Skip to main content
ShareEmailLinkedInXWhatappsFacebook
feedback
Share

EDPB sheds light on anonymisation and web scraping for generative AI and adopts final version of guidelines on blockchain

Brussels, 8 July– During its latest plenary, the EDPB has adopted guidelines on anonymisation and guidelines on web scraping in the context of generative AI. In addition, the Board has adopted the final version of its guidelines on the processing of personal data through blockchain technologies. 

Understanding anonymous data

The new EDPB guidelines bring clarity to the notion of anonymous data, taking also into account the ruling of the Court of Justice of the EU in the case C-413/23 P EDPS v SRB of 4 September 2025 and other CJEU jurisprudence.

The guidelines mark a significant milestone in clarifying the notion of anonymous data, establishing clear standards that facilitate the use of data while protecting individuals' fundamental rights.

In developing these guidelines, we incorporated valuable input from our stakeholder event, showing, once more, our strong commitment to collaborative dialogue as outlined in the EDPB Helsinki statement.

EDPB Chair, Anu Talus

Data is anonymous if it does not relate to an identified or identifiable natural person. Whether this is the case may vary from one entity to another.

Information can relate to an individual because of its content, purpose, or effect. The existence of such a link may not be immediately obvious and could require further analysis.

An individual is considered 'identified or identifiable' if they can be distinguished from others in a specific context using means reasonably likely to be used in a way that makes it possible to treat them differently. Whether the means are reasonably likely to be used will depend on the relevant entity’s perspective and should be assessed in light of all objective factors.

The guidelines also provide a practical framework for organisations to determine if anonymisation is successful. The framework can be applied in two ways: either by assessing differences in capabilities between those who might identify the individual (‘contextual approach’) or for simplicity’s sake by not taking such differences into account (‘simplified approach’), if a controller chooses to do so. The contextual approach reflects the full nuances of the legal standard for anonymisation. The simplified approach can go beyond the legal standard and may lead an anonymising controller to treat data as though it is not anonymous even if it would actually be so for some relevant entities, but this approach can be more convenient, and provide greater confidence that data is actually anonymous.

The framework uses 3 criteria to test if data is anonymous: 1) no record isolation, 2) no linkage, and 3) no inference. If all 3 criteria are met, the data can be safely considered anonymous. If any of these criteria are not satisfied, further analysis should be done to determine if the data may be considered anonymous.

The guidelines will be subject to public consultation until 30 October 2026, providing stakeholders with the opportunity to comment and provide feedback.

Clarifying data protection implications of web scraping for AI development

Web scraping is a large-scale automated data extraction process that often operates without individuals being aware, and which may pose significant risks to the protection of their personal data. In its guidelineson web scraping in the context of generative AI*, the Board clarifies various aspects of the GDPR compliance of web scraping, including the legal basis for such activities and the conditions under which special categories of data can be processed in this context.

The GDPR applies to web scraping when it includes personal data processing operations, such as collection, storage, organisation and retrieval

When relying on web scraping, particular attention needs to be paid to the purpose limitation principle, and to the transparency principle. However, depending on how the data processing is precisely designed, the controller might not have to inform individuals personally if this proves to be impossible or require excessive effort.

The EDPB recommends scraping data only from reliable sources, recording the timestamp, and validating the data before using them in AI training to ensure compliance with the accuracy principle. The guidelines also advise on measures the controller should implement to comply with the data minimisation principle.

Building on the EDPB Opinion on AI models, the guidelines provide further clarifications and examples on the use of the legitimate interest legal basis in the specific context of web scraping for AI training.

Finally, the EDPB recalls that processing special categories of personal data is in principle prohibited. If web scraping involves such data, both a lawful basis under Art. 6 of GDPR and an exception under Art. 9(2) of the GDPR are required. The EDPB suggests that the Court ruling in GC & Others (C-136/17) may be relevant for incidental or residual collection of special categories of personal data, provided the controller acts within the ”framework of their responsibilities, powers, and capabilities” and implements appropriate technical and organisational measures to prevent the collection and dissemination of such data. The Board emphasises that there is no general exemption from the requirements of Art. 9 GDPR and each case must be assessed individually to determine whether the Court’s reasoning applies.

The guidelines will be subject to public consultation until 30 October 2026, providing stakeholders with the opportunity to comment and provide feedback

Blockchains guidelines finalised after public consultation

Following public consultation, the EDPB has adopted the final version of its guidelines on blockchain technologies. The guidelines help organisations using blockchain technologies to comply with the GDPR. The EDPB explains how blockchains work, assessing the different possible architectures and their implications for the processing of personal data.

In line with the Helsinki statement’s objective to strengthen the dialogue with stakeholders, the Board has also released a report on the outcome of the dedicated public consultation, as well as a track changes version of the guidelines.

Note to editors: 
*Generative AI is a technology aiming to create new content by learning patterns from existing data. It uses specialised machine learning models designed to produce a wide and general variety of outputs such as text, image or audio.