Short Bio

I am Cristiana Santos, Assistant Professor in Law and Technology. I hold a joint international Doctoral Degree in Law, Science and Technology (University of Bologna) and a Ph.D. Degree in Computer Science (University of Luxembourg). My PhD thesis focused on modeling relevant legal information using computational ontologies. Currently, I am an expert of the Data Protection Unit, Council of Europe; expert for the implementation of the EDPB's Support Pool of Experts; and expert of the Digital Persuasion or Manipulation Expert Group. I hold an International Chair Starting Career position at the National Institute for Research in Digital Science and Technology (INRIA) (2023-2026) to work on technical and legal aspects of data protection. I am also invited as external expert evaluator of EU funded proposals. I collaborate closely with computer scientists from PRIVATICS  team on online privacy. I am a co-founder of the deceptive.design/cases database website. Previously, I was a postdoc at INRIA. Prior to joining academia, I was a lawyer and worked as a legal adviser and lecturer at the Portuguese Consumer Protection Organization-DECO.

Research area and topics

The goal of my scholarship deals with finding evidence to assess the compliance (and non-compliance) with European secondary laws (ePDirective, GDPR, DSA, DMA), and possible risks and harms deriving from companies’ practices. In this line, I contribute to evidence-based policy-making and enforcement. 

My research follows two main themes:

• Dark patterns: Dark Pattern is commonly used term to describe manipulative techniques implemented into the user interface of websites and apps that lead users to make choices or decisions they would not have otherwise taken about their purchases, their use of time and the disclosure of their personal data. In this context, I study the lawfulness, enforcement, risks and harms caused by dark patterns within the GDPR, ePrivacy Directive, Digital Services Act (DSA), Digital Markets Act (DMA), and AI Act. Together with HCI/design experts (Colin Gray), and computer scientists (Nataliia Bielova), we investigate how these impact the decision making of data subjects on the Web. Our 2021 interdisciplinary ACM CHI paper on dark patterns and the legal requirements for consent received a Best of CHI Honorable Mention (top 5%). Our joint paper at the ACM Symposium on Computer Science and Law investigated whether dark patterns can be subject to redress for the damages it causes.  Our work has been cited in highly relevant policy reports, such as the OECD report on Dark commercial patterns in 2022, [link], the European Commission study on unfair commercial practices in the digital environment in 2022 [link], the UK Competition & Markets Authorithy report on Online Choice Architecture in 2022 [link], and the Norwegian Consumer Council report in 2021 [link].

• Online tracking: Web tracking is the practice by which website operators and third parties collect, store and share personal data about visitors’ behavior on the Web. Together with computer science colleagues, we investigate how the GDPR and the ePrivacy Directive apply to new tracking technologies and we research new non-compliant practices (e.g. server-side tracking, paywalls). Our 2021 paper that analyzed the data controllership roles and tracking practices of consent management platforms (CMPs) was cited by the Belgian Data Protection Authority in its decision against IAB Europe Transparency and Consent Framework.