The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have separately weighed in with their thoughts on how the matrix of EU digital rules should be navigated. In the EDPS’s case, this takes the form of its Towards a Digital Clearing House 2.0 concept note published on 15 January 2025 (Concept Note), whilst the EDPB published the following day its position paper on the Interplay Between Data Protection and Competition Law (Position Paper).
Interplay of EU Digital Laws
The EDPS notes that the Data Governance Act, the Data Act, the Digital Services Act (DSA) and the Digital Markets Act (DMA) include provisions making it clear that the existing protections under EU data privacy law remain fully applicable. In addition, the CJEU has previously ruled that where two EU legal acts of the same hierarchical value (such as two regulations) do not establish priority of one over the other, they should be applied in a compatible manner. It is therefore clear that the EU General Data Protection Regulation (GDPR) must be complied with in addition to the requirements of these newer digital laws.
The EDPB has also recognised this interplay and committed in its 2024-2025 work programme to publish guidelines on the interplay between the GDPR and other EU laws, including the AI Act, the DSA, the DMA and competition laws, the latter being the Position Paper it recently published.
Interaction of GDPR and EU competition laws
The EDPB notes that personal data is at the heart of many business models and as a result data privacy has become in some cases an important parameter of competition. In support of this it points to the EU Commission Notice on the definition of the relevant market published in February 2024 which states that the protection of privacy and personal data offered to consumers may be one of the parameters of competition to be considered. The EDPB therefore concludes that strengthening the link between the protection of personal data and competition can contribute to the protection of individuals and the well-being of consumers by reinforcing the common consideration of respect for their fundamental rights and the proper functioning of competitive markets.
The EDPB draws on the concept of freely given consent under the GDPR as an example of this link between the regimes, noting that a dominant position of a business is liable to affect the freedom of choice of a user, who might be unable to refuse or withdraw consent without detriment. This would create an imbalance of power, and so require the organisation to take extra steps to demonstrate that consent has been given to the required GDPR standard. Obviously a dominant position does not automatically mean that consent is invalid, but does mean that an organisation in this position would need to give extra consideration to this requirement.
This echoes the EDPB’s previous Opinion on consent or pay models for large online platforms, as well as the recent guidance from the UK Information Commissioner’s Office (ICO) on these models more generally (see our previous blog).
The EDPB therefore concludes that a better understanding of the relationship between concepts in data privacy and competition law is required to strengthen the ability of data privacy authorities to take into account the relevant economic context, as well as the ability of competition authorities to incorporate potentially relevant data privacy considerations into their assessments and decisions.
Closer regulator co-operation
In the Concept Note the EDPS notes that parallel investigations by various authorities into the same practices have revealed the importance of a coherent regulatory approach in applying data protection, consumer rights and new digital laws. In particular it notes that simultaneous actions by various regulators have highlighted the potential for conflicts and inconsistencies when data-related practices are scrutinised from different legal perspectives.
The EDPS believes a revised approach is needed to the Digital Clearing House, which first met in 2017, to provide a forum to exchange and coordinate on issues of common interest. This would more closely reflect the approach in the UK which created the Digital Regulation Cooperation Forum which consists of the ICO, Competition Markets Authority, Financial Conduct Authority and the Office of Communications (Ofcom). Similar initiatives also exist in Ireland, Germany and France.
The EDPB in its Position Paper also noted the need for cooperation between data privacy and competition regulators, asserting that in some cases this is mandatory and not optional.
Streamlining regulation and regulators
The EDPS’s Position Paper also suggests that legislation may be needed to address issues of inconsistency and tensions arising from the application of different parts of the EU Digital Rulebook, for instance to clarify the relationship between obligations in different EU acts and to reduce the number of regulators overseeing closely-related frameworks.
Outlook
With the increase in EU digital laws continuing, steps to support regulators to take a consistent and co-ordinated approach are welcome, as is the suggestion of addressing inconsistencies in the legislation itself. The suggestion that the number of regulators be reduced would potentially be of benefit to organisations as it should avoid parallel investigations, but it seems rather less likely that the EDPS’s proposal on this front will be taken forward.
Regardless of whether any of the proposals are taken forward, the complexity of the matrix of digital regulation is only set to increase, so the promised guidance from the EDPB on the interplay between the GDPR and the EU digital regulations, in addition to the Position Paper focusing on competition law, is to be welcomed. This of course does not address the interplay between those other regulations. This is perhaps where the EDPS’s proposed Digital Clearing House 2.0 could play an important role.