Transparency by Design in Data-Informed Research: a Collection of Information Design Patterns

Rossi, Arianna, and Gabriele Lenzini. "Transparency by design in data-informed research:

A collection of information design patterns." Computer Law & Security Review 37 (2020):

105402.

Acknowledgements:

Availableonlineatwww.sciencedirect.com

journalhomepage:www.elsevier.com/locate/CLSR

Transparency

by

design

in

data-informed

research:

A

collection

of

information

design

patterns

Arianna

Rossi

∗

,

Gabriele

Lenzini

SnT(UniversityofLuxembourg),29AvenueJ.F.Kennedy,L-1855,Luxembourg

a

r

t

i

c

l

e

i

n

f

o

Keywords: Transparency GDPR Dataprotection Informationduties Informedconsent Designpatterns Informationdesign Legaldesign Transparency-enhancing technologies Privacybydesign

a

b

s

t

r

a

c

t

Oftentimesinformationdisclosuresdescribingpersonaldata-gatheringresearchactivities aresopoorlydesignedthatparticipantsfailtobeinformedandblindlyagreetotheterms, without graspingtherightstheycanexerciseandtherisksderivedfromtheir coopera-tion.Torespondtothechallenge,thisarticlepresentsaseriesofoperationalstrategiesfor transparentcommunicationinlinewithlegal-ethicalrequirements.These “transparency-enhancingdesignpatterns” canbeimplementedbydatacontrollers/researchersto maxi-mizetheclarity,navigability,andnoticeabilityoftheinformationprovidedandultimately empowerdatasubjects/researchsubjectstoappreciateanddeterminethepermissibleuse oftheirdata.

© 2020AriannaRossiandGabrieleLenzini.PublishedbyElsevierLtd.Allrightsreserved.

1.

Introduction

SincetheadventoftheGeneralDataProtectionRegulation,1 in thescientific communitythere hasbeen an appreciable rise ofambivalentperceptions,and evenactual misconcep-tions,concerningtheconstraintsandburdensthatthe Reg-ulationimposesonscientificresearchersandtheiractivities (Vayenaetal.,2019).TheGDPRisoftenconsideredforits sti-flingeffectsoninnovationanddevelopment:somenovellegal requirementsimpacthowscientificresearchshallbecarried out.Moreover,therearesomegrayareaswherelegal clarifica-tionwouldbeneeded.

However,manyofthewidespreadbeliefsabouttheGDPR as a research-inhibiter legislation are misplaced: on the

∗_{Correspondingauthor:AriannaRossi,SnT(UniversityofLuxembourg),29AvenueJ.F.Kennedy,L-1855,Luxembourg.}

E-mailaddresses:[email protected](A.Rossi),[email protected](G.Lenzini). 1 _{Regulation(EU)2016/679.Hereafter:GDPR}

2 _{Even thoughithasproventobeamajorroadblockforpersonaldataexchangebetweenEuropeanandnon-Europeancountries} (Rabesandratana,2019).

contrary,withitsharmonizationofdataprotectionrulesand the several derogations forscientific research,for instance those about consent and processing ofdata for secondary purposes(Ho,2017),theGDPR hasset anewgoldstandard fortheaccess,exchangeand(re)useofscientificdataacross Europeanborders2_{,withthegoalofincreasingcross-national} researchcollaborations,whilesafeguardingtherightsofthe datasubjects(Vayenaetal.,2019).

In this article,we explorethe principle of transparency asenshrinedbytheGDPRinapplicationtoanyscientific re-searchdomainwherepersonaldata,andespeciallysensitive data,aregatheredandautomaticallyor semi-automatically analyzed.Throughoutthisarticle,wewillemploytheterms research and scientific research interchangeably. However, we excluderesearch for marketingpurposes. In Section 2,

https://doi.org/10.1016/j.clsr.2020.105402

we explore the legal obligations that impose toconcretely embed transparency measures into the researchers’ pro-cessing practices.Underthe GDPRtransparency becomesa by-designrequirementthatmustbedevisedandbuiltintothe conceptionanddevelopmentofthedata-gatheringprocess.

Wefocusoninformationdisclosures,whichentail infor-mationofdualnature,namelylegalnotionsofdataprivacy anddataprotection,andscientificnotionsoftheresearch pro-cess.Therefore,disclosuresconsistincomplexlegal-technical documentsthatare,however,criticalforreasonsof compli-anceand fairnesstowardsresearchparticipants.Insteadof adoptingapessimisticview,weemphasizehowthenewrules ontransparencycansupporttheproperdesignofinformation disclosuresandtherebyrebalanceinformationasymmetries between data controllers / researchers and data subjects / research subjects, by empowering the latter to appreciate, andultimatelydetermine,thepermissibleuseoftheirdata.

In Section 3, we illustrate the well-known obstacles to effective disclosures both in the domains of data privacy and research, and we motivate why individuals are rarely informedaboutthefateoftheirinformationandabouttheir rights. In Section 4,we argue that, in order to respond to thesechallenges,itisnecessarytomovebeyondapproaches thatfixateonplainlanguageandhenceembraceadesignerly visualturn.InSection5,wethereforedescribethetoolsand methods thathavematured inthe researchareas of infor-mation design, Legal Design and Transparency-Enhancing Technologies(hereafter:TETs)toconceiveusableand effec-tivesolutionsforchallengingcommunicativesituations.

Wefocus ontransparency-promotingoperational strate-giesthatcanbeemployedtomaximizetheclarity,navigability, and memorabilityoftheinformationprovidedtodata sub-jects,asboththelawandgoodscientificpracticerequire.We propose definitions and provide examples of transparency designpatterns,definedasreusablesolutionstocommon in-formationalfailures.Wealsoarguethatitistimetodevelopa systematicapproach– i.e.adesignspace(Schaubetal.,2015) – todefineandimplementtransparencyasasocio-technical concept,namelyasalegalprinciplewhosemodalityof im-plementation depends onmultiple factors,like the subject matter,thecharacteristicsandinformationalneedsofthe in-tendedaudience,thecontextofapplication,thetiming,andof channelofcommunication.Lastly,inSection6,wereasonon thecurrentgapsthatneedtobefilledtoensurethesuccessful applicationoftheGDPRtotheresearchworldandpromotea cultureoftransparencyamongothergoodresearchpractices. Toconcludethisintroduction,webelieveitisnecessaryto dedicateafewwordsabouttheaudienceofthisarticleandits subjectmatter.Themajorityoftheexistingliteratureabout the interplay between GDPR and scientific investigations shows skewed results, since it focuses on the biomedical domain, as noticed by Vayena et al. (2019). Although this articlestrivestobevaluablecross-domain,italsoshowsthe samebiassincewemainlyprovideexamplesextractedfrom geneticapplications.3_{However,webelievethatthiscasecan} be paradigmatic because of the centrality of this area for 3 _{Insection5,wewillalsoconsiderexamplesofinformation} pro-visionbycompaniesthatprocesspersonaldataforresearch pur-posesasanadd-onactivity.

currentandfuturescientificadvancements,theinvolvement ofhumansubjects,andthe sensitivityofthedataathand. Thetransparency-enhancingstrategiesproposedinSection5, though,aspiretobeapplicabletoanyresearcharea:this ar-ticleisaddressedtoallthosescientiststhataspiretoinform study participants efficiently,compliantly, and fairly when they carry out data-informed investigations intended in a broadsense. We includein this set,forinstance, notonly biomedicineandhealthcare,butalsodatamodellingand sim-ulationsinrobotics,computervision,humanmobility, indi-viduals’decision-making,andeducation.Wealsoincludeany kindofdata-gatheringexperiencethatmakesuseofanonline platformfortheregistrationandundertakingofastudy.

We deliberately abstain from referring to transparency-enhancing strategies for informed consent forms, whilst, rather,wefocus oninformationdisclosuresforthreemain reasons.Firstly,albeitthereisanextensivebodyofresearch investigating the failures of informed consent forms, re-sourcesstudyingthetransparencyandqualityofinformation disclosures in the research domain are scarce. Secondly, the information design strategies aimed at ameliorating the transparency of mandated disclosures are part of the broader information provision process that is meant to enable informed consent.Thirdly, informed consentis not alwaysthemostappropriatelegalgroundfortheprocessing of data in scientific investigations, especially for sensitive datagatheringandforthereuseofdatabeyondthepurposes specifiedatthe moment ofcollection (Vayenaet al., 2019). Nevertheless,controllers are subject toinformation duties, unlesstheprovisionofsuchinformationwouldprove impos-sibleorrepresentadisproportionateeffort.Yet,eveninsuch cases, appropriate measures should be adopted to oppose informational opacity, including making the information publiclyavailable(Art.14.5(b)GDPR),e.g.onwebsites.

2.

Transparency

and

information

duties

2.1. User-centrictransparency

InEUlaw,thevalueoftransparencyhasbeenconcretizedin legal principleswiththedesiredgoal of“engenderingtrust intheprocesseswhichaffectthecitizensbyenablingthem tounderstand, and if necessary,challenge those practices” (Article29 Data Protection WorkingParty,2018,p.4). Under theGDPR,transparencyisintrinsicallyrelatedtothefairness ofprocessingofpersonalinformationandassumesa funda-mentalroleinaccomplishingcompliancewiththeprinciple ofaccountability.Inthis sense, transparencycan empower “data subjects to hold data controllers and processors ac-countable and to exercisecontrol over their personal data by,forexample,providingorwithdrawinginformedconsent andactioningtheirdatasubjectrights” (Article29Data Pro-tectionWorkingParty,2018,p.5).Thisdescriptionresonates transparency in research applications on human subjects, whichreferstobeingopenabouttheprocess,outcomes,and entailedrisksofthestudy.

andcomprehensibilityoftheinformationisasimportantas theactualcontentofthetransparencyinformation” (Article 29DataProtectionWorkingParty,2018,p.5).Inotherwords, merely providing (frequently illegible and unintelligible) informationaboutdatapracticesisnowconsideredunlawful: rather,itisessentialtodesignthecommunicationfollowing theinformationalneedsoftheintendedaudiencethatshould beenabled tounderstand anduse that informationwithin aspecifiedcontext.Transparencymustthereforebereadas asocio-technicalconceptthatintegrateshuman,functional, and contextualaspects tothe legal and technicalfeatures: transparency-enhancing solutions should be designed for thegoalsofspecificusersingivenenvironments.Moreover, theimplementation ofsuchsolutionsshouldbemotivated, whilst their efficacy should be empirically proved. The prominence given to user-centricity marks a paradigmatic shift in long-established malfunctioning,even detrimental, communication practices and thus has the potential to promptinnovationandencourageempiricalinvestigationsto establishbestpracticesandstandards.

Concretely,user-centriccommunicationinthecontextof scientificresearchshouldconsiderthecharacteristicsofthe intended audience (e.g., what is their level of literacy and theirage?);thetypeofinformationthatitintendstotransmit (e.g.,doesitdelivertemporalinformation?);anditsobjectives (e.g.,doesit intendtowarnabout specificaspects?Doesit wanttoexplaincomplexprocesses?).User-centricdisclosures shouldallowindividualstoformexpectationsaboutthe de-velopmentoftheresearchandtoreasonaboutthemodality ofretentionandanalysisoftheirpersonaldata.Disclosures shouldtherebyenabledatasubjectstodecideinafreeand au-tonomousmannerwhethertheywishtoparticipateinastudy andaccepttherisksinvolved,especiallyiftheprocessingis likelytoresultinhighrisksforthedatasubject.Individuals should also be empowered to understand how they can exercisetheirrightsconcretely,liketherighttoaccessthe in-formationheldaboutthemandtherighttowithdrawconsent. 2.2. Transparencybydesign

To properly implement transparency in its multi-dimensionality,wearguethat datacontroller should adopt a transparency by design approach. Namely, they should embodytransparencymeasuresinto thedesignofthedata processingoperations,insteadofappendingthemasan af-terthought.Thisproposalisinlinewiththedataprotectionby designandbydefaultapproachenshrinedbyArticle25GDPR, thataimstominimizerisksbyfocusingoneffectiveexante

protectionembeddedearly oninthe designoftheprocess, asopposed toexclusivelydeviseex postremedies (Hartzog, 2018).Accordingtothisview,dataprocessingoperationsand protectionsshouldbecomethe“outcomeofadesignproject” (European Data Protection Supervisor, 2018, p. 6) oriented to fulfill the principles laid down in Article 5: lawfulness, fairness,andtransparency.

Such a stance resonates with the proactive approach thatisnecessaryforthoseresearchapplicationsthatdonot onlybenefitindividualsandhumanityatlarge,butcanalso potentially impact their rights and their well-being: data controllers should provide legal protection by design,

pro-motethesafetyandwelfareofthedatasubjects,andprevent problemsfromarisingtothemaximalpossibleextent(Rossi andHaapio,2019).Thisalsomeansthatinformationnotices shouldmirrorthe transparencyofthe processingthatthey describeinthetransparencyoftheirlanguageandtheir pre-sentation.Indeed,thedesignofinformationandtechnologies is not a technical, value-neutral translation of functional requirements,as it iscommonly believed (Van den Hoven etal.,2015).Onthecontrary,bydeterminingaffordancesand constraintstowhichuserswillbesubject,designalsodefines theirpossibilitiesandtheirlimits.

Ifsuchforward-looking approachcan beascribed tothe practiceofProactiveLaw(SiedelandHaapio,2010),itcanalso beframedwithin the practiceofLegalDesign, whichisan interdisciplinaryapproachtoapplyhuman-centereddesign topreventorsolvelegalproblems(Ducatoetal.,2018). Follow-ingthebedrockofhuman-centereddesignpractices,oneof themainpillarsofLegalDesignresidesintheconsideration thatusersofthelegalsystemandlegalinformationarenot only lawyers, judges and regulators,but a wider circle of stakeholders.Inthecasecurrentlyunderanalysis,usersare primarilyresearchers in charge ofdesigning informational materialandconsentexperiences,andresearchparticipants thatneed tobeable tonavigateand decodethat informa-tion to decide whether and how to disclose personal,and even sensitive, data about them. This indicates the need foreasy-to-implementsolutionsthatontheonehandhelp data controllers to observe their compliance duties in a built-inmanner(i.e.,bydesign),andontheotherhand,that informdatasubjectsadequately.Section5willillustratehow informationdesignpatternscanprovideoperationalwaysto promotetransparencyandinformedconsent,bytranslating abstractlegalprinciplesintoapplicablesolutions.

2.3. Informationduties

Inthecontextofpersonaldata-driven research,individuals andinstitutionsactingasdatacontrollershavespecific infor-mationdutiestowardsdatasubjectsfollowingArticles12to 14GDPR.Furthermore,ifresearch involveshumansubjects formedicalpurposes,theClinicalTrialRegulation4_imposes additionalobligationsontheinvestigatorsaimedatavoiding datamisuseandresearchmisconduct.Wheninformed con-sentisemployedasthe lawfulgroundfordataprocessing, legalrequirementsconcerninghowthatconsentissignified alsoapply(Article4,7and9GDPRandArticle12.21,29and30 CTR).Ifdataarecollectedthroughadigitalplatform,amobile applicationor awearabledevice,theobligatorypovisionof precontractualinformationmayalsoapply– seee.g.,Albrecht (2013) – following the Consumer Rights Directive5 _{and the} UnfairContractTermsDirective.6

TheinformationdutiesdescribedsimilarlyintheEU leg-islationmentionedabovehavebeenclassicallyimplemented through the regulatory tool of mandated disclosures: it is believed that establishing full transparency would reduce information asymmetries, create a level playing field for

all the actors involved in a transaction, and pinpoint the decision-makingoftheweakestparty(Rossietal.,2019).The legalandethicalrequirementsaboutdisclosureandconsent are mosttypically realizedthroughdocumentslike privacy policies,informationsheets,consentforms,andterms and conditions.Itfollowsthatindividualscanbeconfrontedwith a highly intricate informational texture. In the next para-graphs, wedescribein greater detailwhat the information dutiesexactlyentail.7

2.3.1. Informationdutiesfordatacontrollers

Article13 GDPRdictatestoprovidethe identityofthedata controller,theco-controllers,andtheprocessorsifapplicable (e.g.,alltheresearchinstitutionsinvolvedindatahandling); thecontactinformationoftheorganization’sDataProtection Officer8_{;thespecificresearchpurposes;anexplanationthat} processingisallowedbyvirtueofconsentandthatconsent canbewithdrawn;therightsofthedatasubjectsandthe ex-ceptionsforresearch9_{;thedataretentionperiod,considering} thepeculiarresearchers’obligationstoguarddataforagiven periodoftimeandtopublishdataindefinitely(Vrije Univer-siteitAmsterdam,n.d.);andtherighttolodgeacomplaintto therelevantsupervisoryauthority.Ifdataaretransferred out-sidetheEuropeanUnion,thenaclarificationaboutthelegal safeguardsforthetransferisneeded.Ifautomated decision-making is applied,than meaningful informationabout the logicand theconsequencesofsuchprocessingshould also beprovided.Iftheinformationisnotobtaineddirectlyfrom thedatasubjects,Article14GDPRprescribestomentionthe categoriesandthesourcesofpersonaldataconcerned.

In addition, Article 12 provides indication on how the informationaddressedtodatasubjectsshouldbedesigned, namelyinaconcise,transparent,intelligible,andeasily acces-sibleform,usingclearandplainlanguage.Suchrequirements also apply to any communication about the rights of the datasubjectandaboutdatabreaches.Thearticlealsoaffirms theroleoficonstoprovideaneasilyvisible,intelligible,and clearlylegibleoverviewofthedataprocessing.

2.3.2. Informationdutiesforresearchinvestigators

Inaresearchcontext,the followingitemsmustalsobe ex-plicitly mentioned(Summers,2018a):thepurposeand type of research; the voluntary nature of the cooperation; the advantages and risksinvolved; the conditions towithdraw fromthestudy;theusageofthedataduringresearch, dissem-ination and storage,including how theinformationwill be sharedwithparticipants;anyapplicablebenefits-sharing;the futurepublishing,archivingandreuseofthedata,explaining to participants the benefitsof data sharing and indicating whetherresearchdatawillbedepositedinadatarepository; thecontactdetailsoftheresearcher,withinstitution,funding 7 _{Forthescopeofthispaper,weexcludeananalysisof} trans-parencyrequirementsinconsumerlaw.Foranalogieswithdata protectionlaw,though,werefertoRossietal.(2019).

8 _{Hereafter:theDPO.}

9 _{I.e.,theexceptionstotherighttoinformationwhendataare} notdirectlyobtainedfromthedatasubject,totherightoferasure, totherightofobjectingtoprocessingandpossiblenational dero-gations(Vayenaetal.,2019,p.61).

source,andinstructionsonhowtofileacomplaint. Depend-ingonthetypeofdata,additionalrequirementsmayapply, e.g., those for informed consent described bythe Helsinki declarationonmedicalresearch(WorldMedicalAssociation, 2013)andthoseoftheNagoyaprotocolobligationsforgenetic data(Secretary-GeneraloftheUnitedNations,2010).

2.3.3. Informationdutiespinpointinglawfulinformedconsent

Whenconsentisidentifiedasthelegitimatelegalgroundfor thedataprocessing,researchersshouldinformparticipants aboutthestudy,ensureparticipants’comprehension,and em-phasizethevoluntarinessoftheirparticipation(Dankaretal., 2019).Theaccompanyinginformationshoulduncoverthe re-searchpurposes,clarifythedataretentionandsharingpolicy, specifythemeasurestakentosafeguardanonymityand confi-dentiality,andoutlinetherighttowithdrawfromtheresearch (Summers,2018b).Sinceboththecontentandthequality un-derpinthevalidityofdisclosures,consentrequestsshouldbe presentedinanintelligibleandeasilyaccessibleform,using clearandplainlanguageundertheGDPR.Similarly,itshould be drafted in a way that is comprehensive, concise, clear, relevant,andunderstandabletoalaypersonundertheCRD.

3.

Documented

issues

to

effective

disclosures

Followingregulatoryrequirements,theinformationthatshall beprovidedtoresearchparticipantsisnotonlyabundant,but alsolegallyand technicallycomplex innature.Considering that attention to the quality of communication is almost never prioritized, this provokes an informational Babel of lengthy,cumbersome,andjargon-riddendocumentsthatnot onldonotcomplywithapplicablelawsand,furthermore,do notservetheinformationalneedsofthehumansubjects. 3.1. Dolengthyandunstructureddisclosuresfulfill transparencygoals?

Both in the domains of data protection (Calo, 2012) and research(MansonandO’Neill,2007),“themoreinformation, thebetter” hastraditionallybeentheunderlyingassumption toaidindividuals’decision-making.Legalrequirementshave placedaprimaryfocusonthecompletenessofthe informa-tion provided, with the aim ofpreventing data controllers fromomittingrelevantdetails,therebyunderminingpeople’s ability to make informed choices. Yet, exhaustiveness of informationisoftentimesatoddswithunderstandabilityand otherconsiderationsconcerningusability,sinceitgenerates informationfatigue and cognitive overload that drive indi-vidualsto“skim,freeze,orpick outinformationarbitrarily” (Calo,2012, p.1054),instead ofbolstering their abilities of comprehensionanddecision-making.

Lengthinessisexacerbated bythe lackofanylogical in-formationarchitecture,whichcausesimportantdetailstobe lost in a sea of impenetrable text and discourages people fromreading.Thereexistsanextensivebodyofliteraturethat pointstothecompletelackoffunctionalityofprivacynotices andotherlegaldocuments10_{.Generallyspeaking,oneofthe}

limitationsoflegalcommunicationconsistsintheemphasis placedon“theessenceandprecisionoftherules,butnotatall ontheneedsandabilitiesoftheindividualstaskedwith un-derstandingandactinguponsuchrules”Passera(2015,p.342). In addition, an impressive number of people are func-tionallyilliterate:forinstance,theOrganisationforEconomic Co-operationandDevelopmentfoundoutthatinalmostall countries surveyed in 2016, a sizable proportion of adults haspoorreadingskillsandisnotabletoextractinformation from longandcomplextexts(Kankaraš etal.,2016).Unless theyreceivespecificeducation,individualsfailtograsplegal and scientific(e.g.,medical) knowledgeduetotheirlackof expertiseinthedomain.Forinstance,participantsgenerally showlowcomprehensionofinformationsheetsandconsent forms(Falagasetal.,2009;MontalvoandLarson,2014),e.g.,for whatconcernsrisksandbenefitsofhealth-relatedresearch, mainlyduetolimitedliteracyandtolanguagebarriers(Davis etal.,1998;Sudoreetal.,2006).

Themajorityofexistinginsightsaboutthe incomprehensi-bilityofinformationalmaterialandinformedconsentforms11 highlights theirlowreadibilitylevel.Hence,theyresult un-intelligibletoagreatpartofthepopulation(Paasche-Orlow et al.,2003; Sugarman et al., 1999),provoking blind agree-menttotheterms.Consideringtheuseofcomplexresearch methodsinvolvingartificialintelligenceandbig data analy-sesinmanydomains,andthe necessityofexplainingtheir functioning according to the GDPR, the necessity of find-ing accessible and comprehensible communication means becomesevenmorepressing.

3.2. Communicatinginablendedenvironment

Besides,nowadaysdata-drivenresearchhappensinablended environment, where data are growingly gathered through mobiledevices,sensors,wearables,andothertechnologies.It followsthatthetaskofinformingparticipantsalsoshiftstoan onlineenvironmentwherecommunicationtakesplace asyn-chronously.Therefore,risksofnon-comprehensionmightbe evenhigherinsucharemotesetting,sinceparticipants can-notreceiveimmediatefeedbackabouttheircomprehension, norcleartheirdoubts.Nevertheless,thedigitalenvironment also offers unrivaled opportunities to maximize the effi-cacy ofcommunication,forinstance interms ofvarietyof information presentation methods (i.e., e-mail, messages, webpages,videos,chatbots,etc.),ofinteraction,ofscalability (GovernanceTeam,2019)andoftiming.

Indeed, the moment at which information is provided sensiblyimpactsthecapacityoftheaudiencetounderstand andactuponsuchinformation(Schaubetal.,2015).Oneof the main limitations ofexisting approaches resides in the beliefthatinformationprovisionforconsentisa“single-point transactionthatmustbecompletedinordertoenroll partici-pants” (Wilbanks,2018,p.110).Asaconsequence,information dutiesarenormallyimplementedthroughadocumentshown beforethedatacollectiontakesplace.Yet,peopletakingpart inaresearchstudyliveawholecomplexexperiencethatis 11 _{Mostly focusing on informed consent forms used in the} biomedicaldomain.

composedofmultiplephases:discoveringthestudy; under-standing what it entails in terms ofprocedures, risksand benefits; taking part in it, sometimes over a long period; making sense of the results; and eventually finishing the study orwithdrawing fromit.Eachphasetriggersdifferent informational needsthat should betackledseparately and appropriately to serve the right to self-determination and informeddecision-making.Forinstance,adynamicconsent modelprovidesforthemicro-managementofdataprocessing permissionsatdifferent points intime.This should trans-lateintoinformationopportunelyprovidedtoallowinformed choices,whileconcurrentlyavoidingtooverburdenuserswith anexcessivenumberofchoices,whichwouldcausedecision fatigue.

3.3. Specificobstaclestotransparency-friendly informationdisclosures

Previous work (Rossi et al., 2019) (pp.92–97) has identified classicalhurdles toeffectivecommunicationinthecontext ofdata privacyand data protection.Many of these issues tendtoaffectlegalandtechnicalwritingingeneralandmay alsoariseininformationnotices.Insomecases,itseemsthat theseare present out oflegal-ethicalreasons,but theyare notdesignedforspecifiedusersinspecificcontexts,norare theyconceivedtoreachspecificgoalsofeffectiveness.

Wesummarizeinthe followingthe mainproblemsthat precludeeffectivelegal-technicalcommunication:

1.Languagecomplexity:excessiveuseoflegal-technical jar-gonandcomplexsyntacticchoicesimpactreadabilityand makeitcumbersomeformostindividualstounderstand themeaningofadocumentwithoutexpertadvice; 2.Vagueness ofterms:excessiveuse ofvague terms leave

theindividualsbaffledabouttheirintendedmeaning; 3.Wall oftext: documents are displayed aswalls oftexts

that result impenetrable,while details are lost in asea of text. Without information hierarchy and meaningful visualorganization(e.g.,paragraphs,headlines,spacing), readerscannotnavigatethetextandefficientlyfindsalient information;

4.Excessive length:althoughcompleteness ofinformation iskey,itstranslationintooverlylengthytextscause infor-mationoverloadanddiscourageindividualsfromreading; 5.Lack of audience-tailoring: language and presentation ofinformationnoticesare notadjustedfortheintended audience,itsinformationalneedsinspecificcontexts,and itscognitivecapacities;

6.Bad timing:althoughbylawinformationmust begiven beforethe dataprocessingstarts,thismightcause indi-vidualstodisregardorforgetit.Moreover,pre-processing requirements donotprevent controllers from providing information at different times of the data processing relationaccordingtothecontextualusers’needs;

8.Scatteredinformation:ifdifferentaspectsoftheresearch participation are scattered around different documents and places (e.g., analogical information sheets, online privacypolicies, contracts,etc.),it becomesarduous for anindividualtofindspecificinformationandtointegrate knowledgecomingfromspatiallyortemporallyseparated sources.

3.4. Darkstrategies

Ithasbeenmaintained(Böschetal.,2016)thatmakingithard fordatasubjectstolearnhowtheirpersonaldataiscollected, stored, and processed constitutes a darkstrategy that has theaim– orthesubstantialeffect,evenifunintentional– to mislead and deceive them.Indeed,by exploiting cognitive load, long and impenetrable privacy notices alienate their audience from reading, or nudge them to disengage from unravelingtheirintendedmeaning.Iftermsareunintelligible, individuals cannotformexpectations nor understandtheir rights. If risks are not explained, individuals unpleasantly discover consequences when it is too late to retain their data. If, in other words, the visible interface of data pro-cessingisobscure,toocomplex,orincomplete,participants mightdecidetoabstainfromcooperationorwithdrawfrom the study.Inthe worstcase scenario,the lackofproactive transparency-enhancingstrategiescanbecometheobjectofa legaldispute.Darkstrategiesarethereforetheoppositeofthe “inform” privacy-enhancingdesignstrategy(Hoepman,2014) and contradict mostofthe Privacy byDesign foundational principles(Cavoukian,2009).

It is opinion of the authors of this article that dark strategiesinscientificresearcharerarelyintended:theyare rather the outcome ofthe investigators’ lackofknowledge or capacities needed tohandle personal dataand practice transparency.Withoutdataculture,itisunrealistictoexpect that privacy notices and consent forms will be accurate, exhaustive,andintelligible.Moreover,thereisatendencyto exclusively assigndata protectionmatterstothe organiza-tion’sDataProtectionOfficer– or,atworst,considerthemas ahindrancetoresearchadvances.

Inthefollowingparagraphs,hence,wefocusonpractical strategies thatcan serve adoublegoal: firstly,theycan be implementedtoclearlycommunicatewiththedatasubjects and,secondly, theycan serve internallyto clarifythe data flowandretentionpolicy,thusfacilitatingcompliance,aswill bearguedinSection6.

4.

Beyond

readibility:

the

design

of

legal

and

scientific

information

Although existing research has thoroughly analyzed the hurdles toeffectivecommunicationbothinprivacynotices and consentforms,less attention hasbeen devoted tothe conceptionanddevelopmentofsolutionstothoseproblems, ifweexcludethereiteratedrecommendationsontheuseof plainlanguage. Inthefollowing,wegoonestepfurtherby introducingconsiderationsonthedesignofinformationand ofchoicearchitecture.

4.1. Beyondplainlanguage:informationandchoice architecture

Albeitlanguagesimplificationstillconstitutestheexception rather than the rule, such a goal has been already touted extensively.Guidelinescontainingcriteriafortheevaluation ofthereadabilityofeducationalmaterialandconsentforms already exist,e.g. see Terranovaet al. (2012).Yet, readabil-ity, we argue, is but one of the properties that constitute transparency. What ismissing, on the contrary,are strate-giesthatbroadlyactoninformationdesign,namelyonthe organization, navigation, and explanation ofa document’s content.Plainlanguageisnecessary,butnotsufficient: “visu-allydisorganizeddocumentsandwalls-of-textslookandfeel

difficult” (Passera,2018,p.230),causingpeopletoanticipate highmentaleffortsandthereforeabstainfromengagingwith thereadingaltogether.

Theinterpretationsoftheprincipleoftransparencybythe Article29DataProtectionWorkingParty(2018)andtheCNIL (Chatellier et al., 2019) support this view: data controllers should pay attention and invest resources in the design of a meaningful and non-deceptive choice architecture. In other words, they have the responsibility to organize the contextinwhichpeoplemakedecisions(Thaleretal.,2014), which cannudge them toeither makeoptimalchoicesor, conversely,suboptimal ones.Weclaimthat itistimetogo beyondreadabilityand considerthe wholeuser experience todesignameaningfulandempoweringchoicearchitecture that responds to users’ needs and capacities in a usable, transparentandfairmanner.

Indeed, documents are not mere containers of infor-mation. Rather, they should be “structured around users’ strategic needsto accessdifferent information atdifferent timesforparticularpurposes” (Waller etal.,2016,p.9).The notionofdocumentliteracyiskeyinthiscontext,namely“a formofliteracythatgoesbeyondreadingthewordstoinclude strategicreading-searchingdocumentsforanswersto ques-tions,assemblinginformationfromdifferentdocuments,and determiningtherelevanceofinformation” (Walleretal.,2016, p.9).Individualsdonotonlyneedtoaccessanddecode infor-mation,butalsotomakeuseofittotakedecisions(e.g.,give orwithholdconsentforcertainprocessingpurposes)ortoact accordingly(e.g.,followinstructionsdescribinghowtodelete theirpersonalaccount).Hence,itisnotonlyimportanttofind appropriate means and formats to makesuchinformation readilygraspable,butitisalsonecessarytoempowerpeople tofindthatinformation,prioritizecertainitemsoverothers, andlearnhowtomakeuseofit.Researchersshouldaimat creating “forms that are shorter,more readily understood, lessconfusing,thatcontainall ofthe keyinformation,and thatcanserveasanexcellentaidtohelpsomeone makea gooddecisionaboutwhethertoparticipateinastudy” (Food andDrugAdministration,2011).

instance,thelanguageregisterandadifferentiationbetween reasonablyexpectabledatapracticesfromunexpectableones. Aneffective noticeshould focus oncommunicating intelli-gibly,saliently,andconcretelytheunforeseenconsequences of scientific investigations. Especially when the audience isnotknowledgeableabout the domain,suchexplanations areindispensabletohelppeopleformrealisticexpectations about whatisgoingtohappennextandabout thebenefits andrisksinheritedwithcooperation.

4.2. Evidencesupportingavisualturn

Amereinterventiononlanguage shouldnotconstitutethe onlymeansinthecontroller’stoolkittoimpactinformation understandability. Evidence shows that visual communi-cation improves understanding and enhances short- and long-termretention ofkey informationabout theresearch. Thelabel“visualcommunication” coversforagreatvarietyof graphicaldesignmeans:experimentationtoenhance trans-parencyofscientific(mostlybiomedical)informationsheets and consent forms has mainly revolved around pictorial charts(Vallelyetal.,2010),comics(Steenberg,2017),pictures (Peregrin, 2010), videos (O’Lonergan and Forster-Harwood, 2011),pictographs(Taitetal.,2010a),tables(Taitetal.,2010b) andamixofothermethods12_.

Moststrikingly,eventhelegaldomainhasrecentlystarted to includegraphical communicationinto arealm that has traditionallybeenverbo-centric(Brunschwig,2011)andtotest itagainstpureprose.Researchshowsthatgoodinformation structureandgraphicalelementscanhelphumanreadersin navigatinglegaltexts,clarifytheirmeanings,maximizetheir understandability,make assumptionsvisible,and reinforce the intended message(Barton et al.,2019).Moreover, visu-alizations can lower the chances of misunderstandings by makingabstractinformationeasiertograsp(Passera,2017). Studies oncontractvisualization,forinstance,haveshown thatlegalcontentisunderstoodmoreaccuratelyand faster whensupportedbyvisualmeans(Passera,2012;Passeraand Haapio,2013;Passeraetal.,2013).

Whereaslongdocumentscanbeoff-putting(Walleretal., 2016),graphical elementscanreducecognitiveloadderived bylengthy agreementsand assist theactivity ofskimming throughthetexttofindrelevantinformation(Passeraetal., 2013).Theycanalsosupportmemorizationandretentionof legal information(Passeraand Haapio, 2013). Visual narra-tivesthroughcomics canevenreplacethe legaltext intoto

(Haapioetal.,2016),thereby,improvingthemotivationtoread the legalterms andeasingtheadequate comprehensionof contractualrights,obligations,andconsequences,especially amongpoorlyeducatedindividuals(Botes,2017).

Intheonlineenvironment,theinclusionofvisualizations increases theattention andthe timethat peopledevote to reading onlinecontracts (KayandTerry,2010)and improve comprehension accuracy (Botes, 2017). Displaying icons to illustratekeypoints,rephrasingkeytermsasfrequentlyasked questions,providinginformationinshortchunksattheright 12 _{We addressthe readere.g.,to Nishimuraetal. (2013)fora} systematicliteraturereviewoninterventionstoenhanceconsent formsinthebiomedicaldomain.

time, and embedding illustrations and comics into online privacy policies and terms and conditions also ostensibly enhancethe understandingand engagementofindividuals withlegalterms(TheBehaviouralInsightsTeam,2019).

5.

Transparency-enhancing

design

patterns

for

research

5.1. Transparency-enhancingtechnologiesanddesign patterns

Notwithstanding the merits ofthe interventions described inthe previous paragraphs,it seems verydifficult,or even impossible,forpeoplewithouttherelevantexpertiseto prop-erlymaterializethoseideas:learningstrategiesandmindsets toameliorateinformationdesignisnotpartoftheclassical educationalpathoftheprospectivescientificresearcher.Yet, given the centrality of transparency and the relevance of awarenessraisingandknowledgesharinginlegalandethical conduct,cost- and time-effective solutions must be devel-oped:whereastherearemanystudiesanalyzingthemerits ofcertain interventions,what is still missing are concrete and implementable indicationsfor non-experts. Therefore, inthe followingwepresenttransparency-enhancingdesign patterns,i.e.,reusablesolutionstotackleclassicalproblemsof legal-scientificdocuments,accompaniedbyconcrete guide-linesofferingguidanceonhowandwhentousethepatterns. Wemaintainthattransparencydesignpatternscanbe con-sideredTETs,i.e.,toolsthataimatreducingtheinformation asymmetrybetweenthedatacontrollerandthedatasubject (Zimmermann,2015),byprovidingthelatterwithknowledge abouttheusageoftheirpersonaldata(Spagnueloetal.,2018). TETs complement Privacy-Enhancing Technologies in that theydonotofferwaystolimitdatasharingorconcealone’s identity,buttheyratherprovideinsightintotheintendedor actualcontroller’sdata practices.Notably,transparency de-signpatternscanbeframedasassertionTETs(Zimmermann, 2015),thatistosaytechnologiesconveyinginformationabout the purported data processing practices of the controller, albeitwithoutthepossibilitytoverifytheirveracity.

5.2. Rootsandstructureofdesignpatterns

Table1– Thedesignpatternsorganizedpercategory.

Explanation Navigation Overview Emphasis

Illustrative examples Meaningful organization Layered notice Highlighted text

FAQs Companionicons Videos Alerticons

Timeline Swimlane Comics

2010;Romanoskyetal.,2006),butalsointerfacedesignand legal information design(Haapio and Hagan, 2016; Haapio andPassera,2017;Rossietal.,2019;Walleretal.,2016).

Eventhoughpatternlanguagesvary,aprototypicalpattern structure describes the solution to one or more problems in a specific context, together with the expected positive and negativeconsequences ofthe implementationof such pattern (Meszaros and Doble,1997). We organize the next sections according tofour categories ofobjectives that the patternsmainlyintendtosupport:explanationinSection5.3; navigationinSection5.4;overviewinSection5.5;emphasis in Section 5.6. Table 1 arranges the patterns according to these categories. Indeed, although increased transparency is commonly associated with increased comprehensibility, it should alsoaim toenhance the navigability ofcomplex andabundantinformation,augmentthesalienceofthemost relevantfacts, andenablepeople toreceive anoverviewat firstglance,whilelaterdelveintothedetails.

The structure of the patterns contains the following attributes:

• summary illustrates the functioning, the goal, and the expectedoutcomeofthepattern;

• problem(s) refers to the problem or problems (summa-rizedinSection3.3)thatthepatternaimstosolve(Fig.1 providesasummarizingtable);

• constraintsdescribesrestrictionsandconditionsapplying tothepatternimplementation;

• applicationproposesinformationtypesthat canbe most properlyrepresentedthroughthepattern;

• example reports a good implementation of the pattern. Examples are either drawn from existing research or constituteourowndesignprototypes.

5.3. Explanation

Explanation patterns enhance the clarity and intelligibility of the research steps and ofthe personal data processing involved.

5.3.1. Illustrativeexamples

• Summary: Examples clarify complex technical, legal,or proceduraltermsthatcanresultunfamiliartotheresearch participants.Theycanalsomakeabstractconceptsmore tangible(Rossietal.,2019).

• Problem(s):Languagecomplexity,vaguenessofterms,lack ofaudience-tailoring,lackoffamiliarity.

• Constraints: To resultmeaningful,examples shouldnot coverallaspectsoftheresearch,but ratherrelate tothe

most cumbersome, unexpected, or relevant practices inthat context forthat audience. They can respond to the most frequently asked questions. However, by giv-ing salience to one aspect, they should not omit other practices(e.g.,questionableorprivacy-invasive).

• Example:“WemayshareAggregateInformation,whichis informationthathasbeenstrippedofyournameand con-tactinformationandcombinedwithinformationofothers sothatyoucannotreasonablybeidentifiedasan individ-ual,withthirdparties.[...]Forexample,Aggregate Informa-tionmayincludeastatementthat“30%ofourfemaleusers share a particular genetic trait,” without providing any dataortestingresultsspecifictoanyindividualuser.”13_. • Application:mostcomplexdataprocessingpracticesand

scientific practices(e.g., automated decision-making on research data); abstract risks entailed in the research participation.

5.3.2. FAQs

• Summary: Simple and straightforward answers to fre-quentlyaskedquestionsprovideadhoc,relevant explana-tionsforthe intendedaudienceand canbefoundwhen needed(i.e.,atrequest).

• Problem(s): Language complexity; vagueness of terms; walloftext;excessivelength;lackofaudience-tailoring; wrongtiming;lackoffamiliarity;scatteredinformation. • Constraints: Beforedata collection, FAQs canact as

an-ticipatoryexplanations,dismissfearsanddebunkmyths, therebypotentiallyattractingparticipants.Duringorafter datacollectionandprocessing,FAQscanclarifythemost common doubts about research practices, thus saving researchers’ time. Yet, they should not substitute the contactperson,nor the complete legal and educational documents.FAQsshould beorganizedinalogical order andinaneasy-to-navigatedisplaytoefficientlysupport informationfinding.

• Example:Fig.2.

• Application: answers to common questions about data gatheringprocessesandrelativerisks(e.g.,“Howaremy data protected?”); instructions about common practices (e.g.,“HowdoIwithdrawfromthestudy?”,“HowdoIerase myaccount?”).

5.3.3. Timeline

• Summary:Timelineslogicallydisplayasequenceofsteps orevents(forinstance,actions,deadlines,processes).They helpindividualstoconcretelyenvisagehowaprocesswill takeplace.Theycanalsosupporttheirunderstandingof whenandinwhatordertheyneedtoinitiatecertainsteps toreachacertaingoal.Timelinesmaketemporaland log-icalrelationshipsmorevisiblethaninproseandthereby guidecorrectinterpretations.Moreover,theintegrationof visualandtextualelementsfacilitatescognitiveprocesses anddecreasescognitiveload(Passera,2018).

Fig.1– Matrixillustratingtheproblem(s)thateachdesignpatterncansolve.Thedifferentshadesofcolorsindicatethe categorytowhichthepatternbelongs.

Fig.2– AncestryDNAhasgroupedthemostfrequentquestionsitreceivesononeoftheirtoppages.Availableat:

https://www.ancestry.com/dna/(last accessed: 31 October 2019).

• Problem(s):Vaguenessofterms;walloftext;wrongtiming; lackoffamiliarity;scatteredinformation.

• Constraints:Timelinesshouldbeusedwhentemporalor logicalsequencesarehardtofollowortogiverelevanceto actionsthatindividualsneedtoperform.

• Application:dataretentionanddeletionpolicy(e.g.,data retentionforactiveorcompletedresearchprojects);entire data processing cycles, including collection, analyses, resultscommunicationanddestruction.

Fig.3– Thistimelineillustratesthestepstheuserhastoinitiatetodeleteheraccount.Re-elaborationisourown.Werefer totheoriginalprovisionsin“5.d.Accountdeletion”,availableathttps://www.23andme.com/en-int/about/privacy/(last accessed:31October2019).

Fig.4– Thisprototypeofaswimlaneillustratesanexcerptoftherightsofthedatasubjectsvis-a-visoftherespective responsabilitiesofthecontroller.Theexamplealsomakesuseofastructuredlayout,meaningfulheadings,andcompanion iconstoimprovenavigability.TheiconsbelongtotheDataProtectionIconSet(RossiandPalmirani,2020)availableat:

5.3.4. Swimlane

• Summary: Swimlanes are diagrams illustrating rights, obligations and responsibilities of the different parties involvedintheresearch(HaapioandPassera,2017). Swim-lanes offer an easy-to-consult summary that guide the parties through their responsibilities, especially when informationisscatteredacrossdifferentdocuments.They alsogiveprominencetotherightsthatdatasubjectshave, whichareoftentimestuckedawayattheendofthenotice. • Problem(s): Vagueness of terms; wall of text; lack of audience-tailoring; wrong timing; lack of familiarity; scatteredinformation.

• Constraints:Swimlanes canbecombinedwithtimelines andotherdiagramstoelicittheinterdependenceamong differentsteps.

• Application: rights and obligations of the data subjects andofthedatacontrollers,andlimitationsthereof (e.g., security measures; right to access and to erasure of personaldata).

• Example:Fig.4.

5.3.5. Comics

• Summary:Comicscombinetextualandgraphicalmeans to illustrate concepts and courses of action. They use conversationalstyleanddevelopanarrativeinaspecific context, thus they allow readers to identify with the characters.Comics can alsoattractand retainattention byfightingnoticefatigue(Rossietal.,2019),i.e.the habit-uationand alienationderived bythe longstandinghabit ofexperiencinginscrutableprose.Theycanthusmotivate young people, people with low (scientific) literacy, and non-native speakers to read. Moreover, like examples, theymakeabstractnotionsmoretangible and theycan reinforcelearningandretention.

• Problem(s): Language complexity; vagueness of terms; walloftext;excessive length;lackofaudience-tailoring; lackoffamiliarity.

• Constraints: Comics can capture and illustrate specific research aspects, but do not usually substitute whole documentswithdueexceptions.Thereforetheycanalso beconsideredasanimplementationofinformation lay-ering.Theycanfocusonspecificaspectsoftheresearch procedure, while omitting others: this should not be a strategy to conceal privacy-invasive or risky practices. Attention should bedevoted to the conversational tone andthedepictionofcontextandcharacters,thatshould beappropriatefortheintendedaudience(e.g.,adultsvs children)sothatthemessageresonateswiththem. • Application:themostrelevant,complex,orcontroversial

aspectsofaresearchstudy.

• Example:Figs.5and6.Theimagesdisplayanexcerptof the comic stripsketched by Steenberg (2017)to explain genomeprocessingresearchandobtaininformedconsent from the San population in South Africa. San people generallyhavelow incomebackground,loweducational levels,and speak adifferent language than researchers. Moreover,giventheiruniquegeneticheritage,theyhave been repeatedly involved in scientific studies and con-vincedwithquestionablemethods.Thereforealternative methodstoprosehadtobedevisedtoensureclarityand

gaintheirtrust.Theuseofcomicsproducedgeneralhigher comprehensionrateswithrespecttothepre-comics con-ditionandhelpedtheSanpopulationtoidentifywiththe depictedcharacters.

5.4. Navigation

Navigation patterns improve the hierarchical and logical organizationofinformationanditspresentation,facilitating thereby theskimmability ofthedocumentand the easeof findingthedesiredinformation.

5.4.1. Meaningfulorganization

• Summary:Ameaningfulorganizationofthedocument’s contentcorrespondstoalogicalinformationarchitecture: differenttopicsareorderlyexplainedinseparatesections andarelabeledwithanappropriateinformativeheading (orsubheading),thusgivingvisualandthematichierarchy to the document. A well-structured layout that breaks down long documentscan attractthe readers,decrease theinformationload,andenablethemtoefficientlyskim read the textto findanswers totheir questions (Waller et al.,2016).Headingscanalsobephrased asquestions, likeFAQs.

• Problem(s):Walloftext;scatteredinformation.

• Constraints:Headingsmustcorrespondtothecontentof thesectiontheyidentify.Byorderlyorganizingthecontent ofthedocument,thecompletenessofinformationcanbe alsoverified.

• Application:Researchinformationsheetsshouldatleast containthefollowingitems:Whatistheresearchabout? Whoiscarryingouttheresearch?Whichpersonaldataare collectedandprocessed?Forwhichpurpose(s)?Whereand forhowlongwillthedatabestored?TowhatdoIconsent? CanIwithdrawmyconsent?Whataremyrights?Referto 2.3foracompletelist.Ameaningfulorganizationshould notonlybeappliedtoinformationsheets,butratherbea generalguidingprincipleforanycommunicativemeans, e.g.,forFAQs,comicsandvideos.

• Example:Fig.7.

5.4.2. Companionicons

• Summary:Companioniconsarepictogramsthatrepresent the meaningofthechunkoftexttheyaccompany.They attractattentionandprovidesaliencetokeytopicsofthe document (The Behavioural Insights Team, 2019). This easesthetaskoffindingrelevantinformationandbolsters knowledgeretention(Rossietal.,2019).

• Problem(s):walloftext;scatteredinformation.

• Constraints: Icons must bepertinenttothe notionthey represent and their use must be sparse. They should accompanytextratherthansubstituteit.Iconsaremore easily recognized if they depict concrete objects and leverage commonlyusedsymbols.If thereadersarenot familiar with the code of icons, they might be baffled, insteadoffacilitated,bythepictograms,thusstandardised iconcodesshouldbepreferred.

Fig.7– TheprivacynoticedesignedbytheEuropeanSocialSurveyemploysameaningfulorganizationofitscontentand informativeheadingsintheformofquestions.Originalavailableat:https://www.europeansocialsurvey.org/about/privacy. html(last accessed: 31 October 2019).

and skimmableheadings”),althoughconcrete and well-known notions should be preferred. Article 12(7) GDPR providesfortheadoptionofaEU-widestandardizedcode oficonsdepictingdataprotectionconcepts,seee.g.,Rossi and Palmirani(2020) andthe PrivacyIcons Forum.14 _For

14 _{https://www.privacyiconsforum.eu/.}

aset oficonsaimedattheinformedconsentprocessin eHealthapplications,seeDoerretal.,2016.

• Example:Fig.4.

5.5. Overviewfirst,detailsondemand

explor-ing additionalinformationondemand(Schaubetal.,2015; Shneiderman,1996).They havethe functionofavoiding to overwhelm individuals with many aspects at once, while supporting strategic reading (Passera and Haapio, 2019, Layering).Layering canbedesignedfordifferent audiences (e.g.,thefirstlayerforstudyparticipants,whilethedetailed layerforauditorsand supervisoryauthorities); fordifferent informational needs(e.g.,the firstlayer forindividualsnot yetenrolledinthestudy,whilethesubsequentlayerforthose alreadyparticipating);fordifferentmomentsofinformation provision(e.g.,the first layerforanintroduction tothe re-search,the second layerfordecision-makingmoments); or fordifferentdevices(e.g.,thefirstlayerforwearabledevices, whilethedetailedinformationforlaptops).

5.5.1. Layerednotice

• Summary:Alayerednoticedistributestheinformationon differentlayersaccordingtoitsrelevance: thefirst layer providesbydefaultanessentialoverviewoftheresearch process,whiledetails and explanations are providedin additionallayersthatcanbeexaminedondemand. • Problem(s):Language complexity;walloftext; excessive

length;lack ofaudience-tailoring;wrong timing;lack of familiarity.

• Constraints: Thesum oflayersmust offercomplete in-formation on in its totality to be compliant. The first tier must not deceive users, for example by conceal-ing research risks in the tiers on demand. In strategic decision-making moments (e.g., before enrolling in the study orbefore withdrawing fromit), readersshouldbe encouragedtodelveintothedetailedlayers.

• Application:tobelegallycompliant,thefirstlayershould atleastinclude informationabout the purposesof pro-cessing,the identityofthe controller,and adescription ofdatasubjects’ rights(seeRecital39 GDPR andArticle 29 Data Protection Working Party (2018)). It should be complementedwithalltherequiredinformationoutlined inSection2.3.

• Example:seeFig.8.

5.5.2. Videos

• Summary: Audio-visualmaterials can illustrate the key pointsoftheresearchprocessinasuccinct,butengaging manner.Videoscan alsodrawattention tospecific(e.g., unexpected) practices. Indeed, videos can be perceived asless effortfuland time-consuminginformation mate-rialthenwrittendocuments,but atthesametimemore alluring.Theycanconstitutemoreeffectivemeansof com-munication towards visually impaired people, children and young people, illiterate individuals and non-native speakers(Rossietal.,2019).

• Problem(s):Language complexity;walloftext; excessive length;lack ofaudience-tailoring;wrong timing;lack of familiarity.

• Constraints:introductoryvideoscanbepurposedlyshown orbeavailableondemand(e.g.onawebsiteorapp),but usually they do not replace complete, legally-binding information. Written information to be consulted on demandshouldalwaysaccompanyaudio-visualcontent.

Videosshouldnotgiveexclusiveprominencetothemost beneficialaspects,butshouldfairlycoverallrelevantfacts. • Application: in addition to the information reported in “Layered notice” Section 5.5.1, videos can illustrate the risks ofresearchparticipationand those key points deservingattentiontomakeaninformedchoice.

• Example: see the AncestryDNA video explaining their privacyandsecuritypractices.15

5.6. Emphasis

Emphasis design patterns give visual relevance to certain informationitemstoimmediatelyattractattentiontowards them (Passeraand Haapio, 2019). Thistechnique is partic-ularly useful when copious information can make people missthoseaspectsthataremoresignificant,unexpected,or representacallforactiononaquickread(Walleretal.,2016).

5.6.1. Highlightedtext

• Summary:Highlightedtext,intermofcoloredbackground orboldtypeface,standsoutfromtherestofthedocument, sothatreaderswillnoticeitmoreeasily(Passeraand Haa-pio,2019).Thischoiceshouldbeinformed,forexampleby theresultsofuserresearchwiththeintendedaudience. • Problem(s): Walloftext;excessivelength; wrongtiming;

lackoffamiliarity.

• Constraints:Onlykeyinformationshouldbeemphasized, sincetoomanyhighlightscanconfusereaders,insteadof guidingthem.Hence,thischoiceshouldbecarefullymade andavoidthecommonmistakeofusingallcapitals(often evencombinedwithunderlined,bold,oritalicstypeface). Itisparamounttoconsiderthatgivingprioritytocertain informationitemscancometothedetrimentofattention onotheritems.

• Application: unexpectedpractices or consequences;key procedures (e.g., data deletion policy); actions required fromtheparticipant(e.g.,consentapproval);risks. • Example:Fig.9.

5.6.2. Alerticons

• Summary:Alerticons,likewarningsigns,attractreaders’ attention towards specific pieces of information. They can beuseful toeasilynotice informationitems atfirst exposures and can besearch targets infollowing reads (Walleretal.,2016,p.23).

• Problem(s): Walloftext;excessivelength; wrongtiming; lackoffamiliarity.

• Constraints: An excessive number of icons can leave the readerpuzzledaboutthehierarchyofimportanceof differentaspects.Thisiswhyalerticonsshouldbeused sparinglyandthoughtfully.Moreover,attractingattention towards certain information itemscomes with the cost ofpotentiallydisregardingotherparts.Alerticonscanbe usedincombinationwithhighlightedtext.

Fig.8– ThelayeredapproachemployedintheeHealthinformedconsentinterfacebySageBionetworks(GovernanceTeam, 2019,p.30),expresslydesignedformobileapplications.

theimpossibilitytowithdrawfromthestudyoralongdata retentionperiod).Areasonedselectioncanbebasedonthe DPIAriskanalysis(seealsoEfronietal.,2019)oronFAQs. • Example:Fig.9.

5.7. Validationofthedesign

WerefertoHaapioand Passera(2017);Passera(2017);Rossi et al. (2019); Waller et al.(2016) and referencestherein for a more extensiveanalysis of transparencydesign patterns thathavebeenherebysuggestedandtoPasseraandHaapio (2019)foradditionalexamples.Thepatternscanbeusedin isolation or incombination,depending on the information typesandthegoalofthecommunication.Sinceadesign pat-ternisahigh-levelsolution,itisitsactualimplementationin aconcretecontextandforspecificinformationalneedsthat determineswhetheritincreasestransparency– oritdoesnot. Researchdemonstrateshowbadorsloppyimplementations canbewilderreaders.16_{Forinstance,themerefactof} design-ing atimeline does notensurethat importantdatesabout datadeletionhavebeen moretransparently communicated thanthroughprose.

16 _{Forareviewofthepitfallsofvisualizations,seeBrescianiand} Eppler(2015).

Thisiswhy,anevaluationoftheproposeddesignisnot onlyrecommended,butevennecessaryundertwodifferent perspectives:oneislegal,theotherisfunctional.Ideally,the effectivenessoftransparency-enhancingsolutionsshouldbe empiricallytestedtoprovewhethertheyare“understoodby anaveragememberoftheintendedaudience” (Article29Data ProtectionWorkingParty,2018,p.9)inordertodemonstrate compliancewiththeprincipleofaccountabilityenshrinedby Article5.2oftheGDPR.

Fig.9– Thisprototypeemploysbothhighlightsandalert iconstodrawuser’sattentiontowardscriticalaspectsof participatinginDNAtestingactivities.Plainlanguagehas beenappliedtospecifyvaguerisksandexplaintechnical terms.Elaborationisourown.Werefertotheoriginal provisionsin“Risksandconsideration” onlineat

https://www.23andme.

com/en-int/about/privacy/(last accessed: 31 October 2019).

otherthings” (p.7).Iftimeorresourcesarescarce,the feed-backreceivedfromexpertevaluationandrapidtestingwitha fewrepresentativesoftheintendedaudiencecanbesufficient topointtothemajorflawsoftheproposedinformationdesign. 5.8. Userjourneyandthetimingofcommunication An additional factor that is key to enable effective trans-parencyistiming.Indeed,asrecalledinSection3,peoplecan forget or ignoretheinformationprovided,if itis notgiven attherelevantmoment.Followingregulatoryrequirements, information about dataprivacyand protection isgenerally providedpriortothebeginningofthedataprocessing, there-foreeitheratthetimeofsetup(e.g.,duringregistration)or just-in-time (e.g.,when specificdata is collected).Butit is usefultoexpandthistemporalspectrumtoprovide meaning-fulnotices,thatcanalsobecontext-dependent(e.g.,calling for an action from the user); periodic (e.g., reminding the userofanactiveprocessingpractice,especiallyifinvisible); and persistent (e.g.,communicatingthat a datapracticeis active). All of these constitute push notices, i.e., they are sent or programmed by the controller.Pull notices like an onlineprivacypolicyoraprivacydashboard,instead,canbe consultedbytheuserondemand(Schaubetal.,2015).

The timingofnotices isdecisive to set the appropriate designspacetorespondtodifferentchallenges.Theseeven determine the appropriate channel of communication: if the processing purpose changes,for example,participants shouldbeinformeddirectlye.g.,throughe-mails;ifitwould requireadisproportionateeffort,thecommunicationshould bepublishedonthewebsiteorbeotherwisemadepublicly

available.Timing,moreover,interactswithlayeringstrategies: layeringshouldnotonlyconsiderthetypesofinformationto bepresented,butshouldbetunedtothetimingofprovision ofinformation.

Tointegrate timing, channelof communication,and in-formationalneedsofthe variousresearchparticipantsinto acoherentvision,focusshouldbeplacedonthejourneyof theuserthroughtheresearchprocess.Theuserjourney,or experience map, can be described as a multi-dimensional timelinewithmultiplegoals:theyservetorationallyorganize the experience ofthe users,while mapping out their pain pointsand designopportunities.Theyhelp theresearchers to put themselves in the participants’ shoes, in order to conceive and design a transparency-enhancing system of communication that opportunely responds to their needs andtheirexpectations.Italsocontributestothedesignofa coherentexperience,toavoidfragmentingitthrough differ-entchannels(LallemandandGronier,2015).Forinstance,in thoseresearchenvironmentsinvolvingtechnology-mediated dynamicconsent,theuserjourneycanbecrucialtoidentify andanalyzetheinformationalneedsofdifferenttypesofdata subjectsindifferentmomentsandtodevisehowtoprovidea time-relevantnoticethroughtheappropriatechannelforthe sakeofbothusabilityandcompliance.

Inthiscontext,auserjourneymapcaninclude:a repre-sentationofthe time and phasesof the experienceof the researchstudy(i.e.,when);touchpoints,namelyusers’actions andinteractionswiththeresearchersandotherstakeholders (i.e.,what); personas, namely fictional characters that rep-resenttheneeds,goals,feelings,thoughts,expectationsand painpointsoftheparticipants(i.e.,who);theemotionsofthe participantatdifferentmomentsoftheexperience(e.g.,fear, anxiety,satisfaction,etc.)(i.e.,how); and channels through whichthecommunicationsandinteractionstakeplace(e.g., website,app,online platform,inpersonalconversation, on paperatdistance,chatbot,etc.),(i.e.,where).

6.

Conclusions

and

future

directions

6.1. Limitations

Thisworkdoesnotproposetechnicaltools(e.g.software)to supportandimplementthe herebypresentedtransparency designpatterns.Indeed,thiscontributionexplicitlyintendsto avoidextendingthelistofexistingcut-and-pastetemplates.17 Templatescanbecopiedandappliedmindlesslywiththerisk ofreproducingincorrectormisleading information.Rather, this article has revolved around transparency-enhancing strategiesthatresearchersandpractitionerscanimplement

adhocinspecifiedsituations,onceabsorbedtheirrationale. Besides, it is alsorecommended to collaborate,when pos-sible, with design researchers and (e.g., information, UX, andinstructional)designers,inordertocreatesuitableand engagingcommunicationmaterialsandexperiences.

andpragmaticapplicabilitymustbestruck,forexampleina layeredinformationarchitecture.Eibandetal.(2018)borrow thepragmaticnotionofsatisficingfromSimon(1955)andcoin the terms “transparencysatisficing”,that weadapt here to theresearchcontext.Giventhathumanprocessingcapacity isboundedandthatusershavedifferentinformationalneeds and expectations,onemighthypothesizethattransparency satisficesuserswhenitallowsthemtobuildmentalmodels that are good enough to predict and explainthe observed data-gatheringprocess,evenwhenthegivenexplanationsare nottechnicallyexhaustive.Thisviewhasalsobeenofficially adopted by the Article 29 Working Party, who endorses a layeredapproachtorealisticallycopewiththequantityand complexity of information that must be provided to indi-viduals,byneverthelessprovidingthemwiththepossibility to learn more about specific aspects if needed or desired, and thereby personalize their learning path. Nonetheless, the useoftransparencydesignpatterns shouldnotreplace educational measures towards individuals, nor absolve theresearchinvestigatorsoftheirresponsibilitiesconcerning clarifications,butshouldberatherconceivedasanaidtoboth. Thisarticledoesnotevenaimatasystematicand compre-hensiveoverviewofthetransparencydesignpatternsthatcan beeffectivelyusedinthecontextofICT-mediated research. Thelistofpatternscanbelengthenedandrevisited,adding pertinent techniques to explain, e.g., information systems andautomateddecision-making.Moreover,beyondassertion TETs,manyadditionalinstrumentscanactuallyenhancethe transparencyofdataprocessing.Tonameafew,followingthe categorization by Zimmermann(2015), throughaudit TETs, datasubjectscangatherareliableinsightintoactualdata stor-ageandusage;throughinterventionTETs,datasubjectscan exercisecontrolovertheaccessbythirdparties(e.g.,other re-searchinstitutions)totheirpersonaldata;andlastly,through remediation TETs like privacy dashboards (Zimmermann etal.,2014)andconsentmanagementsolutions,datasubjects canmodifyanddeletetheirdataandwithdrawconsent.

Indeed, transparency under the GDPR should be in-terpreted more broadly than the restricted focus of this contribution.Transparencyconcernsprocessing accountabil-ity andauditability,and includesthe fairnessofthe choice architecturepinpointinginformedconsentandavoidanceof darkpatterns.Italsoconcerns thepossibility toeffectively exercisetherightsofthedatasubjectsinausablemanner,for instancetherighttoaccessandtherighttodataportability, and shouldcover thewholeuser experience.Although pro-vidingusableandunderstandableinformationisnecessary,it isnotsufficient:therealactionabilityofsuchinformationis indeedkey.Thisconstitutesafuturedirectionofourresearch. Someofthestrategiespresentedinthesepagesassume crucial relevance within the novel impulse to the devel-opment of informed consent experiences that move from authorization at single times and consent forms towards dynamic consent (also in electronic form), made possi-ble bydigital devices and device-mediated experiences. In such cases, the provision of timely, understandable, and appropriate information is crucial to allow participants to engage or,conversely,disengagewith scientificstudies.As Wilbanks(2018)pointsout,however,thechoicearchitecture ofadigitalconsentexperiencemust bethoughtfully

struc-tured-eveninwaysthatarecounter-intuitive(Fokkingaand Desmet, 2013). To steer users towards a mindful decision, the consentexperience should entail moments of friction insteadofbeingafrictionless,one-quickinteraction.Friction, though,canyieldlowerconsentorenrollmentrates.Hence, thechallenge residesinfinding adelicate balancebetween anarchitectureofchoicethatiscompliantontheonehand andusable,frictional,andpositiveontheotherhand. 6.2. Transparencyasinternalauditingmechanismand compliancefacilitator

Wemaintainthatafocusonthequalityofcommunication towards study participants will not onlysupport decision-making of the latter, but it can also represent a fruitful strategytoaugmentinvestigators’awarenessabouttheirdata practices and the consequences of their research. Namely, design patterns can be used as an internal check for co-herence,consistency,conformity,compliance,and ethicsof the research-related decisions, acting thereby as proactive measure of internal auditing towards legal compliance, in the spirit of privacy by design and by default. Concretely, usingdesignpatterns and visualizingcertain complex pro-cessescanhelpthenoticedraftersto“plan,clarifyandtest thelogical correctnessofthetexttheycreate” (Haapio and Passera,2017, p.3). For example,a timeline fordata reten-tion canelicit flawsinthe dataretention and cancellation policy,while organizingthe text inmeaningful paragraphs can highlight the lack of certain compulsory pieces of communication.

Furthermore, design patterns can also be employed to increase the transparency of communication among the different stakeholders involved in a research project. For instance, they can be used to clarify data sharing agree-mentsbetweencontrollersandprocessors,anddataprivacy and security policies for employees, therefore facilitating compliance(seee.g.,Fig.10).Insuchcomplexrelationships, non-compliance can have a disastrous cascade effect: the mistakeofoneprocessorcanimpactusers’trustinthedata controllerandtherebyunderminestudyparticipation. 6.3. MeasurestoensureabeneficialimpactoftheGDPR onresearchactivities

Fig.10– Thisistheactualagreementsignedbyscientiststo signifytheiradherencetowardsSynapseGovernance policiesinordertousethedatasharedontheplatform. Availableat:

https://docs.synapse.org/assets/other/oath.html(last accessed:31October2019).

standardizedpresentationformatsmightalsobeavaluable solution:asstudiesonprivacypolicystructures(Kelleyetal., 2010) and insurance product information documents (i.e., IPID)(Dukeetal.,2016)havedemonstrated,standardization can improve the comprehensibility of complex techni-cal information - and even facilitate the tasks of notice designers.

Intheworkpresentedinthesepages,agile,even standard-ized,methods that evaluate the implementation of design patterns are missing,eventhoughtheyconstitute a neces-sarystepforresearcherstoassesswhethertheyhavereached the transparency goal they had set.Such methods should not onlyassess whether the communicationisusable and comprehensible,butalsoanalyzewhetheritenhancesuser’s satisfaction,trust, and ultimately participationrates, while loweringanxietyand otheremotions thatmightnegatively impactengagement.WeagreewithNishimuraetal.(2013)in maintainingthatifparticipantshad“abetterunderstanding of the study, they would likely feel more like a ‘partner’ inthe researchprocess,theywould beeasilyexposed toa naturaltest/feedbacksetting,andarelationshipbetweenthe participantandtheresearcherwouldbeestablished” (p.12).

Secondly, governance-related auditing tools would be neededtoscrutinizetheaccuracyandunderstandabilitiyof

thecommunicationmaterials.Itisdoubtful,though,whether this responsibility belongs to the DPO,the ethics research committee(ERCs),orrathertheresearchersthemselves.With growingly overburdened DPOs and ERCs, it is unrealistic toexpectthat theycanprioritize thoroughassessmentsof informationmaterialsover other urgent duties.The estab-lishmentofbestpractices,though,constitutesagovernance instrument. Thirdly, capacity-building opportunities (i.e., epistemic solutions) are crucial to raise awareness about dataprotectionandtransparencyandtoenhancetheliteracy andthepracticalskillsofthescientificcommunity.However, howandevenwhethertransparency-enhancingskillsshould assumehighpriorityinthebroaderchallengingframeworkof dataprotectioneducation remainsanopen question.Some authors (de Lecuona and Villalobos-Quesada, 2018) have calledforaholisticframeworkthatintegratesthethree com-ponents (i.e., technical, governance-related,and epistemic) forthedevelopmentofresponsibleandethicalresearchand innovation.

Lastly,we add, participatory designprocesses involving research professionals that do not get explicit education about legal and ethical aspects of personal data handling canhelpidentifyandidentifytheirmaindifficulties,needs, constraints,andexpectations.18 _{These canbeactually} con-sidered design opportunities to co-devise and co-design solutions.19

6.4. Transparencyandtrust

Finally, future work should also be devoted to confirm, or ratherinvalidate,thehypothesisupholdingacorrelation be-tweentransparencyandtrust.Ontheonehand,transparency aboutpersonaldatauseislargelyconsideredasanenablerof users’trust,especiallyifcombinedwiththebenefitsexpected fromtheapplications(Schwabetal.,2011).Onthecontrary, lackoftransparency, deception,and data misusein digital economieshavebeenthedirectcauseofthedegradationof trustinservices (seee.g.,theCambridge Analyticascandal impactonthetrustofFacebook’susers(Tuttle,2018)).Indeed, stakeholders’concernsaboutdataprocessingrisksand con-sequencescanbemitigatedbytransparent,accurate,timely provisionofinformation.Forexample,Vayenaetal.(2019,p. 65-66)upholdsthatthe “GDPRcouldhelp promotetrustin data-donationandsharingforscientificpurposesamong Eu-ropeancitizensbyempoweringthemwithincreasedcontrol overtheirdata.Inturn,datasubjectswouldhaveamore affir-mativeroleindata-relateddecision-making,enhanceddata securitysafeguardsandmoretransparentinformationabout data uses. [...]. Research has demonstrated that increased awareness about data uses and increased control of data subjectsovertheirdataare allpredictorsofincreasedtrust 18 _{Onthemodeloftheparticipatorydesignworkshopsorganized} bytheFrenchDataProtectionAuthority(CNIL)toraisethe aware-nessofandco-createsolutionswithdesignersanddeveloperson dataprotectionandtransparencymatters.Seee.g.,https://design. cnil.fr/en/.