EDPB: Guidelines on Anonymisation and AI Web Scraping
On 8 July 2026, the EDPB adopted draft guidelines on anonymisation and on web scraping in the context of generative AI for public consultation. Consultation open until 30 October 2026.
On 8 July 2026, the EDPB released two draft guidelines for consultation: one on anonymisation and another on web scraping in the context of generative AI. The public consultation runs until 30 October 2026.
Key facts
Meeting in Brussels, the European Data Protection Board adopted the “Guidelines 202602 on Anonymisation” and the “Guidelines 03/2026 on web scraping in the context of generative AI”. The texts clarify when data can be considered truly anonymous and under which conditions scraping personal data to train AI models is lawful. The EDPB notably indicates that where scraping collects special categories of data, both a legal basis under Article 6 GDPR and an Article 9(2) exception are required.
Legal framework and basis
- Anonymisation: updated interpretation of what no longer qualifies as “personal data” under Article 4(1) GDPR, in light of CJEU case C‑413/23 P EDPS v. SRB (4 September 2025). The EDPB stresses that qualification depends on context and on the means reasonably likely to be used by a given actor. To explore the GDPR framework, see our overview.
- Web scraping for generative AI: framing automated collection operations with a legal basis (Art. 6 GDPR) and, for sensitive data, an Art. 9(2) exception; transparency duties for indirect collection (Art. 14), information to data subjects and modalities to exercise rights (Arts. 15–22, including the Art. 21 right to object); application of data minimisation (Art. 5(1)(c)) and privacy by design (Art. 25).
What changes for Luxembourg businesses
- Data/AI teams and model providers: scraping compliance becomes more concrete. Legitimate interest (Art. 6(1)(f)) alone is not enough; you must assess, dataset by dataset, whether special categories emerge (political opinions, health, beliefs, sexual orientation, etc.) and, if so, justify an Art. 9(2) exception. Otherwise, training becomes unlawful. Expert support in AI governance can help structure these assessments.
- Controllers performing “anonymisation”: the EDPB ties analysis to case C‑413/23 P: anonymity is assessed from the actor’s perspective and the reasonable means available. “Pseudonymised” or insufficiently aggregated datasets remain personal data and fall under GDPR (records, DPIA, transfers).
- Timeline: even at consultation stage, these texts reflect the authorities’ expected state of the art. Luxembourg actors (banks, insurers, e‑commerce, media, EdTech, AI providers) should align now, considering CNPD supervision, NIS 2 and DORA in Luxembourg requirements on data/AI risk governance.
Immediate actions to take this week
- Map training datasets and web collections: identify sources, legal bases (Art. 6), potential presence of Art. 9 data, and exclusion criteria; suspend any scraping involving sensitive data without a documented Art. 9(2) exception.
- Review “anonymisation” vs “pseudonymisation”: run independent re-identification tests, document threat models and “reasonably likely” means per C‑413/23 P; if risk remains, treat the dataset as personal (DPIA, Arts. 25/32 measures, contracts).
- Transparency and rights: update Art. 14 notices, provide dedicated information on scraping/training, effective opt-outs, and a process to handle access/erasure requests relating to training datasets.
If you need to accelerate compliance, our team can support your CNPD-aligned GDPR compliance in Luxembourg and the alignment of your AI practices.
Article generated by Luxgap regulatory watch. For tailored guidance on this topic, contact us.
A question on this topic?
Our team usually replies within one business day. Configure your quote or write to us.
Build my quote →