arXiv:2604.21571 'Separable Expert': architecture for LLM personalization enabling GDPR right to erasure without retraining

On April 23, 2026, Chris Schneider, Philipp Schoenegger and Ben Bariach published the paper 'Separable Expert Architecture', which solves one of the biggest GDPR problems of personalized LLMs: how to delete individual user data without retraining the entire model. The three-layer architecture (static base, composable LoRA adapters, per-user proxy artifacts) turns unlearning into a deterministic delete operation. It was evaluated on Phi-3.5-mini and Llama-3.1-8B.

This article was generated using artificial intelligence from primary sources.

On April 23, 2026, Chris Schneider, Philipp Schoenegger and Ben Bariach published on arXiv the paper “Separable Expert Architecture: Toward Privacy-Preserving LLM Personalization via Composable Adapters and Deletable User Proxies” (arXiv:2604.21571). The work addresses one of the hardest problems in the industrial deployment of personalized LLMs: how to respect users’ right to erasure without the catastrophic cost of model retraining.

Why is GDPR a problem for personalized LLMs?

GDPR Article 17 — Right to Erasure gives every EU resident the right to request complete deletion of their personal data from an operator’s systems. For traditional SQL databases this is trivial: DELETE FROM users WHERE id = X. But for LLMs personalized on user data — e.g., an assistant that remembers your writing style, preferences, past conversations — the data is distributed through billions of parameters shared with other users. The authors put it this way: “Current model training approaches incorporate user information directly into shared weights, making individual data removal computationally infeasible without retraining”. In other words, the only “correct” way to delete is to retrain the entire model — which costs millions of dollars for GPT-class models.

How does the Separable Expert architecture work?

The proposed approach is a three-layer decomposition:

  1. Static model base — e.g., Phi-3.5-mini or Llama-3.1-8B in unmodified state, shared among all users
  2. Composable domain-expert LoRA adapters — low-rank adapters that shape behavior (medical domain, legal domain, code) without embedding user data. LoRA (Low-Rank Adaptation) is a fine-tuning technique that modifies model behavior through small additional matrices rather than changing the full model.
  3. Per-user proxy artifacts — small, isolated files specific to an individual user whose deletion “constitutes deterministic unlearning” — mathematically equivalent to the complete removal of the user’s influence.

What do the experimental results show?

The authors evaluate the architecture on Phi-3.5-mini and Llama-3.1-8B models. Key metrics: after proxy deletion, KL divergence (a measure of the difference between two distributions, expressed in nats) is approximately 0.21 nats — confirming “return to baseline” behavior. Verification pass rate is 82–89%, and cross-user contamination is “near-zero”. In other words, one user’s data does not leak into another user’s outputs — which is critical for multi-tenant SaaS deployment.
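The three-layer split and the post-deletion check described above, as an added toy example (not code from the paper or its authors). It assumes a per-user proxy can be modeled as a private low-rank delta held outside the shared weights; `ProxyStore`, `erasure_gap` and all numeric values are constructed for illustration. Because the toy is exact arithmetic, the divergence after deletion is 0 here and does not reproduce the paper's measurements.

```python
import math

# Constructed toy values: a 3x3 matrix stands in for the frozen, shared base.
BASE_W = [[0.5, -0.2, 0.1], [0.3, 0.8, -0.5], [-0.4, 0.1, 0.9]]
# Shared domain adapter as a rank-1 LoRA pair (B, A); it holds no user data.
DOMAIN_LORA = ([[0.1], [0.0], [-0.1]], [[0.2, 0.1, 0.0]])

def apply_model(x, adapters):
    """Softmax of (BASE_W + sum of B @ A) @ x for the given low-rank pairs."""
    w = [row[:] for row in BASE_W]  # copy, so the base is never mutated
    for b, a in adapters:
        for i in range(3):
            for j in range(3):
                w[i][j] += sum(b[i][k] * a[k][j] for k in range(len(a)))
    z = [sum(w[i][j] * x[j] for j in range(3)) for i in range(3)]
    e = [math.exp(v) for v in z]
    return [v / sum(e) for v in e]

def kl_nats(p, q):
    """KL(p || q) in nats (natural logarithm)."""
    return sum(pi * math.log(pi / qi) for pi, qi in zip(p, q))

class ProxyStore:
    """Hypothetical per-user artifact store, kept apart from shared weights."""
    def __init__(self):
        self._proxies = {}
    def put(self, user_id, b, a):
        self._proxies[user_id] = (b, a)
    def erase(self, user_id):
        """Erasure is a plain delete; shared weights are never touched."""
        return self._proxies.pop(user_id, None) is not None
    def predict(self, user_id, x):
        adapters = [DOMAIN_LORA]
        if user_id in self._proxies:
            adapters.append(self._proxies[user_id])
        return apply_model(x, adapters)

def erasure_gap(store, user_id, x):
    """KL between the user's current output and the proxy-free baseline."""
    return kl_nats(store.predict(user_id, x), apply_model(x, [DOMAIN_LORA]))

def demo():
    store = ProxyStore()
    store.put("alice", [[0.6], [-0.3], [0.2]], [[0.5, 0.4, -0.3]])
    store.put("bob", [[-0.2], [0.4], [0.1]], [[0.1, 0.7, -0.2]])
    x = [1.0, 0.5, -1.0]
    before, bob_before = erasure_gap(store, "alice", x), store.predict("bob", x)
    store.erase("alice")
    # (gap before, gap after, whether bob's output is unchanged by the erase)
    return before, erasure_gap(store, "alice", x), bob_before == store.predict("bob", x)
```

`demo()` returns the divergence from baseline before and after erasing one user, plus a flag showing that the other user's output did not change.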

Security implications beyond GDPR

Beyond the Right to Erasure, the architecture “by construction” mitigates three classic attacks on LLMs:

  • Model inversion — attempting to reconstruct training data from model weights
  • Membership inference — determining whether a specific record was in the training set
  • Training data extraction — directly extracting verbatim data from model responses

Additionally, the architecture is compatible with DP-SGD (Differentially Private Stochastic Gradient Descent) for improving shared components with formal privacy guarantees.

What does this mean for EU AI Act compliance?

The EU AI Act, in full implementation phase during 2026, sets very high standards for high-risk systems — including mandatory mechanisms for user control over personal data. Without technical solutions like Separable Expert, companies providing personalized LLM services in the EU face serious regulatory risk. This paper provides a production path to compliance without economically ruinous retraining — and could become the reference architecture for the next generation of enterprise AI products.

Frequently Asked Questions

What is the GDPR right to erasure and why is it a problem for LLMs?

GDPR Article 17 (Right to Erasure) gives EU users the right to request deletion of their personal data. With LLMs personalized on user data, the data is woven into shared model weights — making it technically almost impossible to delete without retraining the entire model, which is financially and operationally prohibitive.

How does Separable Expert solve the problem?

The three-layer architecture decouples data from shared weights. The static model base remains fixed, composable LoRA adapters bring domain behavior without user data, and per-user proxy artifacts hold personalization in isolation. Deleting a user's proxy is a deterministic delete mathematically equivalent to unlearning.

What are the commercial implications for the EU AI Act?

The EU AI Act and GDPR are increasingly enforcing the Right to Erasure. Without a technical architecture like Separable Expert, companies deploying personalized LLMs in the EU face regulatory penalties and litigation risk. This paper provides a production path to compliance without retraining.