Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.
The draft Joint Guidelines on the Interplay between the Digital Markets Act and the EU General Data Protection Regulation embody the commitment of the European data protection authorities and the European Commission to collaborate more closely on the application of EU digital legislation. This is in response to growing friction and challenges emerging as a result of the interplay of laws. It also reflects a clear trend within organizations to do away with silos between areas of digital governance.
The interplay between the DMA and the GDPR raises questions about their coexistence in practice, as most DMA provisions became applicable in May 2023. The draft guidelines "focus on those provisions of the DMA in relation to which there are significant overlaps with substantive rules stemming from the GDPR that merit clarification and a common interpretation" among authorities. Legal basis for processing, data portability, access rights, anonymization, interoperability, and international data transfers are, indeed, all featured.
The draft guidelines trigger reflections on the value of consent, colored by the possible imbalance of power between gatekeepers and end-users. For example, they introduce into the equation notions that are arguably not legal concepts but rather notions of humanities. For example, they explain that "consent will not be free in cases where there is any element of compulsion, pressure or inability to exercise free will," for instance where the controller's position in the market "leads the data subjects to note that there are no other realistic" alternatives. Notions such as compulsion will inevitably be subject to varying interpretation and require contextual evaluation.
Another illustration rests with the portability section. The draft guidelines state "gatekeepers should not restrict in any way portability requests involving the transfer of personal data outside the EEA to a third country offering an adequate level of protection as recognised by a Commission decision." Adding later for such transfers to nonadequate countries, in line with derogations in Article 49(1)(a) of the GDPR, the gatekeeper should seek "the end user's explicit and specific consent to the envisaged transfer, after having informed him or her of the possible risks of such transfers due to the absence of an adequacy decision and appropriate safeguards."
The articulation of these laws also has a joint impact on gatekeepers' business models. The compliance of consent-or-pay models has been a particularly visible example of the latter. Enforcers' cooperation could therefore contribute positively to legal certainty and harmonization, as the worlds of competition and privacy build this consistency in practice.
The European Data Protection Board and Commission are running a public consultation on the draft guidelines until 4 Dec. The final guidelines would be adopted "in 2026."
Isabelle Roccia, CIPP/E, is the managing director, Europe, for the IAPP.
This article originally appeared in the Europe Data Protection Digest, a free weekly IAPP newsletter. Subscriptions to this and other IAPP newsletters can be found here.