Introduction
The European Data Protection Board (“EDPB”) has issued detailed guidelines on anonymisation and web scraping in the context of generative AI. These guidelines clarify when data can be considered truly “anonymous” and therefore outside the scope of the EU General Data Protection Regulation (“GDPR”).
Although the guidelines are not binding in India, they are highly relevant for entities operating under the Digital Personal Data Protection Act, 2023 (“DPDP Act”). Indian data fiduciaries and processors increasingly rely on anonymisation to enable analytics, AI/ML and data‑sharing, yet DPDP provides limited detail on what qualifies as effective anonymisation. Adopting EDPB‑style tests and documentation can help Indian organisations avoid “anonymity‑washing”, align with global best practices, and strengthen their DPDP compliance posture.
Why Anonymization is central under DPDP Act
The DPDP Act applies to “digital personal data” which is data about an identifiable individual processed in digital form. Once personal data is irreversibly anonymised, it no longer falls within the core statutory obligations. This distinction already underpins several compliance and business strategies in India: Using anonymized datasets for advanced analytics and AI/ML, without repeatedly seeking consent, sharing anonymised information with group entities or partners to build new products and services and reducing regulatory exposure in high‑risk sectors such as fintech, health‑tech, ad‑tech and HR‑tech.
However, DPDP Act and the Rules provide only a high‑level indication of anonymisation. They do not spell out what technical and organisational measures are expected to render data non‑identifiable and further, how to differentiate between truly anonymized data and pseudonymised or otherwise de‑identified data.
The EDPB Anonymization guidelines
The EDPB’s new guidelines were designed for the GDPR framework, especially given the rise of AI and large‑scale data processing. But the underlying concepts are technology‑neutral and relevant wherever identifiability is the dividing line.
At a high level, the guidelines:
- Confirm that data is anonymous only if it does not relate to an identified or identifiable natural person, considering realistic means and auxiliary data available for re‑identification.
- Emphasize a context‑specific analysis: what counts as “reasonably likely” means of identification depends on the specific controller or processor, their environment, and the data ecosystem they operate in.
- Offer two analytical approaches for controllers a contextual approach, which carefully accounts for different actors’ capabilities and access to additional information and a simplified approach, where controllers adopt a more conservative stance, assuming broader re‑identification possibilities and treating borderline datasets as within data‑protection law.
The Three‑Criteria Test: When is Data Truly “Anonymous”?
Under the EDPB framework, anonymisation is considered successful when three core risks are mitigated:
- No record isolation: It should not be reasonably possible to single out an individual’s record within a dataset. If a dataset has small or unique combinations of attributes that allow singling out one person, record isolation risk remains.
- No linkage: It should not be possible to link records relating to the same individual across different datasets or data sources. If a dataset allows linking, even without direct identifiers, pseudonymization rather than anonymisation is more accurate.
- No inference: It should not be possible to infer new identifying or sensitive information about an individual from the data. If a dataset enables robust inferences about specific persons’ behaviour, health, finances or other sensitive attributes, anonymisation may be inadequate.
If any of these three criteria are not satisfied, the guidelines recommend treating the data as still within the scope of EU data‑protection obligations. For organisations, this means anonymisation must be approached as a risk‑based, documented process, not a simple transformation or label.
Relevance for India: DPDP Act and global practice
From an Indian law perspective, the EDPB guidelines do not change DPDP’s text or directly create new obligations. However, they can influence DPDP‑era practice in several important ways:
- Global privacy programs and group standards: Indian entities that are part of multinational groups or serve EU‑based clients will often be expected to follow the group’s global privacy standard. If the group adopts the EDPB three‑criteria test as its baseline, that standard will be applied, across all operations, including purely India‑facing data processing, and to internal policies, training, and audit checklists that Indian teams must comply with.
- Contractual and vendor expectations: Data‑processing agreements and data‑sharing contracts increasingly include detailed definitions of “anonymised data” and “pseudonymised data” based on recognised regulatory guidance. Over time, Indian processors may be required to warrant that their anonymisation practices meet a standard consistent with EDPB‑style criteria, and provide transparency into techniques and assessments used to justify treating data as out‑of‑scope.
- Interpretive influence on DPDP enforcement: When Indian authorities, boards or courts examine whether DPDP applies to a dataset, they may draw on mature foreign standards as persuasive references. EDPB’s guidance offers a structured way to analyse identifiability and residual risk and a language and toolkit for discussing re‑identification, linkage and inference in a consistent manner.
What Indian data fiduciaries and processors should do now
In light of this development, Indian businesses can take practical steps to strengthen their DPDP compliance and global readiness:
- Re‑assess “anonymous” datasets: Review datasets currently treated as anonymous and ask:
- Can individual records be singled out (record isolation)?
- Can records be linked across different systems (linkage)?
- Can sensitive or identifying information be reasonably inferred (inference)?
If the answer to any of these is “yes” or “uncertain”, treat the dataset as within DPDP and apply appropriate obligations.
- Treat anonymisation as a documented process: Incorporate anonymisation assessments into:
- Data Protection Impact Assessments (DPIAs).
- Internal data‑mapping and inventories.
- Privacy‑by‑design reviews for new products and features.
Document techniques used (aggregation, generalisation, noise addition, synthetic data, etc.) and the risk analysis that supports your classification.
- Clarify definitions in contracts and policies
Ensure that internal policies and external contracts clearly differentiate between:
- Anonymised data (irreversibly non‑identifiable).
- Pseudonymised or de‑identified data (still falls within DPDP and other obligations).
Where appropriate, tie these definitions to risk‑based criteria rather than broad, untested assumptions.
AMLEGALS Remarks
The EDPB’s anonymisation guidelines reflect a wider global trend: regulators are moving away from formalistic labels and towards substantive, risk‑based accountability. For Indian organisations under the DPDP Act, this is an opportunity rather than a burden. Further, it allows them to design privacy programs that are defensible in India and internationally and reduces the chance of over‑reliance on “anonymous data” in ways that may later be challenged by regulators or data principals. While encouraging closer collaboration between legal, compliance, technology and business teams in defining how anonymization should work in practice.
For any queries or feedback, feel free to connect with mridusha.guha@amlegals.com or Khilansha.mukhija@amlegals.com

