I am Cristiana Santos, Assistant Professor in Law and Technology. I hold a joint international Doctoral Degree in Law, Science and Technology (ľ¹Ï¸£ÀûÓ°ÊÓ of Bologna) and a Ph.D. Degree in Computer Science (ľ¹Ï¸£ÀûÓ°ÊÓ of Luxembourg). My focused on modeling relevant legal information using computational ontologies.
Currently, I am an expert of the Data Protection Unit, Council of Europe; expert for the implementation of the EDPB's Support Pool of Experts; and expert of the Digital Persuasion or Manipulation Expert Group. I hold an International Chair Starting Career position at the National Institute for Research in Digital Science and Technology (INRIA) (2023-2026) to work on technical and legal aspects of data protection. I provide expertise and consult the EU Commission, OECD, Global Privacy Enforcement Network (GPEN), other policy-makers and civil society organizations. I am also invited as external expert evaluator of EU funded proposals. I collaborate closely with computer scientists and designers on online privacy to include methods and findings from human-centered privacy and web measurements into data protection law. I am a co-founder of the database website. I have been recognized with several awards for excellence in data protection (see Prizes). Prior to joining academia, I was a legal adviser and lecturer at the Portuguese Consumer Protection Organization-.
Research area and topics
The goal of my scholarship deals with finding evidence to assess the compliance (and non-compliance) with European secondary laws (ePrivacy Directive, GDPR, DSA, DMA), and possible risks and harms deriving from companies’ practices. In this line, I contribute to evidence-based policy-making and enforcement.
My research follows these main themes:
- Roles and responsibilities of actors in the data ecosystem
- Compliance of online tracking practices with GDPR/ePrivacy Directive, DSA, DMA
- Dark Patterns, manipulation of end-users and developers
- Digital harms and redress
- Web privacy standards
- Dark patterns: Dark Pattern is commonly used term to describe manipulative techniques implemented into the user interface of online services that lead users to make choices or decisions they would not have otherwise taken about their purchases, their use of time and the disclosure of their personal data. In this context, I study the lawfulness, enforcement, risks and harms caused by dark patterns within the GDPR, ePrivacy Directive, Digital Services Act (DSA), Digital Markets Act (DMA), and AI Act. Together with HCI/design experts (), and computer scientists (), we investigate how these impact the decision making of data subjects on the Web. Our 2021 interdisciplinary ACM CHI r on dark patterns and the legal requirements for consent received a Best of CHI Honorable Mention (top 5%). Our joint paper at the ACM Symposium on Computer Science and Law investigated whether dark patterns can be subject to redress for the damages it causes. Our work has been cited in highly relevant policy reports, such as the OECD report on Dark commercial patterns in 2022, [], the European Commission study on unfair commercial practices in the digital environment in 2022 ], the UK Competition & Markets Authorithy report on Online Choice Architecture in 2022 [], and the Norwegian Consumer Council report in 2021 ].
- Online tracking: Web tracking is the practice by which website operators and third parties collect, store and share personal data about visitors’ behavior on the Web. Together with computer science colleagues, we investigate how the GDPR and the ePrivacy Directive apply to new tracking technologies and we research new non-compliant practices (e.g. server-side tracking, paywalls). Our 2021 that analyzed the data controllership roles and tracking practices of consent management platforms (CMPs) was cited by the Belgian Data Protection Authority in its decision against IAB Europe Transparency and Consent Framework.
