European Data Protection Board („EDPB”) Guidelines on certification, data transfers and deceptive design patterns
The National Commission on Information and Liberties in France (Commission nationale de l’informatique et des libertés or „CNIL”) announces that EDPB recently adopted new guidelines regarding the certification, data transfers, deceptive design patterns. CNIL is a co-rapporteur institution with EDPB aiming for the optimal implementation of the regulations.
In short, CNIL is the authority entrusted in France with the mission of informing individuals/legal entities and responds to any requests relating to the respect/management of personal data made by either of the beforementioned. Therefore, CNIL participates in symposiums, trade fairs or conferences to capture needs and trends, advise and educate the market.
In relation to the above, following a period of public consultation, on 14 February 2023 the European Data Protection Board („EDPB”) adopted a series of guidelines meant to improve the practical applicability in the field of personal data protection. These guidelines concern three important aspects, namely:
A. The guidelines on certification as a transfer tool (Guidelines 07/2022);
B. The guidelines on the interplay between Article 3 (scope) and Chapter V (data transfer) of the GDPR (Guidelines 05/2021);
C. The guidelines on deceptive design patterns in social network interfaces Guidelines 03/2022.
A. About the Guidelines on certification as a data transfer tool
These guidelines seek to provide guidance as to the application of the GDPR on transfers of personal data to third countries or to international organizations based on certification. To be more specific, these guidelines are meant to clarify and to complete previous guidelines on the parties` (exporter, importer and certification body) relation and responsibility, namely Guidelines 1/2018 on certification and addresses specific requirements from Chapter V of the GDPR and the Guidelines 4/2018 on the accreditation of certification bodies under Article 43 of the GDPR.
The document we are referring to is structured in four sections, each one outlining information about specific aspects of the certification as a data transfer tool. For instance:
Firstly, it clarifies that the guidelines supplement the already existing general Guidelines 1/2018 on certification and addresses specific requirements from Chapter V of the GDPR when certification is used as a transfer tool, it contains information on the process for obtaining a certification to be used as tool for transfers. Also, it describes the actors who are involved and their core roles in this context, with a special focus on the role of the data importer who will be granted a certification and of the data exporter who will use it as a tool to frame its transfers. In this context the certification can also include measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data.
Secondly, it implements guidance on the accreditation requirements applicable to the certification body.
Thirdly, it provides guidance on the specific certification criteria already listed in Guidelines 1/2018 and establishes additional specific criteria that should be included in a certification mechanism to be used as a tool for transfers to third countries to demonstrate the existence of adequate warranties for data transfer.
Last, but not least, these guidelines provide elements that should be addressed in the binding and enforceable commitments that controllers or processors not subject to the GDPR should take for the purpose of providing appropriate safeguards to data transferred to third countries.
B. About the Guidelines on the articulation between Article 3 (scope) and Chapter V (data transfer) of the GDPR
Bearing in mind that GDPR does not define the notion of data transfer to third countries or to international organizations, these new Guidelines are clarifying the situations when it must be considered that a data transfer is made. In this regard, there are three cumulative conditions, namely:
A data controller or processor who „exports data” is subject to the GDPR;
The exporter transmits or makes available such data to another controller, joint controller or processor which is the „importer”;
Either this importer is located in a third country, even if it is not subject to the GDPR itself, or it is an international organization.
The novelty and improvement brought by these Guidelines are that the new examples have been included and supplementary details were introduced regarding the obligations and warranties to be applied in certain situations.
C. About the Guidelines on deceptive patterns in social media platform interfaces
The „deceptive design patterns” can be defined as interfaces and user journeys implemented on social media platforms that attempt to influence users into making unintended, unwilling and potentially harmful decisions, often toward a decision that is against the users’ best interests and in favor of the social media platforms interests, regarding the processing of their personal data.Therefore, given that GDPR determines that personal data may not be collected or used in a way that is unexpected or misleading for data subjects, these Guidelines aim to support the development of clear user interfaces that respect the rights of individuals.
To this end, following public consultations, improvements were made to the process by including them in the Guidelines in discussion; for instance, the list of best practices has been extended with new elements such as privacy dashboards, self-explanatory URLs for data protection settings, forms for exercising data subjects’ rights.
Also, the EDPB gives concrete examples of deceptive design pattern types for the following different use cases within this life cycle: the sign-up, i.e., registration process; the information use cases concerning the privacy notice, joint controllership and data breach communications; consent and data protection management; exercise of data subject rights during social media use; and, finally, closing a social media account.
As a conclusion, in view of the above, we can say that the recent EDPB guidelines are welcome in the practice of both professionals and individuals, bringing an added pragmatism to respect GDPR.