EDPB Draft Anonymisation Guidelines Raise the Bar | TLY

AI Regulation Tracker  /  Consultation

EDPB Draft Anonymisation Guidelines Raise the Bar for Keeping AI Data Outside the GDPR

Regulatory summary: The European Data Protection Board (EDPB) adopted draft Guidelines on Anonymisation at its plenary on 8 July 2026, alongside separate draft guidelines on web scraping for generative AI and a final version of its blockchain guidelines. The anonymisation guidelines set a three-part test for when data is truly anonymous and.

The European Data Protection Board adopted draft Guidelines on Anonymisation at its 8 July 2026 plenary, setting a three-part test (no record isolation, no linkage, no inference) and folding in the Court of Justice ruling in C-413/23 P. Any firm relying on anonymisation to place AI training or output data beyond the GDPR now faces a stricter, contextual standard. The draft is open for public consultation until 30 October 2026.

Primary source

EDPB Draft Anonymisation Guidelines Raise the Bar for Keeping AI Data Outside the GDPR regulation briefing
The Leveraged Years AI Regulation Tracker

Key takeaways

  • The EDPB set out an updated framework for judging when data is anonymous, structured around three criteria that must all be satisfied: no record isolation, no linkage, and no inference. It aligns that framework with the Court of Justice ruling in C-413/23 P (EDPS v SRB, 4 September 2025) and distinguishes a contextual approach, which weighs the differing capabilities of parties who might attempt re-identification, from a simplified approach that sets those differences aside. The effect is a tighter, more explicitly risk-based bar than a loose claim that identifiers were stripped.
  • Data protection officers and privacy counsel; AI governance and compliance teams; health and HR data teams that rely on de-identified datasets; martech and adtech operations built on hashed or pseudonymous identifiers; and any organisation using scraped or user data to train or fine-tune AI models on the theory that the data is anonymous.
  • Status: Adopted as a draft at the 8 July 2026 EDPB plenary and released for public consultation.
  • Inventory every dataset and model where anonymisation is the reason GDPR is treated as not applying, then stress-test each one against the three criteria and the contextual approach. Where the claim is weak, plan for the data to be handled as personal data, and consider filing consultation feedback before 30 October 2026 if the draft affects your operations.
DateJurisdictionRuleAffected professionalsStatus or effective date
2026-07-09European UnionThe EDPB set out an updated framework for judging when data is anonymous, structured around three criteria that must all be satisfied: no record isolation, no linkage, and no inference. It aligns that framework with the Court of Justice ruling in C-413/23 P (EDPS v SRB, 4 September 2025) and distinguishes a contextual approach, which weighs the differing capabilities of parties who might attempt re-identification, from a simplified approach that sets those differences aside. The effect is a tighter, more explicitly risk-based bar than a loose claim that identifiers were stripped.Data protection officers and privacy counsel; AI governance and compliance teams; health and HR data teams that rely on de-identified datasets; martech and adtech operations built on hashed or pseudonymous identifiers; and any organisation using scraped or user data to train or fine-tune AI models on the theory that the data is anonymous.Adopted as a draft at the 8 July 2026 EDPB plenary and released for public consultation. Not final and not binding. Stakeholders can submit feedback until 30 October 2026, after which the EDPB is expected to consider comments and adopt a final version.

Frequently Asked Questions

Are the EDPB anonymisation guidelines binding law?

No. They are draft guidelines adopted on 8 July 2026 and open for public consultation until 30 October 2026. EDPB guidelines interpret the GDPR and guide enforcement, but they are not legislation, and this version is a draft that can change before a final text is adopted.

What is the three-part test for anonymous data?

Data is treated as anonymous only if all three criteria are met: no record isolation (no singling out of an individual), no linkage (records cannot be linked to the same person), and no inference (information about a person cannot be deduced). If any one fails, the data remains personal data under the GDPR.

Does this mean stripping names is no longer enough?

In many cases, yes. Removing direct identifiers does not by itself make data anonymous if an individual can still be singled out, records can be linked, or information can be inferred. The guidelines assess re-identification risk in context rather than accepting identifier removal as sufficient on its own.

How does the Court of Justice ruling in C-413/23 P fit in?

The guidelines incorporate the judgment in C-413/23 P, EDPS v SRB, of 4 September 2025. It supports assessing identifiability by reference to means reasonably likely to be used and to the situation of the party holding the data, so the same dataset can be anonymous for one recipient and personal data for another.

When does the public consultation close?

The consultation on the draft anonymisation guidelines, and on the companion draft web scraping guidelines for generative AI, is open until 30 October 2026. Stakeholders can submit feedback to the EDPB until that date.

Browse the full AI Regulation News tracker

Informational analysis for working professionals, not legal advice. Confirm how any rule applies to your situation with qualified counsel.