Summary
- The EDPB adopted guidance on anonymisation, web scraping for generative AI, and blockchain personal data processing.
- The AI scraping guidance covers legal basis, transparency, purpose limitation, accuracy, data minimisation, and special category data.
- The anonymisation guidance gives organisations a three-part test: no record isolation, no linkage, and no inference.
The European Data Protection Board has adopted new guidance on anonymisation, web scraping for generative AI, and blockchain technologies, giving organisations a firmer regulatory frame for data-heavy AI and distributed systems.
The package, adopted during the EDPB’s latest plenary, is not a cybersecurity measure in the narrow sense, but it sits directly inside digital risk governance. AI development, analytics, identity systems, blockchain deployments, and large-scale data architecture all depend on decisions about personal data, lawful basis, transparency, retention, minimisation, and re-identification risk.
The EDPB’s plenary update says its anonymisation guidelines clarify when data can be considered anonymous, taking account of Court of Justice of the EU case law. The guidance sets out a practical framework that can be applied through a contextual approach, which considers differences in capabilities between parties that might identify individuals, or through a simplified approach that gives controllers a more conservative assessment route.
The core test is built around three criteria: no record isolation, no linkage, and no inference. If all three are met, the data can be considered anonymous. If any one is not met, further analysis is required. That formulation is likely to affect AI teams, analytics functions, research partnerships, and data sharing arrangements that have relied on assumptions about anonymised or supposedly non-personal datasets.
The EDPB’s web scraping guidance is aimed at generative AI development, where large-scale automated extraction of public web content may involve personal data. The board says the General Data Protection Regulation applies when scraping involves collection, storage, organisation, or retrieval of personal data. It also says organisations must pay particular attention to purpose limitation and transparency, while recognising that in some designs notifying individuals personally may be impossible or require disproportionate effort.
Scraping from public sources still needs a compliance structure. The EDPB recommends scraping only from reliable sources, recording timestamps, validating data before using it in AI training, and applying measures to satisfy data minimisation. It also clarifies the use of legitimate interest in AI training and warns that processing special category data remains prohibited unless there is both a lawful basis under Article 6 and a valid exception under Article 9.
These details will affect how organisations document AI supply chains. Training data governance cannot end with a broad statement that material was public, licensed, anonymised, or scraped by a supplier. Models, datasets, web crawlers, enrichment pipelines, and synthetic data workflows increasingly need evidence about provenance, filtering, validation, and re-identification risk assessment.
The final blockchain guidelines add another pressure point. Distributed ledgers often create tension with GDPR principles because immutability, replication, and decentralised participation can make erasure, rectification, controller identification, and data minimisation harder to implement. The EDPB’s finalisation of blockchain guidance after consultation gives organisations a firmer basis for assessing whether blockchain is appropriate for personal data processing.
The package reflects a broader European shift in digital governance, where AI and data regulation increasingly overlap with operational risk. A weak data governance decision can become a security, litigation, procurement, or enforcement problem, especially when models are trained on large datasets, embedded into customer workflows, or connected to identity, fraud, financial, health, or public-sector systems.
The anonymisation and web scraping guidelines remain open for consultation until 30 October 2026. Technology companies, regulated enterprises, researchers, and public bodies now have a limited window to test whether the EDPB’s framework can be applied to real AI pipelines and data sharing arrangements.




