Products Pricing Methodology Contact
Client Portal Contact Us
Cresthaven Analytics Intelligence Brief

EDPB Data Protection Brief

April 1, 2026 · 14:07 UTC · European Data Protection Board · EU

By Cresthaven Analytics Research Desk

Headline

EDPB formalises cross-regulatory joint guidelines spanning AI Act, DMA, DSA, and competition law

Executive Summary

On 17 March 2026, the EDPB convened a formal conference in Brussels titled 'Cross-regulatory interplay and cooperation in the EU: a data protection perspective,' confirming three active or forthcoming joint guidelines workstreams — DMA-GDPR (post-consultation finalisation), AI Act-GDPR (in progress), and a newly announced competition law-GDPR joint guidelines initiative — establishing a structural cross-regulatory coordination posture between the EDPB and the European Commission.

Key Regulatory Signals

  • AI Act–GDPR Joint Guidelines Confirmed: The EDPB and European Commission have confirmed active joint guidelines work on the AI Act-GDPR interplay; organisations deploying AI systems that process personal data must treat this workstream as a live compliance dependency and monitor for consultation publication, which will define lawful basis, transparency, and high-risk AI obligations under both frameworks simultaneously.
  • DMA–GDPR Joint Guidelines Entering Final Phase: The DMA-GDPR joint guidelines have completed public consultation and are proceeding to finalisation; gatekeepers and their data-sharing counterparties must review consultation feedback signals — particularly the panel emphasis that DMA obligations must not be granted primacy over GDPR — to anticipate final compliance parameters.
  • Competition Law–GDPR Joint Guidelines Newly Announced: The EDPB has formally agreed to develop joint guidelines with the European Commission on the interplay between competition law and data protection; organisations subject to both competition scrutiny and GDPR face an emerging dual-framework compliance obligation that does not yet have defined parameters.
  • DSA–GDPR Coherence Mandate Reinforced: Panel conclusions explicitly framed DSA online safety obligations and GDPR lawful processing as requiring coherent joint interpretation, with age verification cited as a concrete pressure point; platforms subject to DSA obligations must audit age verification and minor protection mechanisms for simultaneous GDPR compliance.
  • Cross-Regulatory Enforcement Coordination Signalled: EVP Virkkunen and LIBE Chair Zarzalejos both confirmed institutional commitment to seamless cross-regulatory enforcement cooperation; compliance functions should anticipate coordinated investigative activity between the EDPB, European Commission DG COMP, and Digital Services Coordinators rather than siloed enforcement proceedings.

Regulatory Delta

The EDPB's prior cross-regulatory posture was largely reactive and advisory — issuing opinions on specific legislative proposals and participating in inter-institutional consultations without formalised joint output mechanisms. The current item represents a structural departure: the EDPB is now a co-author of binding-adjacent joint guidelines with the European Commission across three concurrent regulatory intersections, a coordination model with no direct EDPB precedent prior to the DMA-GDPR guidelines workstream. The AI Act intersection is directly relevant, as the forthcoming AI Act-GDPR joint guidelines will be the primary instrument resolving the unresolved tension between AI Act Article 10 data governance requirements, high-risk system obligations under Annex III, and GDPR lawful basis and purpose limitation principles.

Materiality Classification

High — EDPB's formalization of three concurrent joint guidelines workstreams (AI Act, DMA, and competition law) with the European Commission establishes the EDPB as a co-regulator across the EU digital regulatory stack, creating multi-framework compliance obligations for any organization subject to GDPR and the AI Act, DMA, DSA, or competition enforcement.

Time Horizon

Medium-Term (90-180 days) — DMA-GDPR joint guidelines in finalization phase; AI Act-GDPR joint guidelines under active development; organizations should begin dual-framework compliance mapping now.

Intelligence Outlook

Monitor the EDPB for publication of the final DMA-GDPR joint guidelines and the consultation draft of AI Act-GDPR joint guidelines. Watch the European Commission DG COMP for the forthcoming competition law-GDPR joint guidelines initiative that will define obligations at the intersection of data dominance and competition enforcement.

More briefs in Technology, AI & Competition