Emmanuel Kwasi Gadasu
CEH || CDPS || CIPM || CIPP-E || MSc IT and Law || Data Privacy Consultant || Information Security Trainer || Programmer || IT Trainer ||
April 29, 2025

In a world irreversibly shaped by digital transformation, the law cannot afford to remain analog while society evolves at the speed of technology. Yet, in Ghana, there remains a troubling gap between the rapid advancement of data-driven technologies and the judiciary’s preparedness to adjudicate on issues of data protection, privacy, cybercrime, and artificial intelligence.

This is not merely a theoretical concern. It has immediate and practical consequences for justice delivery, rights protection, and national development. 

The Rise of the Data Subject — and the Risks They Face

The Data Protection Act, 2012 (Act 843), was enacted to guarantee the rights of data subjects — individuals whose personal information is processed by others. The law imposes strict obligations on data controllers and processors to handle personal data responsibly, fairly, and securely.

Yet every day, we witness:

Unauthorized disclosures of personal information on social media
Massive corporate data breaches with little to no remedy
Surveillance practices without transparency or safeguards
AI-driven profiling with discriminatory or harmful outcomes

In such an environment, privacy harms are no longer theoretical; they are lived realities. The legal system must be the bulwark that defends the citizenry — yet a judiciary unfamiliar with data protection principles is ill-equipped for this urgent task.
Analog Judges in a Digital Era

Many of our current judges and legal practitioners were trained in an era when privacy meant physical seclusion, not the protection of digital footprints.

But today, privacy is about:

Controlling how personal data is collected, used, shared, or sold.
Demanding transparency and accountability from corporations and governments alike.
Recognizing privacy violations even when there is no physical trespass, only digital intrusion.

If judges do not understand what constitutes a privacy breach, what harm data misuse can cause, or how algorithms make biased decisions, how can they deliver justice in an era dominated by technology? 

Without technical and legal fluency in data protection, our judiciary risks:

Misapplying or underapplying Act 843 in cybercrime and privacy-related cases
Failing to recognize complex privacy harms (such as emotional distress, loss of autonomy, or algorithmic bias)
Eroding trust in the legal system among an increasingly tech-savvy population

Data Controllers and Processors: The Silent Power Brokers

Many companies and public institutions in Ghana today act as data controllers and data processors, handling vast amounts of personal data — often with minimal oversight.

Their obligations under the law are clear:

Obtain valid consent before processing personal data
Implement appropriate security safeguards
Notify the Data Protection Commission and affected individuals in the event of a data breach
Respect the rights of data subjects — including access, correction, and deletion of personal data

When these obligations are breached, the law provides remedies. But if the judiciary does not fully comprehend these obligations, wronged data subjects may never see justice realized.

This deficiency emboldens reckless behavior by organizations that treat data protection as a box-ticking exercise rather than a fundamental human rights obligation. 

The Future: AI, Biometrics, and Beyond

Ghana stands on the cusp of widespread use of:

AI-driven services
Facial recognition technologies
Automated decision-making systems in banking, healthcare, and governance

Each innovation brings new legal and ethical challenges. Tomorrow’s court cases will involve questions of algorithmic fairness, AI accountability, and automated privacy violations. 

If our judiciary remains digitally illiterate, Ghana will find itself unable to defend citizens against sophisticated digital rights violations. The time for capacity-building is now.
A Call to Action for the Legal Fraternity

The legal fraternity — lawyers, judges, law lecturers, and policymakers — must act decisively:

Mandatory Judicial Training: Integrate data protection, privacy law, cybersecurity, and AI ethics into judicial education programs.
Law School Curriculum Reform: Make data protection and technology law compulsory courses in LLB and professional law training.
Specialized Courts: Establish technology and data protection courts or assign specialist judges to handle digital rights cases.
Continuous Professional Development: Offer regular seminars and certifications for practicing lawyers on emerging digital law issues.
Closer Collaboration with Regulators: Courts should work alongside the Data Protection Commission to better understand enforcement and regulatory frameworks.

Final Thoughts: Justice in the Digital Age Requires Digital Competence

If the Ghanaian legal system fails to evolve, it will be the powerless who suffer most — ordinary citizens whose privacy is infringed, whose data is misused, and whose dignity is eroded by invisible technological forces. Justice delayed is justice denied. But in the digital age, justice misunderstood is justice obliterated. It is time for the legal fraternity to rise to the occasion. The analog mind must meet the digital reality — or risk becoming irrelevant.

Emmanuel Kwasi Gadasu
CEH || CDPS || CIPM || CIPP-E || MSc IT and Law || Data Privacy Consultant || Information Security Trainer || Programmer || IT Trainer ||
May 11, 2025

In this hyper-connected world of digital footprints, biometric IDs, surveillance cameras, and cloud storage, we’re often reminded to protect our personal data—guard it as if our lives depend on it. But long before cybersecurity experts warned us of breaches and identity theft, and long before lawmakers drafted data protection policies like Ghana’s Data Protection Act, 2012 (Act 843), someone else was already doing this job quietly and tirelessly.That someone is—our mothers.

Yes, before the rise of encryption algorithms and two-factor authentication, mothers were the first data custodians we ever encountered. They were the original firewalls—deflecting emotional malware, filtering out harmful interactions, and ensuring that the most sensitive information about us remained confidential, protected, and, in many ways, sacred. 

The First Line of Privacy Defense From the moment we were born, mothers became the custodians of our most intimate records. They knew everything—our fears, our quirks, our weaknesses, our victories—and stored that information with discretion, compassion, and unmatched loyalty. They remembered what made us cry, what made us laugh, what we liked for breakfast, and what we dreaded at school. Unlike today’s data platforms that profit from oversharing, mothers respected context, consent, and confidentiality. They practiced the golden rule of privacy without needing legal guidance—they simply knew when and what to share, with whom, and why. You could say they followed a maternal version of the “purpose limitation principle” long before it became a pillar of data ethics.

Consent with Care How many times did our mothers ask us before telling a childhood story in public? Or spare us embarrassment by refusing to post an awkward photo, long before social media made such actions common? Mothers understood the implications of unauthorized data sharing. And when they did breach that trust—say, by proudly revealing a funny memory—it was often to celebrate us, not to exploit us. In today’s digital landscape, we have to navigate terms of service, opt-in checkboxes, and privacy settings. Our mothers never needed these—they offered protection and privacy out of love, not obligation. Their protection was instinctive, proactive, and deeply human.

A Personal Data Archive You want to talk about memory storage? Mothers hold archives that rival any cloud server. They can recall the date you took your first step, the name of your primary school best friend, the time you fell ill on your first school trip, and even the color of the sweater you wore at age six. They didn’t just store this data—they curated it with care, updated it regularly, and safeguarded it from outsiders. Imagine if tech companies were held to the standard of a mother’s memory and care. Imagine if the data custodians in our digital world filtered every access request through the lens of empathy and long-term impact.

Trust, But Verify Like any good data steward, mothers also knew how to verify truth. If you came home with a strange story or tried to cover your tracks, a mother would intuitively audit your behavior. She could detect a lie faster than any forensic algorithm.Today, we use machine learning to analyze patterns and detect anomalies. But a mother could do this just by looking at your eyes, your tone, or the way you walked into the room.

Cybersecurity in the Emotional World In Ghana, where extended families, social norms, and community ties run deep, mothers also serve as intergenerational gatekeepers of sensitive data. They know which topics should remain within the family, and they teach their children—especially daughters—how to manage the fine line between disclosure and dignity. In doing so, they uphold an analog version of data minimization: only share what’s necessary, and always protect what’s sacred.

So this Mother’s Day, let’s honour our mothers as the unsung Data Protection Officers (DPOs) of our lives. While governments work to enforce compliance with Act 843, and companies scramble to avoid data breaches, mothers have been modeling the spirit of data privacy all along—lawfully, fairly, and with unbreakable love. 

A Mother’s Day Salute—Encrypted with Love To all the mothers—biological, adoptive, foster, and maternal figures—We salute you. May your joy be encrypted beyond reach of any intruder. May your peace be firewalled against the noise of life. May your heart continue to form secure connections that transcend generations.

As we navigate the complexities of the digital age, may we never forget that the first lesson in privacy came not from a user manual or a GDPR regulation—but from a mother’s embrace.

Emmanuel Kwasi Gadasu
CEH || CDPS || CIPM || CIPP-E || MSc IT and Law || Data Privacy Consultant || Information Security Trainer || Programmer || IT Trainer ||
May 15, 2025

In every democracy, the vote is sacred. But in the 21st century, the data trail may be even more powerful than the ballot box. As we celebrate our democratic freedoms—of speech, movement, and association—we must confront a critical question: Can a democracy truly be sustainable if its citizens lack privacy and control over their personal data? The answer, increasingly, is no.

Privacy is the Bedrock of Free Thought Privacy is not just a personal right—it is a political one. When individuals know they are being watched, they self-censor. They become less likely to search controversial topics, speak against powerful actors, or express dissent. Surveillance, even when subtle or passive, creates fear.

And fear is the enemy of democracy. 

In Ghana and across the world, the rise of biometric databases, social media surveillance, and algorithmic profiling means that the digital spaces where we form opinions, share beliefs, and engage in civic discourse are under watchful eyes—often without our knowledge or consent.

A sustainable democracy must protect not only the right to vote, but also the right to think freely—and that begins with safeguarding personal data.

Data Protection Builds Trust in Governance Imagine a citizen who applies for a government service and finds their health records leaked, or their financial details sold to third parties. That citizen is less likely to engage with digital public infrastructure or trust the state.

Trust is the fuel that sustains democracy. And in a digital society, trust depends on data protection. Ghana’s Data Protection Act, 2012 (Act 843) was a bold step forward. It established rights for individuals and responsibilities for data controllers. But laws alone are not enough. Citizens must be aware, and institutions must be held accountable. A right unexercised is a right eroded. Sustainable democracies must normalize data governance as a pillar of public accountability, not a niche concern for techies and lawyers.

The Weaponization of Data is a Threat to Elections Across the world, we’ve seen how personal data can be used to manipulate elections—through targeted disinformation, voter suppression, or even algorithmic biases that reinforce inequality. When political campaigns know everything about a voter’s fears, income, religion, and habits, they can tailor messages that are not meant to inform, but to influence.

In this environment, democracy risks becoming a performance—a shadow of choice, powered by persuasion and surveillance. 

West Africa must not wait to become the next case study. We must build electoral processes where data collection is transparent, and its use ethical and accountable.

Empowered Citizens Make Resilient Democracies A sustainable democracy is not just about periodic elections—it is about ongoing participation. And to participate meaningfully, citizens must feel safe online and offline. When people know they control their digital footprint, they are more likely to speak up, engage, organize, and resist injustice. That is why digital literacy and data protection go hand in hand. From classroom to courtroom, village to parliament, we must teach people to ask:

Who holds my data?
Why do they need it?
What are my rights?

Because informed citizens are not easily manipulated. They are the firewalls of freedom. 

Conclusion: Democracy Needs Privacy Like It Needs Air As we build digital public infrastructure and smart governance models, we must not trade convenience for control. Surveillance should never be the cost of civic participation. Privacy and data protection are not optional extras in a democracy—they are its silent guardians.

In the words of Edward Snowden, “Arguing that you don’t care about privacy because you have nothing to hide is like saying you don’t care about free speech because you have nothing to say.”

Let us not wait for our rights to be violated before we defend them. Let us build a democracy where data serves the people, not the other way around. 

Emmanuel Kwasi Gadasu
CEH || CDPS || CIPM || CIPP-E || MSc IT and Law || Data Privacy Consultant || Information Security Trainer || Programmer || IT Trainer ||
June 4, 2025

In an era defined by digital footprints, biometric databases, and surveillance technologies, data is no longer just a technical concept—it is a human rights issue. 

In Ghana, the establishment of the Data Protection Commission and the enactment of the Data Protection Act, 2012 (Act 843) marked a progressive leap toward aligning the country with global standards like the European Union’s GDPR. The ecosystem is budding: Certified Data Protection Officers (CDPOs) are emerging, institutions are beginning to embrace compliance, and awareness campaigns are slowly taking root.

Yet, there remains a critical gap in this ecosystem—one that threatens to undermine the entire framework: the legal fraternity’s insufficient integration into the data protection dialogue. Lawyers, judges, and the wider judiciary remain largely disconnected from the evolving digital rights landscape, and the consequences for Ghanaian data subjects could be catastrophic.

Filing 20th Century Cases in a 21st Century Reality

Recent legal actions, such as the case of Gifty Amoakowaa v Peace and Love Hospital, exemplify this disconnect. Here, a patient alleges a violation of her privacy rights after undergoing a medical examination under undisclosed CCTV surveillance. While this is clearly a data protection issue rooted in consent, fairness, and lawful processing under Act 843, the legal filings relied on broad constitutional principles and outdated tort law instead of citing specific provisions under the Data Protection Act.

Lawyers, unfamiliar with the procedural and substantive dimensions of data protection law, are filing cases using precedents that predate the digital age. 

As a result, judges are left without the contextual or legal tools needed to adjudicate these matters properly. The reasoning of some critical judicial rulings fails to reflect the nuances of data privacy, consent, data minimization, or purpose limitation—all core pillars of Act 843 and international frameworks.

When the Gavel Misses the Point

Imagine this: your private medical diagnosis is leaked through a hospital’s poorly secured database. You seek justice. Your lawyer, unaware of Section 20 of Act 843, which deals with unlawful disclosure of sensitive personal data, files a general human rights violation case. The judge, untrained in data protection jurisprudence, views it as a simple case of negligence. The result? No meaningful compensation, no accountability, and no precedent that would deter future violations. This is not hypothetical. It is already happening.

The Ripple Effect: From Courtrooms to Citizens

When lawyers are unable to identify data protection violations and judges fail to assess cases within the correct legal context, the following injustices emerge:

Loss of Legal Remedies: Victims are denied justice because their claims are wrongly categorized and improperly argued.
Lack of Precedent: Without data protection rulings, Ghana's legal system fails to evolve jurisprudence that reflects the realities of the digital age.
Public Mistrust: When courts dismiss or mishandle data-related grievances, citizens lose faith in both the legal system and the promise of data rights.
Impunity for Institutions: Data controllers and processors are emboldened to continue with weak security practices and disregard for consent.
Weak Enforcement: Without robust litigation, the Data Protection Commission’s enforcement efforts may fall short, limited to audits and fines without judicial backing.

The Legal Fraternity: Missing in Action

Despite data protection being embedded in Ghanaian law for over a decade, few lawyers have specialized in this field. Law schools rarely teach it. Judges seldom encounter it in court, and when they do, it’s tangled in constitutional clauses rather than the precise language of Act 843.

Even in landmark cases involving surveillance, biometric data collection, or unlawful disclosures by public institutions, the law is often interpreted narrowly. The absence of data protection analysis in these rulings sets a dangerous precedent for future violations to go unchecked.

Why This Matters: Real Harm, Real People

Let’s make this real. When a child’s school shares their academic records with third-party app developers without consent, it is not just a breach of data. It is a betrayal of trust. When a hospital leaks patient files online, it is not merely a system error. It is an assault on dignity. When facial recognition is used in public spaces without informing citizens, it is not just innovation. It is surveillance. Each of these scenarios deserves proper legal scrutiny and remedies. But if the judiciary lacks the knowledge and confidence to handle these issues, then victims suffer in silence.

The Way Forward: Building a Legally Literate Ecosystem

Mandatory Legal Training on Act 843: Judicial Service training programs should include compulsory modules on data protection law and its intersections with human rights, tort law, and constitutional law.
Law School Curriculum Reform: Ghana’s law faculties must incorporate Data Protection and Digital Rights Law into their LLB and post-graduate programs.
Bar Association Involvement: The Ghana Bar Association must take leadership in organizing CLE (Continuing Legal Education) courses and certification in data protection for practicing lawyers.
Judicial Bench Books: The Judicial Service, in collaboration with the Data Protection Commission, should publish interpretive guidance and benchmark cases to aid judges in data-related rulings.
Strategic Litigation: Civil society and legal think tanks should support strategic litigation that brings data protection issues directly to the courts and frames them within the correct legal context.
Collaboration with the DPC: Lawyers and judges should engage regularly with the Data Protection Commission to stay updated on enforcement trends, legal interpretations, and policy developments.

A Call to Action

We are at a tipping point. Ghana has the legal tools, the regulatory infrastructure, and the public will to protect data privacy. But if the courts continue to rule without reference to these laws, then they become relics—not remedies.

The legal fraternity must rise to the occasion. Judges must issue rulings that serve as data protection precedents. Lawyers must stop filing yesterday’s cases in today’s courts. Legal educators must prepare students for the digital legal challenges of tomorrow. And the citizenry? They must demand that their rights are protected not only by law but also by practice, precedent, and principle. Because in a world where data is power, justice begins with understanding how that power is used, abused, and, most importantly, held accountable.

Emmanuel Kwasi Gadasu
CEH || CDPS || CIPM || CIPP-E || MSc IT and Law || Data Privacy Consultant || Information Security Trainer || Programmer || IT Trainer ||
June 3, 2025

“Every patient that walks through your hospital doors brings more than just a health concern—they bring trust. Trust that their personal information, their diagnosis, their treatment history, and even their deepest fears will be kept safe. But what happens when that trust is broken—intentionally or accidentally?”- Emmanuel Gadasu 

Case Brief: Gifty Amoakowaa v Peace and Love Hospital

Gifty Amoakowaa has filed a human rights suit against Peace and Love Hospital for installing a CCTV camera in a medical examination room without her knowledge or consent. The case challenges the legality of surveilling patients during sensitive breast examinations, citing violations of Ghana’s 1992 Constitution (Articles 15 & 18), the Data Protection Act 843, and the Patients’ Charter under the Public Health Act. It raises key questions about informed consent, doctor-patient confidentiality, and the ethical limits of surveillance in healthcare. The applicant seeks damages, the removal of the CCTV system, and deletion of any footage. The outcome could set a major precedent for privacy in Ghana’s medical sector.

In a likely-to-be landmark human rights case with major implications for privacy in healthcare, Gifty Amoakowaa is taking Peace and Love Hospital to court for allegedly breaching her constitutional and data protection rights. At the heart of the case is a simple yet provocative question:

Can a patient undergoing a sensitive medical examination be unknowingly surveilled in the name of safety? 

At stake are constitutional guarantees of human dignity and privacy (Articles 15 and 18(2) of Ghana’s 1992 Constitution), the Ghanaian Data Protection Act, 2012 (Act 843), and comparable standards under the European Union’s General Data Protection Regulation (GDPR).

The context: a CCTV camera installed in a consulting/examination room where breast examinations are conducted, without the patient's knowledge or consent. 

CCTV Surveillance in Healthcare: A Breach of Trust?

Both Ghana’s Data Protection Act 2012 (Act 843) and the GDPR classify health data as special category data requiring enhanced protection. The use of CCTV in examination rooms where intimate procedures are performed, without prior notification or consent, falls squarely outside acceptable processing grounds under both frameworks.

Act 843, Sections 17 and 20, require that:

Personal data be collected fairly and lawfully;
Data subjects be informed of the purpose of data collection (Section 21);
Consent must be explicit, especially when sensitive data is involved;
Processing should be necessary, proportionate, and with appropriate safeguards.

The GDPR echoes this through Articles 5(1)(a)-(f) and 9. Consent must be freely given, specific, informed, and unambiguous. The data subject should know about the existence of the surveillance, the reason for it, how footage is handled, and their rights to object.

In Gifty Amoakowaa’s case, she alleges she was never informed that a CCTV camera was operating during her examination. If proven, this violates not only her constitutional right to dignity and privacy, but also clear obligations under both Act 843 and GDPR. Even under hospital safety justifications, covert surveillance in an environment requiring utmost confidentiality undermines the core of the doctor-patient relationship.

Is Consent Always Required in Surveillance?

Yes, especially in medical contexts. Unlike bank lobbies or public buildings, consulting rooms are zones of high privacy expectation. Surveillance here requires not only consent but also a strong justification.

Under Act 843, consent is not just a procedural formality; it must be:

Informed
Prior to collection
Given freely
Withdrawable at any time

If the patient wasn’t informed or didn’t consent, the collection and storage of video footage becomes unlawful processing. Additionally, failure to label the room as under surveillance or display visible CCTV signs constitutes a lack of transparency and a violation of the fairness principle.

What Could Peace and Love Hospital Have Done Differently?

Use a Chaperone: Instead of CCTV, sensitive procedures can be monitored ethically with a trained chaperone present—a standard best practice in many jurisdictions.
Get Explicit Consent: If surveillance is truly necessary, the hospital should explain:Why the camera is thereWhat it recordsWho sees the footageHow long it’s kept
Install Signage: Clearly label rooms under surveillance and provide privacy notices.
Data Minimization: Refrain from recording in high-privacy areas unless absolutely necessary. CCTV can be focused on entrances for security without compromising private examinations.

Chaperone vs. Camera: A Cultural and Legal Shift

Chaperones not only ensure professional integrity during examinations; they also protect both parties from legal challenges. Cameras, by contrast, record permanently, risk breaches, and strip patients of dignity. The use of chaperones is recognized in clinical guidelines across Europe and parts of Africa as a preferred alternative.

The Patients’ Charter Section 167 of the Public Health Act 851 – Sixth Schedule – Patients Charter subsections 7, 8 and 9 states as follows:

7. The patient has the right to privacy during consultation, examination and treatment and in cases where it is necessary to use the notes of the patient’s case for teaching and conferences, the consent of the patient must be sought.
8. The patient is entitled to confidentiality of information obtained about the patient and that information shall not be disclosed to third party without the consent of the patient or the person entitled to act on the consent of the patient or the person entitled to act on behalf of the patient except where the information is required by law or is in the public interest.
9. The patient is entitled to the relevant information regarding policies and regulation of the health facilities that the patient attends.

Is there a breach of the Patients’ Charter? YES. Section 167 and the Sixth Schedule of Ghana’s Public Health Act, 2012 (Act 851) mandates that patients have a right to:

Confidentiality
Dignity
Informed consent

Installing hidden or undisclosed CCTV violates all three. The psychological trauma cited by the applicant further emphasizes how trust was eroded.

A Precedent in the Making

This case is a wake-up call to all healthcare institutions in Ghana and beyond. While protecting medical staff and facilities is important, it cannot come at the cost of patient dignity, trust, and privacy. Technology should enhance care, not surveil it.

As data protection professionals, we must advocate for ethical practices that balance safety with rights. In a world growing ever more digitized, privacy is not a privilege—it is a patient’s right.

I conclude by saying “In a world where health records can be leaked with a single click, and one misplaced file can cost millions or even lives, data protection is no longer a ‘nice-to-have.’ It is a professional obligation. As health professionals, you don’t just save lives—you also safeguard identities.”

Emmanuel K. Gadasu CEH, CDPS, CIPM, CIPP-E, BSc IT, MSc IT and Law, LLB* Email: ekgadasu@gmail.com Phone: +233 24391 3077

Faustina Abbey v. Telecel Ghana Ltd
In this case, Faustina Abbey, the Plaintiff, is suing Telecel Ghana Ltd (formerly Vodafone Ghana) for unlawfully using her photograph in advertisements for their Red Save product across multiple platforms—including billboards, social media, and traditional media—without her consent. The case was filed on the 23rd May 2025 at the High Court – General Jurisdiction, Accra.

The Plaintiff claims that this action:

• Violated her right to privacy and personal liberty, and
• Abused her image rights under Ghanaian law.

She is seeking:

1. Declarations from the court acknowledging the breach of her privacy and image rights.
2. GHS 2 million in compensation for the harm suffered.
3. An order to remove all unauthorized advertisements featuring her image.
4. Costs, including legal fees.

Data Protection Lessons for Individuals

1. Your image is your personal data – Using someone’s photo for commercial or promotional purposes without their consent is a clear violation of privacy and image rights.
2. Always read the fine print – Be cautious when photos are taken at events or for services; ensure you’re not unknowingly giving permission for commercial use.
3. You have the right to say no – Consent must be freely given, specific, informed, and explicit under the Data Protection Act, 2012 (Act 843).
4. You can seek legal redress – If your image or personal data is used without permission, you have the right to take legal action and claim compensation.
5. Awareness is power – Understanding your data protection rights helps you protect your identity, dignity, and digital footprint.

WHAT DOES THIS MEAN FOR YOU?
Your personal data is a right—not a resource. Know how it’s being used and demand accountability when your privacy is compromised.

WHAT DOES THIS MEAN FOR ORGANIZATIONS?
The case highlights the importance of explicit customer consent and robust verification processes before using personal data for unrelated purposes. Failure to do so amounts to negligence and can cause reputational and financial damage.

Emmanuel Kwasi Gadasu
CEH || CDPS || CIPM || CIPP-E || MSc IT and Law || Data Privacy Consultant || Information Security Trainer || Programmer || IT Trainer ||
June 9, 2025

We are living in a transformative era where generative artificial intelligence (AI) is rapidly reshaping how we work, create, and communicate. From drafting documents and generating images to automating conversations and solving complex problems, these tools offer what once felt like science fiction—on demand. But beneath the marvel of this innovation lies a less-glamorous, often-overlooked truth: generative AI is built to remember, not to forget. For years, I’ve urged individuals and organizations alike to pause before feeding these systems their most personal, sensitive, or proprietary information. Not out of fear of the future, but out of understanding of the present: once data enters a generative AI model, it’s nearly impossible to guarantee where it goes, how it’s used, or who can access it. That caution was once a theoretical concern. Now it has legal teeth. In a landmark development, a federal court in the case of New York Times v. OpenAI has made clear what many of us in the data privacy world have known all along: AI systems remember more than they should—and often in ways that challenge ownership, accountability, and ethical stewardship.

The Machine That Doesn’t Forget

At their core, generative AI systems function by learning from vast datasets—millions of articles, conversations, codebases, images, and yes, sometimes even confidential or copyrighted material. These systems are trained to detect patterns, replicate linguistic nuance, and generate content that mimics what humans might say or write. But unlike humans, AI doesn’t forget. A fleeting input—a confidential business strategy, an internal memo, a personal confession—may seem like a drop in the digital ocean. But once it’s entered, it’s no longer fleeting. It becomes part of a system designed to optimize based on accumulated information. And while companies implement privacy policies, redaction tools, and training filters, absolute deletion or isolation of such inputs is nearly impossible after training. This isn’t just a software limitation. It’s a fundamental design principle of how machine learning works.

The Illusion of Control

Many users—especially in organizations—assume that using AI tools is as secure as using an internal knowledge base. The user interface feels simple. Clean. Trustworthy. But here’s the truth: your data does not disappear when the chat ends. It can be retained in logs, potentially reused for training (depending on terms of service), or even inadvertently surface in future outputs—particularly if systems are misconfigured or improperly deployed. For companies, this can mean accidental exposure of trade secrets. For individuals, a permanent record of personal details they never intended to share publicly. And for society, it raises troubling questions about digital consent, ownership, and long-term consequences. This was precisely the concern raised in New York Times v. OpenAI. The court’s findings signal a new chapter in our reckoning with AI: we can no longer pretend that AI is neutral or forgetful. It isn’t. And it doesn’t.

We Must Rethink Trust in the Age of AI

The heart of the issue is trust. Not just in AI companies, but in the entire ecosystem that surrounds the development and deployment of generative models. Trust requires transparency: How is the data used? Where does it go? What safeguards are in place? Trust requires consent: Did the individual or organization knowingly agree to have their data absorbed, memorized, and potentially regenerated? Trust requires accountability: If harm is done—if data is leaked, plagiarized, or misused—who is held responsible? Currently, our answers to these questions are murky at best. That’s not just a policy failure—it’s an ethical crisis.

The Path Forward: Responsible Use, Not Reactive Regulation

We cannot turn back the clock on generative AI. Nor should we. The benefits are real: educational equity, creative empowerment, productivity gains, and access to knowledge at unprecedented scale.

But we must build better guardrails—and fast.

Data Minimization by Default: AI tools should collect the bare minimum information required for functionality, and delete transient data wherever possible.
Privacy-Aware Design: Privacy must be embedded into the AI lifecycle—from design and data collection to model training and deployment.
Organizational Governance: Companies must develop internal AI usage policies that prohibit the input of sensitive data into generative tools and mandate regular audits.
User Empowerment: Individuals should be educated not just on what AI can do, but on what it remembers—and how to keep their data safe.
Clear Consent and Control: Users must have the right to know if their data was used to train a model—and the ability to opt out.

Conclusion: A Call to Conscious Use

The age of generative AI is here—and it’s not going away. But neither should our commitment to privacy, ethics, and digital dignity. When we use generative tools, we are not just leveraging convenience—we are participating in a system that collects, remembers, and sometimes reuses what we give it. Let us not confuse innovation with immunity. Let us not confuse access with safety. Let us instead choose to be vigilant, informed, and intentional. Because in the end, what AI remembers is only as responsible as what we choose to teach it. And we all play a role in shaping what it learns.