
2.3 Data protection by design
All the data protection principles set out in Article 5 GDPR are specified further in the GDPR. Article 5 (1) (a) GDPR stipulates that personal data shall be processed in a transparent manner in relation to the data subject. The Guidelines on Transparency specify the elements of transparency as laid down by Article 12 GDPR, i.e. the need to provide the information in a "concise, transparent, intelligible and easily accessible form, using clear and plain language".13 These Guidelines also provide guidance on how to fulfil the information obligations under Articles 13 and 14 GDPR regarding social media providers.
In addition, the text of the data protection principles of Article 5 (1) (a) GDPR and other special legal provisions within the Regulation contain many more details of the principle of transparency, which are linked to specific legal principles, such as the special transparency requirements in Article 7 GDPR for obtaining consent.
2.3 Data protection by design
In the context of the Guidelines 4/2019 on Article 25 Data Protection by Design and by Default, there are some key elements that controllers and processors have to take into account when implementing data protection by design regarding a social media platform. One of them is that with regard to the principle of fairness, the data processing information and options should be provided in an objective and neutral way, avoiding any deceptive or manipulative language or design.14 The Guidelines identify elements of the principles for Data Protection by Default and Data Protection by Design, among other things, which become even more relevant with regard to dark patterns:15
Autonomy: Data subjects should be granted the highest degree of autonomy possible to determine the use made of their personal data, as well as autonomy over the scope and conditions of that use or processing.
Interaction: Data subjects must be able to communicate and exercise their rights in respect of the personal data processed by the controller.
Expectation: Processing should correspond with data subjects' reasonable expectations.
Consumer choice: The controllers should not "lock in" their users in an unfair manner. Whenever a service processing personal data is proprietary, it may create a lock-in to the service, which may not be fair, if it impairs the data subject's possibility to exercise their right of data portability in accordance with Article 20 GDPR.
Power balance: Power balance should be a key objective of the controller-data subject relationship. Power imbalances should be avoided. When this is not possible, they should be recognised and accounted for with suitable countermeasures.
No deception: Data processing information and options should be provided in an objective and neutral way, avoiding any deceptive or manipulative language or design.
Truthful: The controllers must make available information about how they process personal data, should act as they declare they will and not mislead data subjects.
13 Article 29 Working Party Guidelines on transparency under Regulation 2016/679, endorsed by the EDPB https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=622227.
14 See Guidelines 4/2019 on Article 25 Data Protection by Design and by Default, p. 18, para. 70.
15 Excerpt - for the full list, see Guidelines on Article 25 Data Protection by Design and by Default, para. 70.
Compliance with Data Protection by Default and Data Protection by Design is important when assessing dark patterns, as it would result in avoiding implementing them in the first place. Indeed, confronting one's service and associated interfaces to the elements comprising Data Protection by Default and by Design principles, such as the ones mentioned above, will help identify aspects of the service that would constitute a dark pattern before launching the service. For example, if data protection information is provided without following the principle "No deception", then it is likely to constitute a "Hidden in Plain Sight" or "Emotional Steering" dark pattern that will both be further developed in use case 1.