EDPB Draws Sharper Lines Around Anonymous Data & AI Web Scraping
Key Takeaways
- EDPB Clarifies Anonymization Standards: The Board adopted draft guidelines explaining when data can be considered anonymous under the GDPR, introducing a practical assessment framework informed by recent CJEU case law.
- Three-Criteria Test Introduced: Organizations are advised to assess anonymization by determining whether data prevents record isolation, linkage, and inference, with further analysis required if any criterion is not met.
- AI Web Scraping Guidance Expands GDPR Expectations: New draft guidance explains how existing GDPR principles, including purpose limitation, transparency, accuracy, data minimization, and legitimate interests, apply to web scraping used for generative AI development.
- Sensitive Data Protections Reaffirmed: The EDPB emphasized that processing special categories of personal data through web scraping generally requires both a lawful basis under Article 6 and an applicable exception under Article 9(2), with no blanket exemption available.
- Blockchain Guidelines Finalized: Following public consultation, the Board adopted the final version of its blockchain guidance, providing organizations with recommendations for applying GDPR requirements to different blockchain architectures.
Deep Dive
The European Data Protection Board is attempting to answer some of the questions that have lingered around the GDPR almost since the regulation took effect. When is data truly anonymous? What obligations apply when developers scrape the web to train generative AI? And how should organizations think about personal data on blockchain networks?
At its latest plenary session, the Board adopted draft guidelines on anonymization and on web scraping in the context of generative AI, while also approving the final version of its guidelines on blockchain technologies. Although the three documents address different technologies, they reflect a common objective: reducing uncertainty around how established data protection principles apply in areas where technical practice has evolved faster than regulatory guidance.
The draft guidelines on anonymization and web scraping are open for public consultation until Oct. 30, 2026. The blockchain guidance has completed that process and now represents the Board's final position.
Drawing a Clearer Line Around Anonymous Data
Whether data is anonymous has always carried unusually high stakes under European privacy law. Information that no longer relates to an identified or identifiable natural person falls outside the scope of the GDPR. Reaching that conclusion, however, has rarely been straightforward. The EDPB's new guidance is intended to bring greater consistency to those assessments. In doing so, it draws on recent case law from the Court of Justice of the European Union, including its September 2025 judgment in EDPS v. SRB (C-413/23 P), alongside other decisions interpreting the concept of identifiability.
The Board says anonymity cannot be judged in the abstract. Whether someone is identifiable depends on whether they can be distinguished from others in a particular context using means that are reasonably likely to be employed by a given entity. That assessment may differ from one organization to another because the means available to identify an individual are not necessarily the same in every circumstance.
The guidance also cautions against focusing only on obvious identifiers. Information may relate to an individual because of its content, its purpose, or its effect, even where the connection is not immediately apparent. To help organizations assess whether anonymization has been achieved, the Board introduces a practical framework with two possible approaches.
The first, described as the contextual approach, considers differences in the capabilities of parties that might seek to identify an individual. The EDPB says this reflects the full legal standard for anonymization. The second is a simplified approach that intentionally disregards those differences. While this may lead organizations to treat some data as though it is not anonymous even where certain entities could not identify anyone from it, the Board notes that some controllers may prefer the approach because it provides greater confidence that data has been effectively anonymized.
At the center of the framework is a three-part assessment. Data should not allow the isolation of an individual's record, the linking of records relating to that individual, or the inference of additional information about them. Where any of those conditions cannot be satisfied, the Board says further analysis is needed before concluding that the information can be treated as anonymous.
Applying Familiar GDPR Principles to AI Training
The Board's second set of draft guidelines addresses a practice that has become central to the development of many generative AI systems: web scraping. The guidance describes web scraping as large-scale automated extraction of information that often takes place without individuals being aware that their personal data has been collected. Where those activities involve processing personal data, including collecting, storing, organizing, or retrieving information, the GDPR applies.
Rather than introducing new legal obligations, the Board explains how existing GDPR principles should be applied in that context. Controllers using web scraping should pay particular attention to purpose limitation and transparency, according to the guidance. At the same time, the Board recognizes that informing every individual directly may not always be required where doing so would prove impossible or involve disproportionate effort, depending on how the processing operation has been designed.
The EDPB also offers practical recommendations aimed at supporting compliance with the GDPR's accuracy principle. It recommends scraping data only from reliable sources, recording when information was collected, and validating data before it is used to train AI models. The guidance also discusses measures controllers should consider when complying with the data minimization principle.
Building on its earlier opinion on AI models, the Board provides additional clarification on relying on legitimate interests as the legal basis for web scraping conducted for AI training. The guidance devotes particular attention to special categories of personal data. The Board reiterates that processing such information is generally prohibited unless organizations can satisfy both a lawful basis under Article 6 of the GDPR and an applicable exception under Article 9(2).
It also points to the Court of Justice's judgment in GC & Others (C-136/17) as potentially relevant where special category data is collected only incidentally or residually. That reasoning, however, is not automatic. According to the Board, controllers must act within the framework of their responsibilities, powers, and capabilities while implementing appropriate technical and organizational measures to prevent the collection and dissemination of such data. Each case must still be assessed individually, and the judgment does not create a general exemption from Article 9.
Blockchain Guidance Moves From Draft to Final
Alongside the two new consultations, the EDPB adopted the final version of its guidelines on processing personal data through blockchain technologies following an earlier public consultation. The guidance is intended to help organizations using blockchain technologies comply with the GDPR by explaining how different blockchain architectures operate and examining the implications those architectural choices can have for the processing of personal data.
In keeping with its commitment to stakeholder engagement, the Board also published a report summarizing the outcome of the public consultation, together with a tracked-changes version of the guidelines showing how the final text evolved during the consultation process.
The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.

