Anonymous data (and anonymisation) meaning

The Opinion arose from a referral by the Irish Data Protection Commission (DPC) under Article 64(2) of the EU General Data Protection Regulation, Regulation (EU) 2016/679 (the EU GDPR). Article 62(4) allows any EU data protection authority (DPA) to put questions to the EDPB that are of general relevance or have implications across more than one EU Member State, with the aim of enhancing harmonisation and clarity on such matters. Over the past twelve months in particular, DPAs have been wrestling with AI, and the DPC—acting as lead DPA for many of the world’s largest technology companies—has frequently led on the most urgent issues. While EDPB Opinions, akin to guidelines, do not have binding legal force, they will strongly shape how DPAs proceed; accordingly, we should expect the Opinion’s principles to appear in national guidance and enforcement actions. What issues did the Opinion address? In broad terms, the Opinion tackles three central themes: anonymity, legitimate interests, and the impact of unlawfully training an AI model on any later...

This Practice Note examines the law and practice in relation to anonymisation, pseudonymisation and privacy enhancing technologies (or PETs). It specifically outlines what constitutes robust anonymisation and pseudonymisation and sets out core methods that can be applied. It further introduces the suite of tools referred to as PETs. It assesses the framework under the United Kingdom General Data Protection Regulation, Assimilated Regulation (EU) 2016/679 (UK GDPR), alongside the UK Data Protection Act 2018 (DPA 2018). Where pertinent to the UK GDPR, EU case law and guidance are taken into account. For information on the position under the EU’s General Data Protection Regulation, Regulation (EU) 2016/679 (EU GDPR), see Practice Note: in the EU. On this topic, key differences exist between the UK GDPR regime and the EU GDPR. That said, at a high level the UK GDPR and EU GDPR remain closely aligned. For background on the UK GDPR and how it relates to the EU GDPR, see Practice Note: The UK General Data Protection Regulation (UK GDPR)—Summary of...

FORTHCOMING CHANGE This Practice Note sets out the present legal landscape; bear in mind that aspects of it are expected to shift under the Digital Omnibus proposals released on 19 November 2025, aligned with the European Commission’s ‘simplification’ programme and related initiatives. For further details and updates, see Practice Note: EU Digital Omnibus—tracker. The Note also supplies additional guidance on principal definitions within the EU’s General Data Protection Regulation, Regulation (EU) 2016/679 (the EU GDPR). Scope of this Practice Note This Practice Note examines EU GDPR rules applicable across EEA states at the supranational tier only—please consult guidance from the competent national data protection authorities and domestic statutes, as appropriate, for the approach likely to be followed in any EEA jurisdiction. Owing to the substantial movement of data between the EEA and other regions, practitioners may need to evaluate not only the extra-territorial scope of the EU GDPR in non-EEA jurisdictions, but equally the extra-territorial reach of third countries’ data protection laws to processing and use within...

This Practice Note offers additional guidance on the principal definitions found in the United Kingdom General Data Protection Regulation, Assimilated Regulation (EU) 2016/679 (the UK GDPR). For a high-level overview of UK data protection legislation, see Practice Notes: The UK General Data Protection Regulation (UK GDPR) and Data protection law—new starter guide. The UK data protection law collection brings together further general guidance and is a recommended first point of reference for research. Scope of this Practice Note Given the significant volume of data moving between the UK and the EEA, corresponding EEA data protection rules remain particularly relevant to UK practitioners. There continues to be substantial similarity between: the EU GDPR (which was applicable under UK laws until the close of the Brexit implementation period at 11 pm UK time on 31 December 2020 and still applies within the EEA) the UK GDPR (which has applied under UK laws from the end of the Brexit implementation period and is largely derived from the...