27 Apr 2022
The European Data Protection Board addresses Dark Patterns in Social Media Platforms - Tricks to make you say ‘yes’
As of the 15th of March 2022, the European Data Protection Board [EDPB], established by the General Data Protection Regulation 2016/679 [GDPR], published guidelines which give concrete examples of ‘dark patterns’ in social media platforms, emphasizing the need for an effective cooperation of EEA and third country SAs, supporting EDPB’s Strategy and work programme 2021-2022 to support effective enforcement and efficient cooperation between national Supervisory Authorities (SAs). In doing so, the guidelines focus on monitoring and diminishing any danger threatening the operation of GDPR and in turn, intend to protect the fundamental rights and freedoms of users relating to the processing of their personal data. The aim is that of a ‘one-stop-shop mechanism’.
‘Dark patterns’ are a worldwide phenomenon that emerged with the development of technology and threatens the protection of personal data. Specifically, dark patterns are interfaces implemented on social media platforms that trick users into unwillingly making potentially harmful decisions regarding the processing of their personal data. Many platforms inform the user and most of the time (but not always) provide the user with an option to decline the processing of their data. However, the disclaimer is not presented in an appropriate and clear manner, with the intention of tricking the user into consenting to the processing of their personal data. Such behaviour conflicts with Article 7(2) of the GDPR.
The article emphasises that the request of consent shall be presented in a manner which is clearly distinguishable from other matters in an ‘intelligible and easily accessible form, using clear and plain language’ for effective data protection.
Guidelines and Key Actions
The relevant guidance on Article 60 of GDPR is part of EDPB’s Strategy and Work Programme 2021-2022 and aims to promote the idea of a one-stop-shop mechanism, achieving an effective and consistent application of GDPR. Accordingly, the guidance allows SAs to apply their own national procedures in a way that conforms with the one-stop-shop mechanism, achieving effective cooperation between the SAs. The guidance contains specific recommendations for designers of these platforms, using examples of dark patterns to help assess and avoid them. The EDPB focuses on four key objectives in its strategy, ensuring a consistent application of data protection rules and advancing cooperation between the SAs. The idea is that of a unified approach to data protection at a cross-border level.
Objective No.1: Cooperation and Compliance
EDPB’s first objective is to enhance cooperation and compliance to limit the fragmentation of data protection rules among the member states and at the same time to provide practical, straightforward guidance for effectively implementing data protection in practice. The EDPB recommends three key actions in achieving this. Firstly, it addresses important aspects of EU data protection, such as the scope of the data subject’s rights and the concept of legitimate interest, thereby guaranteeing a consistent application of data protection law and addressing potential gaps in interpretation and practices among member states. Moreover, it recommends investing efforts in dedicated workshops and staff training to stimulate compliance mechanisms for controllers and processors. Lastly, the EDPB suggests promoting tools that aim to raise awareness, specifically tailored for non-expert professionals such as SMEs and data subjects including children, limiting the awareness gap.
Objective No.2: Efficient enforcement and Cooperation of SAs
The next objective focuses on promoting efficient cooperation between all national SAs for the development of an effective EU-wide enforcement culture among SAs. In doing so, the EDPB encourages a full use of cooperation tools, removing the inconsistencies between different national enforcement procedures, promoting a common application of key concepts, and strengthening communication between the SAs. Additionally, it suggests the implementation of a Coordinated Enforcement Framework (CEF) for facilitating joint actions in a flexible but coordinated manner, using common methodologies. Furthermore, it supports the establishment of a Support Pool of Experts (SPE) for providing support in the form of expertise to enhance cooperation between all SAs, by complementing their strengths and addressing their operational needs.
Objective No. 3: Protection of fundamental human rights
EDPB strives to ensure that fundamental and human rights are protected for all people by monitoring emerging technologies. As expressed by the EDPB, the goal is to ‘help shape Europe’s digital future in line with our common values and rules’. This can be achieved by monitoring and assessing new emerging technologies and providing clear guidance on implementing protection principles effectively, ensuring that in the end individuals are in sufficient control of their personal data. Utmost protection is at the core of the guidance, hence the EDPB suggests intensifying engagement and cooperation with other regulators and policymakers for individuals to receive optimal protection.
Objective No. 4: An ‘Example to follow’
Lastly, the EDPB seeks to promote EU and global standards for data protection and transfers to third countries. It recommends the concept of a one-stop-shop mechanism, a global model for achieving consistent and effective data protection beyond EU borders. Accordingly, it promotes the use of transfer tools and the provision of guidance to ensure an equivalent level of protection between the EEA and third countries. Moreover, it promotes engagement with the international community showing that they are an example to follow, establishing high standards of protection worldwide. In doing so, the EDPB draws attention to the need for effective cooperation with the SAs of third countries.
Overall, EDPB’s aim of a one-stop-shop mechanism, also acknowledged by GDPR itself in Recital 127, is an ideal model for an effective protection of personal data on a global level. On the other hand, the strategy includes mere recommendations, which may only have a limited impact on achieving unified global data protection. These guidelines need to be implemented into national law at a global level, to allow for an effective harmonization and operation of the one-stop-shop mechanism.