Anonymous or not? The EDPB's new draft guidelines on anonymisation
On 7 July 2026, the European Data Protection Board (EDPB) adopted a draft version of the long-waited Guidelines 02/2026 on Anonymisation (the Draft Guidelines) and released them for public consultation. The Draft Guidelines offer an updated framework for a crucial question in data protection law: when does data cease to be personal and therefore fall outside the scope of the GDPR? This question is generally relevant for all businesses dealing with data. Over the past years, it became particularly relevant for businesses aiming to use data for the purposes of AI training or for scientific-related activities (e.g. in the health sector). Therefore, the publication of the Draft Guidelines has been highly anticipated.
The Article 29 Working Party's Opinion 05/2014 on anonymisation techniques (WP 216) as the foundational reference point until now was published more than a decade ago. Since then, the legal, technological and privacy-engineering landscapes have shifted considerably. The CJEU has developed case law on the concept of personal data, new laws on the use of data have been introduced (such as the EU Data Act), EU-wide data spaces have emerged or will be established, and advances in AI and re-identification techniques have changed what is technically possible. The Draft Guidelines are intended to update the WP 216, refining the criteria set out there and situating them within this evolved environment.
Reinforcing the relative approach to personal data
The threshold of identifiability is one of the decisive factors in determining whether information constitutes either regulated “personal data” or unregulated “anonymous data” / “non-personal data”. The Draft Guidelines solidify the relative approach to identifiability that has already been (re-)confirmed by recent case law. In the landmark CJEU ruling in EDPS v SRB (Case C-413/23 P) in September 2025, the CJEU held that pseudonymised data may not be classified as personal data in all cases and for every recipient (relative understanding of anonymity). Rather, if a receiving entity lacks any reasonable means to re-identify any individual, the dataset is, from that recipient's perspective, anonymous.
The Draft Guidelines build directly on this relative understanding by providing more detailed guidance on the exact circumstances that determine identifiability. Whether a natural person is identified or identifiable depends on the extent to which they can be distinguished from others in a given context and thereby treated differently. The EDPB details the specific, objective circumstances that practitioners must evaluate to determine whether an entity's means of identification are “reasonably likely to be used”. These circumstances include all objective factors such as:
- the properties of the data itself, such as its granularity, uniqueness, and level of aggregation;
- the technological environment, taking into account current state-of-the-art tools as well as foreseeable technological developments;
- the cost, time, and labour required to obtain any necessary additional information for re-identification; and
- the legal and context-specific barriers that may effectively prevent an entity from using those means.
For practitioners, this relative framework means that a dataset might be treated as anonymous under the GDPR for a recipient who lacks the practical means to re-identify, even if the transferring controller retains the key and continues to treat its own copy as personal data.
The EDPB's new Re-Identification Risk Assessment
To operationalise the test of whether data is anonymous, the Draft Guidelines set out a structured analytical technique.
Organisations may apply it in one of two ways:
- a contextual approach, which takes into account the differing capabilities of the various entities who might re-identify individuals, or
- a simplified approach, which disregards those differences for the sake of convenience.
The contextual approach reflects the full legal standard and allows a controller to reach a nuanced conclusion, while the simplified approach is more cautious, potentially treating data as personal even where it would be anonymous for some entities. The two testing approaches can be combined; for instance, beginning with the simplified approach to identify whether re-identification is possible in theory, then pivoting to the contextual approach to test whether the relevant means are actually reasonably likely to be used.
At the heart of the anonymisation framework sit three cumulative criteria that allow organisations to test the limits of anonymisation by evaluating susceptibility to modern re-identification techniques. This new Re-Identification Risk Assessment consists of the following criteria:
- No possibility of record isolation (singling out): This criterion is met if it is impossible to isolate a specific record in a dataset that relates to a single, unique individual. The EDPB notes that as datasets grow in dimensionality and resolution, the likelihood of unique, isolated records may increase significantly. For example, in a corporate office, “working in the finance department” or “leaving the building after 8:00 PM” may not be unique behaviors, but a dataset tracking the combination of both attributes (or more attributes) may quickly isolate a single, unique employee.
- No possibility of linkage: This requires that records within the dataset cannot be linked to other records or external databases relating to the same individual. To satisfy this, the information must not be correlated with similar data collected in other contexts, as even “noisy” or slightly inaccurate data can often be linked using auxiliary sources. For example, a customer database stripped of direct identifiers but containing a customer’s birth year, gender, and generalised location remains vulnerable to linkage if a business partner’s marketing database or a public registry contains those same matching attributes including direct identifiers.
- No possibility of inference: This criterion is satisfied if no specific and meaningful deductions can be drawn from the data to attribute new characteristics to an individual. The EDPB notes that this applies to both record-level and aggregate data, including situations where an outlier's attributes can be deduced from group-level statistics or where generative AI models can be queried to leak individual training data. An example of this is a company publishing aggregate salary data showing that its engineers receive a total of EUR 550,000; if combined with internal team reports showing five specific engineers earn EUR 480,000, it allows an observer to easily infer that the sixth engineer earns EUR 70,000.
If all three criteria are met under either the contextual or simplified approach, the data can be considered anonymous. Conversely, if any criterion is not met, the data does not automatically become personal, but – according to the Draft Guidelines – the organisation must conduct a deeper Re-Identification Risk Assessment to determine whether the real-world risk of re-identification remains insignificant.
Further GDPR compliance clarifications in relation to anonymous data
Beyond refining the analytical criteria, the Draft Guidelines clarify further compliance aspects.
The EDPB confirms that anonymisation is itself a processing activity requiring a legal basis under Article 6 GDPR and, where special categories of data are involved, an applicable exemption under Article 9(2) GDPR. Where anonymisation forms part of the same processing activity and pursues the same purpose as the preceding processing, that legal basis or legal exemption may be presumed to coincide.
Organisations are also reminded of their transparency obligations meaning that data subjects must be told that their personal data will be anonymised, and misleading labels such as “anonymous” or “de-identified” must be avoided where individuals in fact remain identifiable.
On documentation, the Draft Guidelines call for organisations to adequately record the anonymisation process, including the testing of supposedly anonymous datasets, and to retain that documentation afterwards in order to demonstrate both GDPR compliance and the effectiveness of the anonymisation.
Furthermore, the EDPB emphasizes that the likelihood of re-identification typically increases over time as technology and the availability of additional data evolve, especially pronounced in the context of AI and machine learning. It therefore recommends periodic reassessment of anonymised data, so that data which was genuinely anonymous when created is not quietly rendered personal by later developments. In that regard, the Draft Guidelines also address data incidents. A data incident may trigger a further Re-Identification Risk Assessment, particularly where the assessment relied on certain information remaining confidential, and may in turn give rise to notification obligations.
Outlook
How the Draft Guidelines will play out in practice remains to be seen. The framework is principled and adaptable, but its application will depend heavily on the specific facts of each dataset and processing context, and organisations may find that reaching confident conclusions requires meaningful analytical effort.
It will also be important to monitor how these principles evolve alongside the broader legislative reforms under the Digital Omnibus on Data and Cyber initiative, which may provide an opportunity to clarify the question of identifiability at the level of the GDPR text itself. The Commission’s Draft on a reform of the GDPR suggested the addition of clarifying language to the definition of personal data by adding the essence of the EDPS v SRB case into legal text. However, any such amendments are unlikely to be adopted before late 2026 or early 2027.
For the moment, organisations should closely follow further developments. There is also an opportunity to provide feedback to the Draft Guidelines by 30 October 2026 and it can be expected that various organisations will provide feedback individually or via associations in which they are members. However, as in previous (also controversial) cases, it appears rather likely that the essence of the final guidelines remains unchanged. Therefore, organisations must be prepared to revisit their anonymisation techniques and potentially create supporting documentation such as Re-Identification Risk Assessments in light of the evolving guidance. Further, the Draft Guidelines make clear that anonymity may not be treated as a one-off determination but as an assessment that warrants periodic review.
