By Belle Beems Assistant professors at Leiden University, Europa Institute, Department of Public Law.
Following the ASCOLA declaration of interests, the author declares no conflicting interests.
On 9 October 2025, the European Commission and the European Data Protection Board (EDPB) published a draft of their Joint Guidelines on the Interplay between the Digital Markets Act and the General Data Protection Regulation (Guidelines). This marks a significant institutional first: it is indeed the first time that the EDPB and the European Commission have prepared guidelines jointly. The Guidelines, which according to EDPB Chair Anu Talus are the result of a fruitful cooperation, aim to provide guidance for the coherent and consistent interpretation of both the DMA and of the GDPR, in relation to some provisions of the DMA that concern or may entail the processing of personal data by gatekeepers or include references to GDPR concepts and definitions. To this end, the Guidelines elaborate on important common concepts, such as end-user choice and consent, the right to data portability and the right to data access.
The effort of the Commission and the EDPB is laudable, as different legal instruments increasingly overlap and coordination between authorities is essential to guarantee effective enforcement, as I have argued in my recently published monograph. However, and notwithstanding the importance of cross-disciplinary cooperation, the interaction between enforcers of different legal areas is not straightforward, as the different – yet interacting and complementary – objectives of the legal branches have to be reconciled. The diverging regulatory focus of authorities make cross-disciplinary cooperation (even) more complicated than cooperation between authorities of a single legal branch, for example within the European Competition Network (ECN).
The additional complexity of cross-disciplinary cooperation is clearly reflected in responses to the consultation on joint guidelines on the interplay between DMA and GDPR. While competition law scholars stress that the Guidelines appear to place greater emphasis on personal data protection and ensure the free flow of personal data in the Union under the GDPR than on the objectives of the DMA, Aolan Li, a data protection scholar, observes that the Guidelines are heavily driven by the DMA’s structure and obligations. This goes to show that it is not straightforward to reconcile different perspectives: striking a balance to safeguard the complementary objectives of legal branches without jeopardizing the individual goals of the respective legal regimes is by no means an easy exercise.
Yet, and regardless of those complexities, the Commission and EDPB make a good effort in streamlining the application of the DMA and the GDPR. This approach may resolve some of the concerns relating to the interplay of both instruments. The draft Guidelines are a step in the right direction, but several challenges remain. As discussed in SCIDA’s response to the Consultation on the Joint Guidelines various principles render further clarification and the issue of AI training should be explicitly addressed.
Apart from the substantive discussion, the Guidelines trigger more fundamental and institutional questions, which are the focal point of this blog. I’d like to highlight – in the particular context of the Guidelines – three main points, i.e. (i) the risk of privacy washing and politicization, (ii) the degree of binding effect of the guidelines, (iii) the institutional implications for cooperation between authorities.
Privacy washing and politicization
In the context of digital markets, several authors observe a trend of gatekeepers claiming adherence to the prohibitively high data protection standards, when such conduct allows them to circumvent other laws. Remarkably, GDPR compliance is no priority if it does not serve a business interest. Big Tech weaponizes data protection laws to avoid compliance with other laws, in particular competition law and the DMA. In other words, online platforms apply a shield and armour strategy by utilizing privacy protection as a means to engage in unfair and exploitative practices, stifling innovation and enjoying the benefits of a monopolistic position.
This shield and armour strategy is clearly visible in the debate on the draft Guidelines. ITIF – a non-profit think tank that is supported by several tech giants, including Alphabet, Apple, Microsoft and Meta – for example highlight the ‘’troubling choice between minimizing compliance risk under the DMA and under the GDPR’’. Additionally, the think tank argues that implementing the GDPR is yet another justification for reassessing the need for enforcing the DMA. According to ITIF, the DMA is targeting U.S. tech companies in a way that is damaging transatlantic relations that are critical to keeping the West economically ahead of China, but also harming EU consumers – including through greater privacy risks.
These statements do not only amount to privacy washing, but also reflect the dangerous trend of politicizing the enforcement of competition law and digital regulation. In the public and political debate, DMA fines are falsely portrayed as discriminatory treatment or non-tariff barriers. In shaping cooperation frameworks, it is important to keep these dynamics in mind. It can and should not be overlooked that the DMA is not a political instrument, but an instrument that is firmly grounded in the goal of protecting effective competition for the benefit of consumers.
While public consultations are important and input of stakeholders, including big tech firms, is valuable in shaping effective soft law documents, it cannot be overlooked that privacy washing and an inaccurate and politicized portrayal of the DMA are dangerous. The legal rules of the DMA, neither corresponding soft law instruments such as the Guidelines, should be brought in the political arena. DMA enforcement should not be treated as a bargaining chip, but taken seriously as Europe’s constitutional obligation.
Binding effects of guidelines
A second important point relates to the binding effect of the Guidelines. It is well-established that – while soft law generally does not have binding force – authorities can to a certain extent be bound by their own guidelines. For instance, the CJEU ruled that the Commission, by adopting the de minimis notice imposes a limit on the exercise of its discretion and must not depart from the content of the notice without being in breach of the general principles of law, in particular the principles of equal treatment and the protection of legitimate expectations.
However, guidelines issued by EU institutions are not binding upon national authorities. In this light, the Commission’s soft law is not binding upon Member States, and consequently, not upon national competition authorities.
In the context of the Guidelines, the discussion on binding effect is even more complex and multi-faceted. First, paragraph 11 of the Draft Guidelines stresses that the Guidelines are ‘without prejudice to the respective powers of the Commission and of the EDPB to issue, within the framework of their respective competences, any further guidance on any provision of the DMA and the GDPR respectively’. While this paragraph seems to indicate that the guidelines do not limit the Commission’s and EDPB’s discretion to issue further guidelines, it is questionable whether future guidelines by either of the authorities could go against the jointly established guidelines. The CJEU’s caselaw seems to leave limited room for such an approach, although existing case law does not explicitly touch upon the binding effect of joint guidelines. Conversely, paragraph 11 of the Guidelines seems to indicate a very limited limitation of the respective authorities’ discretion. It should be clarified to what extent the individual authorities may deviate from the guidelines. Furthermore, as discussed in SCIDA’s response to the consultation, it should be clarified whether if the GDPR allows for an interpretation that can lead to circumvention of the DMA, interpretative soft law documents can change this.
A second interesting issue relating to the (non)binding nature of the guidelines relates to the position of national data protection authorities. As explained above, it is clear that guidelines adopted by the Commission cannot bind national competition authorities. From this perspective, it is logical that the text of the Guidelines cannot bind national data protection authorities (or courts for that matter). In the context of data protection law, which is enforced in a decentralized enforcement model, this may give rise to trouble. While the Commission’s discretion will be limited, national data protection authorities would remain free to take their own approach. If national data protection authorities will not comply with the Guidelines, this will limit the practical effect of the Guidelines. This hypothetical scenario will furthermore potentially reveal tensions within the EDPB, as national data protection authorities are strongly represented within the EDPB.
Institutional considerations
Apart from guidance on substantive obligation, Section 8 of the Guidelines elaborates on the issue of coordination, cooperation and consultation. The Commission and EDPB highlight that cooperation and coordination between the Commission, the EDPB and national data protection supervisory authorities within the remit of their respective powers and competences is required by the principle of sincere cooperation as laid down in Article 4(3) TEU. The Guidelines, furthermore, highlight that cooperation between the Commission and data protection supervisory authorities is essential to ensure a consistent, effective and complementary application of the DMA and Union data protection law and continue by reiterating that consultation is required in multiple scenarios. Building on the one-stop-mechanism of the GDPR, paragraph 218 of the Guidelines stresses the leading supervisory authority should be the relevant interlocutor of the Commission. In turn, this leading supervisory authority relies on the appropriate mechanisms laid down in the GDPR to inform other concerned supervisory authorities. While it is inevitable that the Guidelines build on the GDPR’s institutional structure, it should be stressed that the DMA’s one-stop-shop and country of origin model are not free of problems. Indeed, the shortcomings of the GDPR’s cooperation mechanism have been discussed extensively in literature. It is important that these concerns are addressed, since they may negatively spill-over thereby jeopardizing effective cooperation between the Commission and national data protection supervisors.
Another issue that arises relates to the exchange of confidential information. While it is clear that the Commission, EDPB, national data protection can cooperate on general matters of implementation and the high-level promotion of a consistent regulatory approach, cooperation on a case-by-case basis is less straightforward. The Guidelines do not explicitly address the issue of exchanging sensitive or confidential information. The lack of a legal basis to exchange confidential information has previously posed an obstaclebetween the Commission and data protection supervisors. Although guidelines are not a suitable instrument to introduce a legal basis to exchange evidence, this procedural element should not be neglected.
Wrapping up
In short, the Guidelines are a laudable effort to reinforce cross-disciplinary cooperation between the Commission and the EDPB. Although there is room for improvement, the fact that the Commission and EDPB show a clear interest in the overlap of competences is a step in the right direction. Having said that, it is important to keep in mind what guidelines can and cannot do. Guidelines are a suitable instrument to facilitate a cooperative approach. As a result, potential tensions between frameworks may be resolved in the decision-making process. However, if an irresolvable clash between frameworks were to be arise, the guidelines are not well-placed to resolve this. In this scenario, the CJEU would ultimately have to resolve the matter, also considering the fundamental nature of data protection law as enshrined in the Treaties and the CFR.
