European Data Protection Board has adopted new guidelines: Article 60 GDPR, “dark patterns”

Please click here to read the details.

On the 15
th of March the European Data Protection Board (“EDPB”) has announced that the following developments were adopted: 

  • Guidelines on Article 60 GDPR;
  • Guidelines on dark patterns in social media platform interfaces.


Guidelines on Article 60 GDPR. Key takeaways! This guideline is aimed to develop the concept of “one-stop-shop” which was established with the introduction of GDPR. What does it mean? If you perform cross-border data transfers, you shall work with the supervisory authority of the EU Member State country where your company is established (so called “lead supervisory authority”). This guideline is to handle the regulation of cooperation of different supervisory authorities with each other, with the EDPB and with the third parties under Article 60 GDPR. It is stated that:

  • described in the guide procedure of cooperation applies to all cases of cross-border data transfers;
  • the lead supervisory authority is primarily responsible for handling such cases, without being empowered to ultimately decide on its own;
  • the cooperation procedure does not impact the independence of the supervisory authorities, which retain their own discretionary powers within the framework of cooperation.

It is important that national procedures and regulations do not limit the cooperation prescribed by the GDPR.


Guidelines on dark patterns in social media platform interfaces. What are the dark patterns? Guidelines define it as interfaces and/or user experiences which force users to make unintended and potentially harmful decisions regarding the processing of their personal data. These could be mechanisms and methods to affect the user’s behaviour and make not very conscious choices. Therefore, this guideline has an objective to show the most widespread dark patterns, ways how to avoid it, procedures for data protection authority with regard to dealing with such dark patterns in accordance with GDPR requirements. 


Main GDPR issues in question regarding dark pattern are the (i) principle of fair processing, with use of which it is possible to define whether a particular design is a dark pattern; (ii) transparency, data minimisation and accountability, purpose limitation; (iii) data protection by design and by default; (iv) consent. Therefore, using dark patterns may lead to a number of GDPR violations which can lead to huge fines, as we have already seen with big tech companies.    


What are the examples of dark patterns? 


  • Overloading means that users receive a big amount of information, requests or possibilities, therefore losing track of what data is really important and more willingly provide their consents or personal data;
  • Skipping means that design of the platform was made purposely for user to miss some of the important information; 
  • Stirring means to use people’s emotions in order to obtain some benefits from it;
  • Hindering means blocking users or hiding from users some information making it impossible to achieve their purpose of knowing more about platform or processing of their data; 
  • Fickle means inconsistent and confusing interface making it hard for user to navigate. 


The EDPB gives examples where dark patterns are possible in the lifecycle of a digital product: registration; the information use cases concerning the privacy notice, joint controllership and data breach communications; consent and data protection management; exercise of data subject rights during social media use; deleting a social media account. In addition, EDPB shows best practices in order to be in compliance with the new rules presented by the guideline. The deadline for public comments on the guidance is May 2.


All in all, EDPB works actively in improving EU data protection legislation. Therefore, if your business operates in the EU or collects data from European users, it is important to track such changes and trends in order to be in compliance. Sometimes it may be hard, therefore it is important to attract professional privacy lawyers to deal with all these issues and Legal IT Group as your Data Protection Officer will be happy to help ☺ 

Reminder: to make a donation please click here.

    Your question to IT lawyers