NWO Vidi grant awarded to Cristiana Santos for research into data protection law, power and real control
Dr. Cristiana Santos has received a Vidi grant from the Netherlands Organisation for Scientific Research (NWO) to explore how power and influence over others should shape responsibility under the GDPR, ensuring fairer compliance and stronger protection of users’ data rights. Dr. Santos is Assistant Professor in Law and Technology at the Utrecht University School of Law and a member of the Research Platform on Data, AI and Law.
The title of the Vidi-awarded project is: "With greater power must come great responsibility: attributing data protection compliance to those with real control." Santos says: "The European Commission has pledged to make the GDPR more SME-friendly (for small and medium-sized enterprises) in its new policy agenda. A scientific assessment of the threshold of power is urgently needed to inform this effort, and this project aims to provide exactly that."
Abstract
Data protection law is all about control over the data or the tools used to collect data, but not about how much control there is. Embedding a tool can turn a website or app owner into a ‘data controller’ regardless of the level of control they hold. Legal responsibility applies even without access to the data or understanding of what the tool does.
In reality, many data controllers lack control and agency over data or tools. They operate under different power dynamics of third-party tools they depend on. Yet, they remain subject to hefty fines and are often unable to comply with the law or protect users’ data rights. Data protection law falls short in attributing responsibility and protecting end-users’ rights, which are diverted from those who truly control, manipulate, and play a systemic role in data collection.
It is crucial to interpret legal responsibility based on the level of power an actor holds. This project lays the scientific and empirical groundwork to define how power shapes responsibility in the Web’s architecture, while strengthening the fundamental right to data protection and limiting systemic abuse.
The research question is: How should data protection law be reinterpreted to ensure responsibility for GDPR compliance falls on those with power, technical expertise, and potential for manipulation, in the light of end-users' right to data protection?
This project develops a theory of power (WP1), and empirically identifies power dynamics between Web actors and third-party tools (WP2). Drawing on these findings, the project answers the main research question by defining the normative threshold of power that should determine who qualifies as a data controller responsible for GDPR compliance (WP3). The project harnesses computer science methods and user studies to empirically investigate power dynamics and their level of control to inform data protection law.
NWO Vidi grants
Cristiana Santos is one of 22 researchers from Utrecht University, the University Medical Center Utrecht (UMC Utrecht), and the Princess Máxima Center, who have been awarded a Vidi grant worth up to €850,000. The Vidi grants are awarded annually by the Dutch Research Council (NWO) and enable talented, experienced researchers to develop their own innovative research lines and further expand their research groups over the next five years. This year, NWO awarded a total of 149 Vidi grants to researchers across the Netherlands.