
GDPR GAZET

05/22


01     EDPB: New guidelines on 'dark patterns'

At the beginning of this month, the public consultation on the new EDPB guidelines on 'dark patterns' on social media platforms came to an end. A final version can therefore be expected soon.

 

With the guidelines, the EDPB aims to provide the designers, providers and users of social media platforms with practical recommendations on how to avoid implementing or using “dark patterns” that violate the GDPR. The EDPB defines “dark patterns” in the context of the guidelines as interfaces and user experiences on social media platforms that lead users to make unintentional, unwanted and potentially harmful decisions regarding the processing of their personal data by influencing their behavior to their detriment.

 

The EDPB describes various forms of “dark patterns” (overloading, skipping, stirring, hindrance, fickle, left in the dark) on the basis of detailed use cases. In doing so, it assesses, among other things, accountability and the principles of transparency and privacy by design & by default. The guidelines therefore provide valuable insights for companies that (want to) design or offer social media platforms, and show which implementations may violate the GDPR.

02     EDPB: Final guidelines on codes of conduct as a 'transfer tool'

 

The EDPB has published its final guidelines on codes of conduct as a 'transfer tool'.

 

When exporting personal data outside the European Economic Area (EEA), organizations must comply with additional GDPR obligations, such as providing appropriate safeguards. This can be done, among other possibilities, through a specific code of conduct that controllers and processors outside the EEA who are not themselves subject to the GDPR subscribe to. In doing so, they must make enforceable commitments by contract or other legally binding instruments to apply the safeguards contained in such code of conduct.

 

To be able to use this 'transfer tool', a procedure must be followed whereby the competent supervisory authority approves the draft code of conduct and the European Commission subsequently declares it generally valid. In the guidelines, the EDPB clarifies this procedure and provides a checklist of elements that must be included in a code of conduct intended to legally frame international transfers. The EDPB clarifies the application of Articles 40(3) and 46(2)(e) GDPR.

03     New EU-US Privacy Framework on its way

 

The European Commission and the US have announced that they have agreed on a new Trans-Atlantic Data Privacy Framework, which would again promote data sharing between the EU and the US. In doing so, the US would like to make strong commitments to address the concerns raised in the Schrems II decision of the Court of Justice of the EU, which found that the Privacy Shield at the time offered insufficient guarantees to export personal data from the EU to American organizations on this basis. It was therefore found to be in violation of the GDPR. This is mainly due to the broad possibilities provided by US law for intelligence services to access the databases of US companies, without clear conditions and restrictions. Moreover, there were insufficient administrative or judicial options available for those involved to oppose this.

 

It is a political agreement that still needs to be translated into concrete legal texts. When the time comes, the EDPB will analyze whether the collection of personal data for US national security purposes is this time limited to what is strictly necessary and proportionate. The EDPB will also verify whether the announced independent mechanism to challenge the relevant processing operations by US intelligence services is in line with the GDPR and the rights to an effective remedy and due process. This includes, among other things, the intervention of an authority that is able to impose binding decisions on the intelligence services, and the possibility of challenging decisions of this body in court.

04     Data regulation under way and subject to EDPB/EDPS advice

In February 2022, the European Commission published a proposal for a new regulation that should stimulate data sharing among government institutions and companies. This may also concern personal data. The EDPB and the EDPS have formulated their comments on the proposal in a joint opinion.

 

With the proposal, the European Commission wants to achieve that data is shared more between different sectors and between public and private organisations. The regulation will contain rules for all economic sectors in the EU about who can use and view which data and for what purposes. This is with a view to reducing ambiguity about who is allowed to use and have access to data generated when using various products and services, including 'smart' devices, medical or health devices and virtual assistants. The aim is to remove obstacles to access to data and to continue to stimulate data generation with a view to promoting further innovation, consumer choice and public service.

 

The Data Regulation will, among other things, build on data subjects' rights of access and portability, extending these rights to all data generated by "smart" or connected products, whether personal or non-personal, for consumers to access and transfer.

 

The EDPB points out that the Data Regulation will also apply to sensitive personal data and urges regulators to ensure that the rights of data subjects are respected, including by ensuring that access to, use and sharing of personal data by any entities other than the data subjects themselves is done in full compliance with all data protection principles and rules. It points out that the GDPR should always take precedence when personal data are involved. If data sharing is therefore permitted (or mandatory) under the Data Regulation, this could only actually happen with regard to personal data if this is also possible under the GDPR. In this regard, the EDPB and EDPS express in their opinion on the proposed legal text, among other things, their concern that governments (at national level, but also EU institutions) would be given too much room under the Data Regulation in its current draft form to demand personal data from companies, in particular in 'exceptional circumstances', without clear conditions being attached to this. It is now up to the European Parliament and the governments of the EU member states to further assess the proposal and reach an agreement.

05     GBA concerned about legislative change

 

At the beginning of March, the Data Protection Authority already made known that it is concerned about developments that could jeopardize its independence and operation, in particular proposed amendments to the GBA Act and the lack of resources that would be allocated to it. It issued formal advice on this, which it provided to, among others, the Council of State and the European Data Protection Board.

 

The GBA has several problems with the proposed amendment to the law. For example, the preliminary draft law provides for parliamentary interference in the setting of priorities and the internal organisation. In addition, the renewal of the mandate of its directors is subject to a positive evaluation by the Chamber of Representatives, without the preliminary draft providing for objective criteria. This system, according to the GBA, can lead to "anticipated obedience" to the Chamber and political influence that hinders the independent fulfillment of its duties. The GBA would also be obliged to call on a shared service center for, among other things, internal policy and management regarding HR, IT, information security and finance.

 

In addition, the GBA once again denounces its lack of human and financial resources. The 45.9 file managers (FTEs) would not be enough to perform the 21 different tasks prescribed by the GDPR. Compared to many other European colleagues, its position would also deteriorate further.

 

The EDPB has taken note of the concerns of the DPA and expressed its concerns in an open letter addressed to the Belgian legislator and government. It remains to be seen to what extent this will be followed up in the further legislative process.


Let's Work Together

If you have any questions about GDPR or if you want to know more about our services, please feel free to contact us for a no-obligation discussion via olivier@misterfranklin.be
