What happened
During its July plenary (guidelines dated/published July 7-8, 2026, per EDPB source documents and multiple law-firm trackers including ReedSmith, Aphaia, and Pierstone), the European Data Protection Board adopted draft Guidelines 03/2026 on web scraping in the context of generative AI, alongside draft guidelines clarifying the GDPR concept of anonymous data (building on CJEU case C-413/23 P, EDPS v SRB), and finalized (post-consultation) blockchain-processing guidelines. The web-scraping guidelines set out a three-part legitimate-interest test for AI training data collection, treat robots.txt/ai.txt/CAPTCHAs/login-walls as relevant signals for the balancing test, and require purpose limitation, transparency, data minimisation and accuracy safeguards across the AI training lifecycle. Public consultation on the anonymisation and web-scraping guidelines runs until October 30, 2026.
Why it matters
This is the EU's first comprehensive GDPR-specific framework addressing the core data-sourcing technique behind most generative AI model training. While not yet final/binding, EDPB guidelines carry substantial legal weight and are routinely relied upon by national DPAs in enforcement; the anonymisation guidance also has broad impact on companies claiming datasets fall outside GDPR scope for AI training purposes.
Action needed
GenAI developers and dataset suppliers with EU training-data pipelines should review scraping practices against the legitimate-interest balancing test, document source reliability/timestamps/opt-out mechanisms, and consider submitting comments before the October 30, 2026 consultation deadline.