The Connecticut legislature passed Connecticut SB 6 on April 28, 2022.  If signed by the governor, the bill would take effect on July 1, 2023, though the task force created by the bill will be required to begin work sooner.

The bill closely resembles the Colorado Privacy Act, with a few notable additions.  Like the

The German Conference of Independent Supervisory Authorities (“DSK”) published on March 23, 2022 a statement on scientific research and data protection (see here, in German).  The DSK published the statement in response to the German Government’s initiative on a general law on research data as part of its Open Data Strategy, announced

As many readers will be aware, a key enforcement trend in the privacy sphere is the increasing scrutiny by regulators and activists of cookie banners and the use of cookies. This is a topic that we have been tracking on the Inside Privacy blog for some time. Italian and German data protection authorities have

On March 21, 2022, the European Data Protection Board (“EDPB”) published its draft Guidelines 3/2022 on Dark patterns in social media platform interfaces (hereafter “Guidelines”, available here), following the EDPB’s plenary session held on March 14, 2022.  The stated objective of the Guidelines is to provide practical guidance to both designers and users of social media platforms about how to identify and avoid so-called “dark patterns” in social media interfaces that would violate requirements set out in the EU’s General Data Protection Regulation (“GDPR”).  In this sense, the Guidelines serve both to instruct organizations on how to design their platforms and user interfaces in a GDPR-compliant manner, as well as to educate users on how certain practices they are subject to could run contrary to the GDPR (which could, as a result, lead to an increase in GDPR complaints arising from such practices).  The Guidelines are currently subject to a 6-week period of public consultation, and interested parties are invited to submit feedback directly to the EDPB here (see “provide your feedback” button).

In this blog post, we summarize the Guidelines and identify key takeaways.  Notably, while the Guidelines are targeted to designers and users of social media platforms, they may offer helpful insights to organizations across other sectors seeking to comply with the GDPR, and in particular, its requirements with respect to fairness, transparency, data minimization, purpose limitation, facilitating personal data rights, and so forth.

Setting the Stage

At the outset of the Guidelines, the EDPB defines “dark patterns” as “interfaces and user experiences implemented on social media platforms that lead users into making unintended, unwilling and potentially harmful decisions regarding the processing of their personal data”.  The EDPB then provides a taxonomy of 6 defined categories of dark patterns, namely:

  1. Overloading – overwhelming users with a large quantity of requests, information, options, or possibilities to prompt them to share more data;
  2. Skipping – designing the interface or user experience in a way that causes users to forget (or fail to consider) all or certain data protection aspects of a decision;
  3. Stirring – appealing to the emotions of users or using visual nudges;
  4. Hindering – obstructing or blocking users from becoming informed about the use of their data or exercising control over it by making certain actions hard or impossible to achieve;
  5. Fickle – designing the interface in an inconsistent and unclear manner which makes it difficult to navigate user controls or understand processing purposes; and finally,
  6. Left in the dark – designing the interface in a way to hide information or privacy controls, or to leave users uncertain about how their data is processed and the control they can exercise over it.

The EDPB notes that these six categories can also be thematically framed as “content-based patterns” (i.e., referring to the content of information presented to users, including the context, wording used, and informational components) or “interface-based patterns” (i.e., referring to the manner that content is displayed, navigated through, or interacted with by users, which can have a direct influence on the perception of dark patterns).

Beneath the six over-arching categories of dark patterns outlined above, the EDPB then identifies 15 specific dark pattern behaviors and considers how each of them can manifest during the lifecycle of a social media user account, a continuum which the EDPB breaks down into the following 5 stages: (1) opening a social media account; (2) staying informed on social media; (3) staying protected on social media; (4) exercising personal data rights on social media; and (5) leaving a social media account.

In his State of the Union address last week, President Biden declared that he wants to: “strengthen privacy protections, ban targeted advertising to children, and demand tech companies stop collecting personal data on our children.”  This statement comes just a couple of weeks after Senators Richard Blumenthal (D-CT) and Marsha Blackburn (R-TN) introduced the Kids

In 2021, European lawmakers and agencies issued a number of proposals to regulate artificial intelligence (“AI”), the Internet of Things (“IoT”), connected and automated vehicles (“CAV”), and data privacy, as well as reports and funding programs to pursue the developments in these emerging areas.  From the adoption of more stringent cybersecurity standards for IoT devices to the deployment of standards-based autonomous vehicles, federal lawmakers and agencies have also promulgated new rules and guidance to promote consumer awareness and safety. While our team tracks developments across EMEA, this roundup focuses on a summary of the key developments in Europe in 2021 and what is likely to happen in 2022.

Part I: Internet of Things

With digital policy being a core priority for the current European Commission, the EU has pursued a range of initiatives in the area of IoT.  These developments tend to be interspersed throughout a range of policy and legislative decisions, which are highlighted below.

Connecting Europe Facility and IoT Funding

In July 2021, the European Parliament and Council of the EU adopted a regulation establishing the Connecting Europe Facility (€33.7 billion for 2021-2027) to accelerate investment in trans-European networks while respecting technological neutrality.  In particular, the regulation noted that the viability of “Internet of Things” services will require uninterrupted cross-border coverage with 5G systems, to enable users and objects to remain connected while on the move.  Given that 5G deployment in Europe is still sparse, road corridors and train connections are expected to be key areas for the first phase of new applications in the area of connected mobility and therefore constitute vital cross-border projects for funding under the Connecting Europe Facility.  The Parliament had also called earlier for “stable and adequate funding” for investments in AI and IoT, as well as for building transport and ICT infrastructure for intelligent transport systems (ITS), to ensure the success of the EU’s data economy.

In May 2021, the Council adopted a decision establishing a specific research funding programme (€83.4 billion for 2021-2027) under Horizon Europe.  In specifying the EU’s priorities, the decision identified the importance of IoT in health care, cybersecurity, key digital technologies including quantum technologies, next generation Internet, space, and satellite communications.

On February 24, 2022, the Irish Data Protection Commission (“DPC”) published its 2021 annual report setting out its activities and outcomes for last year (see press release here and the full report here).  At 120 pages long, it is detailed and specific, and in places, comes with a targeted and reflective commentary.  Overall, it provides readers with useful insights into the work of a supervisory authority at the forefront of Europe’s data protection whirlwinds.

Addressing the Critics

The DPC introduces the report with commentary that is critical of the narrative that equates the size of fines imposed under the EU General Data Protection Regulation (“GDPR”) with regulatory efficacy.  This is the elephant in the room tackled up front.  It is a narrative that has been repeated against the DPC in recent times by critics complaining about the level of control (or lack thereof) that the DPC exercises over large technology platforms, many of which have established their center of EU operations in Ireland.  In response to this sentiment, the DPC refers to the ongoing work of European data protection authorities to identify a set of performance metrics to quantify regulatory output across all Member States, stating that “such metrics must, however, move past both superficial totting exercises and assumptions to the effect that the bigger the fine, the greater the change of behaviour it will herald.”

Further, to illustrate the varying levels of complexity that the report refers to, the DPC cites to the example of a decision that ran to “several hundred pages and touch[ed] on the complex operating processes of large multinational organisations, impacting on millions of people” in contrast with another decision comprising “a two-line treatment of a comparatively simple issue that has minimal ramifications for data subjects in general.”

About More Than The GDPR

While cognizant that the control enjoyed by large technology platforms may need to be tackled by more than a single regulatory discipline, whether “data protection, competition law or content regulation”, there is, according to the DPC, “no question” that the GDPR is and will remain the best-available framework in Europe for protecting personal data.  However, in recognizing the limitations of the GDPR, the DPC goes on to say it is not the role of the DPC or any other supervisory authority to “target all manifestations” of platform power.

Given the suite of forthcoming EU laws and frameworks seeking to address data-related issues, the DPC also emphasizes the importance of cross-regulatory structures to deal with the type of issues already escalated by the one-stop-shop mechanism under the GDPR.