EDPB’s Landmark Guidelines on Anonymisation, AI Web Scraping, and Blockchain

Table of Contents

Being called a A New Era of Clarity and Accountability: The European Data Protection Board (EDPB) has taken a major step forward in shaping how organizations handle data in the age of artificial intelligence and emerging technologies. During its July 2026 plenary, the Board adopted three significant sets of guidelines: one on anonymisation, another on web scraping in the context of generative AI, and the final version of its long-awaited guidelines on blockchain and personal data processing. These documents provide much-needed practical guidance while reinforcing core GDPR principles.

For privacy professionals, tech companies, AI developers, and any organization working with large datasets or decentralized technologies, these guidelines represent both opportunity and obligation. They clarify long-standing ambiguities, introduce structured assessment frameworks, and set clear expectations for compliance. Public consultation on the anonymisation and web scraping guidelines runs until 30 October 2026, giving stakeholders a final opportunity to shape the final texts.

Understanding Anonymous Data: Moving Beyond the Binary

One of the most impactful contributions from the EDPB is its new guidance on what constitutes anonymous data under the GDPR. Building on the Court of Justice of the EU’s ruling in case C-413/23 P (EDPS v SRB) from September 2025 and other key jurisprudence, the guidelines establish that data is anonymous only when it does not relate to an identified or identifiable natural person.

This determination is not always straightforward. Information can relate to an individual through its content, purpose, or effect — and the link may not be obvious at first glance. An individual is considered identifiable if they can be distinguished from others in a specific context using means that are reasonably likely to be used. The assessment must consider all objective factors and is taken from the perspective of the relevant entity.

The EDPB introduces a practical three-criteria framework to test whether anonymisation has been successful:

  • No record isolation — Individuals cannot be singled out within the dataset.
  • No linkage — It should not be possible to combine the data with other datasets to re-identify individuals.
  • No inference — The data should not allow meaningful inferences about individuals.

If all three criteria are met, the data can generally be treated as anonymous. If any criterion fails, further analysis is required. Organizations can choose between a “contextual approach” (which accounts for differences in re-identification capabilities between potential recipients) or a simpler approach that ignores those differences for convenience and added caution. The contextual approach aligns more closely with the legal standard, while the simplified one may lead organizations to treat data more conservatively than strictly required.

This framework is a welcome development. It moves the conversation beyond the outdated “anonymous vs. personal data” binary and acknowledges the reality that anonymisation is highly context-dependent. For companies building datasets for analytics, AI training, or sharing, these guidelines provide a structured way to document decisions and demonstrate accountability — a key GDPR requirement.

Importantly, the guidelines emphasize that whether data is anonymous can vary between entities. What is anonymous for one recipient might not be for another with greater technical capabilities or access to additional data sources. This has direct implications for data sharing arrangements and vendor management.

Web Scraping for Generative AI: Navigating High-Risk Data Collection

Web scraping — the automated, large-scale extraction of data from websites — has become a foundational technique for training generative AI models. However, it often occurs without individuals’ knowledge and carries significant privacy risks. The EDPB’s new guidelines on web scraping in the context of generative AI address this directly and build on the Board’s earlier Opinion on AI models.

The GDPR applies whenever web scraping involves personal data, including collection, storage, organization, and retrieval. Two principles receive particular attention: purpose limitation and transparency.

Under purpose limitation, organizations must ensure that scraped data is used only for the specific, explicitly stated purposes for which it was collected. Using web-scraped data for AI training when the original purpose was something entirely different (such as public indexing) raises serious compliance questions. The guidelines stress the need for careful purpose definition at the outset.

Transparency is equally challenging. While controllers generally must inform individuals, the EDPB acknowledges that individual notification may be impossible or require disproportionate effort in large-scale scraping scenarios. In such cases, organizations should still provide clear public information about their scraping activities and data use.

The Board offers several practical recommendations for compliance:

  • Scrape data only from reliable sources.
  • Record timestamps of collection.
  • Validate data before using it in AI training to meet the accuracy principle.
  • Implement measures to comply with data minimisation — collect only what is strictly necessary.

On legal bases, the guidelines provide further detail on using legitimate interest for web scraping aimed at AI training. Organizations must conduct a balancing test that carefully weighs their interests against the rights and freedoms of data subjects, particularly when scraping involves large volumes of data from public websites.

Special categories of personal data (sensitive data under Article 9 GDPR) receive strong emphasis. Processing is in principle prohibited unless both a lawful basis under Article 6 and an exception under Article 9(2) are met. The EDPB notes that incidental or residual collection of special category data may sometimes be addressed under the framework established in the GC & Others ruling (C-136/17), provided the controller acts within its responsibilities, powers, and capabilities and implements robust technical and organisational measures to prevent collection and dissemination. There is no general exemption — each situation requires individual assessment.

These guidelines send a clear signal: web scraping for AI is not a free-for-all. Organizations that have been indiscriminately harvesting internet data for model training now have a detailed compliance roadmap — and significant exposure if they fail to follow it.

Blockchain Technologies: Final Guidance After Stakeholder Input

The EDPB has also adopted the final version of its guidelines on the processing of personal data through blockchain technologies. Following public consultation, the Board released both a report on the consultation outcomes and a track-changes version of the guidelines, demonstrating its commitment to transparency and stakeholder dialogue as outlined in the Helsinki statement.

Blockchain presents unique GDPR challenges because of its core characteristics: immutability, decentralization, and distributed consensus. Once data is recorded on a blockchain, it can be extremely difficult — or practically impossible — to modify or delete it, raising direct conflicts with rights such as erasure and rectification.

The guidelines help organizations navigate these issues by explaining how different blockchain architectures (public vs. private, permissioned vs. permissionless) affect data protection responsibilities. They clarify roles of controllers and processors in blockchain environments and discuss technical measures that can help achieve compliance, such as off-chain storage for personal data, encryption, and careful design of smart contracts.

Key themes include accountability, data minimisation, and the tension between blockchain’s immutability and individuals’ rights. The final version incorporates feedback from the consultation, making it more practical and balanced than earlier drafts.

For organizations exploring or already using blockchain — whether for supply chain tracking, digital identity, financial services, or decentralized applications — these guidelines are essential reading. They provide a structured way to assess GDPR compliance before committing significant resources to blockchain projects.

Cross-Cutting Themes and Practical Compliance Implications

Taken together, these three sets of guidelines reflect several important trends in European data protection:

Contextual and Risk-Based Approaches: The EDPB consistently emphasizes that compliance depends on context — the capabilities of different actors, the specific use case, and the risks to individuals. One-size-fits-all solutions are increasingly insufficient.

Accountability and Documentation: Organizations are expected to demonstrate how they reached compliance decisions. The anonymisation framework, web scraping recommendations, and blockchain analysis all encourage robust documentation and technical/organisational measures.

Balancing Innovation and Rights Protection: The guidelines support responsible innovation in AI and distributed technologies while insisting on strong safeguards, particularly around transparency, purpose limitation, and special category data.

Stakeholder Engagement: The public consultation periods and release of consultation reports show the EDPB’s commitment to dialogue, as highlighted in the Helsinki statement.

For organizations, immediate practical steps include:

  • Review existing datasets and data processing activities against the new anonymisation criteria.
  • Conduct or update legitimate interest assessments specifically for any web scraping or large-scale data collection used in AI development.
  • Map blockchain use cases against the final guidelines, paying particular attention to data subject rights and data minimisation.
  • Prepare for the end of the public consultation period by submitting feedback where relevant.
  • Update internal policies, training, and vendor due diligence processes to reflect these expectations.

Non-compliance carries real risks. The web scraping guidelines in particular highlight how activities that were once seen as low-risk technical operations can now trigger significant GDPR obligations and potential enforcement action.

EDPB guidelines

These EDPB guidelines arrive at a pivotal moment. Generative AI continues its rapid development, blockchain adoption is growing across industries, and questions around anonymisation remain central to data sharing and analytics strategies. By providing clearer rules of the road, the Board is helping organizations navigate these complex areas while upholding the fundamental rights that the GDPR protects.

The public consultation period until 30 October 2026 offers a valuable window for companies, industry associations, and privacy professionals to influence the final shape of the anonymisation and web scraping guidance. Engaging meaningfully now can help ensure the guidelines are both protective and workable in practice.

At Captain Compliance, we view these developments as an opportunity for organizations to strengthen their data governance practices proactively. The organizations that treat these guidelines as a strategic advantage — rather than just another compliance burden — will be best positioned to innovate responsibly while building trust with users and regulators alike.

The EDPB has delivered clarity where it was needed most. The real work now begins as organizations translate these principles into concrete technical and organisational measures. If your team needs support assessing current practices against these new guidelines, preparing consultation responses, or building compliant AI and blockchain programs, we are ready to assist.

Privacy compliance in 2026 and beyond will increasingly reward those who embrace nuance, context, and rigorous documentation. These EDPB guidelines are a clear step in that direction.

Written by: 

Online Privacy Compliance Made Easy

Captain Compliance makes it easy to develop, oversee, and expand your privacy program. Book a demo or start a trial now.