Written by Haim Ravia and Dotan Hammer
The European Data Protection Board (EDPB) published the final versions of three guidelines previously released for public comment. The first is the guidelines on “Deceptive design patterns in social media platform interfaces: how to recognize and avoid them”; the second is the guidelines on certification as a tool for cross-border data transfers; the third is the guidelines on the interplay between the application of Article 3 and the provisions on international transfers under Chapter V of the GDPR.
The guidelines on deceptive design patterns offer practical recommendations to both social media operators and users on how to avoid deceptive user interfaces that violate the GDPR. These interfaces attempt to manipulate users into making decisions and taking actions on social media that are detrimental to data protection and privacy. Examples include interface overloading, impairing the user’s ability to be informed of the data protection implications of their actions, inconsistent or unclear interface design, influencing the choice users make by appealing to their emotions, and using visual nudges.
The guidelines present best practices and a checklist of deceptive design pattern categories. The recommended best practices cover the user sign-up process, a layered design of the privacy notice, data protection settings menus and controls, communicating a data breach to data subjects, and more.
The guidelines on certification as a tool for cross-border data transfers explain how accredited certifications are usable as a voluntary tool by data importers to legitimize the cross-border transfer of personal data to countries not recognized by an EU adequacy decision.
The certification process evaluates the data importer against the certification criteria. This evaluation is carried out by a certification body accredited either by the national accreditation body of an EU member state or by the national data protection authority of that member state. The certification mechanism needs to include an assessment of the legislation in the data importer’s country and of the need to use supplementary measures to ensure an equivalent level of data protection, in line with the EDPB’s Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data.
The third set of guidelines addresses the interplay between the application of Article 3 and the provisions on international transfers under Chapter V of the GDPR. The guidelines define a cross-border transfer to which Chapter V of the GDPR applies as any disclosure or transmission of personal data from an organization subject to the GDPR to another organization located outside the EU, regardless of whether the other organization is itself subject to the GDPR. Therefore, the collection of personal data by an organization directly from a data subject does not constitute a transfer that is subject to Chapter V of the GDPR.
Once a transfer is subject to Chapter V of the GDPR, it can only be carried out if the recipient is located in a country recognized by an EU adequacy decision, or through the use of one of the other safeguards codified in Chapter V of the GDPR. Only in extreme and extraordinary cases may the transfer take place without such safeguards, under the ‘derogations’ enumerated in Chapter V.
Click here to read the EDPB’s guidelines on deceptive design patterns in social media platform interfaces: how to recognize and avoid them.
Click here to read the EDPB’s guidelines on certification as a tool for cross-border data transfers.
Click here to read the EDPB’s guidelines on the interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR.