Design issues in data protection

Interfaces are the first medium between law, rights and individuals. The way those are designed has a huge impact on individuals’ ability to understand how their data are collected and used, to control and manage their data and to exercise their rights. The facts show that today many designs are made to nudge users in data disclosing behaviours, so called dark patterns, or they just fail to properly inform individuals on the data processing, such as privacy policy, which are, most of the time, left unread.

This talk is about what a regulatory body in charge of data protection in France, the CNIL, can do when faced with such situation.

The CNIL’s Digital Innovation Lab (LINC) delved into this complex issue and published a series of material, aimed at designers, to foster creative approaches to the issue of data protection in the design of interfaces. Identifying key structural issues in its sixth innovation and prospective report “Shaping Choices in the Digital World”, such as the weaponisation of design by some companies or the war on user’s attention through design tricks, the lab launched the Data & Design initiative (design.cnil.fr) to achieve 3 things:

1. bringing together and actively engage with a community of designers concerned by the question of privacy and data protection in the service and products they design;

2. give the tools and methodologies to designers and their direct collaborators (Product owner, project manager, etc.) to be autonomous in assessing their design and create new ones in light of data protection principles;

3. improve globally UX and UI design practices for data protection and privacy so that users can better understand how their data are used, with whom their data are shared and what they can do to control their data flow.

The Data & Design online platform introduces three regulatory concepts on which designers can act on: information, consent and the exercise of the rights; as well as gathers case studies, coming from the community, to practically show how regulatory requirements can be implemented within digital interfaces. In addition to those materials published online, workshops and events are regularly organised where the participants learn to take into account data protection considerations directly when creating a new service or product.