EU officials discuss alignment on digital simplification, interplay goals at EDPB workshop

As EU institutions continue their work toward a final agreement on simplification of the bloc's digital rulebook, areas of consensus are becoming more clear. One point of alignment is the role regulatory interplay has despite the EU's efforts to simplify organizational compliance through the proposed Digital Omnibus and Digital Omnibus on Artificial Intelligence.

At the European Data Protection Board's workshop on regulatory interplay 17 March, European Commission Executive Vice-President for Technological Sovereignty, Security and Democracy Henna Virkkunen and European Parliament Committee on Civil Liberties, Justice and Home Affairs Chair Javier Zarzalejos each shared remarks on the importance of regulations complementing each other where necessary.

The workshop focused on how the EU General Data Protection Regulation interacts with competition themes, particularly when riding up against or connecting to matters covered by the Digital Markets Act and the Digital Services Act.

"The interplay of different rules must be seamless. Enforcement must be consistent and the rules must be clear," Virkkunen said.

Simplification will help address friction brought on by what Virkkunen characterized as "parallel structures," but she added enforcement cooperation, including "dialogue on a national level, between data protection authorities and digital services coordinators," will also play a crucial role.

Zarzalejos focused on the interconnectivity of digital matters, with issues like targeted advertising and social media harms falling under a range of EU regulatory scopes. Those intersections are "no longer optional," he said, and proper enforcement is "essential for fair markets, for fundamental rights safeguarding and for the trust that underpins our digital economy."

"What we are witnessing is not just a series of disconnected challenges. It is a structural shift, and we need to act," he added.

Where interplay fits

Cybersecurity and data protection are among of the many areas where interplay is complementary and cannot be ignored, according to Virkkunen. The Commission recognized that with its omnibus proposal to harmonize data breach reporting through a single portal for required reports under the EU General Data Protection Regulation, NIS2 Directive, Digital Operational Resilience Act, Critical Entities Resilience Directive and the upcoming Cyber Resilience Act.

"In practice, it means that the same event may need to be reported under both legal acts to different authorities, often across several member states, using different tools and timelines," said Virkkunen, adding the proposed mechanism represents "a concrete and very pragmatic response" to breach reporting fragmentation and challenges.

She also discussed strong and necessary connections between the GDPR and DSA, given how aspects of the DSA require personal data considerations. The DSA's age verification requirements to prevent access to harmful content and user opt-out preferences for content recommendations were among the data protection links raised.

"Building a bridge to the GDPR the DSA is therefore not meant to be interpreted in a vacuum, because both these regulations must be applied together," Virkkunen said.

Zarzalejos clarified the GDPR-DSA connection further, clarifying how each has a role to play in the data economy.

He said the GDPR "governs how data may be used" and "ensures that personal data processing remains anchored in fundamental rights." Meanwhile, the DSA covers "how platforms must structure and supervise the digital environment built on that data" and "ensures that platforms address systemic risks to public discourse and user safety."

"Together, they reflect a distinctly European approach combining rights based data protection with the structure of platform regulation to create a more accountable digital ecosystem," Zarzalejos added.

The IAPP Resource Center carries a suite of infographics depicting the interplay the GDPR has with the DSA and other digital regulations.

Additional omnibus musings

The workshop was held as EU institutions are at different stages of omnibus negotiations.

Recent work by European Parliament and the Council of the European Union out mostly aligned negotiating positions for EU Artificial Intelligence Act amendments under the proposed Digital Omnibus on AI. The commonalities among proposals will support aims to expedite upcoming trilogue negotiations, which will begin once Parliament finalizes its preliminary position.

Zarzalejos commented on AI in a broader context beyond the proposed omnibus, highlighting the need for continuous attention to evolving risks and implications of the collection and utilization of personal data for AI training purposes.

"While AI holds the potential to mend human capabilities, enhance security and foster efficiency, it also introduces risks," he said. "It also poses risks, including greater opportunities for control, manipulation and discrimination. And in addition, it might disrupt social interaction, expose individuals to harm from technological malfunctions or undermine fundamental rights and societal values."

The omnibus concerning the GDPR and the rest of the EU digital acquis is requiring more provisional debate than the AI package. Discussions in Parliament and among EU member states are ongoing.

Virkkunen briefly addressed the Commission's thinking on proposed amendments to the GDPR's definition of personal data, which has proven to be controversial among EU institutions. Notably, the Council of the European Union continues to resist the proposed change while the EDPB issued an opinion on the omnibus that opposed the definition update.

"The aim is to support our companies in applying the GDPR in practice, not to redefine the notation of personal data," she said. "We believe that these amendments do not lower the level of protection. They are, however, important to bring rapid and practical relief to businesses through simplification."