The European Data Protection Board (EDPB) has recently published, after a public consultation with different segments of European society, three new guidelines related to the protection of personal data. They are the following:
- Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR
- Guidelines 07/2022 on certification as a tool for transfers
- Guidelines 03/2022 on Deceptive design patterns in social media platform interfaces: how to recognise and avoid them
The following is a brief description of each of them:
1.1. GUIDELINES 05/2021 ON THE INTERPLAY BETWEEN THE APPLICATION OF ARTICLE 3 AND THE PROVISIONS ON INTERNATIONAL TRANSFERS AS PER CHAPTER V OF THE GDPR
Given that the GDPR (General Data Protection Regulation) does not define what a “transfer of personal data to a third country or to an international organization” is, the EDPB uses three cumulative criteria to qualify a processing operation as a transfer. Thus, if all three criteria identified by the EDPB are met, the operation constitutes a transfer and Chapter V of the GDPR applies. They are:
- A controller or a processor (“exporter”) is subject to the GDPR for the given processing;
- The exporter discloses by transmission or otherwise makes personal data, subject to this processing, available to another controller, joint controller or processor (“importer”); and
- The importer is in a third country, irrespective of whether or not this importer is subject to the GDPR for the given processing in accordance with Article 3, or is an international organisation.
Thus, the transfer of personal data to a third country or to an international organization may only take place on the basis of an adequacy decision by the European Commission (Article 45) or of appropriate safeguards provided by the exporter (Article 46).
If the three criteria are not met, Chapter V of the GDPR does not apply, but the controller must comply with the remaining provisions of the GDPR, in particular Article 5 (“Principles relating to the processing of personal data”), Article 24 (“Responsibility of the controller”) and Article 32 (“Security of Processing”).
The risks of such personal data processing in a foreign country that does not comply with the GDPR stem in particular from conflicting national laws or disproportionate government access.
The examples are the highlight of these guidelines. They are an aid in understanding the issue in practical cases, as shown below:
1.2. GUIDELINES 07/2022 ON CERTIFICATION AS A TOOL FOR TRANSFERS
The GDPR requires in its Article 46 that data exporters put in place appropriate safeguards for transfers of personal data to third countries or international organizations. Among these safeguards, certification emerges as a new transfer mechanism (Articles 42(2) and 46(2)(f)).
According to Article 44 of the GDPR, any transfer of personal data to third countries or international organizations must comply with the remaining provisions of the GDPR in addition to Chapter V. Therefore, each transfer must comply, among others, with the data protection principles of Article 5 of the GDPR, with Article 6 of the GDPR (lawfulness of processing) and, in the case of special categories of data, with Article 9 of the GDPR.
Thus, a two-step test should be applied. As a first step, one must ensure compliance with the general provisions of the GDPR. Then, as a second step, one must comply with the provisions of Chapter V of the GDPR.
Pursuant to Article 46(2)(f) of the GDPR, such appropriate safeguards, including respect for the rights of data subjects, can be provided by an approved certification mechanism, together with binding and enforceable commitments from the controller or processor in the third country.
The EDPB is empowered to approve EEA-wide certification criteria (European Data Protection Seal) and to provide opinions on Supervisory Authorities’ draft decisions on certification criteria and accreditation requirements of the certification bodies so as to ensure consistency. It is also competent for collating all certification mechanisms and data protection seals and marks in a register and making them publicly available.
The Supervisory Authorities (SAs) approve the certification criteria when the certification mechanism is not a European Data Protection Seal. They might also accredit the certification body, design the certification criteria and issue certification if established by the national law of their Member State.
On the other hand, the National Accreditation Body may accredit third-party certification bodies using ISO 17065 and the SAs’ additional accreditation requirements, which should be in line with section 2 of these guidelines. In some Member States, accreditation can be carried out by the competent SA, by the national accreditation body, or by both.
Finally, the Scheme Owner is another important stakeholder. It is an organisation which has set up the certification criteria and the methodology requirements according to which conformity is to be assessed. The organisation carrying out the assessments could be the same organisation that has developed and owns the scheme, but there could be arrangements where one organisation owns the scheme and another (or more than one other) performs the assessments as certification body.
Furthermore, the data exporter who wants to use a certification as an appropriate safeguard according to Article 46(2)(f) GDPR is notably obliged to verify whether the certification it intends to rely on is effective in light of the characteristics of the intended processing. To that end, the data exporter must check the issued certification in order to verify that the certificate is valid and not expired, that it covers the specific transfer to be carried out and whether the transit of personal data is in the scope of the certification, and whether onward transfers are involved and adequate documentation is provided on them. Considering that the exporter is responsible for all provisions in Chapter V being applied, it also has to assess whether the certification it intends to rely on as a tool for transfers is effective in the light of the law and practices in force in the third country that are relevant for the transfer at stake.
Therefore, certification should be based on the assessment of certification criteria according to a mandatory audit methodology.
The following minimum criteria must be considered by the certification mechanism with respect to processing:
- the purpose;
- the type of entity (controller or processor);
- the type of data transferred taking into account whether special categories of personal data as defined in Article 9 GDPR are involved;
- the categories of data subjects; and
- the countries where the data processing takes place.
With regard to transparency and data subjects’ rights, the certification criteria should:
- require that information on the processing activities is provided to data subjects, including, where relevant, on the transfer of personal data to a third country or an international organisation (see Articles 12, 13 and 14 GDPR);
- require that data subjects are guaranteed their rights to access, rectification, erasure, restriction, notification regarding rectification or erasure or restriction, objection to processing, and the right not to be subject to decisions based solely on automated processing, including profiling, essentially equivalent to those provided for by Articles 15 to 19, 21 and 22 GDPR;
- require that an appropriate complaint-handling procedure is established by the data importer holding a certification in order to ensure the effective implementation of data subject rights; and
- require assessing whether and to what extent these rights are enforceable for the data subjects in the relevant third country, and any additional appropriate measures that may need to be put in place to enforce them, e.g. requiring that the importer agrees to submit to the jurisdiction of, and cooperate with, the supervisory authority competent for the exporter(s) in any procedures aimed at ensuring compliance with these rights and, in particular, that it agrees to respond to enquiries, submit to audits and comply with the measures adopted by the aforementioned supervisory authority, including remedial and compensatory measures.
Additional certification criteria include assessment of third country legislation, general obligations of importers and exporters, rules on onward transfers, redress and enforcement of data subject rights, process and actions for situations in which national legislation prevents compliance with commitments taken as part of certification, dealing with requests for data access by third country authorities and additional safeguards concerning the exporter.
Again, a list of examples of complementary measures to be implemented by the importer in case the transit is included in the scope of the certification is a high point of the guidelines. They are the following:
Another list of examples of complementary measures in case the transit is not covered by the certification and the exporter has to ensure them is equally interesting:
1.3. GUIDELINES 03/2022 ON DECEPTIVE DESIGN PATTERNS IN SOCIAL MEDIA PLATFORM INTERFACES: HOW TO RECOGNISE AND AVOID THEM
These Guidelines offer practical recommendations to social media providers (as controllers), to designers and to users of social media platforms on how to recognise and avoid so-called “deceptive design patterns” in social media interfaces that infringe GDPR requirements.
Regarding the data protection compliance of user interfaces of online applications within the social media sector, the data protection principles applicable are set out within Article 5 GDPR. The principle of fair processing laid down in Article 5 (1) (a) GDPR serves as a starting point to assess whether a design pattern actually constitutes a “deceptive design pattern”.
The EDPB gives concrete examples of deceptive design pattern types for the following use cases within the life cycle of a social media account: the sign-up, i.e. registration, process; the information use cases concerning the privacy notice, joint controllership and data breach communications; consent and data protection management; exercise of data subject rights during social media use; and, finally, closing a social media account.
The deceptive design patterns addressed within these Guidelines result from an interdisciplinary analysis of existing interfaces. They can be divided into the following categories:
- Overloading: users are confronted with a large quantity of requests, information, options or possibilities in order to prompt them to share more data or unintentionally allow personal data processing against the expectations of the data subject.
- Skipping: designing the interface or user journey in a way that the users forget or do not think about all or some of the data protection aspects.
- Stirring: affects the choice users would make by appealing to their emotions or using visual nudges.
- Obstructing: an obstruction or blocking of users in their process of getting informed or managing their data by making the action hard or impossible to achieve; and
- Left in the dark: an interface is designed in a way to hide information or data protection control tools or to leave users unsure of how their data is processed and what kind of control they might have over it regarding the exercise of their rights.
As the EDPB has already stated, fairness is an overarching principle which requires that personal data shall not be processed in a way that is detrimental, discriminatory, unexpected or misleading to the data subject. If the interface provides insufficient or misleading information to users and fulfils the characteristics of deceptive design patterns, it can be classified as unfair processing. The fairness principle has an umbrella function: no deceptive design pattern complies with it, irrespective of compliance with the other data protection principles.
Consent must be freely given, specific and informed at the registration step. For social media providers who ask for users’ consent for varying purposes of processing, the EDPB Guidelines 05/2020 on consent provide valuable guidance on consent collection. Social media platforms must not circumvent conditions such as data subjects’ ability to freely give consent through graphic designs or wording that prevents data subjects from expressing their will. In that regard, Article 7(2) GDPR states that the request for consent shall be presented in a manner which is clearly distinguishable from other matters, in an intelligible and easily accessible form, using clear and plain language. Users of social media platforms can provide consent for ads or special types of analysis during the sign-up process, and at a later stage via the data protection settings. In any event, as Recital 32 GDPR underlines, consent always needs to be given by a clear affirmative act, so that pre-ticked boxes or inactivity of the users do not constitute consent.
In accordance with Article 7(3), first sentence, GDPR, users of social media platforms shall be able to withdraw their consent at any time. Prior to giving consent, users shall also be made aware of the right to withdraw it, as required by Article 7(3), third sentence, GDPR. In particular, controllers shall demonstrate that users have the possibility to refuse to give consent, or to withdraw it, without any detriment. Users of social media platforms who consent to the processing of their personal data with one click, for example by ticking a box, shall be able to withdraw their consent in an equally easy way. This underlines that consent should be a reversible decision, so that a degree of control remains with the data subject. Easy withdrawal of consent is a prerequisite of valid consent under Article 7(3), fourth sentence, GDPR and should be possible without lowering service levels. As an example, consent cannot be considered valid under the GDPR when it is obtained through a single mouse-click, swipe or keystroke, but the withdrawal takes more steps, is more difficult to achieve or takes more time.
Again, the examples make deceptive design patterns easier to understand. They are:
In conclusion, the three guidelines are examples of good practices to guide society in general.