The EDPB has now adopted its Guidelines 04/2019 on Article 25 Data Protection by Design and by Default after public consultation.
This post briefly shares 3 key thoughts and conclusions from the Guidelines which might not seem so obvious at first sight.
1. Be sure to understand not only the literal and contextual meaning of the GDPR provisions, but also their spirit. Yes, the EDPB speaks directly about spirit, and this is new compared to the version published for public consultation. See Example 1 in paragraph 70.
2. The notion of ‘necessity’ is understood not only in the context of achieving the purposes of the processing, but also with regard to the way personal data are obtained. This serves to keep data subjects involved in the processing of their personal data to the highest degree possible. See the Example in paragraph 68.
And finally, probably the most important one.
3. The EDPB writes that processing options cannot be presented “in such a manner that makes it difficult for data subjects to abstain from sharing their data, or make it difficult for the data subjects to adjust their privacy settings and limit the processing” and “in a way that nudges the data subject in the direction of allowing the controller to collect more personal data than if the options were presented in an equal and neutral way” (Example 1 in paragraph 70). Personally, it conjures up images of some cookie banners offering only the options “Accept all” and “Settings”, thus nudging a user to press the ‘right’ button desirable for the controller.
Some DPAs (e.g. the Danish #Datatilsynet) have previously stated that this type of ‘nudging’ is not allowed.