Summary
- The EDPB has adopted guidance on anonymisation and web scraping for generative AI, with consultation open until 30 October 2026.
- The guidance reinforces that scraping personal data for AI training remains subject to GDPR duties around lawful basis, transparency, minimisation, accuracy, and special-category data.
- AI developers and enterprise buyers will need stronger evidence that datasets are lawful, documented, and genuinely anonymised where claimed.
The European Data Protection Board has adopted new guidance on anonymisation and web scraping for generative AI, tightening the compliance framework around two of the most contested foundations of the AI economy: the collection of public web data and the claim that data has been made anonymous.
The guidance, adopted during the Board’s latest plenary, will go through public consultation until 30 October 2026. It sits alongside final EDPB guidelines on personal data processing through blockchain technologies, extending the regulator’s recent work across AI, distributed ledgers, and data protection engineering.
Although the decision is not an enforcement action, it gives organisations clearer ground rules at a point when generative AI developers, enterprise deployers, and procurement teams are still wrestling with a basic question: what data can be used, under what legal basis, and with what evidence that people’s rights have not been bypassed.
The anonymisation guidance is particularly important because many data strategies depend on the proposition that datasets can be moved outside GDPR once identifying characteristics have been removed. The Board’s approach is more demanding than a superficial removal of names, email addresses, or account numbers. It says organisations should assess whether data can still be linked, inferred, or isolated in a way that could identify or single out an individual.
That test becomes harder in AI systems because models are trained across large, high-dimensional datasets, while the wider market now contains more tools capable of combining fragments of information from multiple sources. A dataset may look anonymous inside one organisation’s system, but become identifiable when combined with another party’s data, analytical tools, or access rights. Companies sharing data across suppliers, research partners, public bodies, or AI vendors therefore need to understand not only what has been removed, but whose capabilities must be considered when assessing re-identification risk.
The web scraping guidance addresses a different but related problem. Generative AI developers have often treated public availability as though it were a proxy for legal availability. The EDPB is making the opposite point: GDPR can apply when scraping involves the collection, storage, organisation, retrieval, or other processing of personal data, even where that data was publicly visible online.
The Board’s guidance covers legal basis, transparency, purpose limitation, data minimisation, accuracy, and special-category data. It also indicates that organisations may not always need to inform individuals personally where doing so is impossible or would involve disproportionate effort, but that does not remove the need for a lawful and documented processing framework. The argument will move from whether scraped data was public to whether the processing design can withstand regulatory scrutiny.
Enterprise AI buyers will increasingly need sharper procurement questions around training data, fine-tuning datasets, provenance controls, and vendor indemnities. Public bodies and regulated industries may face higher evidential burdens because trust, auditability, and citizen or customer rights sit closer to the centre of deployment decisions.
The guidance also narrows the gap between AI governance and data protection compliance. The EU AI Act sets rules around risk, transparency, and obligations for different AI actors, but GDPR remains a live constraint wherever personal data is used. As AI products become embedded in customer service, HR, finance, health, legal operations, and public administration, data protection will shape what products can be procured, what datasets can be reused, and what evidence must sit behind claims of compliance.
For AI companies, the burden will not be evenly distributed. Larger vendors may absorb more detailed documentation, dataset governance, and privacy engineering as part of enterprise sales. Smaller AI businesses may find that proving lawful data practices becomes another barrier to entering regulated markets, especially where buyers demand warranties that upstream data collection was lawful.
The consultation gives industry a chance to challenge, refine, or clarify the practical application of the guidance. Yet the direction is already visible. Scraping and anonymisation are not being treated as purely technical choices. They are becoming board-level questions about legal exposure, product design, vendor risk, and the conditions under which Europe’s AI market can scale without eroding the data rights on which its digital rulebook rests.










