Back to blog
Actualites

The EDPB wants AI training data to be timestamped: what the draft guidelines say

In its draft guidelines on web scraping for generative AI, the EDPB recommends recording the timestamp of collected data before using it. A look at a text open for consultation until 30 October 2026.

7 min read
The EDPB wants AI training data to be timestamped: what the draft guidelines say

Timestamping rarely stepped outside the field of proof of priority. On 8 July 2026, it turned up where you would not expect it: in a draft set of guidelines from the European Data Protection Board (EDPB) on web scraping for generative artificial intelligence. In it, the regulator explicitly recommends recording the timestamp of collected data before using it to train a model.

The signal is interesting, but it should be read with care. This text is not final: it is a draft, open for public consultation. Here is what it says, what it does not, and why dated traceability is becoming a topic well beyond creators.

!
A text in consultation, not a rule in force

Unlike the blockchain guidelines, adopted in final form on 8 July 2026, the guidelines on anonymisation and web scraping for generative AI are a draft open for consultation until 30 October 2026. Their wording may change. This article describes a direction, not a settled obligation.

What the EDPB draft recommends

In the section on web scraping, the EDPB addresses how personal data collected from the web can be processed lawfully for generative AI. Among the measures put forward, one sentence stands out for our topic.

The EDPB recommends "scraping data only from reliable sources, recording the timestamp, and validating the data before using them," as relayed by France's CNIL. The stated goal: to comply with the accuracy principle.

That principle is not new. It appears in Article 5(1)(d) of the GDPR: personal data must be "accurate and, where necessary, kept up to date." What the draft adds is a method: date the collection so you can later demonstrate the state of a data point at the moment it entered the training set.

Why dating collected data changes something

Data scraped from the web is not fixed. A page changes, information becomes stale, content is corrected or removed. Without a temporal marker, there is no way to know what the data looked like when it was captured.

Recording a timestamp answers three concrete needs:

  • Trace the origin: on what date, from which source, was the data extracted?
  • Document the state: the data used for training corresponded to this version, on this date.
  • Answer a challenge: if the accuracy, freshness, or lawfulness of a data point is questioned, a verifiable timestamp makes objective what was used.
i
Content timestamping and collection timestamping

Two uses converge. Priority timestamping proves a file existed on a given date. Collection timestamping, here, documents the moment a data point entered a process. In both cases the mechanics are the same: a fingerprint, a date, an independent verification.

What it proves, what it does not

It would be wrong to conclude that "timestamping your data makes an AI processing operation compliant." Timestamping is a link in traceability, not compliance in itself.

The EDPB draft also recalls that processing special categories of data (sensitive data within the meaning of Article 9 GDPR) is in principle prohibited, with no general exemption: dating a collection obviously does not lift that prohibition. Likewise, lawful scraping requires a legal basis, respect for minimisation, and informing individuals.

In other words, timestamping documents the when and the what. It resolves neither the why (the purpose) nor the right (the legal basis). It is a useful evidentiary building block, provided you do not make it say more than it does.

A reflex that reaches beyond AI

Beyond teams that train models, this direction illustrates a deeper trend: documenting the date and integrity of a data point as it enters a process is becoming a compliance and traceability reflex.

A company building an evidence file, a service archiving deliverables, an organisation that must prove what it held at a given moment: all have an interest in freezing a dated fingerprint rather than relying on approximate memory. The EDPB draft merely applies to AI a logic already tested elsewhere.

Where does LegalStamp fit in?

LegalStamp produces exactly this kind of marker: a SHA-256 fingerprint computed locally, anchored to the Bitcoin blockchain via OpenTimestamps, and an independently verifiable receipt. The file never leaves your machine; only the fingerprint is published.

For a data team or a controller, this makes it possible to freeze the state of a dataset, a collection log, or a batch of files on a precise date, without depending on a third party for later verification. Timestamping does not replace data governance; it adds a solid temporal proof to it.

LegalStamp remains a non-qualified timestamping service under eIDAS: the evidentiary weight of the receipt is assessed case by case, within the framework of free assessment of evidence.

Trace your data at scale

To timestamp batches of files or collection logs on an ongoing basis, LegalStamp's Pro and Team plans cover the volume with folder organisation and an API. See the pricing →

Conclusion

The EDPB draft guidelines send a clear signal: timestamping is no longer confined to intellectual property, it enters the traceability of the data itself. But as long as the text remains in consultation until 30 October 2026, it should be treated as a direction, not an established rule.

The right stance is twofold: anticipate the good practice (date and validate your data upstream) while keeping in mind that timestamping documents, without dispensing with full compliance.

FAQ

In its draft guidelines on web scraping for generative AI, the EDPB recommends scraping data only from reliable sources, recording its timestamp, and validating it before using it for training, in order to comply with the accuracy principle under the GDPR.
No. Unlike the blockchain guidelines adopted in final form on 8 July 2026, the guidelines on anonymisation and web scraping for generative AI are a draft open for public consultation until 30 October 2026. Their content may change before final adoption.
Recording the collection date lets you trace the origin and state of a data point at the moment it entered the training set. If the accuracy, freshness, or lawfulness of a data point is challenged, a verifiable timestamp documents what was used and when.
No. Timestamping is one traceability tool among others. Lawful scraping also requires a legal basis, respect for minimisation, informing individuals, and appropriate handling of special categories of data. The EDPB recalls that processing sensitive data is in principle prohibited absent an applicable exception.
The accuracy principle, set out in Article 5(1)(d) of the GDPR: data must be accurate and, where necessary, kept up to date. Timestamping and validating data before training helps demonstrate that this principle was taken into account when the dataset was built.
Beyond AI, the logic generalises: documenting the date and integrity of a data point as it enters a process becomes a compliance and traceability reflex. Any organisation that must prove what it held, and when, is concerned by this good practice.

Disclaimer: this article is provided for informational and educational purposes. It does not constitute legal advice and comments on a draft text under consultation that may change. For the compliance of a data processing operation or an AI project, have your strategy validated by a legal professional or your data protection officer.

Jeremy

Jeremy

Fondateur de LegalStamp, passionne par la blockchain et la protection des creations.

Share:

Related articles

Ready to protect your creations?

Create your first proof of priority for free in less than 30 seconds.