Yesterday, the European Fee published over 100 public submissions acquired throughout its closed session on draft joint tips governing the intersection of the Digital Markets Act and the Normal Knowledge Safety Regulation – a doc that, as soon as finalised, will set binding expectations for the way Alphabet, Amazon, Apple, ByteDance, Meta and Microsoft deal with private knowledge throughout their core platforms within the European Union.
The session opened on 9 October 2025 and closed on 4 December 2025 at 23:59 CET. The Fee and the European Knowledge Safety Board introduced on 13 March 2026 that the submissions had been printed in full, with private knowledge redacted. The ultimate tips are anticipated to be adopted in 2026.
The stakes are vital. In line with the session web page printed by the Fee, contributions had been sought “significantly from enterprise customers (particularly SMEs) and finish customers of the gatekeepers’ digital companies in scope of the DMA and associations representing these customers.” What arrived as an alternative was a remarkably broad cross-section: legislation corporations, assume tanks, civil society teams, lecturers, commerce associations, particular person residents and, critically, the gatekeepers themselves. The doc governing each how corporations like Google and Meta could course of private knowledge for promoting, and the way different app retailer operators or messaging companies could entry that knowledge, drew scrutiny from throughout the digital financial system.
Two legal guidelines, one pressure
The DMA and GDPR pursue distinct goals, and that’s the place the complexity begins. In line with the joint tips drafted for public session, “the DMA goals to deal with the potential dangerous results for enterprise customers of unfair practices by laying down harmonised guidelines relevant to gatekeepers making certain, for all companies, contestable and truthful markets within the digital sector throughout the Union.” The GDPR, against this, “goals to guard pure individuals with regard to the processing of non-public knowledge and make sure the free circulation of non-public knowledge within the Union overlaying all knowledge controllers and processors.”
Each frameworks can apply concurrently to the identical entity performing the identical act. A gatekeeper operating an advert community is, without delay, a knowledge controller beneath the GDPR and a regulated entity beneath the DMA. The rules clarify that this overlap is just not coincidental – it’s structural. In line with the doc, “a constant and coherent interpretation of the DMA and the GDPR ought to mutually reinforce and maximise achievement of the respective goals of the 2 frameworks.” The doc additionally warns explicitly that the rules are designed to “keep away from dangers that gatekeepers, controllers and processors instrumentalize their compliance with the GDPR with a view to make their compliance with the DMA much less efficient, and vice-versa.”
That final sentence carries actual industrial weight. Critics of huge platforms have lengthy argued that privateness messaging can operate as a aggressive moat – that invoking knowledge safety obligations can, in observe, restrict what smaller rivals or different shops are permitted to do. The rules try to shut that hole.
What Article 5(2) means for promoting
Probably the most commercially delicate part of the rules issues Article 5(2) DMA, which governs end-user consent for knowledge processing for promoting functions. This provision prohibits gatekeepers from doing 4 issues with out acquiring legitimate consent from finish customers: processing private knowledge from third-party companies for internet marketing; combining private knowledge throughout totally different core platform companies; cross-using private knowledge from one service in one other individually offered service; and signing customers into companies in an effort to mix their knowledge.
In line with the rules, all 4 of those classes “qualify as processing operations inside the which means of Article 4(2) GDPR.” Which means GDPR consent requirements apply – and people are demanding. Consent have to be “freely given, particular, knowledgeable and unambiguous,” in line with Articles 4(11) and seven of the GDPR. Gatekeepers can not depend on authentic pursuits or contractual necessity as a lawful floor for these classes of processing. Consent is the one possibility.
The sensible consequence for digital promoting is appreciable. Efficiency Max from Google, Benefit+ from Meta and comparable AI-driven marketing campaign instruments select audiences automatically across platforms in ways in which could mix knowledge throughout companies. Whether or not these automated picks represent “profiling” requiring consent beneath Article 9 GDPR – significantly when the underlying knowledge infers delicate classes – is a stay regulatory query the rules start to deal with however don’t absolutely resolve.
On consent design, the rules are particular. Gatekeepers should supply a “much less personalised however equal different” to customers who refuse consent – they can not merely deny service. Acceptance and refusal choices have to be offered in equal phrases, “with out nudging finish customers in the direction of consenting.” Pre-ticked containers are usually not legitimate consent and are explicitly described as non-compliant. And as soon as a consumer refuses or withdraws consent, the gatekeeper “is prohibited from repeating its request for consent for a similar goal greater than as soon as inside a interval of 1 12 months.”
That annual restrict is technical and nuanced. In line with the rules, the clock begins from the second a consumer “actively” makes a selection – not from after they dismiss or abandon a consent dialog. If a consumer deletes the cookie or technical report that shops their choice, or switches to a distinct machine, a recent request could also be permissible.
App retailer management attracts the heaviest public fireplace
The biggest cluster of particular person public submissions targeted not on promoting knowledge however on Article 6(4) DMA – the supply requiring gatekeepers to permit and technically allow the set up and use of third-party apps and different app shops on their working programs.
A number of submissions, together with these from a French citizen recognized as Thibaud Boquet, a Czech developer named Jan Bouška, and a Swedish consumer named Samuel Blomster, referenced Google’s August 2025 announcement of a compulsory developer verification programme. In line with one submission dated 7 November 2025, “In August 2025, Google introduced that beginning subsequent 12 months, it should not be attainable to develop apps for the Android platform with out first registering centrally with Google. This registration will contain: paying a price to Google; agreeing to Google’s T&Cs; and itemizing all present and future utility identifiers.”
A number of respondents related this on to the DMA. In line with a submission from Evgeni Kunev of Bulgaria, “Gatekeepers being allowed to require registration by different retailer operators doesn’t appear to adjust to (no less than) the spirit of the GDPR. Gatekeepers don’t have any authentic curiosity in having that info. Moreover this maintains their capability to assemble info on finish customers’ put in functions exterior their respective app shops.”
A Finnish respondent named Andreas Jabbari, writing as an Apple consumer, took a distinct angle – arguing that DMA enforcement itself had produced dangerous outcomes. In line with his submission, “Over 90% of high-profile enforcement actions, fines, and specification proceedings since 2024 have singled out Apple. Options like Wi-Fi sync on Apple Watch, iPhone Mirroring, Dwell Translation, and Dwelling Display screen internet apps are being intentionally crippled or eliminated within the EU solely.”
The strain within the submissions displays a real regulatory problem. The rules themselves acknowledge it. In line with the doc, gatekeepers “shouldn’t search to instrumentalize their compliance with different relevant legal guidelines with a view to make their compliance with Article 6(4) DMA much less efficient.” On the identical time, Article 6(4) does allow gatekeepers to take security-related measures, offered these measures are “strictly mandatory and justified and that there are not any less-restrictive means to realize that purpose.”
Knowledge portability and search knowledge entry
Past promoting and app shops, the rules handle two additional provisions with direct implications for the advertising and marketing expertise ecosystem.
Article 6(9) DMA establishes a proper to knowledge portability for finish customers that goes additional than the equal proper in Article 20 GDPR. In line with the rules, portability beneath the DMA “applies no matter the lawful floor beneath which knowledge has been processed by the gatekeeper beneath the GDPR” and have to be enabled “on a steady and real-time foundation.” There is no such thing as a cost permitted. The authorized foundation for this processing by the gatekeeper is Article 6(1)(c) GDPR – compliance with a authorized obligation – which means the gatekeeper doesn’t want separate consent to port the info, solely to obtain the instruction to take action.
On-device knowledge falls inside scope. In line with the rules, “on-device knowledge that’s offered or generated within the context of the usage of a CPS falls inside the scope of Article 6(9) DMA, no matter whether or not the gatekeeper makes use of such on-device knowledge.” This issues for advertisers and measurement suppliers who depend on device-level indicators that platform house owners could select to not floor by customary APIs.
Article 6(11) DMA addresses a narrower however vital slice: the appropriate of third-party search engine suppliers to obtain entry to rating, question, click on and consider knowledge from a gatekeeper’s search service. This knowledge have to be anonymised earlier than sharing. The rules spend appreciable house defining what anonymisation really means on this context. In line with the doc, “pseudonymised knowledge must be thought of to be private in nature” if it stays attainable – utilizing means “fairly probably” to be employed – to re-identify the top consumer. Gatekeepers ought to choose anonymisation strategies that “protect probably the most high quality and usefulness of the info for the third occasion,” whereas nonetheless assembly the authorized threshold.
For the search promoting market, this issues. Entry to click on and question knowledge from dominant search platforms might, in precept, permit smaller search suppliers to coach rating programs aggressive with these of Google, which has faced sustained DMA enforcement pressure over its European search product since March 2024.
Messaging interoperability and encryption
Article 7 DMA requires gatekeepers designated for number-independent interpersonal communication companies – which presently means Meta’s WhatsApp – to supply interoperability with competing messaging companies at no cost. WhatsApp enabled third-party chats with BirdyChat and Haiket in November 2025 as a primary step towards assembly this obligation.
The rules handle the GDPR implications of interoperability intimately. Finish-to-end encryption presents a selected problem: sharing private knowledge with a third-party messaging service, even to route a message, constitutes knowledge processing beneath the GDPR. In line with the rules, “implementing a well-defined protocol for managing the change and certification of cryptographic keys between gatekeepers and suppliers of NIICS requesting interoperability would tremendously contribute to a safe basis for a dependable implementation of E2EE.” The doc additionally specifies that “gatekeepers ought to think about applicable measures to make sure that the totally different service suppliers can solely use the keys in addition to another corresponding content material exchanged for key settlement acquired from the gatekeeper for the meant goal of enabling interoperability.”
Knowledge safety impression assessments beneath Article 35 GDPR are required. This isn’t discretionary – the rules state that interoperability implementation “may be very prone to fulfil the factors for the requirement to hold out a knowledge safety impression evaluation.”
Coordination between regulators
A closing part of the rules addresses the institutional mechanics of how the Fee and nationwide knowledge safety supervisory authorities (DPAs) are anticipated to cooperate when the identical conduct doubtlessly violates each the DMA and the GDPR.
The Fee holds sole authority to implement the DMA. DPAs implement the GDPR. However when a gatekeeper’s conduct entails each frameworks concurrently – because it nearly at all times does in promoting – the doc establishes mutual session obligations. In line with the rules, “the place the Fee is named upon, within the train of its powers, to look at whether or not a gatekeeper’s conduct is compliant with the DMA, when such examination additionally entails inspecting whether or not the gatekeeper’s conduct is per the provisions of the GDPR,” session with related knowledge safety authorities is required. The duty runs in each instructions.
The rules additionally handle double jeopardy. Gatekeepers “subjected to proceedings or sanctions by the Fee and by a knowledge safety supervisory authority in relation to the identical conduct” face potential ne bis in idem issues. The doc doesn’t resolve this absolutely however establishes session because the mechanism for avoiding it.
This issues virtually. Luxembourg’s Administrative Court annulled Amazon’s €746 million GDPR fine yesterday on procedural grounds – not as a result of the underlying GDPR violations had been discovered to be absent, however as a result of the regulator had skipped required analytical steps. As DMA enforcement scales up and because the two frameworks work together extra often, the procedural coherence the rules try to determine shall be examined repeatedly.
What the session means for advertising and marketing professionals
For digital advertising and marketing professionals, the rules create readability in some areas and uncertainty in others. The prohibition on counting on authentic pursuits or contractual necessity as lawful grounds for cross-service knowledge mixture is unambiguous. If a platform processes knowledge from a third-party web site to serve personalised adverts – or combines a consumer’s search historical past with their procuring behaviour to refine a focusing on mannequin – that processing requires consent.
Check My Ads, an advertising accountability organisation, submitted an in depth response through the session interval. The organisation argued that the rules ought to make clear that “offering internet marketing companies” encompasses the total chain of operations – profiling, focusing on, bidding, optimisation, measurement, frequency capping and attribution – relatively than permitting slender interpretations that would exclude algorithmic focusing on steps from consent necessities.
The consent structure questions are equally stay for advertisers utilizing Consent Mode from Google, which mandates signals aligned with EU privacy rules, and for these working in markets the place platform fines have already been issued. Apple received €150 million from French regulators and €98.6 million from Italian regulators in 2025 for uneven consent designs in its App Monitoring Transparency framework. Meta was fined €200 million in April 2025 for its European promoting consent structure and subsequently appealed the choice. Microsoft mandated consent signals from advertisers by May 2025.
The joint tips, as soon as finalised, will present an authoritative interpretation of how these frameworks work together. They won’t create new legislation – each the DMA and GDPR stay the governing texts – however they’ll set up the Fee’s and the EDPB’s shared studying of ambiguous provisions. For gatekeepers, compliance groups and the advertisers who depend upon these platforms to succeed in European customers, that studying will successfully set the ground.
The ultimate tips are anticipated to be printed in 2026. The Fee and EDPB have said they’ll “fastidiously assessment all submissions” earlier than adoption.
Timeline
Abstract
Who: The European Fee and the European Knowledge Safety Board (EDPB), performing collectively, together with over 100 respondents together with gatekeepers (Alphabet/Google, Amazon, Apple, Meta, Microsoft), civil society organisations, SMEs, lecturers, legislation corporations, and particular person residents.
What: The Fee and EDPB printed all redacted public submissions acquired through the session on draft joint tips that handle the interaction between the Digital Markets Act and the Normal Knowledge Safety Regulation. These tips cowl consent necessities for promoting knowledge, app retailer entry, knowledge portability rights, search knowledge sharing, messaging interoperability, and regulator coordination. The ultimate tips, anticipated in 2026, will set up the authoritative interpretation of how each frameworks apply to the identical conduct by designated gatekeepers.
When: The session ran from 9 October 2025 to 4 December 2025. The submissions had been printed on 13 March 2026. The draft tips had been first launched on 9 October 2025 as a 1.13 MB PDF reference doc.
The place: The method is ruled at European Union degree. The DMA applies to gatekeepers’ core platform companies provided to customers within the Union. Enforcement of the DMA rests with the European Fee; enforcement of the GDPR rests with nationwide knowledge safety supervisory authorities throughout 27 member states, coordinated by the EDPB.
Why: Each the DMA and the GDPR can apply to the identical knowledge processing act by the identical entity on the identical time. With out coordinated steerage, gatekeepers, their enterprise customers and finish customers face authorized uncertainty about learn how to adjust to each concurrently – and face a selected danger that compliance with one framework might be used to undermine compliance with the opposite. The rules are designed to make sure the 2 frameworks “mutually reinforce and maximise achievement of their respective goals.”
Share this text
