GDPR and New Digital Regulations: Toward Stronger Coherence in the European Data Protection Framework

The GDPR as a Cross-Cutting Foundation of New European Digital Regulations

The European Data Protection Board (EDPB) is increasingly asserting the central role of the GDPR within the European digital regulatory ecosystem. The GDPR is now conceived as a structuring reference framework, designed to interact with the Digital Markets Act (DMA), the Digital Services Act (DSA), and the forthcoming Artificial Intelligence Act (AI Act).

This approach is part of the EDPB’s 2024–2027 strategy, which explicitly aims to strengthen regulatory coherence, legal certainty, and the effective protection of fundamental rights in a context marked by the multiplication of digital obligations.

The Interaction Between the GDPR and the DMA: Major Institutional Clarifications

The joint guidelines published by the EDPB and the European Commission represent a structural advancement in European digital governance. Their purpose is to ensure complementary application of the GDPR and the DMA, particularly with regard to platforms designated as gatekeepers.

Several key principles are reaffirmed:

• Primacy of GDPR principles: obligations imposed by the DMA cannot justify processing activities that run counter to the principles of data minimisation, purpose limitation, or proportionality;
• Strict framework for consent: where the DMA imposes certain functional obligations (interoperability, access to data), reliance on consent remains required whenever the processing is not strictly necessary to comply with a legal obligation;
• Protection of fundamental rights: mechanisms for data access or enhanced portability must be designed in a way that preserves the rights of data subjects.

These clarifications reflect an explicit intention to prevent any autonomous interpretation of the DMA that could weaken the level of protection guaranteed by the GDPR.

GDPR and the AI Act: Complementarity Based on the Protection of Fundamental Rights

The gradual entry into force of the European Artificial Intelligence Act (AI Act) confirms this logic of regulatory articulation. The European legislator has expressly provided that the AI Act applies without prejudice to the GDPR, particularly where AI systems involve the processing of personal data.

Several key points of attention emerge:

• Cumulative legal qualification: a system may simultaneously qualify as a high-risk AI system under the AI Act and as processing subject to the GDPR, thereby triggering parallel obligations (documentation, governance, risk analysis);
• Training and testing data: the AI Act strengthens requirements relating to data quality, representativeness, and absence of bias, which complement the GDPR principles of lawfulness, data minimisation, and accuracy;
• Impact assessments: in certain cases, a data protection impact assessment will need to be coordinated with the risk assessment required under the AI Act.

The EDPB and the European Data Protection Supervisor have repeatedly emphasised that the GDPR remains the central instrument for protecting individuals against intensive uses of artificial intelligence.

Operational Recommendations for Practical Compliance

Beyond high-level legislative texts, the EDPB continues to adopt a resolutely pragmatic approach by publishing targeted recommendations addressed to economic operators.

Among the issues recently addressed is the mandatory creation of user accounts in e-commerce. The EDPB recalls that:

• account creation cannot systematically be a prerequisite for making a purchase;
• alternatives such as guest checkout must be offered, unless there is an objective necessity (subscriptions, personalised services);
• the design of user journeys must be guided by the principle of data minimisation.

These recommendations illustrate the EDPB’s intention to make the GDPR more operational by directly targeting website architectures, customer journeys, and CRM systems.

Strengthened Effectiveness of Rights: Coordinated Action on the Right to Erasure

The EDPB has also launched a coordinated European enforcement action focusing on the right to erasure (Article 17 GDPR), involving more than thirty national data protection authorities.

This initiative pursues two main objectives:

• harmonising control methods and interpretations across national authorities;
• improving the practical effectiveness of a right that is still applied unevenly across sectors.

This type of action marks a significant evolution in the role of the EDPB, which is now fully engaged in the operational coordination of GDPR enforcement at the European level.

Conclusion

Recent developments confirm the transformation of the EDPB into a true pillar of European digital regulation. By clarifying the interaction between the GDPR, the DMA, and the AI Act, by issuing operational recommendations, and by coordinating the actions of national authorities, the EDPB contributes to consolidating a coherent, protective, and effective legal framework.

The GDPR thus appears not as an isolated text, but as the cross-cutting foundation of an integrated regulatory ecosystem, designed to sustainably govern digital uses, structural platforms, and artificial intelligence systems.

European Data Protection Board (EDPB), Strategy 2024–2027
DMA and GDPR: EDPB and European Commission endorse joint guidelines to clarify common touchpoints | European Data Protection Board

‍