Chapter 23: Exercises — Data Privacy Fundamentals

Comprehension Exercises

Exercise 1: Defining Personal Data
List five types of data that are clearly "personal data" under GDPR's definition and five types that might not seem like personal data but are covered under the "identifiable" standard. For each item in the second list, explain what combination of other data could make it identifying.

Exercise 2: Sensitive Categories
A health technology startup is developing a fitness app that tracks daily activity, sleep patterns, heart rate variability, and menstrual cycles. Identify which GDPR sensitive categories apply to the data the app collects. What additional legal requirements apply to processing these categories? How would HIPAA's coverage (or lack thereof) of this data differ from GDPR's approach?

Exercise 3: Contextual Integrity Analysis
For each of the following data flows, apply Nissenbaum's contextual integrity framework to determine whether the flow is appropriate or a violation of privacy norms. Explain your reasoning.
- a) A hospital shares a patient's diagnosis with a specialist to whom the patient has been referred
- b) An employer searches job candidates' social media profiles before interviewing them
- c) A school shares student attendance records with a marketing company
- d) A therapist reports a patient's threats of violence to law enforcement
- e) A fitness app sells users' exercise data to health insurers

Exercise 4: The Aggregation Problem
A data analytics company has separately licensed the following datasets: grocery purchase history, pharmacy purchase records, ride-sharing location data, social media likes and follows, and credit card transaction records. Each dataset is provided without names, only with a unique identifier. Explain the aggregation problem as it applies to this scenario. What specific privacy intrusions could result from combining these datasets?
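One way to make the "identifiable" standard of Exercise 1 and the aggregation problem of Exercise 4 concrete, as an added Python example that is not part of the chapter's material: measure the k-anonymity of each licensed dataset on its own and again after the datasets are joined on their shared opaque identifier. The identifiers, purchase categories and zip areas below are constructed sample values.

```python
from collections import Counter
from itertools import combinations

# Constructed sample datasets: each is keyed only by an opaque identifier (no names),
# as in the licensing scenario. Values are made up for illustration.
DATASETS = {
    "grocery":  {"u1": "organic", "u2": "organic", "u3": "budget", "u4": "budget", "u5": "organic", "u6": "budget"},
    "pharmacy": {"u1": "insulin", "u2": "none", "u3": "insulin", "u4": "none", "u5": "none", "u6": "insulin"},
    "rides":    {"u1": "zip-A", "u2": "zip-A", "u3": "zip-B", "u4": "zip-B", "u5": "zip-B", "u6": "zip-A"},
}
ATTRS = tuple(DATASETS)

def link_by_uid(datasets):
    """Join the tables on the shared identifier, producing one combined row per person."""
    uids = set.intersection(*(set(table) for table in datasets.values()))
    return [{"uid": u, **{name: table[u] for name, table in datasets.items()}} for u in sorted(uids)]

def k_anonymity(rows, attrs):
    """Size of the smallest group of rows sharing the same values for attrs.
    k == 1 means at least one person is singled out by that attribute combination."""
    groups = Counter(tuple(row[a] for a in attrs) for row in rows)
    return min(groups.values())

def identifying_attribute_sets(rows, attrs, max_size=None):
    """Every combination of up to max_size attributes that singles out at least one row."""
    max_size = max_size or len(attrs)
    return [subset for size in range(1, max_size + 1)
            for subset in combinations(attrs, size)
            if k_anonymity(rows, subset) == 1]

LINKED = link_by_uid(DATASETS)

if __name__ == "__main__":
    # Each dataset alone is 3-anonymous; any two linked together single someone out.
    for name in ATTRS:
        print(f"{name} alone: k = {k_anonymity(LINKED, (name,))}")
    print("all three linked: k =", k_anonymity(LINKED, ATTRS))
    print("identifying pairs:", identifying_attribute_sets(LINKED, ATTRS, max_size=2))
```

The same check, run over real column sets before a dataset is licensed or combined, is the practical test behind the "identifiable" standard: a field is personal data when some available combination drives k to 1.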

Exercise 5: Lawful Bases Assessment
For each of the following processing activities, identify the most appropriate GDPR lawful basis and explain why. Then identify any alternative basis that might apply and assess its suitability.
- a) An employer processes employee payroll data
- b) A retail website uses cookies to show targeted advertisements
- c) A bank monitors transactions for fraud detection
- d) A healthcare provider shares patient data with a research institution
- e) A social media platform builds personality profiles from user behavior

Application Exercises

Exercise 6: DPIA for an AI System
You are advising a city government that wants to deploy an AI-powered public safety system that analyzes CCTV footage to detect suspicious behavior patterns and alert police. Conduct a preliminary Data Protection Impact Assessment. What are the purposes and lawful bases for processing? What are the risks to data subjects? What mitigation measures would you recommend?

Exercise 7: Privacy Policy Evaluation
Find a privacy policy for a widely used consumer app of your choice. Evaluate it against GDPR's transparency requirements: Is it written in plain language? Does it clearly explain the purposes of processing? Does it identify the lawful bases? Does it describe data subject rights? Does it explain how long data is retained? Prepare a brief memo summarizing your findings and recommending improvements.

Exercise 8: Data Minimization in AI
A company wants to build an AI credit scoring model. The data science team has proposed collecting: income history, employment history, rent payment records, utility payment records, grocery purchase patterns, social media activity, mobile app usage, contact list, browsing history, and neighborhood crime statistics. Apply the data minimization principle. Which data categories are clearly necessary? Which are potentially useful but not necessary? Which should be excluded on privacy grounds? Justify your decisions.

Exercise 9: Right to Erasure Implementation
You are the CTO of a company that built and deployed a recommendation engine trained on customer purchase history, browsing behavior, and demographic data. A customer exercises their right to erasure under GDPR. Write a technical implementation plan for fulfilling this request. What systems must you address? What are the specific technical challenges related to the trained model? What residual limitations on erasure might be legally permissible?

Exercise 10: Consent Architecture Redesign
A mobile gaming company uses a consent banner that pre-checks acceptance of all tracking, presents "Accept All" as a large, prominently colored button at the top, and places the "Manage Preferences" option in small text at the bottom of a long policy summary. Identify the dark patterns present. Redesign the consent interface to meet GDPR's requirements for freely given, specific, informed, and unambiguous consent. Sketch the revised interface and explain how each change addresses the identified problems.

Exercise 11: US Patchwork Navigation
A new digital health startup operates in the United States and offers: a telemedicine platform that connects patients with doctors (billed through insurance); a wellness app that tracks symptoms, mood, and medication adherence without billing insurance; and a children's educational health module. Map the federal privacy laws that apply to each component of the business. Identify any gaps — data or activities not covered by any federal law. What state laws might fill those gaps?

Exercise 12: International Compliance Planning
A mid-sized US retailer is expanding e-commerce operations to the EU, UK, Canada, and Brazil. Create a high-level privacy compliance checklist for each jurisdiction. Where do the requirements align? Where do they diverge? What are the most challenging requirements to implement simultaneously across all four jurisdictions?

Case Analysis Exercises

Exercise 13: Cambridge Analytica Analysis
Based on the case study, answer the following:
- a) What specific Facebook design choices made the Cambridge Analytica harvesting possible?
- b) Which GDPR principles (had GDPR been in effect) did the data harvesting violate?
- c) Was Facebook a data controller, a data processor, or both with respect to the Cambridge Analytica data? What are the legal implications of your answer?
- d) What structural changes — not just policy changes — would have prevented the scandal?

Exercise 14: DeepMind/NHS Analysis
Based on the case study, answer the following:
- a) What was the lawful basis claimed for sharing 1.6 million patient records with DeepMind? Why did the ICO find it inadequate?
- b) How should the data sharing agreement have been structured to be lawful and ethical?
- c) What governance structures would have caught the problems with the arrangement before it became a scandal?
- d) How does this case inform the design of healthcare AI development programs?

Exercise 15: Privacy Harm Analysis
For each of the following scenarios, identify the specific privacy harms caused and classify them (dignity harm, autonomy harm, democratic harm, economic harm, physical safety harm):
- a) A data breach exposes the HIV status of 50,000 individuals
- b) A retail analytics company sells location data that reveals an employee attended a union organizing meeting
- c) An AI model trained on criminal records assigns a higher fraud risk score to people from predominantly Black neighborhoods
- d) A government uses facial recognition to identify attendees at a political protest
- e) An insurer uses behavioral data to identify and deny coverage to people likely to make claims

Synthesis and Critical Thinking Exercises

Exercise 16: Privacy vs. Innovation Trade-off
Privacy by Design's fourth principle claims that privacy and functionality are not zero-sum — that it is possible to have both. Critics argue this is naive: truly privacy-protective systems cannot be as commercially valuable as surveillance-based systems. Write a 500-word analysis taking a position on this debate and defending it with specific examples.

Exercise 17: Consent Reform
Several privacy scholars argue that individual consent has failed as a privacy protection mechanism and should be supplemented or replaced by alternative approaches such as: privacy as property rights, data fiduciaries, sector-specific prohibitions, collective bargaining, or regulatory standards. Choose two of these alternatives and evaluate them as complements or replacements for consent-based privacy.

Exercise 18: DPO Role Design
You have been asked to design the Data Protection Officer role for a mid-sized technology company that processes significant amounts of personal data. Using GDPR's requirements as a baseline: What should the DPO's reporting line be? What authority should the role have? What resources are needed? What should the relationship with legal, security, and product teams look like? How do you ensure the DPO's independence without isolating them from business decision-making?

Exercise 19: Global AI Privacy Standard
If you were advising a UN working group on developing a global AI privacy standard, what five core principles would you recommend? Explain the rationale for each and how you would handle the genuine variations in cultural values and political systems across countries.

Exercise 20: Algorithmic Decision-Making and Privacy
GDPR Article 22 gives individuals the right not to be subject to solely automated decisions with significant effects, and the right to obtain human review. A consumer lender uses an AI model to make lending decisions. The model uses 200 variables and the lender argues that no human could meaningfully review every decision. Analyze the tension between operational efficiency and Article 22 rights. What would a compliant automated decision-making system look like?

Scenario-Based Exercises

Exercise 21: The Convenient Breach
Your company has just experienced a data breach. A hacker accessed a database containing the names, email addresses, and purchase histories of 100,000 customers. The CISO argues that the breach was minor because no financial data or passwords were exposed. The privacy officer argues that notification is required. The CEO wants to wait to see if the breach causes any harm before notifying. Evaluate each position against GDPR's breach notification requirements. What should the company do?

Exercise 22: The Legacy System Problem
An organization that was founded before modern privacy law took effect is operating legacy systems that contain decades of customer data with minimal metadata about when it was collected, what consent was obtained, and what it was used for. The GDPR requires them to be able to respond to data subject rights requests. Design a program to address this legacy data problem. What can be assessed? What should be deleted? What are the practical limits?

Exercise 23: The Third-Party Risk
A company uses a third-party analytics provider to improve its website. The provider's JavaScript code runs on every page of the company's website and, in addition to analytics, appears to collect personal data for the provider's own advertising business. The company's privacy policy does not disclose this. Analyze the privacy law issues. Who is responsible? What remediation steps are required? How should the company manage third-party scripts going forward?
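One concrete control relevant to the last question, as an added Python example rather than anything from the chapter: audit a page's script tags against an allowlist of vendors the company has reviewed, require Subresource Integrity on every third-party script, and express the same allowlist as a Content-Security-Policy directive so unreviewed scripts cannot load at all. The sample HTML, the vendor hostnames, the site host and the APPROVED_HOSTS set are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (not from any real site): one reviewed analytics vendor
# with an SRI hash, one unreviewed third-party tracker, one first-party script,
# and one inline script. The integrity value is a placeholder, not a real digest.
SAMPLE_HTML = """
<html><head>
<script src="https://analytics.example-vendor.com/a.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://ads.unknown-network.example/track.js"></script>
<script src="/static/app.js"></script>
<script>window.dataLayer = [];</script>
</head><body></body></html>
"""

# Assumed allowlist: vendors that passed review and have a data processing agreement.
APPROVED_HOSTS = {"analytics.example-vendor.com"}

class ScriptCollector(HTMLParser):
    """Collects the attributes of every <script> tag on the page."""
    def __init__(self):
        super().__init__()
        self.scripts = []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts.append(dict(attrs))

def audit_scripts(html, approved_hosts, site_host):
    """Return (src, issue) pairs for third-party scripts that are not on the
    allowlist or that load without a Subresource Integrity hash."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for script in parser.scripts:
        src = script.get("src")
        if not src:
            continue  # inline script: first-party code, reviewed with the site itself
        host = urlparse(src).netloc
        if not host or host == site_host:
            continue  # relative or same-origin URL: first-party
        if host not in approved_hosts:
            findings.append((src, "unapproved third-party origin"))
        if not script.get("integrity"):
            findings.append((src, "missing Subresource Integrity hash"))
    return findings

def csp_script_src(approved_hosts):
    """Build a CSP script-src directive restricting script loading to the site and approved vendors."""
    return "script-src 'self' " + " ".join(sorted(approved_hosts)) + ";"
```

An SRI hash pins a vendor script's content, so a vendor that silently changes its script will fail to load; that failure is itself the signal a privacy review should see before the new code runs on every page.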

Exercise 24: The Helpful AI Assistant
A hospital wants to deploy an AI-powered virtual assistant that allows patients to ask questions about their care, review their test results, and schedule appointments. The assistant is powered by a large language model and is trained on a dataset that includes de-identified patient records. Identify all the privacy considerations the hospital must address before deploying this system. What data is being collected in operation? What are the risks if the underlying LLM memorizes training data?

Exercise 25: Privacy Program Assessment
You have been retained as a privacy consultant to assess an e-commerce company's privacy program. The company's documentation includes a privacy policy, a data processing inventory, vendor contracts with data processing addenda, and a record of consent for marketing emails. What additional elements would you expect to see in a mature privacy program that are missing from this list? How would you assess the effectiveness of the elements that do exist? What questions would you ask to evaluate whether the documented program reflects actual practice?