GDPR and DMA: Strengthened Cooperation Between EC and EDPB

The General Data Protection Regulation (GDPR) and the Digital Markets Act (DMA) are two fundamental regulatory frameworks shaping the landscape of digital services and platforms in the European Union. These regulations, although distinct in their objectives, intersect significantly, particularly regarding digital gatekeepers and the obligations they must fulfill. Recently, the European Commission services responsible for enforcing the DMA and the European Data Protection Board (EDPB) announced enhanced cooperation to provide clarity on how these regulations should be applied in a complementary and coherent manner. This collaboration highlights the importance of aligning the regulatory frameworks to ensure that digital gatekeepers comply with both the GDPR and DMA in a consistent manner.

Source

[1]

EDPB to work together with European Commission to develop guidance on interplay GDPR and DMA | European Data Protection Board

European Data Protection Board

[2]

Commission services and EDPB will start joint work on guidance on the interplay between DMA and GDPR

This enhanced dialogue between Commission’s services and the EDPB will focus on the applicable obligations to digital gatekeepers under the DMA which present a strong interplay with the GDPR.

Digital Markets Act (DMA)

The enhanced collaboration also stems from the EDPB’s strategic commitment for the 2024-2027 period, which places a strong emphasis on fostering cross-regulatory consistency. The EDPB aims to develop specific guidelines on the interplay between the DMA and GDPR to provide digital gatekeepers with clear interpretations of how these regulations intersect. Importantly, these guidelines will ensure that the GDPR remains fully applicable even when gatekeepers are subject to DMA obligations, with gatekeepers continuing to be supervised by independent data protection authorities.

The DMA explicitly states that it applies without prejudice to the GDPR, meaning gatekeepers must still comply with GDPR obligations, particularly around personal data processing. This underscores the need for comprehensive guidance from the EDPB, which is tasked with safeguarding GDPR compliance while considering the market-based obligations imposed by the DMA. The High-Level Group (DMA HLG), created by the European Commission as part of the DMA, is instrumental in ensuring the alignment of these two frameworks. The group comprises 30 representatives from key regulatory bodies, including the EDPB and European Data Protection Supervisor (EDPS), ensuring expert guidance and advice on how the DMA and GDPR can be implemented in a coherent and complementary manner.

The Digital Markets Act (DMA)

The DMA is a cornerstone of the EU's digital policy, specifically targeting large online platforms designated as "gatekeepers." These gatekeepers wield significant market power and control key digital services, such as search engines, social networking services, and app stores. The DMA’s main goal is to ensure fair competition in the digital markets, prevent monopolistic behaviors, and foster innovation by imposing specific obligations on gatekeepers.

Some of the core obligations for gatekeepers under the DMA include:

• Data access and portability: Gatekeepers must allow users and businesses to access and transfer their data across platforms.
• Interoperability: Gatekeepers must ensure that third-party services can work seamlessly with their own platforms.
• Transparency and non-discrimination: Gatekeepers must not favor their own products over those of competitors.

While the DMA primarily focuses on maintaining competitive markets, many of these obligations have a significant overlap with data protection principles enshrined in the GDPR, particularly concerning personal data handling, user consent, and transparency.

According to the EDPB's ongoing work on the guidelines regarding the intersection of the DMA and GDPR, the guidance will specifically address how personal data processed by gatekeepers in the context of DMA obligations will remain under the purview of GDPR standards. This is crucial since many DMA requirements (e.g., data sharing and interoperability) inherently involve the handling of personal data, which must be carried out in compliance with GDPR principles such as lawful processing, purpose limitation, and data minimisation.

GDPR: A Primer on Data Protection

The GDPR is a comprehensive legal framework that governs the processing of personal data in the EU. Its primary objectives are to ensure the privacy of EU citizens and to harmonize data protection laws across EU member states. The GDPR grants individuals rights over their personal data, including:

• Right to access: Individuals have the right to request access to their personal data.
• Right to erasure ("right to be forgotten"): Individuals can request the deletion of their data under certain conditions.
• Consent requirements: Processing of personal data must be based on explicit and informed consent, unless certain exceptions apply.

GDPR is enforced by national data protection authorities (DPAs), with oversight from the European Data Protection Board (EDPB). Given its emphasis on privacy and data protection, many of the obligations under the GDPR naturally intersect with the requirements set forth by the DMA for digital gatekeepers. This is particularly true when gatekeepers handle vast amounts of personal data, and there is a pressing need to ensure that DMA obligations concerning data sharing and portability are aligned with GDPR’s stringent data protection requirements.

The EDPB’s response to the European Commission also indicates that the cooperation is aimed at creating a joint deliverable. This initiative is designed to foster legal certainty and cross-regulatory consistency, including in enforcement practices, which would go beyond independently produced documents. This joint deliverable would further clarify how digital gatekeepers can effectively meet both the data protection obligations under GDPR and the market competition objectives outlined in the DMA, particularly in areas where there are cross-cutting regulatory requirements.

GDPR & DMA: Cooperation Between the Commission and the EDPB

The recent cooperation between the Commission services in charge of enforcing the DMA and the EDPB signifies an important step toward ensuring a unified interpretation and application of the two regulatory frameworks. This collaboration is critical because it addresses potential interplay challenges where the DMA and GDPR both impose obligations on digital gatekeepers, particularly in relation to:

• Data access and sharing: The DMA mandates that gatekeepers must facilitate access to data for businesses and users. However, the GDPR imposes strict conditions on how personal data should be handled, ensuring that any data processing is lawful, transparent, and respects the rights of data subjects. The cooperation aims to clarify how gatekeepers can comply with both sets of obligations without infringing on data protection rights.
• Interoperability and data privacy: The DMA's emphasis on interoperability could require gatekeepers to allow third-party access to their platforms. This could raise concerns under the GDPR, where sharing of personal data must adhere to stringent consent and security measures. The EDPB and the Commission are likely to issue guidelines to ensure that interoperability obligations under the DMA do not compromise the principles of data protection under the GDPR.
• Data-driven competition and user rights: The GDPR provides individuals with control over their data, while the DMA seeks to break down the monopolistic control that gatekeepers have over user data. The cooperation between the Commission and the EDPB will focus on ensuring that gatekeepers comply with both data portability requirements under the GDPR and fair competition rules under the DMA without conflicting the regulatory intents.

Coherent Application Across GDPR and Digital Markets Act Regulatory Frameworks

Achieving a coherent application of the GDPR and DMA is paramount to prevent regulatory confusion, ensure legal certainty, and foster innovation while protecting individual rights. Gatekeepers, as powerful digital intermediaries, often process vast amounts of personal data, making it crucial that their obligations under both frameworks align.

• Consistency in enforcement: With the Commission’s services enforcing the DMA and national DPAs enforcing the GDPR, inconsistency in application could create regulatory gaps. Enhanced cooperation ensures that both authorities work in tandem, especially when dealing with cross-cutting issues related to data privacy and competition law.
• Complementary objectives: The GDPR and DMA are complementary in many respects. The GDPR aims to protect individuals’ privacy rights, while the DMA promotes fair competition and consumer choice in digital markets. By aligning their enforcement efforts, regulators can ensure that gatekeepers not only protect user data but also do not abuse their dominant positions to stifle competition.
• Data sharing vs. data protection: One of the main areas of overlap is the data-sharing obligation under the DMA, which requires gatekeepers to allow third parties to access user data. This must be reconciled with the GDPR's strict requirements for lawful data processing. Cooperation between the Commission and the EDPB will ensure that such data-sharing obligations under the DMA comply with the GDPR’s provisions on user consent, purpose limitation, and data minimization.

The EDPB Task Force on Competition & Consumer Law, alongside the DMA High Level Group (DMA HLG), will play a critical role in ensuring that these guidelines are well-coordinated and reflect the competencies of each regulatory body. The EDPB is also open to discussions regarding the parameters of a joint deliverable with the Commission, aimed at providing further clarity and consistency between the DMA and GDPR enforcement practices.