
Online Interface Design and Organization

This topic specifically addresses the DSA requirements on how online service providers must design and organize their interfaces to ensure transparency, accessibility, and compliance with content moderation and user information obligations. It bridges interface design principles with regulatory compliance requirements.

Tags: interface design, online interface, interface organization, user interface, platform design, content organization, interface accessibility, interface transparency

Overview

Legal Framework

The design and organization of online interfaces is governed by the Digital Services Act (DSA), specifically as articulated in Recitals 83 and 87. Recital 83 establishes that systemic risks can stem directly from the design, functioning, or use of very large online platforms and search engines, particularly where there is a negative effect on public health, minors, mental well-being, or gender-based violence. Recital 87 imposes a corresponding obligation on providers of these services to implement mitigating measures, which explicitly include adapting their online interface design. This legal requirement is further informed by the foundational principles of data protection by design and by default under Article 25 of the General Data Protection Regulation (GDPR), which mandates that controllers implement appropriate technical and organizational measures to ensure data protection principles are embedded into processing activities from the outset.

Practical Application

The DSA recitals integrate interface design directly into systemic risk mitigation. This means that for Very Large Online Platforms (VLOPs) and Very Large Online Search Engines (VLOSEs), the assessment and mitigation of systemic risks under Articles 34 and 35 DSA must include a review of how the interface’s architecture may contribute to identified harms. The requirement extends beyond mere functionality to encompass how design choices can manipulate user behavior or amplify harmful content. While specific DSA case law is still developing, the established interpretation of Article 25 GDPR by authorities like the Dutch Data Protection Authority provides a critical parallel: appropriate measures include disabling non-essential data processing functionalities by default and ensuring interface designs minimize unnecessary data collection. For DSA compliance, this principle translates to designing interfaces that, by default, do not promote or facilitate the circulation of illegal content or systemic risks.

Key Considerations

  • Integrate Design into Risk Assessments: VLOPs/VLOSEs must specifically evaluate how interface elements (e.g., recommendation algorithms, notification systems, sharing features) could exacerbate systemic risks identified under Article 34 DSA and document design adaptations as part of their mitigation measures under Article 35.
  • Apply Privacy by Design Principles: Adhere to the GDPR Article 25 standard by implementing data minimization and user protection into the interface architecture from the design phase, such as ensuring default settings prioritize user well-being and do not encourage excessive engagement or data disclosure.
  • Document Design Decisions: Maintain clear records demonstrating how interface design choices were evaluated and potentially modified to comply with DSA risk mitigation obligations and GDPR data protection principles, as this will be central to demonstrating due diligence to regulators.

Laws (18)

Guidance (8)

Guidelines 05/2020 on consent under Regulation 2016/679 (Dutch-language version)

guidelines consent

Guidelines 06/2020 on the interplay between the Second Payment Services Directive and the GDPR (Dutch-language version)

guidelines interplay application of Article 3 and Chapter V GDPR

Guidelines 05/2020 on consent under Regulation 2016/679

Guidelines on consent

Guidelines 03/2022 on Deceptive design patterns in social media platform interfaces: how to recognise and avoid them

Guidelines on deceptive design patterns in social media platform interfaces: how to recognise and avoid them

These Guidelines offer practical recommendations to social media providers as controllers of social media, designers and users of social media platforms on how to assess and avoid so-called 'deceptive design patterns' in social media interfaces that infringe on GDPR requirements. To this end, the EDPB recommends that controllers make use of interdisciplinary teams, consisting, among others, of designers, data protection officers and decision-makers. It is important to note ...

ARTICLE 29 DATA PROTECTION WORKING PARTY

Guidelines on transparency

Guidelines 3/2022 on recognising and avoiding deceptive design patterns in social media platform interfaces (Dutch-language version)

guidelines deceptive design patterns

These Guidelines offer practical recommendations to social media providers as controllers of social media, designers and users of social media platforms on how to assess and avoid so-called 'deceptive design patterns' in social media interfaces that infringe on GDPR requirements. To this end, the EDPB recommends that controllers make use of interdisciplinary teams, consisting of, among others, designers, ...

Guidelines 06/2020 on the interplay of the Second Payment Services Directive and the GDPR

Guidelines on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR

ARTICLE 29 DATA PROTECTION WORKING PARTY (Dutch-language version)

guidelines transparency

News (3)

EDRi welcomes EU preliminary findings on TikTok’s addictive platform design

The European Commission preliminarily found that TikTok was in breach of the Digital Services Act (DSA) due to the addictive design of its platform. EDRi welcomes this decision and urges TikTok to swiftly mitigate the risks to which its users are exposed.

The Homeland Security Spending Trail: How to Follow the Money Through U.S. Government Databases

This guide was co-written by Andrew Zuker with support from the Heinrich Boell Foundation. The U.S. government publishes volumes of detailed data on the money it spends, but searching through it and finding information can be challenging. Complex search functions and poor user interfaces on government reporting sites can hamper an investigation, as can inconsistent company profiles and complex corporate ownership structures. This week, EFF and the Heinrich Boell Foundation released an update to

What Happened to the Risk-Based Approach to Data Transfers?

The GDPR incorporates the risk-based approach (RBA) for all obligations of the controller under the GDPR. Where the transfer rules are stated as obligations of the controller (rather than as absolute principles), the RBA of Article 24 therefore applies. Contrary to what the DPAs assume, this is not contradicted by the ECJ in Schrems II nor by the EDPB recommendations on additional measures following the Schrems II judgment, according to Lokke Moerel, Professor of Global ICT Law at Tilburg University and a Dutch Cyber Security