Interoperability and Privacy: A Balancing Act Under EU Law

 Key Takeaways 

• On 9 October 2025, the European Commission (EC) and European Data Protection Board (EDPB) have published Draft Guidance clarifying how Digital Markets Act (DMA) interoperability obligations interact with GDPR requirements.
• Gatekeepers face a dual compliance challenge: enabling interoperability while respecting privacy and data minimization principles.
• Businesses should anticipate heightened enforcement coordination between competition and data protection authorities. 

Why It Matters 

The DMA’s interoperability mandates—particularly for messaging services, operating systems, and app stores—are designed to reduce lock-in and foster competition. However, these obligations often require data sharing and technical integration, which raises significant privacy concerns under GDPR. 

The Draft Guidance signals that competition and privacy regulators are working hand-in-hand, creating a new compliance frontier for gatekeepers and their business partners. 

Interoperability Under the DMA 

• Messaging Services (Article 7 DMA): Gatekeepers must enable interoperability with third-party messaging apps, including exchange of text, images, and files.
• Operating Systems & App Stores (Article 6(4) DMA): Gatekeepers must allow third-party app stores and sideloading, reducing exclusivity. 

These measures aim to open ecosystems, but they inherently involve data flows across platforms, triggering GDPR obligations. 

Privacy Constraints 

The Draft Guidance emphasises: 

• Data Minimization: Gatekeepers must share only what is strictly necessary for interoperability.
• DPIAs Required: Before enabling interoperability, gatekeepers must conduct Data Protection Impact Assessments to identify and mitigate risks.
• Consent & Transparency: Where personal data is exchanged, GDPR-compliant consent and clear user information are mandatory. 

The Competitive Angle 

Interoperability could erode gatekeepers’ network effects, lowering barriers to entry and promoting competition. Yet, privacy safeguards may limit the scope of data sharing, potentially reducing the pro-competitive impact of DMA obligations. 

This tension creates strategic uncertainty: 

• Will privacy constraints blunt interoperability’s competitive benefits?
• Could excessive data sharing under the guise of interoperability lead to enforcement actions from DPAs? 

Implications for Competition Strategy 

• Anticipate Privacy as a Competitive Variable: Privacy compliance is no longer a siloed issue—it directly affects the feasibility and scope of interoperability. Gatekeepers should integrate privacy risk into their competition strategy.
• Leverage Interoperability for Market Entry: Smaller players can use DMA-driven interoperability to reduce switching costs. But they must design solutions that minimize personal data processing to avoid GDPR pitfalls.
• Prepare for Coordinated Enforcement: Expect joint investigations by EC and DPAs. Competition lawyers should collaborate with privacy teams to ensure interoperability measures do not trigger enforcement under either regime.
• Monitor Technical Standards: Future EC implementing acts may define interoperability protocols. Early engagement in standard-setting could secure competitive advantages. 

✅ DMA–GDPR Compliance Checklist for Gatekeepers

1. Interoperability Obligations

• [ ] Conduct DPIAs before enabling interoperability (messaging, app stores, OS).
• [ ] Ensure data minimization: share only what is strictly necessary for interoperability.
• [ ] Implement technical safeguards to prevent excessive data flows. 

2. Consent Management

• [ ] Obtain GDPR-compliant consent for:
   ο Combining personal data across services (Article 5(2) DMA).
   ο Sharing data with business users or third parties (Article 6(10) DMA).
• [ ] Design user-friendly consent flows (no dark patterns, no functionality loss if refused).
• [ ] Provide clear, layered information about processing by gatekeeper and third parties. 

3. Data Portability

• [ ] Enable DMA-expanded portability rights (beyond GDPR scope).
• [ ] Include data about other individuals where required, applying safeguards.
• [ ] For transfers outside EEA, obtain explicit consent and explain risks. 

4. Anonymization & Search Data

• [ ] Apply GDPR-standard anonymization for third-party search providers (Article 6(11) DMA).
• [ ] Monitor EC implementing acts for technical standards on anonymization. 

5. App Store & OS Compliance

• [ ] Allow third-party app stores and sideloading without compromising privacy.
• [ ] Ensure compliance with e-Privacy Directive (e.g., consent for device access). 

6. Governance & Documentation

• [ ] Maintain records of processing activities for interoperability features.
• [ ] Document risk assessments and mitigation measures for EC and DPAs.
• [ ] Train teams on dual compliance (competition + privacy). 

7. Enforcement Readiness

• [ ] Prepare for joint EC–DPA investigations.
• [ ] Align internal compliance programs to avoid conflicting obligations.
• [ ] Monitor public consultation outcomes and update compliance roadmap. 

Tip: Treat privacy as a competitive variable—robust compliance can reduce enforcement risk and support strategic positioning in a more open ecosystem. Interoperability under the DMA is not a free pass to data access. Privacy remains a hard constraint, and businesses must navigate this balancing act carefully to avoid regulatory pitfalls. 

Author: Carter Chim  

 

Carter Chim

“Carter is a leading specialist in competition law in Hong Kong and is known for his deep legal knowledge in EU and Hong Kong competition law. He is a very collaborative and effective communicator, he gives pragmatic advice that addresses commercial realities and client sensitivities, and his persuasive style and ability to distill complex legal concepts into accessible language make him a compelling advocate.”
Legal 500 Asia-Pacific 2025, Competition — Leading Juniors 

Carter has been recognised by The Legal 500 (Legalease) as a Leading Junior (Tier 1) in Competition Law for five consecutive years (i.e. 2021 to 2025).

Carter has acted in a number of landmark constitutional and administrative law cases before the Hong Kong Court of Final Appeal, including Secretary for Justice v Leung Kwok Hung [2021] HKCFA 32 (concerning the scope of parliamentary privilege enjoyed by a member of the Legislative Council in the course of proceedings).

General civil matters form a core part of Carter’s practice. Matters which he is regularly instructed to handle include winding up petitions (for the successful petitioner in Re Yuan Tong Global Financial Group Ltd [2021] HKCFI 1534), water leakage cases, property disputes, discrimination cases, and more.

View Carter’s profile for more information.

This article was first published on 15 October 2025.

Disclaimer: This article does not constitute legal advice and seeks to set out the general principles of the law. Detailed advice should therefore be sought from a legal professional relating to the individual merits and facts of a particular case. The photographs which appear in this article are included for decorative purposes only and should not be taken as a depiction of any matter to which the case is related. The views and opinions expressed in this article/material are solely those of the members authoring it and do not necessarily reflect the official policy or position of Denis Chang’s Chambers, or of any other member or members of Denis Chang’s Chambers.