropriate traceability and explainability, whilst making humans aware that they communicate or interact with an AI system. For general-purpose AI models, which include large language models, specific transparency and copyright-related rules became effective in August 2025.
Providers of general-purpose AI models must draw up and keep up-to-date technical documentation containing a description of the model development process, including details around training and testing. The European Commission published a template to help providers summarise the data used to train their models. Additionally, companies must inform users when they are interacting with an AI system, unless it's obvious, and AI systems that create synthetic content must mark their outputs as artificially generated.
But transparency, whilst valuable, doesn't directly address consent and minimisation. Knowing that an AI system trained on your data doesn't give you the power to prevent that training or demand erasure after the fact. A 2024 paper presented at the Pan-Hellenic Conference on Computing and Informatics acknowledged that transparency raises immense challenges for LLM developers due to the intrinsic black-box nature of these models.
The GDPR and AI Act create overlapping but not identical regulatory frameworks. Organisations developing LLMs in the EU must comply with both, navigating data protection principles alongside AI-specific transparency and risk management requirements. The European Data Protection Board's Opinion 28/2024 attempted to clarify how these requirements apply to AI models, but many questions remain unresolved.
Industry responses have varied. OpenAI's enterprise privacy programme offers Zero Data Retention (ZDR) options for API users with qualifying use cases. Under ZDR, inputs and outputs are removed from OpenAI's systems immediately after processing, providing a clearer minimisation pathway for business customers. However, the court-ordered data retention affecting consumer ChatGPT users demonstrates the fragility of these commitments when legal obligations conflict.
Anthropic's tiered retention model, offering 30-day retention for users who opt out of data sharing versus five-year retention for those who opt in, represents an attempt to align business needs with user preferences. But this creates its own ethical tension: users who most value privacy receive less personalised service, whilst those willing to sacrifice privacy for functionality subsidise model improvement for everyone.
The challenge extends to enforcement. Data protection authorities lack the technical tools and expertise to verify compliance claims. How can a regulator confirm that an LLM has truly forgotten specific training examples? Auditing these systems requires capabilities that few governmental bodies possess. This enforcement gap allows a degree of regulatory theatre, where companies make compliance claims that are difficult to substantively verify.
The Broader Implications
The technical and regulatory challenges surrounding LLM consent and data minimisation reflect deeper questions about the trajectory of AI development. We're building increasingly powerful systems whose capabilities emerge from the ingestion and processing of vast information stores. This architectural approach creates fundamental tensions with privacy frameworks designed for an era of discrete, identifiable data records.
Research into privacy attacks continues to reveal new vulnerabilities. Work on model inversion attacks demonstrates that adversaries could reverse-engineer private images used during training by updating input images and observing changes in output probabilities. A comprehensive survey from November 2024 (arXiv:2411.10023), “Model Inversion Attacks: A Survey of Approaches and Countermeasures,” catalogued the evolving landscape of these threats.
Studies also show that privacy risks are not evenly distributed. Research has found that minority groups often experience higher privacy leakage, attributed to models tending to memorise more about smaller subgroups. This raises equity concerns: the populations already most vulnerable to surveillance and data exploitation face amplified risks from AI systems.
The consent and minimisation problems also intersect with broader questions of AI alignment and control. If we cannot effectively specify what data an LLM should and should not retain, how can we ensure these systems behave in accordance with human values more generally? The inability to implement precise data governance suggests deeper challenges in achieving fine-grained control over AI behaviour.
Some researchers argue that we need fundamentally different approaches to AI development. Rather than training ever-larger models on ever-more-expansive datasets, perhaps we should prioritise architectures that support granular data management, selective forgetting, and robust attribution. This might mean accepting performance trade-offs in exchange for better privacy properties, a proposition that faces resistance in a competitive landscape where capability often trumps caution.
The economic incentives cut against privacy-preserving approaches. Companies that accumulate the largest datasets and build the most capable models gain competitive advantages, creating pressure to maximise data collection rather than minimise it. User consent becomes a friction point to be streamlined rather than a meaningful check on corporate power.
Yet the costs of this maximalist approach are becoming apparent. Privacy harms from data breaches, unauthorised inference, and loss of individual autonomy accumulate. Trust in AI systems erodes as users realise the extent to which their information persists beyond their control. Regulatory backlash intensifies, threatening innovation with blunt instruments when nuanced governance mechanisms remain underdeveloped.
Toward Informed Consent and Genuine Minimisation
If the current trajectory proves unsustainable, what alternatives exist? Several technical and governance approaches show promise, though none offers a complete solution.
Enhanced transparency represents a minimal baseline. Organisations should provide clear, accessible documentation of what data they collect, how long they retain it, what models they train, and what risks users face. The European Commission's documentation templates for AI Act compliance move in this direction, but truly informed consent requires going further. Users need practical tools to inspect what information about them might be embedded in models, even if perfect visibility remains impossible.
Consent mechanisms need fundamental rethinking. The binary choice between “agree to everything” and “don't use the service” fails to respect autonomy. Granular consent frameworks, allowing users to specify which types of data processing they accept and which they reject, could provide more meaningful control. Some researchers propose “consent as a service” platforms that help individuals manage their data permissions across multiple AI systems.
On the minimisation front, organisations could adopt privacy-by-design principles more rigorously. This means architecting systems from the ground up to collect only necessary data, implementing retention limits, and ensuring genuine deletability. SISA-style approaches to training, whilst requiring upfront investment, enable more credible compliance with erasure requests. Synthetic data generation, differential privacy, and federated learning all merit broader deployment despite their current limitations.
Regulatory frameworks require refinement. The GDPR's principles remain sound, but their application to AI systems needs clearer guidance. The European Data Protection Board's ongoing work to clarify AI-specific requirements helps, but questions around legitimate interest, necessity assessments, and technical feasibility standards need more definitive answers. International coordination could prevent a race to the bottom where companies jurisdiction-shop for the most permissive regulations.
Enforcement mechanisms must evolve. Data protection authorities need enhanced technical capacity to audit AI systems, verify compliance claims, and detect violations. This might require specialised AI audit teams, standardised testing protocols, and stronger whistleblower protections. Meaningful penalties for non-compliance, consistently applied, would shift incentive structures.
Fundamentally, though, addressing the LLM consent and minimisation challenge requires confronting uncomfortable questions about AI development priorities. Do we truly need models trained on the entirety of human written expression? Can we achieve valuable AI capabilities through more targeted, consensual data practices? What performance trade-offs should we accept in exchange for stronger privacy protections?
These questions have no purely technical answers. They involve value judgements about individual rights, collective benefits, commercial interests, and the kind of society we want to build. The fact that large language models retain inaccessible traces of prior user interactions does undermine informed consent and the ethical principle of data minimisation as currently understood. But whether this represents an acceptable cost, a surmountable challenge, or a fundamental flaw depends on what we prioritise.
The Path Forward
Standing at this crossroads, the AI community faces a choice. One path continues the current trajectory: building ever-larger models on ever-more-comprehensive datasets, managing privacy through patchwork technical measures and reactive compliance, accepting that consent and minimisation are aspirational rather than achievable. This path delivers capability but erodes trust.
The alternative path requires fundamental rethinking. It means prioritising privacy-preserving architectures even when they limit performance. It means developing AI systems that genuinely forget when asked. It means treating consent as a meaningful constraint rather than a legal formality. It means accepting that some data, even if technically accessible, should remain off-limits.
The choice isn't between privacy and progress. It's between different visions of progress: one that measures success purely in model capability and commercial value, versus one that balances capability with accountability, control, and respect for individual autonomy.
Large language models have demonstrated remarkable potential to augment human intelligence, creativity, and productivity. But their current architecture fundamentally conflicts with privacy principles that society has deemed important enough to enshrine in law. Resolving this conflict will require technical innovation, regulatory clarity, and above all, honest acknowledgement of the trade-offs we face.
The inaccessible traces that LLMs retain aren't merely a technical quirk to be optimised away. They're a consequence of foundational design decisions that prioritise certain values over others. Informed consent and data minimisation might seem antiquated in an age of billion-parameter models, but they encode important insights about power, autonomy, and the conditions necessary for trust.
Whether we can build genuinely consent-respecting, privacy-minimising AI systems that still deliver transformative capabilities remains an open question. But the answer will determine not just the future of language models, but the future of our relationship with artificial intelligence more broadly. The machines remember everything. The question is whether we'll remember why that matters.
Sources and References
Academic Papers and Research
Carlini, N., Tramèr, F., Wallace, E., Jagielski, M., Herbert-Voss, A., Lee, K., Roberts, A., Brown, T., Song, D., Erlingsson, Ú., Oprea, A., and Raffel, C. (2021). “Extracting Training Data from Large Language Models.” 30th USENIX Security Symposium. https://www.usenix.org/conference/usenixsecurity21/presentation/carlini-extracting
Bourtoule, L., et al. (2019). “Machine Unlearning.” Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security. (Referenced for SISA framework)
“Beyond Memorization: Violating Privacy Via Inference with Large Language Models” (2024). arXiv:2310.07298.
“The Data Minimization Principle in Machine Learning” (2025). arXiv:2405.19471. Proceedings of the 2025 ACM Conference on Fairness, Accountability, and Transparency.
“Right to be Forgotten in the Era of Large Language Models: Implications, Challenges, and Solutions” (2024). arXiv:2307.03941.
“Fine-Tuning Large Language Models with User-Level Differential Privacy” (2024). arXiv:2407.07737.
“Practical Membership Inference Attacks against Fine-tuned Large Language Models via Self-prompt Calibration” (2024). arXiv:2311.06062.
“Model Inversion Attacks: A Survey of Approaches and Countermeasures” (2024). arXiv:2411.10023.
“On protecting the data privacy of Large Language Models (LLMs) and LLM agents: A literature review” (2025). ScienceDirect.
“What Does it Mean for a Language Model to Preserve Privacy?” (2022). ACM FAccT Conference.
“Enhancing Transparency in Large Language Models to Meet EU AI Act Requirements” (2024). Proceedings of the 28th Pan-Hellenic Conference on Progress in Computing and Informatics.
Regulatory Documents and Official Guidance
European Data Protection Board. “Opinion 28/2024 on certain data protection aspects related to the processing of personal data in the context of AI models.” December 2024. https://www.edpb.europa.eu/system/files/2024-12/edpb_opinion_202428_ai-models_en.pdf
European Data Protection Board. “AI Privacy Risks & Mitigations – Large Language Models (LLMs).” April 2025. https://www.edpb.europa.eu/system/files/2025-04/ai-privacy-risks-and-mitigations-in-llms.pdf
Regulation (EU) 2016/679 (General Data Protection Regulation).
Regulation (EU) 2024/1689 (EU AI Act).
UK Information Commissioner's Office. “How should we assess security and data minimisation in AI?” https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/artificial-intelligence/guidance-on-ai-and-data-protection/how-should-we-assess-security-and-data-minimisation-in-ai/
Irish Data Protection Commission. “AI, Large Language Models and Data Protection.” 18 July 2024. https://www.dataprotection.ie/en/dpc-guidance/blogs/AI-LLMs-and-Data-Protection
Corporate Documentation and Official Statements
OpenAI. “Memory and new controls for ChatGPT.” https://openai.com/index/memory-and-new-controls-for-chatgpt/
OpenAI. “How we're responding to The New York Times' data demands in order to protect user privacy.” https://openai.com/index/response-to-nyt-data-demands/
OpenAI Help Center. “Chat and File Retention Policies in ChatGPT.” https://help.openai.com/en/articles/8983778-chat-and-file-retention-policies-in-chatgpt
Anthropic Privacy Center. “How long do you store my data?” https://privacy.claude.com/en/articles/10023548-how-long-do-you-store-my-data
Anthropic. “Updates to Consumer Terms and Privacy Policy.” https://www.anthropic.com/news/updates-to-our-consumer-terms
Google Research Blog. “VaultGemma: The world's most capable differentially private LLM.” https://research.google/blog/vaultgemma-the-worlds-most-capable-differentially-private-llm/
Google Research Blog. “Fine-tuning LLMs with user-level differential privacy.” https://research.google/blog/fine-tuning-llms-with-user-level-differential-privacy/
Tim Green UK-based Systems Theorist & Independent Technology Writer
Tim explores the intersections of artificial intelligence, decentralised cognition, and posthuman ethics. His work, published at smarterarticles.co.uk, challenges dominant narratives of technological progress while proposing interdisciplinary frameworks for collective intelligence and digital stewardship.
His writing has been featured on Ground News and shared by independent researchers across both academic and technological communities.
ORCID: 0009-0002-0156-9795 Email: tim@smarterarticles.co.uk
