Legal Rules Shift as AI Challenges Data Anonymization Standards
New regulations expand oversight of anonymized data amid AI-driven privacy risks.
Why it matters: Legal teams must update compliance practices as AI techniques can undo traditional anonymization, increasing privacy and regulatory challenges.
- U.S. DOJ’s 2025 Data Security Program covers anonymized, pseudonymized, and de-identified data, expanding regulatory scope.
- EU GDPR exempts only data that cannot be reasonably re-identified, reflecting AI's impact on privacy.
- EU AI Act, effective August 2026, designates healthcare AI as high-risk, requiring strict data governance and bias monitoring.
- A 2019 study showed AI can re-identify 99.98% of individuals in de-identified datasets using just 15 demographic traits.
Regulations on anonymized data are evolving as artificial intelligence changes what privacy means in practice. The U.S. Department of Justice’s Data Security Program, set to take effect April 8, 2025, expands oversight to include anonymized, pseudonymized, and de-identified data types. This signals a shift: these categories, once viewed as low-risk, now fall under stronger regulatory controls.
In Europe, the General Data Protection Regulation (GDPR) continues to exclude truly anonymous data from its rules. However, for data to qualify as anonymous, it must be nearly impossible to re-identify individuals through any reasonable method, a standard growing stricter due to AI capabilities.
The European Union AI Act, which will be enforceable starting August 2, 2026, identifies AI systems used in healthcare as 'high-risk.' These systems must comply with rigorous requirements, including data quality checks and efforts to detect bias throughout the data lifecycle, recognizing that AI complicates traditional anonymization.
Research highlights the risks: a 2019 study found AI methods could re-identify 99.98% of individuals within a U.S. health dataset that was otherwise de-identified, using just 15 demographic attributes. This example underlines that anonymization procedures once considered secure are vulnerable to modern AI techniques.
Privacy expert Giles Pratt advises that "relying on weak anonymization or overstating data protection levels exposes organizations to significant legal and reputational risks." He stresses the need for legal and compliance teams to stay informed on patchy global standards as advancements in AI rapidly reshape data privacy norms.
Additional context comes from the U.S. Department of Justice announcement, which explicitly underscores these expanded requirements and offers guidance on adapting organizational policies to new standards.
By the numbers:
- 2025 — Effective date of U.S. DOJ expanded data security rule covering anonymized data
- August 2, 2026 — EU AI Act enforcement start, imposing strict rules on healthcare AI
- 99.98% — Re-identification rate achieved by AI on a de-identified dataset in a 2019 study
Yes, but: While AI increases re-identification risks, some experts note that no anonymization method is foolproof, which calls for layered data protection strategies.
What's next: Organizations should prepare for enforcement of the EU AI Act by August 2026 and monitor evolving U.S. DOJ guidance to update data handling policies accordingly.