Stirring: affects the choice users would make by appealing to their emotions or using visual nudges.
Hindering: an obstruction or blocking of users in their process of getting informed or managing their data by making the action hard or impossible to achieve.
Fickle: the design of the interface is inconsistent and not clear, making it hard for users to navigate the different data protection control tools and to understand the purpose of the processing.
Left in the dark: an interface is designed in a way to hide information or data protection control tools or to leave users unsure of how their data is processed and what kind of control they might have over it regarding the exercise of their rights.
In addition to regrouping dark patterns in these categories according to their effects on users’ behaviour, dark patterns can also be divided into content-based patterns and interface-based patterns to more specifically address aspects of the user interface or user experience. Content-based patterns refer to the actual content and therefore also to the wording and context of the sentences and information components. In addition, however, there are also components that have a direct influence on the perception of these factors. These interface-based patterns are related to the ways of displaying the content, navigating through it or interacting with it.
It is essential to keep in mind that dark patterns raise additional concerns regarding potential impact on children, registering with the social media provider.
The GDPR provides for additional safeguards when the processing concerns children’s personal data, as children may be less aware of the risks and consequences concerning their rights in relation to the processing.7 It is explicitly provided that, considering the specific protection required for the processing of their data, any information provided to children when their personal data are being processed should be given in clear and plain language so that children can understand it.8 In addition, the GDPR explicitly includes the processing of individuals’ data, particularly that of children, among the situations where a risk to the rights and freedoms of individuals, of varying likelihood and severity, may result from data processing that could lead to physical, material or non-material damage.9
2 PRINCIPLES APPLICABLE – WHAT TO KEEP IN MIND?
Regarding the data protection compliance of user interfaces of online applications within the social media sector, the applicable data protection principles are set out in Article 5 GDPR. The principle of fair processing laid down in Article 5 (1) (a) GDPR is a starting point for an assessment of the existence of dark patterns. As the EDPB already stated, fairness is an overarching principle which requires that personal data shall not be processed in a way that is detrimental, discriminatory, unexpected or misleading to the data subject.10 If the interface has insufficient or misleading information for the user and fulfils the characteristics of dark patterns, it can be classified as unfair
7 GDPR, Recital 38.
8 GDPR, Recital 58.
9 GDPR, Recital 75; see also EDPB Guidelines 8/2020 on targeting of social media users, para. 16, https://edpb.europa.eu/system/files/202104/edpb_guidelines_082020_on_the_targeting_of_social_media_users_en.pdf.
10 EDPB Guidelines 4/2019 on Article 25 Data Protection by Design and by Default, version 2.0, adopted on 20 October 2020, p. 16; https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-42019article-25-data-protection-design-and_en.
Adopted - version for public consultation