Notes from the IAPP Europe: The EU's focus on cross-regulatory interplay and cooperation

The European Data Protection Board organized a 17 March workshop on cross-regulatory interplay and cooperation in the European Union, focusing on the data protection perspective. 

EDPB Chair Anu Talus noted in her opening speech that the "digital economy does not operate in silos so nor should we." She stated the EDPB is taking the current EU digital regulatory complexity very seriously and recognizes the need for clarification and consistency. 

Hence, the EDPB has set up an expert subgroup on cross-regulatory interplay and cooperation and is working on developing joint guidance with the European Commission on interactions between the EU General Data Protection Regulation and the AI Act, as well as the Digital Markets Act. 

Guidance on the latter is expected to be published before the end of this year. Recently, the EDPB has also started working on another project with the Commission — joint guidelines on the interplay between data protection and competition, which will be open for public consultation soon.  

Talus underlined that for different EU digital legal frameworks to work harmoniously, regulators must focus on shared interpretation, the three key principles of which are consistency, consistency and once again, consistency. She explained that to successfully navigate today's digital environment, frameworks must be mutually reinforced — authorities must be able to retain their mandates and at the same time have structured dialogues. 

The EDPB workshop was divided into three panels, the first focusing on reaping the synergies between data protection and competition. During this panel, speakers discussed different approaches to cross-regulatory cooperation in the context of data protection and competition, comparing: the structured U.K. system, established through the Joint Statement of 2021; the case-by-case system in Germany, where authorities cooperate as issues arise; as well as the example of the Polish platform, which discusses all EU digital frameworks and their coherence. 

Covington and Burling Partner Claudia Berg, who previously worked at the U.K. Information Commissioner's Office and the U.K. Competition and Markets Authority, highlighted that a key synergy shared by the frameworks is a wish for user choice and control, concluding that the more users understand what is happening to data, the more companies see data protection as a competitive advantage. 

Head of European Competition Network and Private Enforcement Unit in the European Commission Massimiliano Kadar confirmed Berg's conclusion. "If data protection is valued by consumers, companies will develop products to respond to the needs of consumers," he said.  

He also spoke about areas of interplay between the two frameworks, including the different focuses on consumer protection — fundamental freedoms versus contestable markets — and siloed remedies — competition investigations not interfering with data protection rights. 

The speakers agreed the key to consistency is communication between regulators. It was also noted that the various enforcement authorities have something to learn from each other, mentioning the benefits of the EDPB's pooling of resources in cross-border cases. 

Panelists recognized that for enforcement to work, clear priorities need to be set but authorities encounter certain issues, including resource allocation. It was also acknowledged that more needs to be done from each framework's side for personal data to work well for the market. 

The second discussion followed the first panel's topic, but zoomed in on the relationship between the GDPR and the DMA. A key point raised was the importance of applying both instruments compatibly. There was a general agreement that joint DMA and GDPR guidelines are a good step toward clarification of the interplay between the two. 

The final panel looked at the interplay between the GDPR and the Digital Services Act. Here, the Commission noted that the goal is to provide a consistent regulatory approach to industry. Among the challenges, a representative of the French Regulatory Authority for Audiovisual and Digital Communication mentioned different levels of maturity of the GDPR and the DSA, with some member states still falling behind when it comes to fully empowering their Digital Services Coordinators. 

Moreover, the different governance structures were highlighted, with equal national regulators in each EU member state under the GDPR, and the Commission having the primary power to directly enforce the DSA for very large online platforms and very large online search engines. 

An industry representative from the European Tech Alliance explained that organizations want to comply with digital EU laws — they dedicate 30% of their workforce to compliance issues. However, they also want to be competitive, and for that there is a need for clarity between texts and enforcement, and a true single market. 

The event also featured two keynote speeches from the European Commission Executive Vice-President Henna Virkkunen and the European Parliament Committee on Civil Liberties, Justice and Home Affairs Chair Javier Zarzalejos. 

The EDPB's workshop is part of its efforts to focus on cross-regulatory competition, a goal raised in its 2024-27 strategy as well as last year's Helsinki Statement. Talus concluded the event with a promise to continue guidance on the interplays between different pieces of EU digital legislation.