On February 24, 2023, the European Data Protection Board published its adoption of the final versions of three guidelines after public consultation on (1) the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V GDPR, (2) certification as a tool for transfers and (3) deceptive design patterns in social media platform interfaces.
Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V GDPR
The guidelines clarify when the requirements of Chapter V apply by identifying three cumulative criteria that qualify a processing operation as a transfer:
- A controller or processor (“exporter”) is subject to the GDPR for the given processing,
- The exporter makes the personal data subject to this processing available to another controller, joint controller or processor (“importer”),
- The importer is in a third country, regardless of where it is established, or is an international organisation.
Consequently, the transfers subject to this provision shall only take place under certain conditions. For instance, there must be an adequacy decision from the European Commission (art. 45) or appropriate safeguards (art. 46). Moreover, the guidelines include various examples of data flows to third countries.
Certification as a tool for transfers
Among the appropriate safeguards provided in art. 46 GDPR, art. 42(2) and 46(2)(f) introduce certification as a new mechanism for transferring data to third countries or international organisations. The guidelines cover:
- the process for obtaining a certification,
- the interpretation of the accreditation of certification bodies in accordance with ISO 17065, Guidelines 4/2018, and art. 43 GDPR,
- the certification criteria listed in Guidelines 1/2018, together with additional specific criteria covering the assessment of the third country’s legislation, the general obligations of importers and exporters, rules on onward transfers, redress and enforcement, and the process and actions to take where local legislation and practices prevent compliance,
- the elements of the binding and enforceable commitments that controllers or processors not subject to the GDPR should make in order to provide appropriate safeguards for data transfers to third countries.
Deceptive design patterns in social media platform interfaces
The guidelines replace the term “dark patterns” with “deceptive design patterns”. They define “deceptive design patterns” as interfaces and user journeys on social media platforms that attempt to influence users into making unintended, unwilling and potentially harmful decisions, often against the users’ best interests in respect of the processing of their personal data. The objective of these patterns is to influence users’ behaviour and to obstruct their ability to effectively protect their personal data and make conscious choices. Where deceptive design patterns result in infringements of the GDPR, the data protection authorities may impose sanctions against their use. These guidelines are a useful reference for UI/UX designers working on social media platforms who want to avoid infringements caused by the six categories of patterns the EDPB identifies: overloading, skipping, stirring, obstructing, fickle and left in the dark.
The EDPB provides examples throughout the entire life cycle of a user account, including the registration process, data protection management and the exercise of data subjects’ rights. The user interfaces of social media applications and platforms must comply with the principles set out in Article 5 GDPR, which lays down the principles of fair processing, transparency, data minimisation and accountability. Accordingly, these principles are the basis for assessing whether a design pattern constitutes a “deceptive design pattern”. Furthermore, the assessment must take into account the conditions for consent (art. 4(11) and 7 GDPR), respect for the data subjects’ rights (art. 12 and Chapter III GDPR) and the requirements of data protection by design and by default (art. 25 GDPR).
For more information on personal data protection in the EU, see AstraIA Gear: https://www.astraiagear.com/2023/02/23/update-on-data-protection-in-the-eu-this-week/