> The General Data Protection Regulation (GDPR) gives individuals the right to ask for their data to be deleted and organisations do have an obligation to do so, except in the following cases:
> there is a legal obligation to keep that data;
https://commission.europa.eu/law/law-topic/data-protection/r...
Except that transferring the data to the US is likely illegal in the first place, specifically due to insufficient legal protections against overreach like this.
The legal obligation has to come from relevant member state or EU law. Not third party countries' laws.
This at best is force majeure that prohibits OpenAI with satisfying its contractual obligations that are there to comply with EU law. But contractual obligations are not the only control organizations have to ensure compliance with EU law, so this is not a defense.
From the law itself:
> 1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay...
> 3. Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:
> e. for the establishment, exercise or defence of legal claims.
https://gdpr-info.eu/art-17-gdpr/
The law makes no reference to the idea that the legal claims must be under a member state or EU law.