The European Data Protection Board today opened a public consultation on Guidelines 02/2026 on Anonymisation, a 33-page framework that replaces the three-criteria test the Article 29 Working Party set out in 2014 and adds a new fourth element addressing inference-based re-identification. The guidelines were adopted on 07 July 2026 and cover how organisations, including those in advertising and marketing technology, should determine whether a dataset has been successfully stripped of its connection to identifiable individuals.

The document responds to more than a decade of change since the original Working Party Opinion 05/2014. According to the guidelines, developments in case law from the Court of Justice of the European Union, the establishment of EU-wide data spaces, and advances in artificial intelligence created a need to update the earlier criteria. The consultation period runs from 08 July through 30 October 2026, with comments due by 23:59 CET on the closing date.

Anonymised data sits outside GDPR's scope entirely. Personal data that has been successfully anonymised is no longer subject to the regulation, which creates a strong commercial incentive across ad tech, retail media, and identity resolution to demonstrate that a given dataset qualifies. The stakes of getting the assessment wrong, however, are equally significant: if anonymisation fails and a dataset is later found to contain identifiable individuals, the controller becomes retroactively accountable for processing personal data without a lawful basis throughout the period the data was mistakenly treated as anonymous.

A test built on two questions

At the core of the updated framework sits what the guidelines call a two-question test. Does the information relate to a natural person, and if so, is that person identified or identifiable? If the answer to either question is no, the guidelines direct that the data should be considered anonymous. The nuance, which the document spends considerable space unpacking, is that the answer to both questions can vary depending on who is looking at the data.

The guidelines describe this as differing perspectives among relevant entities. Information might unambiguously relate to an individual, yet only one organisation possesses the means to actually identify that person. In that scenario, the data counts as personal for the organisation that can identify the person and anonymous for everyone else who cannot. This relativity principle did not originate with the new guidelines; it traces directly to a Court of Justice ruling that PPC Land covered when it was delivered.

That case, EDPS v Single Resolution Board (C-413/23 P), reached judgment on September 4, 2025, after originating from the SRB's 2017 resolution of Banco Popular Español. The SRB had transferred pseudonymised comments from affected shareholders to Deloitte, an independent valuation firm, without disclosing the transfer in its privacy statement. The Court of Justice held that whether information constitutes personal data must be assessed from the perspective of the recipient, and that pseudonymised data transferred to a party lacking reasonable means of re-identification might not be personal data for that party. The new anonymisation guidelines build directly on this recipient-perspective principle, citing the SRB judgment more than a dozen times across their footnotes.

Two ways to run the assessment

The guidelines set out two distinct methods for applying the anonymity test, each with its own tradeoffs. The contextual approach accounts for differences in capability among the various parties who might attempt to identify a data subject. It reflects, according to the document, the full nuances of the legal standard and permits a controller to conclude that data is anonymous for some entities while remaining personal for others.

The simplified approach disregards those differences entirely. Rather than asking whether a specific entity can realistically use a particular re-identification technique, it asks only whether re-identification is possible in theory by anyone. According to the guidelines, this approach can go beyond the legal standard, potentially leading a controller to treat data as though it is not anonymous even where it would, in fact, qualify as anonymous for particular relevant entities. What the simplified method sacrifices in precision, it offers back in convenience and in a more cautious level of protection, since it shifts the risk of error from false positives toward false negatives.

Notably, the guidelines observe that a combination of the two approaches will often prove most practical. A controller might start with the simplified method, asking whether re-identification is possible at all; if it is not, the assessment ends there. If the simplified method flags a theoretical vulnerability, the controller can then shift to the contextual approach and examine whether the specific entities involved actually possess the means to exploit it.

No Record Isolation, No Linkage, No Inference

The technical heart of the framework rests on three criteria, all of which a dataset must pass, under either approach, for the guidelines to presume it anonymous.

No Record Isolation asks whether the data contains a unique combination of attribute values tied to a single individual. The guidelines illustrate this with a hypothetical dataset of five patient records, each combining sex, date of birth, postcode, and an autoimmune disease diagnosis. Because every combination of those four fields turns out unique across the five records, the dataset fails this criterion outright. As the guidelines put it, the larger a record and the more attributes it contains, the higher the likelihood that record will prove unique within the wider dataset.

No Linkage examines whether a record in the given dataset could be matched, with certainty or high likelihood, to a record in a separate dataset relating to the same individual. The guidelines' worked example involves a board game shop testing whether its purchase records, once stripped of direct identifiers, could still be linked to a public website where customers log which games they own. Finding matching records on that external site would mean the shop's data fails the No Linkage criterion, even though no name, email, or phone number appears anywhere in the retailer's own file.

No Inference, the newest of the three criteria in its explicit formulation, addresses situations where a relevant entity could draw a specific and meaningful conclusion from the data without needing to isolate a record or link it externally. The guidelines distinguish carefully between inferences that are merely specific, meaning they relate to one identified person, and those that are both specific and meaningful, meaning the inference also relies on the underlying dataset and could not have been derived from general population-level knowledge. A hypothetical involving anonymised bank loan data illustrates the distinction: an inference about a new applicant's default risk, drawn from patterns in the historical dataset, does not violate the criterion if it reflects population-level correlations that would apply regardless of whether that particular applicant's data appears in the original file.

The guidelines devote particular attention to inference risks tied to artificial intelligence. According to the document, membership inference, the ability to determine that a specific individual's data was included in a training set, can itself violate the No Inference criterion even without extracting any other detail about that person. The guidelines also flag de-aggregation attacks capable of extracting data from AI models that were presumed anonymous, and note that developments in agentic AI are likely to reduce both the time and cost required to deploy increasingly sophisticated re-identification techniques.

What happens when a criterion fails

Failing one of the three criteria does not automatically mean a dataset must be treated as personal data. The guidelines set out a compiled results table spanning all three criteria and both assessment approaches, directing controllers toward further analysis whenever a criterion is violated rather than an immediate conclusion of personal data status.

For a No Record Isolation failure, the guidelines direct controllers to test whether the isolated, unique records actually permit singling out an individual, given whatever additional information a relevant entity might reasonably access. If singling out proves impossible, even though the record technically remains unique, the guidelines state that the data can still be considered anonymous. A worked example describes a cinema survey containing thirty free-text questions per respondent; because of the volume of questions, nearly every response set turns out unique, yet nothing in the survey ties any answer set back to an identifiable person, so the dataset can still pass overall despite the Record Isolation violation.

A rebuttable presumption that the law will be followed

One of the more consequential clarifications in the guidelines concerns how controllers should weigh the possibility that an entity might break the law to re-identify someone. The Court of Justice previously held that means do not need to be considered reasonably likely to be used if they are prohibited by law and that prohibition is genuinely effective. The new guidelines caution against treating this as an automatic exemption.

According to the document, the general assumption that people will follow the law can be rebutted where there is sufficient evidence of a concrete risk that unlawful means are nevertheless reasonably likely to be deployed. Relevant factors include evidence that a legal prohibition is not effectively monitored or enforced, evidence that the potential gains from breaking the prohibition outweigh the associated costs and risks, and evidence that comparable prohibitions have previously been breached or circumvented in similar situations. A worked example involves a media company relying on a legal prohibition against third-party access to its servers, only to discover that its own out-of-date network security measures mean the prohibition provides no real practical barrier against determined intruders, prompting the company to upgrade its defences before re-testing.

The guidelines separately caution against using an entity's presumed lack of motivation as a factor in this analysis. Motivation, the document notes, can be difficult to demonstrate objectively and may not remain consistent with an entity's subsequent actions; identification can occur through accident, negligence, or circumstances that force an otherwise unmotivated party to act.

Relevant entities span a wide range

The guidelines list categories of entities that may need to be considered relevant when assessing identifiability, and the range extends well beyond the controller and its immediate contractual partners. Alongside receiving entities and rogue employees, the list includes investigative journalists, particularly for data concerning individuals in or approaching public life, domestic and foreign law enforcement or intelligence agencies, unethical companies that might exploit legal grey areas, and cybercriminals who simply disregard the law altogether. Not every category applies in every case, according to the guidelines, but the assessment depends on the specific circumstances and the entities directly or indirectly positioned to receive the data.

The document also addresses what happens when anonymisation succeeds for a receiving entity but not for the party carrying out the anonymisation itself. In that scenario, the guidelines state, the anonymising controller must continue to treat the data as personal for its own purposes and comply with the full range of GDPR obligations, even though the same data qualifies as anonymous once it reaches the recipient.

Where this sits inside a wider regulatory contest

The anonymisation guidelines arrive as the European Commission's Digital Omnibus package remains under active negotiation. That package, introduced by the Commission on November 19, 2025, includes a proposed amendment to the GDPR's definition of personal data intended to codify elements of the SRB judgment. According to Alliance Digitale's position paper, the proposal would amend Article 4 of the GDPR to state that information is not personal data for an entity lacking the reasonably likely means to re-identify an individual.

The EDPB and the European Data Protection Supervisor have already objected to how far that proposed codification goes. In a joint opinion the two authorities adopted on 10 February 2026, they warned that the Commission's proposed text goes beyond a targeted modification or a mere codification of Court of Justice jurisprudence. Specifically, the authorities flagged a clause stating that data does not become personal for an entity merely because a subsequent recipient has means reasonably likely to be used for identification, arguing this contradicts the SRB ruling's own finding that otherwise-anonymous data can become personal when placed at a capable recipient's disposal.

The new anonymisation guidelines do not resolve that legislative dispute, since they operate under the GDPR as it currently stands rather than as the Commission has proposed to amend it. But the guidelines' heavy reliance on the SRB judgment, and their explicit incorporation of a recipient-perspective analysis into the technical framework, suggest the EDPB intends its own interpretation of the case law to anchor the debate regardless of how the Digital Omnibus negotiations conclude.

Germany separately pushed the Commission toward anonymisation and pseudonymisation clarity through an October 2025 proposal, arguing according to the German federal government that it remains unclear what anonymisation and pseudonymisation requirements need to be fulfilled to comply with the GDPR. That proposal predates the EDPB's own guidelines by roughly nine months, and the new framework's release gives regulators, industry associations, and national governments a fresh document to weigh against whatever legislative text eventually emerges from Brussels.

Consequences for the marketing sector

For advertising and marketing technology specifically, the guidelines matter because so much of the industry's infrastructure depends on datasets that fall somewhere between clearly personal and clearly anonymous. Identity resolution platforms, clean rooms, and cross-context measurement systems routinely process pseudonymised identifiers, hashed emails, device fingerprints, and aggregated audience segments, each of which could plausibly sit anywhere along the spectrum the guidelines describe.

The document's fingerprinting example speaks directly to advertising practice. A website that identifies visitors through a unique combination of browser, operating system, screen resolution, and time zone, then uses that fingerprint to track them from page to page, is according to the guidelines using an identifier in the same sense as a name or an ID number. The example involving several websites sharing fingerprint-derived pseudonyms with a common advertising provider goes further, noting that the third party can use those pseudonyms to link data across sites and decide which advertisements to show, meaning the individuals in question remain identified or identifiable from that third party's perspective even though it never directly interacts with them.

The inference criterion carries separate implications for programmatic infrastructure and AI-driven personalisation. A dataset that permits a demonstrably meaningful inference about a specific person, even one never included in the original file, can fail the No Inference test if that inference relies on patterns unique to the underlying data rather than general population knowledge. Given how heavily targeted advertising depends on inferred attributes rather than declared ones, the distinction the guidelines draw between population-level and individual-specific inference sets a technical bar that lookalike modelling, propensity scoring, and similar techniques will need to be tested against.

The guidelines' emphasis on periodic reassessment carries its own operational weight. According to the document, the likelihood of re-identification typically increases over time as re-identification techniques and additional information both become more available, and it recommends that entities processing anonymised data periodically reassess that likelihood wherever appropriate. A dataset anonymised and deployed today under the 2014 Working Party criteria was not required to be retested against this newer framework, according to the guidelines' own transitional note, though the document describes periodic reassessment as good practice regardless of which framework originally applied.

The consultation window

Stakeholders have until 30 October 2026 to submit comments through the EDPB's provided form. The board has stated it will publish submitted comments directly on its website, and that submissions may separately be subject to access requests under Regulation 1049/2001 governing public access to European Parliament, Council, and Commission documents. The EDPB Secretariat screens replies before publication solely to block unauthorised or spam submissions; the attached files themselves are not altered.

Whether the final version of the guidelines, once adopted, will track closely with this consultation draft remains an open question, particularly given how actively the underlying legal definition of personal data is being contested through the Digital Omnibus process running in parallel. The three-month feedback window gives industry associations, individual companies, and civil society groups a formal channel to weigh in before the framework hardens into its final form.

Timeline

  • April 10, 2014: Article 29 Working Party adopts Opinion 05/2014 on anonymisation techniques, establishing the original three-criteria framework.
  • April 26, 2023: General Court annuls an EDPS decision against the Single Resolution Board, ruling that pseudonymised data transferred to Deloitte was not personal data from Deloitte's perspective.
  • January 16, 2025: EDPB adopts Guidelines 01/2025 on Pseudonymisation, version for public consultation.
  • February 6, 2025: Advocate General delivers an opinion supporting the recipient-centric approach to personal data assessment in the SRB case.
  • September 4, 2025: Court of Justice of the European Union delivers judgment in EDPS v SRB (C-413/23 P), confirming that identifiability must be assessed from the relevant entity's own perspective.
  • October 23, 2025: Germany submits a proposal to the European Commission calling for legislative clarification of anonymisation and pseudonymisation standards.
  • November 19, 2025: European Commission formally presents the Digital Omnibus package, including a proposed amendment to the GDPR's definition of personal data.
  • December 12, 2025: EDPB convenes a stakeholder event on anonymisation and pseudonymisation, gathering input from 115 participants.
  • February 10, 2026: EDPB and EDPS adopt a joint opinion warning that the Commission's proposed personal data amendment goes beyond a mere codification of the SRB ruling.
  • April 15, 2026: EDPB publishes draft Guidelines 1/2026 on processing of personal data for scientific research purposes and announces a dedicated sprint team to finalise the anonymisation guidelines.
  • July 7, 2026: EDPB formally adopts Guidelines 02/2026 on Anonymisation, version 1.0.
  • July 8, 2026: Public consultation on the anonymisation guidelines opens, running through October 30, 2026.

Summary

Who: The European Data Protection Board, the body representing the European Union's national data protection authorities, adopted the guidelines and opened them for public comment.

What: Guidelines 02/2026 on Anonymisation, a 33-page framework replacing the Article 29 Working Party's 2014 anonymisation criteria with an updated legal analysis and a three-part technical test covering No Record Isolation, No Linkage, and No Inference.

When: The guidelines were adopted on July 7, 2026, and the public consultation opened today, July 8, 2026, running through October 30, 2026.

Where: The guidelines apply across the European Union and European Economic Area under the General Data Protection Regulation, published through the EDPB's public consultations portal.

Why: Anonymised data falls entirely outside GDPR's scope, giving organisations, including those across advertising, identity resolution, and retail media, strong commercial reasons to demonstrate their datasets qualify. The guidelines arrive while the European Commission's Digital Omnibus package is simultaneously attempting to amend the GDPR's underlying definition of personal data, meaning the framework for assessing anonymity and the legal text it interprets are both in motion at once.