
In these changing times, anonymization cannot keep up with AI

AI is rapidly undermining the practical stability of anonymization, making effective data governance a more reliable foundation for privacy protection.


Contributors:

Noemie Weinbaum

AIGP, CIPP/A, CIPP/C, CIPP/E, CIPP/US, CIPM, CIPT, CDPO/FR, FIP

Senior Managing Counsel, Privacy and Compliance

UKG

Roy Kamp

AIGP, CIPP/A, CIPP/E, CIPP/US, CIPM, CIPT, FIP

Legal Director

UKG

"Come senators, congressmen, please heed the call."

Bob Dylan wrote those words as a warning to institutions struggling to keep pace with change. It was not a polite suggestion. It was a recognition that systems built for one era rarely survive intact into the next.

Nearly 60 years later, the same tension is playing out again — this time in privacy law.

In 2025, we argued that anonymization had become contextual or "subjective." The idea was that whether data is anonymous depends on who holds it, what additional data they possess and what capabilities they can deploy. In one set of hands, data may be anonymous — outside the bounds of the law. In another, it may still be personal data and subject to the full scope of regulation.

At the time, this aligned with the direction of travel. Regulators — including through the Court of Justice of the European Union Single Resolution litigation and emerging EU reforms such as the Digital Omnibus — appeared to accept that identifiability is relative, anchored to the EU General Data Protection Regulation's Article 26 "means reasonably likely" to be used by a given actor.

But that warning applies here, too.

The times have changed — much, much faster than we anticipated. And with that, so too must our position.

The illusion of stability

Anonymization has always been something of a paradox.

On the one hand, it is foundational. If data can truly be anonymized, it falls outside the scope of data protection law altogether. On the other hand, its definition has never been stable. Even within the EU, regulators have oscillated between absolute and relative standards: whether reidentification must be impossible or merely unlikely.
