New EDPB guidelines DMA & GDPR on the way: why every Belgian company should pay attention

On 9 October 2025, the European Commission and the European Data Protection Board (EDPB) published joint draft guidelines on the interaction between the Digital Markets Act (DMA) and the General Data Protection Regulation (GDPR). At first glance, this seems like a technical discussion for "gatekeepers" like Google and Meta. However, a thorough analysis shows a different picture: these draft guidelines contain interpretations that threaten to change the application of the GDPR for ALL businesses in the EU. The impact extends far beyond the walls of Big Tech and could touch the foundations of your data processing and online services.

From gatekeepers to SMEs: a shared legal playing field

The DMA aims to limit the power of the largest digital platforms and ensure fairer and more open digital markets. The GDPR, on the other hand, protects the personal data of all European citizens and applies to virtually every business. The new guidelines should clarify how these two important regulations co-exist.

The danger, however, lies in the details. Under the guise of regulating gatekeepers, the EDPB is introducing interpretations of the GDPR that could set a precedent. If adopted in their current form, these guidelines could lead to a stricter and more restrictive reading of the GDPR for everyone.

Article 5(2) DMA - The redefinition of consent

This article is perhaps the most sweeping: it prohibits gatekeepers from combining personal data, cross-using it between different services, or using it for targeted advertising without valid end-user consent. To still be allowed to perform these processing operations, gatekeepers must meet two cumulative conditions: they must offer a specific choice (including an "equivalent alternative") and the user must give explicit, valid GDPR consent. Several dangers lurk here.

The 'equivalent but not identical' service: an impossible split

The draft guidelines state that the alternative for users who do not give consent must be "less personalized but equivalent." They then tighten this concept: the alternative service must not be of "degraded quality" and must not differ in "performance, experience and conditions of access."

This is a fundamentally contradictory requirement. By definition, a service without personalization (e.g., a news feed that is not tailored to reading behavior) offers a different experience. The proposition that experience should not differ is illogical and creates an unworkable, subjective standard. It opens the door to endless discussions about what exactly constitutes an "equivalent experience," leading to immense legal uncertainty for anyone wishing to offer alternative (e.g., paid, ad-free) versions of a service.

Practical impact: This logic can trickle down to the discussion of 'cookie walls' and 'pay or okay' models for all websites. If a non-personalized or paid version is considered "non-equivalent" because the "experience" is different, it undermines legitimate business models that rely on advertising revenue.

The subjective bar for user interfaces

The draft guidelines rightly state that interfaces should not be misleading. However, they go much further. They state that design choices that "may mislead or nudge end users into providing unintended and thus invalid consent" are prohibited. The text adds that an interface should not cause users not to "think about all or some of the implications of providing their consent."

This formulation is problematic. The terms "nudge," "unintended," and "not to think" are extremely subjective. What one user sees as a helpful suggestion (nudging), another may perceive as manipulation. It also places an unrealistic burden of proof on the designer. How can a company prove that a user was not "nudged"? What if a user consciously chooses a fast, standardized interface? Requiring a design to force users to consider all implications is unrealistic and could make any standardized, user-friendly interface vulnerable to legal proceedings.

Practical impact: This creates a climate of enormous legal uncertainty for web designers and developers. Any attempt to make a consent flow smooth and efficient can be attacked as "nudging." The bar is set so high that it becomes almost impossible to design an interface that is both user-friendly and legally unassailable.

The hierarchy of legal grounds: a creeping danger

Perhaps the most fundamental risk is the implicit message that consent (Article 6(1)(a) GDPR) is a "better" legal ground than contractual necessity (6(1)(b)) or legitimate interest (6(1)(f)). The draft guidelines explicitly state that for processing operations under Article 5(2) DMA, gatekeepers cannot rely on the performance of a contract or their legitimate interest. The justification for this is "ensuring a high level of protection of personal data."

This sets a dangerous precedent. Article 6 of the GDPR provides six possible legal grounds for processing personal data, including consent, contractual necessity and legitimate interest. The GDPR itself provides no hierarchy; each legal ground is valid if its conditions are met. Suggesting that excluding certain legal grounds leads to "better" protection systematically erodes the value of legitimate interest - a crucial and flexible legal ground for innovation, security and service improvement.

Practical impact: If this reasoning is adopted by regulators, it may become more difficult for any company to invoke legitimate interest for essential activities such as fraud prevention, network security, or even improving its own services. This would lead to an inflation of consent requests, resulting in "consent fatigue" among users.

Article 6(4) DMA - App Stores and controller responsibility

This article requires gatekeepers offering an operating system to allow the installation and use of third-party software and app stores (known as sideloading). However, the gatekeeper may take "strictly necessary and proportionate" measures to ensure the integrity and security of the hardware and operating system.

The draft guidelines make a crucial legal clarification here that is relevant to all platform ecosystems: the gatekeeper (as the operating system provider) and the third-party app developer are in principle considered separate and independent data controllers.

This means that the gatekeeper may not dictate how the app developer meets its own GDPR obligations. The gatekeeper can provide technical tools (e.g., for asking for consent), but the developer remains responsible and should be free to choose its compliance strategy.

Practical impact: For any Belgian company operating on a third-party platform (be it an app store, an e-commerce marketplace or a social network), this affirms a fundamental principle. Be critical of platform terms and conditions that try to dictate to you how to handle your customer data. In principle, you are an independent data controller and bear your own responsibility.

Article 6(9) DMA - Data portability 2.0 and its implications

Article 6(9) creates an enhanced right to data portability. It goes beyond the well-known Article 20 of the GDPR. Users (and third parties authorized by them) must be given "continuous real-time access" to all the data they have provided or that has been generated by their activity. This right is free and applies regardless of the original legal basis for the processing.

The draft guidelines work out some complex scenarios:

  • Third-party data: What if the data set that a user wishes to take with them also contains personal data belonging to other individuals (e.g., contacts, photos with others)? The draft guidelines confirm that this falls within the scope. The gatekeeper must facilitate the transfer, but the recipient (the user or authorized third party) becomes a data controller for that data itself and must comply with the GDPR.
  • International transfers: If a user wishes to transfer their data to a service in a country outside the EEA without an adequate level of protection, the gatekeeper must obtain the user's explicit and informed consent for that specific high-risk transfer, in accordance with Article 49 GDPR.

Practical impact: For enterprises that want to build innovative services by combining data from different platforms (with user consent), this article presents enormous opportunities. At the same time, it brings significant responsibilities. If you receive data through this mechanism, you become fully responsible for its proper processing, including informing all data subjects whose data you indirectly obtain.

Article 6(11) DMA - The high bar for data anonymization

To promote competition in the search engine market, this article requires gatekeepers to give competing search engines access to anonymized ranking, query, click and view data. The crucial condition is that all personal data must be "anonymized."

The draft guidelines dive deep into the definition of anonymity, citing recital 26 of the GDPR. Data is anonymous only when a person is no longer identifiable, taking into account "all means reasonably available" to anyone to identify that person. The challenge here is the inherent tension that the draft guidelines themselves recognize: anonymization must be effective, but at the same time without "substantially degrading the quality or usefulness of the data".

Practical impact: This illustrates the extremely high threshold for effective anonymization under the GDPR. For any company working with anonymized or pseudonymized datasets, this is a warning sign. The techniques must be robust and the risk of re-identification (e.g., by combining the data with other datasets) must be negligible. True anonymization is complex and requires thorough technical and legal analysis.

What can you do? Public consultation is crucial

These draft guidelines are not law, but they give a clear indication of the direction European regulators want to go. The implications for non-gatekeepers could be significant. Fortunately, a public consultation has been opened where all interested parties can provide their feedback. This runs until December 4, 2025.

It is vital that businesses, from SMEs to larger players, make their voices heard. The voice of practitioners is essential to prevent theoretical and unworkable principles from becoming the norm. Speak to your industry federation or consider submitting a contribution yourself.

Conclusion: a Trojan horse for the GDPR

The joint Commission and EDPB guidelines are more than a technical document for a handful of tech giants. They threaten to be a Trojan horse that ushers in a much more restrictive interpretation of the GDPR throughout the European Union. The proposed principles around legal grounds, equivalent services and interface design create uncertainty and could hurt the innovation and competitiveness of European companies. Vigilance and active participation in the public debate are now crucial.


Joris Deene

Attorney-partner at Everest Attorneys
