Competition law and data protection: UK-EU convergence and where it goes next
In short: Competition law and data protection are no longer enforced as separate regimes. The EDPB and the European Commission announced joint guidance work on 28 April 2026, the latest in the EDPB’s cross-regulatory programme. The UK reached the same starting point in May 2021 through the CMA-ICO joint statement and runs the convergence through the DRCF.
If a UK or EU firm has market power in a data-driven sector, competition law and data protection are no longer enforced as two separate compliance regimes. Dominant platforms, financial services firms with scaled consumer-data footprints, telecoms operators with scaled subscriber data, large adtech firms and large AI infrastructure providers all face one conduct question with two regulatory entry points: how their consent design, data combining and default settings sit against both regimes at once. The point of convergence now exists on both sides of the Channel.
On 28 April 2026 the European Commission’s competition directorate and the European Data Protection Board (EDPB) announced joint work on guidance addressing the interplay between EU competition law and data protection law. The short announcement was published the same day as the Commission’s first Article 53 review of the Digital Markets Act, which attracted most of the immediate attention and is covered in our DMA review post. The joint workstream announcement is the more consequential development for the medium term: a small paragraph that fixes the start of a substantial new piece of EU regulatory architecture, sitting inside an EDPB programme of cross-regulatory work that has been building since January 2025.
How the two regimes drifted together: the CJEU Meta judgment
The substantive convergence began in case law on 4 July 2023. In Case C-252/21 Meta Platforms Inc and Others v Bundeskartellamt (ECLI:EU:C:2023:537), the Grand Chamber of the Court of Justice held that a national competition authority assessing abuse of dominance under Article 102 TFEU may take account of an undertaking’s compliance with the General Data Protection Regulation, where this is necessary to establish the abuse, provided that it cooperates with the competent data protection supervisory authority and does not replace that authority’s role. The reference came from the Oberlandesgericht Düsseldorf in proceedings on the Bundeskartellamt’s 2019 decision against Meta’s combining of Facebook user data with off-Facebook data without valid GDPR consent; the Court’s ruling addressed the preliminary questions on the legal basis for that approach, not the merits of the German decision.
The Court added that cooperation between competition authorities and data protection authorities is in some cases mandatory and not optional, by virtue of the duty of sincere cooperation in Article 4(3) of the Treaty on European Union. National competition authorities cannot substitute themselves for data protection authorities on questions of GDPR compliance; they must consult and cooperate. The decision left the law without a coherent cooperation framework: the duty exists, but the practical mechanics had to be built.
The European Commission then embedded the principle into competition methodology. The Commission Notice on the definition of the relevant market of 22 February 2024 explicitly recognises the protection of privacy and personal data offered to consumers as a parameter of competition for market-definition purposes, particularly in digital and tech mergers. Data protection moved from the sidelines of competition analysis to a named parameter of competition between dominant undertakings in the digital economy.
The EDPB competition law and data protection programme builds out
The EDPB adopted its Position paper on the interplay between data protection and competition law on 16 January 2025. The paper sets out the EDPB’s view that cooperation between regulators is in some cases mandatory under the duty of sincere cooperation; identifies four maturity levels of existing cooperation models across Member States, ranging from informal ad hoc consultation to fully structured arrangements with both legal requirements and practical machinery; and recommends cooperation protocols as the most effective way to ensure reciprocal consultation and avoid duplicative enforcement where two authorities sanction the same conduct under different frameworks.
The Helsinki Statement of 3 July 2025 set the broader EDPB strategy. The Board committed to enhanced clarity, support and engagement, with structured cooperation with non-data-protection regulators expressly identified as a strategic objective under the EDPB 2024-2027 strategy.
The first joint EDPB-Commission output landed on 9 October 2025. The Board and the Commission endorsed joint guidelines on the interplay between the Digital Markets Act and the GDPR, named by both bodies as “the first joint guidelines by the Board and the European Commission“. Public consultation closed on 4 December 2025 with over 100 contributions; the contributions were published on 12 March 2026. Final adoption is expected in Q4 2026. The EDPB had separately adopted its own Guidelines 3/2025 on DSA-GDPR on 12 September 2025; these are EDPB-only guidelines, not a joint EDPB-Commission instrument.
The EDPB then adopted its Work Programme 2026-2027 on 12 February 2026. The programme names joint EDPB-Commission guidelines on the interplay between the AI Act and the GDPR for adoption in 2026, joint guidance with competition authorities on data protection interplay, and an ongoing programme of cross-regulatory engagement. The 28 April 2026 DG COMP announcement formalised the start of the competition law and data protection strand and is the third joint EDPB-Commission output to be initiated, alongside DMA-GDPR and the forthcoming AI Act-GDPR set. The EDPB stakeholder event on 29 June 2026 is the next public milestone.
Competition law and data protection: the UK position
The UK put the same issue on an institutional footing earlier. The Competition and Markets Authority and the Information Commissioner’s Office published their joint statement on competition and data protection law on 19 May 2021, before the CJEU Meta judgment of July 2023 and almost four years before the EDPB Position Paper of January 2025. Both regulators described the statement as the first of its kind globally. It sets out the agreed position that competition and data protection are complementary rather than opposing agendas; that data, including personal data, plays a central role in the digital economy as a parameter of competition; and that the two regulators would work collaboratively to overcome perceived tensions between their objectives, with practical examples already in train at the time.
The operational framing sits in the Digital Regulation Cooperation Forum (DRCF), formed in July 2020 between the CMA, the ICO and Ofcom, with the FCA joining as a full member in April 2021. The DRCF publishes an annual workplan; the 2025/26 workplan continues ICO-CMA cooperation on privacy and competition in digital advertising markets as a named workstream, with further joint work on online safety and data protection (ICO-Ofcom) and financial services AI (ICO-FCA). The DRCF is a coordination forum, not a joint enforcement authority; each regulator retains its own statutory powers.
The UK statutory substrate runs broader than the EU’s. Concurrent competition powers sit with the sector regulators under sections 54 to 56 of the Competition Act 1998 and Schedule 10, as modernised by Part 4 of the Enterprise and Regulatory Reform Act 2013 and the Concurrency Regulations 2014 (SI 2014/536). Ofcom holds concurrent powers under section 371 of the Communications Act 2003; the FCA under section 234I of the Financial Services and Markets Act 2000; the PSR under section 61 of FSBRA 2013. The DRCF sits above this; concurrency operates beneath it on the legal layer.
The strategic market status regime under Part 1 of the Digital Markets, Competition and Consumers Act 2024, in force from 1 January 2025, adds an ex-ante conduct layer to the picture. The CMA designated Apple and Google as having SMS in their respective mobile platforms on 22 October 2025 and has run conduct-requirement consultations through 2026. SMS designation triggers conduct requirements that bear directly on data combining, consent design and default settings. The interplay with UK GDPR is, in practical terms, what the CMA-ICO joint statement of 2021 anticipated. A refresh of the 2021 statement to reflect the DMCC Act 2024 was on the 2024/25 DRCF workplan but was deferred; it remains promised but not delivered.
Where the EU and UK architectures diverge
The EU and the UK have ended up at substantively similar positions through architectures that diverge in five ways: forum, source of cooperation duty, output type, substantive coverage and the role of an ex-ante conduct overlay.
| Feature | EU (EDPB and the Commission) | UK (DRCF, CMA, ICO and the concurrent regulators) |
|---|---|---|
| Forum | EDPB and Commission services produce joint guidance instruments; the EDPB High Level Group of EU digital regulators coordinates DMA implementation across sectoral regimes | Digital Regulation Cooperation Forum (CMA, ICO, Ofcom, FCA), formed July 2020; produces joint papers, case-coordination workplans and joint statements |
| Source of cooperation duty | CJEU C-252/21 Meta v Bundeskartellamt: cooperation between competition and data protection authorities is in some cases mandatory under the duty of sincere cooperation in Article 4(3) TEU | Voluntary and operational through DRCF and bilateral cooperation; concurrent competition powers under CA 1998 ss 54-56 and SI 2014/536 allocate sectoral enforcement but do not mandate cross-regulator coordination on the convergence |
| Output type | Joint EDPB-Commission guidelines: DMA-GDPR (draft 9 October 2025, final Q4 2026); AI Act-GDPR (in preparation, 2026); competition law-GDPR (announced 28 April 2026). Separately, EDPB-only Guidelines 3/2025 on DSA-GDPR (adopted 12 September 2025, consultation closed October 2025) | CMA-ICO joint statement (19 May 2021, refresh deferred); DRCF annual joint papers; bilateral MoUs between regulators |
| Substantive coverage | Per-instrument: DMA, AI Act and now general competition law on the joint EDPB-Commission track; DSA on the EDPB-only track | Per-issue: digital advertising (ICO-CMA), online safety and data protection (ICO-Ofcom), financial services AI (ICO-FCA), platform M&A and SMS regime conduct |
| Ex-ante conduct overlay | DMA Regulation 2022/1925 imposes direct conduct obligations on designated gatekeepers; AI Act, DSA, Data Act sit alongside; the new competition law and data protection guidance is regime-agnostic on type of undertaking | DMCC Act 2024 Part 1 SMS regime in force from 1 January 2025; firm-by-firm designation; bespoke conduct requirements and pro-competition interventions; Apple and Google designated 22 October 2025; commitments accepted 1 April 2026 |
The substantive overlap is high. The EU joint competition-GDPR guidance, once adopted, will sit alongside the existing DMA-GDPR set and apply to dominant undertakings under Article 102 TFEU whether or not the undertaking is a DMA-designated gatekeeper. The UK substrate is regime-agnostic in the same way: Chapter II of the Competition Act 1998 applies to any dominant undertaking, and the UK GDPR applies to any UK data controller. The two pieces fit together on both sides; the assembly mechanics differ.
Competition law and data protection: where it goes next
Three things will shape the next twelve to eighteen months in the EU. First, the final adoption of the EDPB-Commission joint DMA-GDPR guidelines in Q4 2026 sets the template for the competition-GDPR guidance that follows. The DMA-GDPR draft contains detailed positions on specific choice and valid consent under Article 5(2) DMA, on combining and cross-using personal data in core platform services, and on third-party app distribution, data portability and messaging interoperability. Those positions will travel into the competition-GDPR guidance with adjustments for the broader Article 102 scope.
Second, the AI Act-GDPR joint guidelines, scheduled for 2026 adoption with the AI Office of the Commission, will complete the four-instrument EDPB cross-regulatory programme on the EU’s main horizontal digital and competition regimes.
Third, the EDPB stakeholder event on 29 June 2026 is the first public window into how the competition-GDPR guidance is being framed. The Board’s stakeholder events on prior joint guidance have shaped the substantive direction of the resulting text; the call for expressions of interest will be open ahead of the event. UK data controllers with EU operations and EU data protection counsel both have material reason to engage.
For the UK side, two refresh points are due. The CMA-ICO joint statement of May 2021 is overdue for an update to take account of the DMCC Act 2024 SMS regime, the ICO’s enforcement settlement framework and the Data (Use and Access) Act 2025 (DUAA) Article 22 automated decision-making regime. The DRCF 2026/27 workplan, when published, will indicate whether the refresh has been picked back up. Separately, the CMA’s post-designation work on Apple and Google mobile platforms moved from designation into commitments on 1 April 2026; consent design and default-settings cases under the SMS regime will be the first practical test of how the UK regulators coordinate on conduct that engages both regimes.
Section 60A of the Competition Act 1998 still matters for UK undertakings with EU operations. It requires UK courts and authorities, when applying Chapter I and Chapter II, to avoid inconsistency with pre-IP completion day EU competition law principles, subject to statutory exceptions. Post-transition EU case law and Commission decisions are not binding but may be considered. The EDPB-Commission competition-GDPR guidance, when adopted, will therefore raise the regulatory bar across both jurisdictions in substance even where the procedural routes diverge. UK enforcement on dominant data-driven firms will not lag the EU by much.
Viewpoint
The 28 April 2026 announcement received less attention than it deserved on the day it landed. The DMA Article 53 review report attracted most of the immediate attention because it answered an existing political question (is the DMA tough enough); the joint workstream announcement opens a new one (how does the GDPR sit inside competition analysis). The relative attention paid to the two announcements is a useful signal in itself about which story has the greater long-term significance.
The most interesting question for the joint guidance is whether it travels beyond the gatekeeper context the DMA-GDPR draft is anchored to. Article 102 TFEU is regime-agnostic on the type of dominant undertaking caught; the guidance can in principle apply to any dominant data-driven firm whether or not it is a DMA-designated gatekeeper. The EDPB Position Paper’s reference to “exceptional circumstances” for valid consent where a clear imbalance of power exists, drawing on the Board’s Opinion 08/2024 on Consent or Pay, hints at a broader sweep. The practical bite of the guidance will sit not in the headline DMA obligation but in the alignment of consent flows across linked services and the audit trail behind them. That is the operational consequence of the EDPB’s “no adverse consequences” standard for valid consent in conditions of power imbalance. The UK CMA-ICO refresh should land in the same territory.
This is the conduct-side analysis in our continuing series on EU/UK regulatory convergence; the DMA-specific strand is at our DMA review 2026 post and the merger-control strand at our EU Merger Guidelines data post.
Frequently asked questions
What is the EDPB-Commission joint workstream on competition law and data protection?
On 28 April 2026 the European Commission’s competition directorate (DG COMP) and the European Data Protection Board announced joint work on guidance addressing the interplay between EU competition law and data protection law. The work will focus on selected situations where data protection law is relevant for competition assessment and where competition concepts inform data protection assessment. It builds on the EDPB’s Position Paper of 16 January 2025 and on the existing joint EDPB-Commission DMA-GDPR guidelines published in draft on 9 October 2025.
When was the UK joint statement on competition law and data protection published?
19 May 2021. The Competition and Markets Authority and the Information Commissioner’s Office described it as the first joint statement of its kind globally. It sets out the regulators’ shared view that competition and data protection are complementary rather than opposing agendas, that data is a parameter of competition in digital markets, and that the regulators will work collaboratively to overcome perceived tensions between their objectives. A refresh to take account of the DMCC Act 2024 was on the 2024/25 DRCF workplan but was deferred.
Does the CJEU Meta v Bundeskartellamt judgment apply in the UK?
The judgment is not directly binding on UK courts. Under section 60A of the Competition Act 1998, UK courts and authorities are required to act with a view to securing consistency with EU competition law principles as they stood at the end of the transition period, which was before C-252/21 (4 July 2023). UK courts may have regard to the judgment but are not bound by it. The CMA and ICO have, however, operated on substantively similar principles since their May 2021 joint statement.
What is the Digital Regulation Cooperation Forum?
The Digital Regulation Cooperation Forum (DRCF) is a voluntary forum formed in July 2020 between the Competition and Markets Authority, the Information Commissioner’s Office and Ofcom, with the Financial Conduct Authority joining as a full member in April 2021. The DRCF coordinates regulatory approach to digital markets and AI across its four members. It does not have joint enforcement powers; each regulator retains its own statutory functions. The DRCF publishes an annual workplan and joint papers under its programme of work.
When will the EDPB-Commission joint guidelines on competition law and data protection be adopted?
The EDPB and the Commission have not published the content of the planned guidance or a timetable for adoption. The EDPB Work Programme 2026-2027, adopted 12 February 2026, names the initiative as a 2026 deliverable. A remote stakeholder event is scheduled for 29 June 2026 as the first public consultation milestone. For comparison, the EDPB-Commission joint DMA-GDPR guidelines published in draft on 9 October 2025 are expected to reach final adoption in Q4 2026.
For advice on competition law and data protection compliance for dominant data-driven firms operating in the UK and EU, contact Rob Bratby at Bratby Law. We also advise on data protection and transactions in regulated sectors across the UK and EU regulatory layers, including AI and data governance advice for firms whose market power triggers both regimes.
