A healthcare startup trained a disease prediction model on 50000 patient records. Three months after deployment they receive 200 GDPR erasure requests. (1) Does deleting the patients records from the database satisfy the GDPR right to erasure? Why or why not? (2) Describe three approaches to machine unlearning for this scenario with tradeoffs in cost completeness and feasibility. (3) The company is considering federated learning for their next model. What privacy benefit does this provide and what residual privacy risk remains?