I am Cristiana Santos, Assistant Professor in Law and Technology. I hold a joint international Doctoral Degree in Law, Science and Technology (University of Bologna) and a Ph.D. Degree in Computer Science (University of Luxembourg). My PhD thesis focused on modeling relevant legal information using computational ontologies. 

I serve as an expert of the Data Protection Unit, Council of Europe; expert for the implementation of the EDPB's Support Pool of Experts; and expert of the Digital Persuasion or Manipulation Expert Group. I hold an International Chair Starting Career position at the National Institute for Research in Digital Science and Technology (INRIA) (2023-2026) to work on technical and legal aspects of data protection. I provide expertise and consult the EU Commission, OECD,  Global Privacy Enforcement Network (GPEN), other  policy-makers and civil society organizations.  My work is transdisciplinary, involving close collaboration with computer scientists and designers to integrate human-centered privacy and web measurement methods into data protection law. I am a co-founder of the deceptive.design/cases database website. I have been recognized with several awards for excellence in data protection (see Prizes). Prior to joining academia, I was a legal adviser and lecturer at the Portuguese Consumer Protection Organization-DECO.

Research area and topics

Vidi project: Attribution of responsibility in data protection

In my Vidi project entitled ‘’With greater power must come great responsability: attriburing data protection compliance to those with real control'' I investigate how power and influence over others should shape responsibility under the GDPR, ensuring fairer compliance and stronger protection of user's data rights.

Research agenda

My scholarship focuses in finding evidence to assess the compliance (and non-compliance) with European secondary laws (including ePrivacy Directive, GDPR, DSA, DMA), as well as identifying possible harms deriving from companies’ practices. In this line, I contribute to evidence-based policy-making and enforcement. 

My research is organized around three main themes: 

• Developer-centered privacy: I investigate privacy decision-making and capabilities of developers and website owners using Human Computer Interaction (HCI) methods, assessing how these factors the impact their legla compliance. This work contributes to defining their legal roles and responsibilities in the data ecosystem.
• Dark patterns, manipulation of end-users and developers: Dark Pattern is a commonly used term of art to describe manipulative, deceptive or coercive techniques implemented into the user interface and user journey of online services that lead users to make choices or decisions they would not have otherwise taken about their purchases, their use of time or  disclosure of their personal data. In this context, I study the lawfulness, enforcement, risks and harms caused by dark patterns under current EU laws. Together with HCI/design experts (Colin Gray), and computer scientists (Nataliia Bielova), we investigate how these impact the decision making of users on the Web. Our 2021 interdisciplinary ACM CHI paper on dark patterns and the legal requirements for consent received a Best of CHI Honorable Mention (top 5%). Our joint paper at the ACM Symposium on Computer Science and Law investigated whether dark patterns can be subject to redress for the damages it causes.  Our work has been cited in highly relevant policy reports, such as the OECD report on Dark commercial patterns in 2022, [link], the European Commission study on unfair commercial practices in the digital environment in 2022 [link], the UK Competition & Markets Authorithy report on Online Choice Architecture in 2022 [link], and the Norwegian Consumer Council report in 2021 [link].
• Compliance of online tracking practices with GDPR/ePrivacy Directive, DSA, DMA: Web tracking is the practice by which Web actors collect, store and share personal data about visitors’ behavior online. Together with computer science scholars, we investigate how EU laws apply to new tracking technologies (e.g. server-side tracking, paywalls). Our 2021 paper that analyzed the data controllership roles and tracking practices of consent management platforms (CMPs) was cited by the Belgian Data Protection Authority in its decision against IAB Europe Transparency and Consent Framework.