Dark Patterns: What You Always Wanted to Know But Were Afraid to Ask...
Legal Watch No. 45 – March 2022.
This difficult-to-translate English term is found in many publications concerning information technology.
Related to "nudging" which aims to subtly encourage Internet users to adopt the desired behavior, "dark patterns" aim for the same goal through the design of web interfaces.
On March 14, the European Data Protection Board adopted guidelines regarding "dark patterns" in the interfaces of social media platforms.
The document, which is subject to public consultation, is aimed at users to help them identify these techniques, and at designers, to whom it offers best practices to facilitate compliance with the GDPR.
The document lists in what resembles a Prévert-style inventory different practices:
- Information overload confronts the user with an avalanche of data or options (for example, an endless list of cookie recipients), leading them to share more information than they wish.
- Skipping leads the user to forget to check certain conditions of use of their data, for example by drawing their attention elsewhere.
- Stirring influences users' choices by playing on their emotions (for example, to encourage them not to unsubscribe from a social network).
- Obstruction (hindering) prevents Internet users from making their choices, via non-functional links, information that is longer than necessary or misleading.
- Design inconsistency (fickle) will make it difficult to navigate through control tools, via a decontextualized or non-hierarchical presentation of information.
- Finally, the design can leave the Internet user in the dark, using conflicting, ambiguous information (differently colored buttons enabled or disabled by default), or a discontinuity in the languages used (switching from French to English).
One would almost be in awe of such techniques and imagination, if these practices were not illegal because they are contrary to the principle of fairness set out in Article 5(1)(a) of the GDPR, as well as to the principles of transparency, data minimization, accountability, purpose limitation, and validity of consent.
The EDPB guidelines provide examples for each type of technique, and advice to simplify users' choices.
Good practices include:
- Using shortcuts to enable quick actions (unsubscribing from an account).
- The use of banners or pop-ups in the event of a change or particular risk (security breach for example).
- The use of simple and consistent language.
- A list of definitions.
- The use of examples.
- Explanation of the consequences of the different options proposed.
- The systematic display of the site map and a “back” button allowing the user to resume their navigation.
It should be noted that the CNIL's decisions last January against Google and Facebook, which fined these companies 150 and 60 million euros respectively, punish the use of dark patterns in cookie consent interfaces: the interfaces offered a simple option for accepting cookies, with one click, while several actions were necessary to refuse all cookies.
While the attention of supervisory authorities has so far focused on cookies, a broader set of practices is now at stake. The role of interface designers is becoming all the more crucial.
And also
France:
A judicial investigation has been opened by the cybercrime section of the Paris prosecutor's office concerning a massive leak of medical data.
The data leak is believed to have affected approximately 500,000 individuals and originated from around thirty medical biology laboratories. Investigations are also being carried out by ANSSI and CNIL, in conjunction with the publisher of the management software used by the laboratories.
Another massive data leak prompted the National Health Insurance Fund to issue a statement on March 17 stating that the accounts of at least 19 healthcare professionals on the Amelipro portal had been compromised by hackers.
The identification data and social security numbers of approximately 500,000 policyholders are affected by this cyberattack.
Still in the health sector, the shared medical record (DMP) was integrated into the digital health space (ENS, or “My health space”) in January 2022.
The CNIL provides a reminder on its website of how these two systems work and the rights of the people concerned.
On June 28, 2022, the CNIL will organize the first edition of Privacy Research Day in Paris, an international conference dedicated to research in the field of privacy and personal data protection.
Europe:
An agreement is in sight between Europe and the United States regarding the transfer of personal data.
Ursula von der Leyen and Joe Biden announced a political agreement on the subject on March 25, an announcement clarified by European Commissioner for Justice Didier Reynders, who indicated that it was an agreement on the "principles" of a future transatlantic agreement.
The new legal framework would succeed the "Safe Harbour Principles" and the "Privacy Shield", both of which were declared obsolete by the European Court of Justice for non-compliance with European data protection principles.
The European Commission's proposed extension of the Covid certificate regulations (EUDCC) is in the crosshairs of data protection authorities.
The EDPS and the EDPB expressed reservations about the lack of an impact assessment prior to the Commission's proposals to renew these certificates for one year.
The Committee and the European Data Protection Supervisor, however, acknowledged that the extension of the types of tests accepted and the inclusion in the certificate of the number of doses administered did not substantially change the current provisions.
In mid-March, Amazon employees filed a mass request for access to data the company holds about them, in order to verify the conditions of surveillance in their workplaces.
The applicants, from Germany, the UK, Italy, Poland and Slovakia, made their request under Article 15 of the GDPR in cooperation with the Global Workers' Union (UNI) and the NGO NOYB.
In addition to its guidelines on “dark patterns” in social media, the European Data Protection Board adopted guidelines on the application of Article 60 of the GDPR regarding cooperation between data protection authorities at its plenary meeting on 14 March.
This document aims to improve the application of the provisions of the one-stop-shop mechanism.
The mechanism provides for a lead authority for companies established in the European Union, determined by their main establishment, and a procedure for cooperation with all other authorities concerned because of complaints or secondary establishments in their country.
The Italian Data Protection Authority fined Clearview AI €20,000,000 on February 10 for using biometric recognition systems on public internet sources in violation of the GDPR. It ordered the deletion of the data. The UK Data Protection Authority fined a law firm €117,000 on 28 February for violation of Articles 5(1)(f) and 32 of the GDPR and in particular for failure to implement appropriate security measures.
Spain approved a code of conduct on February 17 concerning data protection in the context of clinical trials and pharmacovigilance.
The Irish Data Protection Authority fined Meta (formerly Facebook) €17 million on March 15 following several security breaches: the supervisory authority considered that the company had not taken the technical and organizational measures required to ensure data security.
The decision was taken following a cooperation procedure with the other European supervisory authorities concerned by the case (Article 60 GDPR).
In Germany, the Bremen Data Protection Authority fined a property management company (Brebau GmbH) €1,900,000 on March 3 for illegally processing sensitive data concerning more than 9,500 candidate tenants.
Skin color, religion, sexual orientation, health status, hairstyle and body odor were among the data processed.
International:
In a settlement order dated March 4, the United States Federal Trade Commission demands that WW International (Weight Watchers) destroy algorithms or artificial intelligence models designed using the personal data of minors collected without prior parental consent.
The company was also fined $1.5 million and ordered to destroy the illegally collected data.
This is the third time the FTC has demanded the destruction of an artificial intelligence algorithm in a settlement order.
Sri Lanka adopted a law on the protection of personal data on March 19, 2022.
Nokia, which announced it was stopping operations in Russia due to the war in Ukraine, is accused of leaving behind a telecommunications system that enabled the surveillance of the Russian population.
According to internal documents revealed by the New York Times, Nokia has been supplying Russia with equipment and services for more than five years to connect the Russian surveillance system SORM (System for Operative Investigative Activities) to Russia's largest telecommunications service, MTS.
Anne Christine Lacoste, Partner at Olivier Weber Avocat. Anne Christine Lacoste is a lawyer specializing in data law; she was Head of International Relations at the European Data Protection Supervisor and worked on the implementation of the GDPR in the European Union.