Navigating the Digital Maze: GDPR's Interplay with Europe's New Tech Regulations

TL;DR
- GDPR remains the foundation of EU data protection, but new laws—DSA, DMA, Data Act, DGA and the forthcoming AI Act—layer sector-specific obligations on top.
- Overlaps appear in legal basis, transparency, profiling/ADS rules, dark-pattern bans and children’s protection, making siloed GDPR programs obsolete.
- Firms must build an integrated compliance framework that maps data flows against every regulation and anticipates multi-agency enforcement.
Table of Contents
- A Quick Look at the New Rulebook
- How GDPR Intersects with the New Digital Regulations
- Navigating the Regulatory Ecosystem
- Conclusion
The European Union's General Data Protection Regulation (GDPR), implemented in May 2018, fundamentally reshaped data privacy globally and remains the cornerstone of personal data protection in Europe. However, the EU's regulatory ambitions in the digital sphere haven't stopped there. Recent years have seen a wave of significant new legislation aimed at governing various aspects of the digital economy. Key examples include the Digital Services Act (DSA), the Digital Markets Act (DMA), the Data Act, the Data Governance Act (DGA), and the forthcoming AI Act.
For businesses operating in or targeting the EU market, particularly those from the US, it is crucial for effective compliance to understand how these newer regulations interact and overlap with the foundational GDPR, and where they create new complexities alongside it. This post explores the key connections and interplay between GDPR and this expanding EU digital rulebook.
A Quick Look at the New Rulebook
Before diving into the interplay, here's a brief reminder of the primary goals of these new regulations:
- Digital Services Act (DSA): Focuses on creating a safer online environment by regulating online intermediaries (hosting providers, platforms, search engines). Key aspects include tackling illegal content, enhancing transparency (especially for advertising and recommender systems), and imposing stricter obligations on Very Large Online Platforms and Search Engines (VLOPs/VLOSEs). Fully applicable since February 17, 2024.
- Digital Markets Act (DMA): Aims to ensure contestable and fair markets in the digital sector by imposing ex ante obligations on large platforms designated as "gatekeepers." It prohibits certain unfair practices related to data use, app stores, self-preferencing, and interoperability. Became applicable from May 2023, with gatekeepers needing to comply with most obligations by March 2024.
- Data Act: Designed to unlock the value of data by setting rules on access to and use of data, particularly data generated by connected devices (IoT). It includes provisions on data sharing between businesses, government access to private sector data in emergencies, cloud switching, and interoperability. Applies from September 12, 2025.
- Data Governance Act (DGA): Establishes frameworks to facilitate data sharing by increasing trust. It regulates data intermediation services and promotes data altruism (data donation for public good purposes). Applied from September 24, 2023.
- AI Act: Takes a risk-based approach to regulating artificial intelligence systems placed on the EU market. It prohibits certain AI practices deemed unacceptable risk, imposes strict requirements on "high-risk" AI systems (in areas like employment, critical infrastructure, law enforcement), sets transparency obligations for others (like chatbots), and leaves minimal-risk AI largely unregulated. Political agreement reached December 2023; formal adoption expected in 2024, with phased application.
How GDPR Intersects with the New Digital Regulations
While each regulation has a distinct focus, they frequently intersect with GDPR because personal data is often the underlying subject matter or a key element affected by their rules. GDPR remains the horizontal baseline for any processing of personal data within the scope of these newer laws.
1. Legal Basis for Processing Personal Data:
- GDPR requires a valid legal basis (Article 6) for all personal data processing. The new regulations often impact which bases are available or add conditions.
- Data Act: While facilitating access to IoT data, it explicitly confirms that if this data is personal, GDPR applies. Sharing personal IoT data with third parties at the user's request must still rely on a valid GDPR legal basis (e.g., user consent, potentially contractual necessity if the sharing is integral to a service requested by the user).
- DMA: Directly impacts gatekeepers' ability to use personal data. For instance, Article 5(2) restricts gatekeepers from combining personal data sourced from different core platform services or from third-party services with core platform data for advertising purposes, unless the user has been offered a choice and given specific consent compliant with GDPR standards. This limits reliance on other legal bases like legitimate interests for such combining activities.
- AI Act: Training or deploying AI systems often involves processing vast amounts of data, including personal data. This processing must adhere to GDPR's requirements, including having a valid legal basis. For high-risk AI, ensuring the data used is relevant, representative, and error-free has GDPR implications regarding data quality and accuracy (GDPR Art. 5(1)(d)). Processing sensitive data categories (GDPR Art. 9) for AI training or operation requires meeting one of the strict exceptions, typically explicit consent.
2. Transparency and Information:
- GDPR mandates extensive transparency (Articles 12-14) about data processing activities. The new laws often add layer-specific transparency requirements.
- DSA: Imposes significant transparency obligations on platforms regarding content moderation decisions, advertising practices (requiring clear identification of ads, the advertiser, and key parameters used for targeting – complementing GDPR's Art. 13/14 information duties), and the main parameters used in recommender systems.
- AI Act: Requires providers of high-risk AI systems to provide comprehensive documentation and instructions for users, including information about the AI's capabilities, limitations, intended purpose, and the data it processes – information often relevant under GDPR's transparency principles when personal data is involved.
3. Data Subject Rights:
- GDPR grants individuals fundamental rights like access, rectification, erasure, restriction, and data portability. These rights remain paramount whenever personal data is processed under the newer regulations.
- Data Act: Creates new rights specifically related to IoT data, including a user's right to access data generated by their connected devices and a right to share that data with third parties. This access right complements GDPR's Article 15 access right, while the sharing right echoes GDPR's Article 20 data portability right but applies potentially more broadly to generated IoT data, not just data provided by the user or observed.
- DMA: Grants business users of gatekeeper platforms rights to access data they generate on the platform, which might include personal data relating to end users (subject to GDPR compliance).
4. Profiling and Automated Decision-Making:
- GDPR places specific rules on profiling and solely automated decision-making that produces legal or similarly significant effects (Article 22), generally requiring human intervention or explicit consent. It also grants the right to object to profiling for direct marketing (Article 21).
- DSA: Adds specific prohibitions. Online platforms cannot present targeted advertising based on profiling using sensitive personal data categories (as defined in GDPR Art. 9). Furthermore, platforms aware that a user is a minor cannot present targeted advertising based on profiling to them (Art. 28). VLOPs/VLOSEs must also offer users at least one recommender system option not based on profiling (Art. 38).
- DMA: Restricts gatekeepers from using profiling techniques combining data across services without GDPR-compliant consent (Art. 5(2)).
- AI Act: Targets risks associated with profiling. It prohibits certain applications like social scoring by public authorities and manipulative AI systems. High-risk AI systems used for profiling in critical areas (e.g., recruitment, creditworthiness) face stringent requirements regarding risk management, data quality, transparency, and human oversight, complementing GDPR Art. 22 protections.
5. Dark Patterns:
- Deceptive user interface designs ("dark patterns") that manipulate users into sharing more data or making choices against their interests are problematic under GDPR, particularly as they can invalidate consent (Art. 7). The EDPB has issued guidelines on recognizing and avoiding deceptive design patterns in social media interfaces.
- DSA (Art. 25): Directly prohibits online platforms from designing, organizing, or operating their online interfaces in a way that deceives or manipulates recipients of the service or materially distorts or impairs their ability to make free and informed decisions. This provides a specific legal hook against dark patterns, reinforcing GDPR's principles of fairness and valid consent.
6. Child Protection:
- GDPR affords children's personal data specific protection, notably requiring parental consent for information society services offered directly to children below a certain age (Art. 8) and enhancing the right to erasure (Art. 17).
- DSA (Art. 28): Mandates that online platforms accessible to minors implement appropriate measures to ensure a high level of privacy, safety, and security for them. As noted, it also bans targeted advertising based on profiling minors.
- AI Act: Requires providers of high-risk AI systems that could be accessed by or affect children to specifically consider their vulnerabilities in risk management (Art. 9).
Navigating the Regulatory Ecosystem
The EU's approach is creating a dense web of interconnected digital regulations. While GDPR provides the overarching framework for personal data protection, businesses must now also contend with the specific obligations arising from the DSA, DMA, Data Act, DGA, and AI Act where applicable. Key challenges include:
- Jurisdictional Overlap: Determining which authority (DPA, NCA, DSA Coordinator, AI authority) takes precedence or how they cooperate in investigations involving overlapping issues.
- Compliance Complexity: Managing the cumulative burden of ensuring compliance across multiple, detailed regulations.
- Potential Tensions: Balancing objectives, such as the Data Act's goal of facilitating data sharing versus GDPR's principle of data minimization.
Conclusion
GDPR remains the bedrock of personal data protection in the EU. However, it no longer stands alone. The DSA, DMA, Data Act, DGA, and AI Act build upon, interact with, and sometimes impose stricter or more specific requirements than GDPR in their respective domains. For businesses, particularly US tech companies operating extensively in Europe, navigating this complex digital regulatory landscape requires a holistic compliance approach that integrates GDPR principles with the specific demands of these newer, often sector-specific or activity-specific, regulations. Understanding the interplay is key to mitigating risk and operating successfully within the EU's evolving digital single market.