Abstract Healthcare AI depends on high-dimensional, sensitive data from clinical records, imaging, genomics and wearables, creating heightened risks of identifiability that require rigorous anonymization. We present a practice-oriented approach to operationalize anonymization as measurable reductions in singling out, linkability, and inference under the General Data Protection Regulation (GDPR), aligned with the European Union Artificial Intelligence Act (EU AI Act). The synthesis integrates regulatory guidance (EDPB, ICO, CNIL) with international frameworks (OECD, NIST, WHO) and technical studies on privacy-enhancing technologies to define testable criteria. We develop an acceptance-tested methodology (validated against pre-defined success criteria) comprising test plans, context-calibrated thresholds and auditable evidence, supported by a dual documentation architecture linking Data Protection Impact Assessments (DPIAs) and AI Act technical files. Comparative analysis of GDPR, Health Insurance Portability and Accountability Act (HIPAA), Personal Information Protection Law (PIPL), and India’s Digital Personal Data Protection Act (DPDP Act) shows cross-border governance implications, and findings support a measurement-first strategy that reconciles privacy protection with data utility and fairness at scale.
Peng et al. (Tue,) studied this question.