Recital 26: The Role of Deidentification in Data Privacy Compliance

Recital 26 has long been cited in data privacy discussions, but it’s now moving from background guidance to centre stage. With the EU’s latest regulatory push through the Digital Omnibus, the question is no longer whether data is simply “deidentified,” but whether that claim can withstand scrutiny. This shift puts pressure on organizations to revisit how they handle, assess, and justify their data practices. What used to be a technical exercise is quickly becoming a core compliance issue.

By bringing the essence of Recital 26 closer to the definition of personal data under Article 4, regulators are signalling a need for clearer reasoning, stronger controls, and more defensible decisions in handling PII. Deidentification measures are, therefore, going to be more strongly scrutinized. At the same time, there’s going to be a need to balance the effects of deidentification with the utility of data for AI model training. Let’s see how the recital might reshape expectations around data privacy compliance, especially with deidentification. We will explore what the regulators are now expecting and how organizations should react.

Recital 26 and the Question of Identifiability

Recitals in EU law provide the context, intent, and interpretive guidance behind the binding articles of a regulation. While they’re not enforceable, they play a critical role in explaining how legal provisions should be understood and applied. Recital 26, in particular, has always been central to data privacy because it defines when data can be considered anonymous.

  • Boundary between personal and anonymous data: Recital 26 is fundamental because it clarifies when data falls outside the scope of data privacy laws altogether. Instead of treating anonymization as a purely technical outcome, it frames anonymity as a legal threshold. Data is only considered anonymous if individuals are no longer identifiable in a realistic sense.
  • Shift in identifiability from absolute to contextual: Recital 26 makes it clear that identifiability is not a fixed property of data, but something that depends on context. The same dataset may be considered anonymous in one environment and personal in another, depending on who holds it and what additional data or capabilities they possess.
  • Role of external data and evolving technology: The recital implicitly accounts for the fact that re-identification risk is influenced by external datasets and technological progress. Even if direct identifiers are removed, individuals may still be identifiable through linkage with other available information.
  • Responsibility on organizations to assess risk: While Recital 26 does not prescribe a specific methodology, it makes organizations responsible for evaluating whether identification is reasonably likely. This introduces a layer of judgment and accountability, requiring more than a checkbox approach.

Preparing for a New Standard of Deidentification

Many existing deidentification approaches were designed with a static, technical mindset. They focus on removing or masking direct identifiers without fully accounting for context, evolving data ecosystems, or advances in re-identification techniques. Here’s how organizations can prepare for upcoming developments in GDPR driven by the Digital Omnibus and Recital 26.

  • Reassess current deidentification practices against real-world risk: Organizations should revisit how they currently deidentify data, not just from a technical standpoint but from a risk perspective. Recital 26 emphasizes identifiability based on what is “reasonably likely,” which means companies need to evaluate factors like available technology, external data sources, and realistic attack scenarios. What worked as a compliance approach earlier may not hold up if it does not reflect how re-identification could actually occur in practice.
  • Documentation and justification processes: One of the most immediate changes is the need to document and defend deidentification decisions. Organizations should begin creating clear records of how data was transformed, what assumptions were made, and why re-identification is considered unlikely. This will be essential for audits and regulatory scrutiny, where companies must demonstrate their reasoning.
  • Account for context and data ecosystem dependencies: Companies need to evaluate identifiability in context, including who has access to the data and what other datasets might be available for linkage. Recital 26’s approach means that the same dataset may carry different risks depending on the recipient or environment. Preparation should include mapping data flows, understanding third-party access, and assessing how context changes identifiability.

Truyo Scramble: Deidentify Data for AI Without Losing Utility

One of the emerging challenges with deidentification is not just compliance, but usability, especially in the context of AI. Many traditional approaches prioritize strong masking or encryption, but in doing so, they often strip away the structure and relationships within the data. This makes the data less useful for training machine learning models, particularly large language models that rely on patterns, context, and semantic consistency.

With Recital 26 entering the data privacy fold, organizations will need ways to balance PII protection with preserving the analytical value of the data. Truyo Scramble is designed with this balance in mind. By transforming data in a way that protects sensitive elements while retaining its underlying structure, it enables organizations to use deidentified data more effectively for AI and analytics use cases without losing sight of evolving data privacy expectations under frameworks like Recital 26.

Path Forward for Data Privacy

Recital 26 is moving beyond interpretive guidance and becoming a practical benchmark for how organizations approach data privacy compliance. As regulatory expectations evolve, companies that treat deidentification as a one-time technical step may find themselves exposed. The focus is shifting toward clearer reasoning, stronger internal alignment, and the ability to demonstrate why data can be considered non-identifiable in a given context. Preparing for this shift now will not only reduce compliance risk but also enable more confident and responsible use of data across the organization.


Author

Dan Clarke
President, Truyo
April 22, 2026
