What the EDPB Actually Adopted
On July 8, 2026, the European Data Protection Board used its plenary to adopt two significant pieces of guidance: Guidelines 03/2026 on web scraping in the context of generative AI, and new guidelines on anonymisation. Both are now open for public consultation until 30 October 2026, 23:59 CET, alongside a finalized set of guidelines on blockchain data processing. Nothing here is binding law yet — the EDPB is soliciting feedback before finalizing — but the direction of travel is unmistakable, and any AI developer training on EU-origin data should be reading this now, not in November.
The headline finding is not surprising in the abstract: the Board confirms that web scraping for generative AI training falls squarely within GDPR scope whenever it touches data about identified or identifiable people. What's new is the granularity. The guidelines walk through the entire scraping lifecycle — collection, storage, training, deployment, deletion — and tie it to specific obligations under GDPR Articles 5, 6, 9, 10, 14 and 89, a level of prescriptiveness the industry hasn't previously had to reckon with from Brussels on this specific practice.
Consent Is Effectively Off the Table
The most consequential line in the guidance is procedural rather than dramatic: consent, the EDPB says, will "most probably not serve as a workable legal basis for scraping," because companies scraping the open web have no direct relationship with the individuals whose data they collect. Publishing something publicly, or a site's failure to post a robots.txt file, does not amount to consent either. That forecloses the legal basis most AI labs have quietly assumed was available and pushes nearly everyone toward Article 6(1)(f) legitimate interest — a three-part test requiring a legitimate purpose, necessity (can the same result be achieved with less data, or synthetic data), and a documented balancing test weighing the controller's interest against the individual's reasonable expectations, with robots.txt directives and CAPTCHA walls now treated as relevant signals of an individual's or platform's opposition.
Special category data gets its own, stricter track. Even incidental collection of political opinions or health information swept up from social media triggers Article 9 obligations; the guidelines lean on the CJEU's GC and Others ruling (C-136/17) to say incidental collection may be tolerable only if the controller stays within the "framework of their responsibilities, powers and capabilities" and builds in filtering and output safeguards against model memorization and regurgitation.
Anonymisation Gets a Real Test
The companion anonymisation guidelines matter just as much for AI training pipelines, since "truly anonymous" data falls outside GDPR entirely. The EDPB now applies a three-criteria test — no record isolation, no linkage, no inference — built explicitly on the CJEU's EDPS v SRB ruling (C-413/23 P) of September 4, 2025. As EDPB Chair Anu Talus put it, "data is anonymous if it does not relate to an identified or identifiable natural person" — but whether a dataset clears that bar "may vary from one entity to another," which is precisely the kind of context-dependent standard that makes blanket anonymization claims risky for any lab hoping to sidestep GDPR by de-identifying scraped corpora.
The Case for the Guidance
The strongest argument for this approach isn't abstract. Large language models are trained on personal data that individuals never agreed to hand over, scraped at a scale and opacity no one can meaningfully consent to, and — once embedded in model weights — cannot be cleanly deleted the way a database row can. That asymmetry, between a handful of well-resourced labs and billions of people with no visibility into whether their writing, photos, or medical forum posts became training data, is a legitimate regulatory concern, and a documented balancing test is a reasonable response to genuine opacity, not a bureaucratic reflex.
Where It Overreaches
The cost is compliance friction that scales poorly with company size. A rigorous, case-by-case legitimate-interest balancing test — repeated across every dataset, every model version, every jurisdictional signal like robots.txt — is exactly the kind of standing legal overhead that large incumbents can staff and smaller EU-based or EU-facing labs cannot. The guidance stops short of a bright-line rule and instead hands lawyers a multi-factor test whose outcome is genuinely hard to predict in advance, which is a worse outcome for open, competitive AI development than either a clear prohibition or a clear safe harbor would be. That's a real risk to the EU's own stated goal of fostering competitive, homegrown AI development, not just an inconvenience for Big Tech.
What to Watch
With the window open until October 30, the practical move for any AI developer training on EU data is to start documenting legitimate-interest assessments now, rather than waiting for the final text — the EDPB's track record, including finalizing its blockchain guidance in the same session after its own consultation period, suggests the substance rarely softens much between draft and final.