President of the Personal Data Protection Office, Mirosław Wróblewski, took part in a discussion on cooperation between European regulators

On 17 March, a conference entitled “Cross‑regulatory cooperation in the EU: a data protection perspective” was held in Brussels, organised by the European Data Protection Board. President of the Personal Data Protection Office, Mirosław Wróblewski, spoke during a panel dedicated to the practical interactions between the GDPR and the Digital Services Act (DSA).

The opening address was delivered by Anu Talus, Chair of the EDPB. She emphasised that the provisions of the GDPR intersect in many respects with the DSA, the DMA (Digital Markets Act), and numerous other regulations. For this reason, cooperation between the regulatory authorities responsible for enforcing these rules is essential – and indeed already taking place, proving helpful in many areas. Such cooperation facilitates compliance and enforcement, while also providing greater legal certainty.

“The digital economy does not operate in silos, and neither should we. The same cases may fall under data protection law, consumer law, competition law or platform regulation. Exchange of experience between authorities working in different fields is indispensable. Three principles should guide us: consistency, consistency and once again consistency. We should build a culture of cooperation and good governance, as well as strengthen trust. Public authorities must, however, retain their competences – through cooperation and knowledge‑sharing they will be better prepared to maintain economic competitiveness while protecting citizens’ rights.” – said EDPB Chair Anu Talus.

Mirosław Wróblewski, President of the Personal Data Protection Office, participated in the third panel, entitled “DSA and GDPR: how they interact in practice”. In his opening remarks, he noted that both acts have equal legal force and, although they protect different rights, they overlap to a significant extent. Conflicts are therefore unavoidable.

“As Anu Talus pointed out, we very much need a consistent and proportionate approach. The most important areas where these acts overlap arise from the legal bases of both the DSA and the GDPR.” – said President Wróblewski.

For example, the obligation to actively identify illegal content may conflict with the principles of lawful personal data processing. However, the President of the Personal Data Protection Office stressed that processing data for the purpose of fulfilling DSA obligations does not necessarily have to rely on consent, and platforms should avoid excessive data collection when doing so.

He added that the GDPR and the DSA also define transparency differently. He highlighted two aspects: the implementation of eIDAS and the provisions on the protection of minors, which will allow both proper protection and the minimisation of personal data processing. It is therefore possible to reconcile freedom of expression with the ability to identify individuals.

Cooperation between supervisory authorities under both the DSA and the GDPR is essential. Implementing these regulations separately in each Member State may lead to inconsistencies in interpretation and decision‑making. National authorities therefore bear significant responsibility for developing cooperation mechanisms, including national procedures. Such cooperation is also crucial for effective enforcement, particularly in relation to international companies.

The panel also featured Marco Giorello, Head of the DSA Monitoring and Cooperation Unit at the European Commission. He indicated that the most important areas requiring cooperation include ensuring access to data for research purposes and collaboration within the eight working groups of the European Board for Digital Services.

Benoit Loutrel, a member of the Board of Arcom (the French regulator for digital communications and audiovisual services), pointed out the structural differences between the GDPR – a universal and broad regulation – and the DSA, which imposes different obligations on different categories of entities. The most significant provisions concern VLOPs (very large online platforms). Experience has shown that such platforms may invoke the GDPR to refuse researchers access to data. As a result, researchers are unable to verify how algorithms operate or whether platforms are fulfilling their obligations.

Victoria de Posson, Secretary General of the European Tech Alliance, presented the business perspective. She stressed that European companies, in order to remain competitive, must employ more engineers than lawyers. They therefore need uniform and consistent enforcement of regulations – and this remains a distant goal.

Mirosław Wróblewski also emphasised that notice‑and‑action mechanisms must not become tools of surveillance. He pointed to the problem of deepfakes, which are currently used both to influence election campaigns and to deceive individuals into investing money or purchasing fake medicines. Platforms, meanwhile, profit from advertising such fraudulent content.

“We need effective tools to ensure meaningful protection. This is demonstrated by certain actions taken by platforms – for example, combating so‑called celeb‑bait requires monitoring mechanisms by supervisory authorities. We also have examples of good cooperation between data protection authorities and social media operators. In this respect, the DSA and the GDPR work hand in hand to provide protection against illegal content and the misuse of personal data to create deepfakes.” – said the President of the Personal Data Protection Office.

He stressed that privacy protection already exists at the constitutional level, but requires proportionality and judicial assessment – both national and European. In this context, he recalled the Russmedia case (UODO’s statement on the case: https://uodo.gov.pl/pl/138/4021). . The CJEU held that a balance must be struck between the obligation of platforms to actively monitor content and the requirement to ensure technical and organisational measures for data protection. However, the balance should shift away from excessive surveillance towards effective counteraction of deepfakes.

Other panels at the conference addressed the synergies between data protection law and competition law, as well as the complementary relationship between the GDPR and the Digital Markets Act. Short addresses were also delivered by Henna Virkkunen, EU Commissioner for Technological Sovereignty, Security and Democracy, and Javier Zarzalejos, MEP and Chair of the Committee on Civil Liberties, Justice and Home Affairs (LIBE). They presented the key priorities of the institutions they represent.