Comments to European Commission Regarding Joint Guidelines on the Interplay Between DMA and GDPR
Introduction
On October 9, 2025, the European Commission (Commission) launched a public consultation on the “Draft Joint Guidelines” on the interplay between the Digital Markets Act (DMA) and the General Data Protection Regulation (GDPR).[1] While the GDPR is designed to protect the data of consumers and the DMA is supposed to promote competition in digital markets, the Draft Joint Guidelines rightly acknowledge that “issues of GDPR application may arise in the context of the implementation of the DMA by gatekeepers.”[2] In view of this intersection, the Draft Joint Guidelines attempt to “ensure that the DMA and the GDPR are interpreted and applied in a compatible manner.”[3]
The Information Technology and Innovation Foundation (ITIF), the world’s top-ranked science and technology policy think tank, greatly appreciates the opportunity to respond to this important public consultation.[4] In short, while the GDPR and DMA may have harmonious goals in the abstract, the Draft Joint Guidelines confirm that in practice their relationship is anything but complementary. Specifically, in view of the redundancy of the consent requirements for gatekeepers in Article 5(2) DMA with the consent requirements for data controllers in the GDPR, the Commission seems to justify the existence of the former by problematically expanding its scope and requiring free and less personalized data sharing alternatives without any cognizable competition benefits. Moreover, the access requirements of Article 6(4) DMA force gatekeepers into a troubling choice between minimizing compliance risk under the DMA and under the GDPR. With respect to Article 6(9) DMA, the Draft Joint Guidelines treat the DMA as effectively having veto power over parts of the GDPR related to data portability—despite the priority that should be given to the GDPR.
Article 5(2)
As the Draft Joint Guidelines explain, “[a]ll processing activities covered by Article 5(2) DMA qualify as processing operations within the meaning of Article 4(2) GDPR.”[5] Indeed, not only is it true that both Article 5(2) DMA and Article 4(11) GDPR require specific consent, but “Article 5(2) DMA prohibits gatekeepers from carrying out certain processing operations without end users’ valid consent, within the meaning of the GDPR.”[6] In view of this redundancy, rather than prudently focus its enforcement resources elsewhere, the Draft Joint Guidelines confirm that the Commission has decided to justify the existence of Article 5(2) DMA through a heavy-handed interpretation that extends it well beyond the GDPR. For example, unlike the Court of Justice of the European Union’s treatment of the GDPR in Meta Platforms and Others, the Commission has held that Article 5(2) DMA necessarily requires the provision of a less personalized alternative for free.[7]
The incentive for the Commission to interpret Article 5(2) DMA in a way that condemns behavior that should be lawful under the GDPR is not likely to benefit European consumers or businesses. To be sure, while it is true that, unlike the GDPR, Recital 36 of the DMA does expressly contemplate gatekeepers providing a less personalized alternative to promote contestability, the enforcement action against Meta has nothing to do with fighting exclusionary conduct. Rather, it reflects the worst kind of regulation, in which the government “attempts to determine market outcomes.”[8] What’s more, the Commission’s expansive interpretation of Article 5(2) DMA is likely to come at an economic cost through reduced advertising on Meta’s platforms, whose ad services generate €3.98 in revenue for every €1 spent by firms—including small businesses.[9] In other words, European businesses would have a harder time reaching European consumers.
Article 6(4)
The Draft Joint Guidelines are clear that “Article 6(4) DMA requires gatekeepers providing operating system CPS to (inter alia) allow and technically enable the installation and effective use of third-party software applications or software application stores on their operating system,” and that “gatekeepers should ensure that the measures they implement in compliance with Article 6(4) DMA also comply with applicable laws, including the GDPR.”[10] Yet, Article 6(4) DMA comes at a clear cost to consumer privacy (and security), which, as ITIF has made clear in other contexts, is already resulting in the chilling of innovation in the EU.[11]
Recognizing the increased risks to consumer privacy that Article 6(4) DMA entails, the Draft Joint Guidelines broadly require gatekeepers to “select the measures that less adversely affect the pursuit of the objectives of Article 6(4) DMA, provided that they remain effective in ensuring compliance with the GDPR.”[12] But while the application of a least restrictive alternative principle is not uncommon in antitrust law, as a legal matter, it is disfavored for unilateral conduct rules, including in a broader regulatory context.[13] More importantly, as a practical matter, the negative feedback loop between complying with Article 6(4) DMA and the GDPR presents gatekeepers with a perverse set of incentives: reducing Article 6(4) DMA compliance risk means increasing GDPR compliance risk—a relationship of substitutes, not one of complementarity.[14]
Article 6(9)
The Draft Joint Guidelines describe how Article 6(9) DMA both “enshrines the right to data portability for end users” and “complements the data portability right established by Article 20 GDPR.”[15] However, while the “requesting end user under Article 6(9) DMA is also a data subject as defined by the GDPR,” Article 6(9) goes beyond the GDPR in key ways.[16] For example, Article 6(9) DMA differs from the GDPR by requiring “gatekeepers to enable continuous and real-time data portability to end users or third parties authorised by them;” moreover, “[p]ortability under Article 6(9) DMA should also be enabled by gatekeepers at no additional cost to end users or authorized third parties.”[17]And, “[u]nlike Article 20 GDPR, data within the scope of Article 6(9) DMA are not limited to personal data concerning the data subject/end user.”[18]
Here again, the relationship described in the Draft Joint Guidelines between this provision of the DMA and the GDPR reflects anything but a healthy complementarity—despite their statement that “DMA compliance is without prejudice with other legal obligations, including the GDPR.”[19] Specifically, the Draft Joint Guidelines propose not just that complying with Article 6(9) DMA is lawful under Article 6(1), point (c) GDPR, but that “gatekeepers fulfilling data portability requests under the conditions set forth in Article 6(9) DMA are not responsible for the subsequent processing of data by the end user or authorised third party receiving the data”—contrary to their obligations under the GDPR.[20] As such, the Draft Joint Guidelines suggest that in certain respects the DMA will simply supersede the GDPR, which is inconsistent with the priority given to the GDPR in Article 1(5) of the EU’s Data Act, a model that the DMA should follow.
THE DIGITAL OMNIBUS CONTEXT
Notably, the Draft Joint Guidelines arrive at a moment of significant regulatory flux. On November 19, 2025, the Commission published its Digital Omnibus proposal, which acknowledges that the EU’s digital regulatory framework has become fragmented and burdensome, and proposes substantial amendments to the GDPR, which include the introduction of automated consent preference mechanisms to address cookie banner proliferation and clarifications when data protection impact assessments are required.[21] The Commission's Digital Omnibus proposal thus creates the potential for considerable uncertainty around the Draft Joint Guidelines, which, as noted above, incorporate GDPR standards in several respects, such as Article 5(2) DMA’s understanding of valid consent. In light of both the priority that the GDPR should be given relative to the DMA and the substantial changes proposed in the Digital Omnibus proposal, the Commission should therefore consider that the effectiveness of the Draft Joint Guidelines at providing gatekeepers with greater certainty as to the interplay between the DMA and the GDPR may be limited until there is greater resolution surrounding the Digital Omnibus proposal.
Recommendations
For these reasons—reinforced by the uncertainty created by the pending Digital Omnibus proposal—ITIF has significant concerns about the Draft Joint Guidelines and offers the following recommendations:
- Reconsider enforcement of Article 5(2) DMA: The GDPR already stipulates that processing personal data requires freely given and specific consent. The Commission’s expansive interpretation of the specificity condition in Article 5(2) DMA to condemn conduct lawful under the GDPR does not appear to have any firm basis in promoting the DMA’s competition goals. For this reason, the Commission should not spend valuable resources enforcing Article 5(2) DMA, but instead allow national authorities to continue policing the relevant unlawful behavior under the GDPR.
- Scale back Article 6(4) DMA: The privacy risks created by compliance with Article 6(4) DMA have resulted in a trade-off in which reducing regulatory risk under the DMA means increasing regulatory risk under the GDPR. The Draft Joint Guidelines’ suggestion that gatekeepers impose privacy protections in the way that is least adverse to complying with Article 6(4) DMA is not likely to provide workable guidance to gatekeepers but instead illustrates why the Commission should scale back enforcement of Article 6(4) DMA to ensure that it does not undermine the privacy and security goals of the GDPR.
- GDPR should take primacy over the DMA: Rather than being complementary, the Draft Joint Guidelines appear to contemplate Article 6(9) DMA superseding the GDPR with respect to areas such as controller responsibilities surrounding third-party processors. Not only is this in tension with the priority given to the GDPR in other regimes like the Data Act, but it also privileges a novel and highly problematic competition regulation over the Commission’s far better established and more well-founded data protection framework.
Conclusion
ITIF commends the Commission for issuing the Draft Joint Guidelines to help gatekeeper-controllers navigate the difficult questions that arise amid their extensive good faith efforts to comply with both the DMA and the GDPR. Unfortunately, however complementary the objectives of protecting consumer privacy and promoting competition may be at a high level, complying with several key DMA prohibitions will undermine—not enhance—the privacy goals of the GDPR. Implementing the GDPR thus presents yet another justification for reassessing the need for enforcing the DMA, which is not only targeting U.S. tech companies in a way that is damaging the transatlantic relations that are critical to keeping the West techno-economically ahead of China, but also harming EU consumers—including through greater privacy risk.[22]
Thank you for your consideration.
Endnotes
[1]. European Commission, “Commission and EDPB gather feedback on draft guidelines on interplay between DMA and GDPR,” (Oct. 9, 2025), https://digital-markets-act.ec.europa.eu/public-consultation-joint-guidelines-interplay-between-dma-and-gdpr-2025-10-09_en.
[2]. European Commission and European Data Protection Board, Joint Guidelines on the Interplay between the Digital Markets Act and the General Data Protection Regulation, Executive Summary (Oct. 2025), https://www.edpb.europa.eu/system/files/2025-10/joint_com-edpb_gls_interplay_dma_gdpr_for_public_consultation_en.pdf [hereinafter Draft Joint Guidelines].
[3]. Id.
[4]. 2020 Global Go To Think Tank Index Report, Univ. of Pa. (2021), https://repository.upenn.edu/think_tanks/18/.
[5]. Draft Joint Guidelines ¶ 18.
[6]. Id. at Executive Summary.
[7]. Judgment of 4 July 2023, Meta Platforms and Others, Case C-252/21, EU:C:2023:537; Case DMA.100055 – Meta – Article 5(2), Digital Markets Act (Apr. 23, 2025).
[8]. Lilla Nóra Kiss, The EU’s DMA Fine Against Meta: GDPR in Disguise, ITIF (Aug. 7, 2025), https://itif.org/publications/2025/08/07/eu-dma-fine-against-meta-gdpr-disguise/.
[9]. Meta Research, Meta proudly supports the people and economy of the United States and around the world (2025), https://research.facebook.com/economiccontribution/.
[10]. Draft Joint Guidelines at Executive Summary.
[11]. Joseph V. Coniglio and Lilla Nóra Kiss, Comments to the European Commission for Its First Review of the Digital Markets Act, ITIF (Sept. 24, 2025), https://itif.org/publications/2025/09/24/comments-to-the-european-commission-for-its-first-review-of-the-digital-markets-act/.
[12]. Draft Joint Guidelines at Executive Summary.
[13]. Verizon Commc’ns, Inc. v. Law Offices of Curtis V. Trinko, 540 U.S. 398, 415-16 (2004) (discussing how U.S. antitrust law “does not give judges carte blanche to insist that a monopolist alter its way of doing business whenever some other approach might yield greater competition”).
[14]. Interestingly, the Draft Joint Guidelines do not contain any discussion of the interoperability obligations in Article 6(7) DMA which also requires compliance measures that serious create privacy and security risks.
[15]. Draft Joint Guidelines at ¶¶ 103-4.
[16]. Id. ¶ 104.
[17]. Id.
[18]. Id. ¶ 104.
[19]. Id. ¶ 129.
[20]. Id. ¶ 106.
[21]. European Commission, Proposal for a Regulation of the European Parliament and of the Council amending Regulations as regards personal data and non-personal data, cybersecurity and artificial intelligence (Nov. 19, 2025), https://digital-strategy.ec.europa.eu/en/library/digital-omnibus-regulation-proposal.
[22]. Joseph V. Coniglio and Lilla Nóra Kiss, Comments to the European Commission for Its First Review of the Digital Markets Act, ITIF (Sept. 24, 2025), https://itif.org/publications/2025/09/24/comments-to-the-european-commission-for-its-first-review-of-the-digital-markets-act/.
