EU Agencies to Develop Guidance on the Interplay Between the DMA and GDPR

Wilson Sonsini Goodrich & Rosati

On September 10, 2024, the European Commission (EC) offices in charge of the enforcement of the Digital Markets Act (DMA) and the European Data Protection Board (EDPB)—the European body composed of all EU data protection regulators that oversees the consistent application of the General Data Protection Regulation (GDPR)—announced that they intend to provide guidance on the interplay between the DMA and GDPR.

This planned guidance aims to ensure the coherent application of the GDPR and the DMA. This is a much-welcome step, as potential inconsistencies and ambiguities between the data-related obligations under the DMA and the obligations under the GDPR create uncertainty for companies. However, the EDPB’s involvement signals that forthcoming guidance on the DMA may apply stringent GDPR principles, potentially increasing scrutiny for businesses and impacting their compliance strategies.

Background

The DMA applies to large digital platforms that provide “core platform services” (e.g., online marketplaces, online platforms, social networking, cloud services, advertising services, video sharing) and have been designated as “gatekeepers.” To date, the EC has designated seven gatekeepers—Alphabet, Amazon, Apple, Bytedance, Meta, Microsoft, and Booking.com—with respect to 24 core platform services (CPS). (See the EC’s information page on Gatekeepers.) As the market evolves, more gatekeepers may be designated by the EC.

The DMA imposes far-reaching ex ante obligations on these gatekeepers, including rules related to data combination, use of platform data, data access by business users or rivals, interoperability, ad transparency, and self-preferencing.

Some of these obligations entail processing of personal data subject to the GDPR, and there have been concerns over potential inconsistencies, shortcomings, or conflicts between the two regulations. Such concerns arise, for example, in cases where the wording of the DMA directly refers to GDPR concepts and thus raises interpretation issues, or where these obligations are in conflict with pre-existing GDPR principles.

Interplay of the DMA and GDPR

The GDPR aims to provide individuals with control over their personal data, while the DMA is meant to foster competition in the digital sector.

The DMA promotes the idea that the possession of vast amounts of data—including personal data—constitutes a barrier to entry for new market players and therefore hampers competition. To address this issue, the DMA introduced data-related requirements, some of which involve processing of personal data. Examples of such requirements include Article 5(2) DMA, which prohibits gatekeepers from sharing personal data between two of their services when at least one core platform service is involved without obtaining end-user consent; Article 6(9), which requires gatekeepers to provide end-users with portability of their data generated in the context of their use of the CPS; Article 6(10), which requires gatekeepers to provide business users with access to and use of data, including personal data, generated in their use of the CPS; and Article 6(11), which requires providers of search engines that have been designated as a CPS to provide competitor search engines with access to search data generated by users.

Given that the GDPR applies to any organization that processes personal data, gatekeepers must not only comply with these new DMA requirements, but also with their pre-existing GDPR obligations, as emphasized in Recital 37 of the DMA (i.e., “this Regulation is without prejudice to [the GDPR]”).

These data-related requirements raise at least two types of issues with respect to their interplay with the GDPR:

  • First, some of these DMA requirements directly refer to GDPR concepts. For example, Article 5(2) refers to “consent within the meaning of [the GDPR]” and provides exceptions to the consent requirement if the gatekeeper relies on other specific GDPR legal bases (i.e., legal obligation, vital interests, and public interest). Another example is Article 6(11), which requires gatekeepers that provide search engines to anonymize search data that constitutes personal data prior to sharing that data with third parties. The inclusion of GDPR concepts in the wording of DMA requirements raises the issue of their interpretation when applying and enforcing the DMA, given the divergent objectives pursued by both laws (i.e., providing individuals with more control over their personal data versus fostering competition in the digital sector). Such issues become particularly apparent in cases where there is a lack of consensus among data protection authorities on key GDPR concepts.
  • Second, certain DMA obligations may come into conflict with GDPR principles. For example, the data-sharing obligation under Article 6(10) raises the issue of compliance with the data minimization principle (i.e., controllers should limit the processing of personal data to what is necessary to accomplish a specific processing purpose).

In an attempt to address these issues, the EC, EDPB, and European Data Protection Supervisor (EDPS) have already engaged in discussions concerning data-related and interoperability obligations within the High-Level Group for the DMA, which comprises various European bodies and networks in areas such as data protection, competition, and consumer protection. The proposed guidance builds on this engagement.

Key Takeaways

While awaiting the guidance, both gatekeepers and business users of their services should be mindful of the tensions between the DMA and the GDPR. Gatekeepers should consider assessing compliance with both frameworks, including reviewing consent mechanisms and data-sharing practices. Business users of core platform services, particularly those relying on gatekeepers for data access, should also monitor developments to ensure alignment with legal requirements and avoid breaching GDPR obligations when processing shared data.

The involvement of the EDPB is noteworthy, given its reputation for adopting conservative and stringent interpretations of data protection law. Its participation suggests that the forthcoming guidance could follow a rigorous application of GDPR principles within the DMA context. This could have significant implications for businesses, particularly gatekeepers, as it may result in heightened scrutiny and a more rigorous interpretation of the interplay between the DMA and GDPR. Companies should closely monitor how the EDPB’s approach may shape the enforcement of these regulations and prepare for the impact this guidance could have on their compliance strategies.

Michelle Zang contributed to the preparation of this Wilson Sonsini Alert.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Wilson Sonsini Goodrich & Rosati
