The emergence of dark patterns as a legal concept in case law

On the 23 February 2023, the Italian Data Protection Authority (DPA) issued a decision against Ediscom S.p.A. (Garante per la Protezione dei Dati Personali, 2023) explicitly referring to “dark patterns”1, i.e. online design choices that manipulate users’ decision-making to benefit digital services. The imposed fine of 300,000 euros was due because, on some of its websites, the company employed dark patterns (hereafter DPs) to illegally entice data subjects to consent to the processing of their personal data for marketing purposes. This decision is significant as it is the first time in Europe that a DPA directly states that the use of DPs amounts to GDPR infringements, namely of the lawfulness, transparency and fairness principles (Article 5(1.a)), consent requirements (Articles 4(11), 7(2)) and data protection by design and by default (Article 25). So far, case law sanctioned (Brignull et al., 2023) certain design practices without referring explicitly to DPs. This pioneer ruling sets a precedent for further regulatory decisions and case law.