Cristiana Santos
Assistant Professor, Utrecht University
This project is maintained by Rel-incode
Publications in the field of “Privacy and Data Protection”, and “Legal informatics applied to Data Protection and Consumer Law”. Service. Contacts.
Research Profile
I am an Assistant Professor at the School of Law, Utrecht University. I am teaching in the Law and Technology Masters and coordenating the bachelor course on Regulating Big Tech. I hold a PhD in Law and Technology and Informatics from the University of Luxembourg and Bologna. Visit my current webpage here
My research area is Privacy and Data Protection.
My research interests include:
- identifying legal and technical requirements for consent
- assessing purposes of personal data processing
- analysing the lawfulness of dark patterns when: users consent to web tracking, and when users access their personal data through subject access requests (SAR)
- studying usable privacy
The goal of my research is to make legal information structured and actionable for legal compliance, for models and tools. I extract legal requirements from legal sources and, with this domain knowledge, I collaborate with computer scientists and designers to identify the technical requirements for a concrete technology. I also collaborate with Inria PRIVATICS Team. Currently I am working on the GDPR/ePrivacy Directive requirements for: #Consent #Purposes #SAR, and lawfulness of #Darkpatterns.
My drive is to discover problematic practices from organizations within case-studies, and inform policy makers with ground-based analytical research to address gaps in law & tech.
Previously, I was a lawyer and worked as legal adviser and lecturer at the Portuguese Consumer Protection Organization-DECO.
Recent News
- Setember 2021 Our paper “Cookie Banners, What’s the Purpose? Analyzing Cookie Banner Text Through a Legal Lens” was accepted at the WPES 2021. We analysed the text of banners and focused on their purposes: we found out they are described with vagueness, positive framing, bundled in multipurposes, misleading language, technical jargon… full of dark patterns within text!
- Setember 2021 I am co-chairing the Workshop COnSeNT 2021 co-located with 6th IEEE European Symposium on Security and Privacy. “Does Consent work? If not Consent, what else?”. The amazing Johnny Ryan gave an invited talk about Consent spam and our panel counted with IAB, Robin Berjon, Rob van Eijk, Irene Kamara, the CNIL, and Mark Lizar. Check the youtube video here
- June 2021 I spole at the conference “What can the ePrivacy Regulation do against dark patterns” together with Maryant Fernandez (BEUC), Peter Eberl (European Commission), and Christian Drews (Dapde project)
- March 2021 Our paper got an Honorable Mention at ACM CHI 2021! Check our 5 min talk on youtube
-
March 2021 Our paper“CMPs under the GDPR:processors and/or controllers?” was accepted at the Annual Privacy Forum (APF2021)
- Dec 2020 Happy to share our feedback with Nataliia Bielova on the Public Consultation of the Italian DPA ‘Garante Privacy’ on the “Guidelines on the use of cookies and other tracking tools”. We discuss #dark patterns #scrolling #cookiewall #fingerprinting #standardization of consent
- Dec 2020 Our paper on 𝗗𝗮𝗿𝗸 𝗣𝗮𝘁𝘁𝗲𝗿𝗻𝘀 𝗮𝗻𝗱 𝘁𝗵𝗲 𝗟𝗲𝗴𝗮𝗹 𝗥𝗲𝗾𝘂𝗶𝗿𝗲𝗺𝗲𝗻𝘁𝘀 𝗼𝗳 𝗖𝗼𝗻𝘀𝗲𝗻𝘁 𝗕𝗮𝗻𝗻𝗲𝗿𝘀: An Interaction Criticism Perspective was accepted at the HCI/2021. It is a truly interdisciplinary paper where Design, Human Computer Intercation (HCI), Computer Science and Law meet! We are extremely honored to collaborate with Colin Gray, the most amazing expert in dark patterns from a HCI, design and UX perspectives.
- Outb 2020 We submitted our feedback on controllers and processors to the European Data Protection Board (EDPB).
- Sept 2020 Our paper on legal-technical requirements for compliant consent banners is accepted to an international journal of Technology and Regulation (TechReg). Check it out latest version
- Sept 2020 We are presenting our paper “On Compliance of Cookie Purposes with the Purpose Specification Principle” at the Intl. Workshop on Privacy Engineering, colocated at the IEEE European Symposium on Security and Privacy 2020. See our slides in youtube, and our paper
- Jul 2020 We were interviewed by the CNIL, French Data Protection Authority about our work on user’s consent by the IAB Europe’s Transparency and Consent Framework (TCF)
- Jul 2020 Our talk “I see a cookie banner – is it even legal?” is a runner-up for the Best HotPETs talk! See it on Youtube!
- Mar 2020 Our paper on purposes in IAB Europe TCF got accepted at APF 2020!
- Feb 2020 We have written our opinion on the draft recommendation of the CNIL on “cookies and other trackers”
- Feb 2020 Our paper on cookie banners got accepted at IEEE Security & Privacy 2020!
Publications
I have published in the topics of Privacy and Data Protection, and Modeling legal information in Data Protection and Consumer Law. The table below summarizes the most influential publications:
| Acronym | Journals and Conferences |
|---|---|
| IEEE S&P | IEEE Symposium on Security & Privacy |
| CLSR | Computer Law & Security Review Journal |
| APF | Annual Privacy Forum |
| HCI | Human Computer Interaction Conference |
| IPWE | International Workshop on Privacy Engineering |
| PRIVON | Privacy and the Semantic Web - Policy and Technology |
| TechReg | Technology and Regulation Journal |
| AIL | Artificial Intelligence and Law Journal |
| JURIX | Int. Conf. Legal Knowledge and Information Systems |
Privacy and Data Protection
Gray, C., Santos, C., Bielova, N., Toth, M., & Clifford, D. (2020). Dark Patterns and the Legal Requirements of Consent Banners: An Interaction Criticism Perspective. CHI 2021 - ACM CHI Conference on Human Factors in Computing Systems, May 2021, Yokohama, Japan. pp.1-18, ⟨10.1145/3411764.3445779⟩.[HCI2021(https://hal.inria.fr/hal-03117307)
Santos C., Bielova N., & Matte C. (2020). Are cookie banners indeed compliant with the law? Deciphering EU legal requirements on consent and technical means to verify compliance of cookie banners, International Journal of Technology and Regulation, 91-135.
Fouad I., Santos C., Kassar F. A., Bielova B., Calzavara S. (2020), On Compliance of Cookie Purposes with the Purpose Specification Principle. International Workshop on Privacy Engineering IWPE
Matte C., Santos C., Bielova N. (2020) Purposes in IAB Europe’s TCF: which legal basis and how are they used by advertisers? Annual Privacy Forum APF
Santos C Matte C., Bielova N. (2020) Are Dark Patterns Lawful? Analysis of Dark Patterns applied to Cookie Banner Design and Consent Requirements, abstract accepted, European Privacy Law Scholars Conference PLSC Europe
Matte C., Bielova N., Santos C. (2019). Do Cookie Banners Respect my Choice? Measuring Legal Compliance of Banners from IAB Europe’s Transparency and Consent Framework, IEEE Symposium on Security and Privacy. Impact: NOYB issued a complaint to the CNIL using our results and our browser extension. Selected media coverage: Lemonde.fr, Businessinsider.fr, Nextinpact.com
Boniface C., Fouad I., Bielova N., Lauradoux C., Santos C. (2019), Security Analysis of Subject Access Request Procedures How to authenticate data subjects safely when they request for their data, Annual Privacy Forum APF
Masseno M. D., Santos C. (2019). Personalization and profiling of tourists in smart tourism destinations - a data protection perspective. International Journal of Information Systems and Tourism (IJIST)
Bartolini C., Santos C., Ullrich C., (2017), Property and the Cloud, Computer Law and Security Review CLSR
Modeling legal information – in the domains of data protection and consumer law
Filtz E., Navas-Loro M., SantosC., Polleres A., Kirrane S. (2020) Events Matter: Extraction of Events from Court Decisions, Frontiers in Artificial Intelligence and Applications (FAIA, 2020), Volume 334: Legal Knowledge and Information Systems
Bartolini C., Lenzini L., Santos C. (2019), An Agile Approach to Validate a Formal Representation of the GDPR, Frontiers in Artificial Intelligence and Applications (FAIA, 2019), Lecture Notes in Computer Science, Springer
Bartolini C., Lenzini L., Santos C. (2018), A Legal Validation of a Formal Representation of Articles of the GDPR, Proceedings of the 2nd Workshop on Technologies for Regulatory Compliance TERECOM 2018
Rodriguez-Doncel V., Santos C., Casanovas P., Gómez-Pérez A., Gracia J. (2018) A Linked Data Terminology for Copyright Based on Ontolex-Lemon. AI Approaches to the Complexity of Legal Systems (AICOL 2015-AICOL 2017)
Navas-Loro M., Santos C. (2018), Events in the legal domain – first impressions. Proceedings of the 2nd Workshop on Technologies for Regulatory Compliance TERECOM 2018
V. Opijnen M., Santos C. (2017), On the Concept of Relevance in Legal Information Retrieval, Artificial Intelligence and Law Journal, AIL
Santos C., Gangemi A., Alam M. (2017), Detecting and Editing Privacy Policies of Companies on the Web, Proc. 1st Workshop on Technologies for Regulatory Compliance TERECOM
Santos C., Pruski C., Silveira M., Rodríguez-Doncel V., Casanovas P., Van der Torre L., Gangemi A. (2017), Complaint Ontology Pattern, Advances in Ontology Design and Patterns, ODP
Santos C., Rodríguez-Doncel V., Casanovas P., Van der Torre L. (2016), Modeling Relevant Legal Information for Consumer Disputes, Electronic Government and the Information Systems Perspective, 2016 EGOVIS
Casanovas P., Rodríguez-Doncel V., Santos C., Gómez-Pérez A. (2016), A European Framework for Regulating Data and Metadata Markets. Society, Privacy and the Semantic Web - Policy and Technology, 2016 PrivOn
Santos C., Casanovas P., Rodríguez-Doncel V., Van der Torre L. (2016), Reuse and Reengineering of Non-ontological Resources in the Legal Domain, AI Approaches to the Complexity of Legal Systems (AICOL)
Santos C., Rodríguez Doncel V., Casanovas P. et al. (2016), An Approach for Modelling Relevance in Legal Ontologies, VII Workshop on Artificial Intelligence and the Complexity of Legal Systems (AICOL)
Rodríguez-Doncel V., Santos C., Casanovas P., Gómez-Pérez A. (2016), Legal Aspects of Linked Data: the European Framework, Computer Law & Security Review
Humphreys L., Santos C., Di Caro L., Boella G., van der Torre L., Robaldo L. (2015), Mapping Recitals to Normative Provisions in EU Legislation to Assist Legal Interpretation, in Frontiers in Artificial Intelligence and Applications (FAIA, 2015)
Rodriguez-Doncel V., Casanovas P., Santos C., Gómez-Pérez A. (2015), A Linked Term Bank of Copyright-Related Terms, in Frontiers in Artificial Intelligence and Applications (FAIA, 2015)
Bartolini C., Muthuri R., Santos C. (2015), Using ontologies to model data protection requirements in workflows, Proc. of the 9th Int. Work. on Juris-informatics (JURISIN, 2015), New Frontiers in Artificial Intelligence. JSAI-isAI 2015. Lecture Notes in Computer Science,
Robaldo L., Humphreys L., Sun X., Cupi L., Santos C., Muthuri R. (2015), Combining Input/Output logic and Reification for representing real-world obligations, New Frontiers in Artificial Intelligence, JSAI-isAI 2015. Lecture Notes in Computer Science
Rodríguez-Doncel V., Santos C., Casanovas P. (2014), A Model of Air Transport Passenger Incidents and Rights, Proc. of the 27th Int. Conf. on Legal Knowledge and Information System (JURIX)
Rodríguez-Doncel V., Santos C., Casanovas P. (2014), Ontology-driven Legal Support-System in Air Transport Passenger Domain, Proc. of the Int. Workshop on Semantic Web for The Law 2014 (SW4Law)
Santos C. (2014), Enhancing the Decision-Making Process through Relevant Legal Information in Consumer Law Disputes - a Case Study in Air Transport Passenger Rights, Proceedings of the Second Doctoral Consortium Workshop (Jurix2014-DC), Best Paper Award
Santos C., Andrade F., Novais P. (2014), Sinergia na resolução de litígios em linha e a necessidade de proteção da privacidade e dos dados pessoais, Revista Democracia Digital e Governo Eletrônico
Santos C. (2014), Law by Design in ODR. Definition of relevant legal information in consumer law disputes to enhance the decision-making process. Group Decision and Negotiation, Proc. Joint International Conference of the INFORMS GDN Section and the EURO Working Group on DSS
Santos C. (2013), Increasing media richness in Online Dispute Resolution and the need for personal data protection, Proceedings of the First JURIX Doctoral Consortium Workshop in conjunction with the 26th International Conference on Legal Knowledge and Information Systems, JURIX 2013
Service
Program Committee Chair
-COnSeNT 2021, Workshop on Consent Management in Online Services, Networks and Things
Program Committee member
-PETs 2021, Privacy Enhancing Technologies Symposium
-APF 2021, Annual Privacy Forum
-IWPE 2021, International Workshop on Privacy Engineering
-RELATED 2021, International Workshop on Relations in the Legal Domain
-LIIE 2020, Workshop on Legal Issues in Intelligent Environments
-MIREL 2019, Workshop on Mining and Reasoning with Legal texts
-LIIE 2018, Workshop on Legal Issues in Intelligent Environments
-TERECOM 2018, Workshop on Technologies for Regulatory Compliance
-TERECOM 2017, Workshop on Technologies for Regulatory Compliance
Journals (Reviewer)
-TechReg 2021, Technology and Regulation
-CLSR 2019, Computer Law and Security Review
Scientific Expertise
• Expert of the Rapporteur Pegado Liz, European Social Economic Committee for the Proposal for a Regulation of the European Parliament and of the Council on Online Dispute Resolution for Consumer Disputes, COM (2011) 794
• Participation on the study on Interest Rates Restrictions in Consumer Credit for the European Commission (2010)