Module 8 · Dark patterns (Guidelines 03/2022), AI & the EU AI Act

Dark patterns are deceptive interface designs that manipulate users into choices about their personal data; EDPB Guidelines 03/2022 set out six categories. AI can make automated decisions, engaging Article 22; the EU's ethical principles are respect for human autonomy, prevention of harm, fairness and explicability. The EU AI Act (passed 13 March 2024) is risk-based with four tiers and is extraterritorial, covering providers and deployers.

| Category | Idea |
|---|---|
| Overloading | Flooding users with too many options/requests to wear them down. |
| Skipping | Designing so users overlook or skip privacy-protective choices. |
| Stirring | Using emotion or visuals to nudge a particular choice. |
| Hindering | Making it hard to exercise rights or change settings. |
| Fickle (Fickling) | Inconsistent, unclear interface that confuses users. |
| Left in the dark | Hiding information so users can't understand the processing. |

Dark patterns violate fair processing, transparency, data minimisation, accountability, purpose limitation, consent, and data protection by design and default.

AI can make automated decisions, engaging Article 22 (profiling/automated decisions). The EU Commission's ethical principles for trustworthy AI are respect for human autonomy, prevention of harm, fairness and explicability.

| Tier | Treatment / example |
|---|---|
| Unacceptable | Prohibited |
| High risk | Most heavily regulated |
| Limited risk | Transparency obligations |
| Minimal / no risk | Largely unregulated (e.g. spam filters) |

The EU AI Act (passed 13 March 2024) is extraterritorial: it covers providers and deployers in the EU, providers placing products in the EU, and operators outside the EU whose output is used in the EU. Exemptions include military/national security, R&D, certain third-country public authorities, non-professional personal use and some open-source AI.