Skip to content
Menu
Menu

EDPB Opens Consultation On Using Public Personal Data To Train AI

The draft guidance explains how GDPR applies when organizations collect personal data from publicly available websites for generative AI training.

 

The European Data Protection Board (EDPB), the EU’s top data protection body, opened a public consultation on draft guidance covering the use of publicly available personal data to train generative AI.

The guidance explains how the General Data Protection Regulation (GDPR) applies to those activities.

The draft guidance is for organizations that collect personal data themselves through web scraping, hire another party to collect it, or obtain existing datasets for AI training. Public comments are open until Oct. 30, 2026.

The EDPB says the guidance applies whenever publicly available personal data is processed to develop or improve generative AI models.

The draft states that organizations remain responsible for complying with the GDPR when they collect and use publicly available personal data to train generative AI. It outlines how existing privacy obligations apply throughout the process, from data collection to model training. 

The guidance also discusses legitimate interest, a legal basis organizations may rely on when processing publicly available personal data. Organizations must demonstrate that the processing is necessary to pursue that interest and that individuals’ rights and freedoms do not override it. 

The draft also imposes additional restrictions on the use of sensitive personal data, such as health records, religious beliefs, or other sensitive characteristics. Organizations processing that data must satisfy both the general GDPR requirements for processing personal data and an additional specific exception for sensitive data.

To reduce privacy risks, the EDPB recommends limiting the amount of personal data collected. It also recommends filtering unnecessary information, using synthetic data where appropriate, and applying anonymization or pseudonymization where feasible.

Alongside the AI guidance, the EDPB opened a separate public consultation on draft anonymization guidelines. Those guidelines explain when data can be considered anonymous and therefore fall outside the scope of the GDPR. The guidance introduces three tests to assess whether data is effectively anonymized: no record isolation, no linkage, and no inference.

The consultation on both sets of draft guidelines closes on Oct. 30, 2026. After reviewing public feedback, the EDPB is expected to consider revisions before adopting final guidance.

Clayton Rifkind

Clayton Rifkind is the Founder and Senior Editor of AI Risk Today. He also advises on content development for esgtoday.com, a leading source of ESG investment news and research for institutional investors and corporate leaders. He has 20+ years experience in B2B technology marketing, leading strategy and execution of go-to-market plans across software, enterprise platforms, and mobile applications. He also founded two marketing consultancies, advising startups and Fortune 1000 companies, including Autodesk, Intel, and Microsoft. Clayton began his career in the San Francisco advertising scene, working with brands such as Hewlett-Packard, Intel, Microsoft, Symantec, and Wells Fargo.

Essential AI Risk Intelligence

Daily insights on AI governance, regulation, and enterprise risk management. Trusted by Chief Risk Officers and compliance leaders globally.

By subscribing, you agree to receive our daily newsletter. Unsubscribe anytime.

Advertise with AI RIsk Today, Today!