Exercises: The Regulatory Landscape: A Global Survey

These exercises progress from concept checks to challenging applications. Estimated completion time: 3-4 hours.

Difficulty Guide:

- ⭐ Foundational (5-10 min each)
- ⭐⭐ Intermediate (10-20 min each)
- ⭐⭐⭐ Challenging (20-40 min each)
- ⭐⭐⭐⭐ Advanced/Research (40+ min each)


Part A: Conceptual Understanding ⭐

Test your grasp of core concepts from Chapter 20.

A.1. Section 20.1.1 identifies four market failures that justify regulatory intervention in data markets. List all four and, for each, provide a one-sentence example not found in the chapter that illustrates the failure in practice.

A.2. Explain the difference between the rights-based justification and the market-failure justification for data regulation (Sections 20.1.1 and 20.1.2). Why does this distinction matter for the kind of regulation a jurisdiction adopts?

A.3. Define the following four regulatory approaches and identify one jurisdiction that exemplifies each: (a) command-and-control regulation, (b) principles-based regulation, (c) co-regulation, (d) self-regulation.

A.4. Vikram's legal counsel identified eleven potentially applicable regulatory frameworks for VitraMed (Chapter Opening). Using the US sectoral model described in Section 20.3, explain why a single twelve-person company can face this many obligations. What structural feature of the US approach creates this complexity?

A.5. Section 20.4 describes the GDPR's architecture as built on seven processing principles. List at least five of these principles and explain, in one sentence each, how they constrain a data controller's behavior.

A.6. Explain the concept of the "Brussels Effect" as introduced in Section 20.4. Why might the GDPR influence regulatory development even in countries that have no formal obligation to follow EU law?

A.7. In your own words, distinguish between an "omnibus" and a "sectoral" regulatory model. Why does the textbook describe the US approach as "sectoral" and the EU approach as "omnibus"?


Part B: Applied Analysis ⭐⭐

Analyze scenarios, arguments, and real-world situations using concepts from Chapter 20.

B.1. Consider the following scenario:

A mid-size social media company headquartered in Austin, Texas operates a platform with 15 million users in the United States, 3 million in Brazil, and 2 million in Germany. It collects usernames, email addresses, location data, browsing history, and biometric data (facial recognition for photo tagging). It has no offices outside the US.

Using Section 20.3 (US sectoral model), Section 20.4 (GDPR), and Section 20.6 (Brazil's LGPD), identify at least five distinct regulatory frameworks that could apply to this company. For each, explain the basis of jurisdiction.

B.2. Section 20.5 describes China's data governance as "state-directed." Compare the relationship between data regulation and political authority in China's model with the relationship in the EU's model. In what ways are they similar (both involve extensive state involvement)? In what ways are they fundamentally different?

B.3. Eli's work on Detroit's data governance ordinance brings him into contact with community members who argue that regulation is unnecessary — that the market will punish companies that misuse data because consumers will take their business elsewhere. Using Section 20.1.1's analysis of market failures, construct a three-part rebuttal to this argument.

B.4. Section 20.3 describes the US Federal Trade Commission's authority under Section 5 of the FTC Act as based on "unfair or deceptive acts or practices." Evaluate the strengths and weaknesses of using this general consumer protection authority — rather than a dedicated data protection statute — as the primary federal mechanism for data protection enforcement.

B.5. India's Personal Data Protection Act and Brazil's LGPD are described as emerging frameworks influenced by but distinct from the GDPR (Section 20.6). Identify two specific ways in which India's approach diverges from the GDPR model. For each divergence, explain whether you think the Indian approach is better suited to India's context or whether it introduces risks.

B.6. Mira learns that VitraMed is considering expansion to both the EU and Singapore. Using the regulatory models described in this chapter, write a brief comparison of the data protection environments VitraMed would encounter in each jurisdiction. Which expansion would present fewer compliance challenges, and why?


Part C: Real-World Application Challenges ⭐⭐-⭐⭐⭐

These exercises ask you to investigate real-world regulatory frameworks.

C.1. ⭐⭐ Regulatory Mapping Exercise. Choose a company you interact with regularly (e.g., your bank, your university, a social media platform, a health app). Research which data protection regulations apply to it. Create a table with columns for: (a) the regulation, (b) its jurisdiction, (c) the type of data it covers, (d) the key obligations it imposes, and (e) the penalties for non-compliance. Aim for at least four regulations.

C.2. ⭐⭐ CCPA vs. GDPR Comparison. Using primary sources (the CCPA/CPRA text and the GDPR text, both available online), compare the two frameworks on four dimensions: (a) definition of personal data/personal information, (b) legal basis for processing, (c) consumer/data subject rights, and (d) enforcement mechanisms. Present your findings in a side-by-side table.

C.3. ⭐⭐⭐ State Privacy Law Tracker. As of this writing, multiple US states have enacted comprehensive privacy laws. Research the current status of state privacy legislation in five states of your choice. For each, identify: (a) whether a law has been enacted or is pending, (b) its effective date, (c) whether it includes a private right of action, and (d) one notable provision that distinguishes it from other state laws. Write a one-paragraph analysis of whether these state laws are converging toward a de facto national standard or remaining significantly divergent.

C.4. ⭐⭐⭐ Adequacy Decision Research. Section 20.4 mentions the GDPR's adequacy mechanism. Research the current list of countries that have received adequacy decisions from the European Commission. Select one country whose adequacy status has been contested or revoked, and write a 400-word analysis of why the controversy arose and how it was resolved (or remains unresolved).


Part D: Synthesis & Critical Thinking ⭐⭐⭐

These questions require you to integrate multiple concepts from Chapter 20 and think beyond the material presented.

D.1. The chapter presents regulatory diversity as a challenge for global companies but also as a source of regulatory innovation. Construct an argument that regulatory fragmentation — the existence of many different national approaches — is actually beneficial for global data protection. Then construct a counter-argument that it is harmful. Which argument do you find more persuasive, and why?

D.2. Dr. Adeyemi observes that regulatory approaches reflect underlying assumptions about the relationship between the individual, the market, and the state. Apply this observation to explain why the United States and the European Union have developed fundamentally different data protection models. Your answer should go beyond legal differences to address historical, cultural, and political factors.

D.3. Section 20.7 raises the question of regulatory convergence: whether the world's diverse regulatory approaches are gradually moving toward a shared model. Evaluate this claim. What evidence from the chapter supports convergence? What evidence supports continued divergence? In your assessment, is the trend toward a global baseline, continued fragmentation, or regional blocs?

D.4. Sofia Reyes argues from the DataRights Alliance perspective that regulation is necessary but insufficient — that communities, not just governments, need power to shape how data is governed. Develop Sofia's argument into a 300-400 word essay. What governance mechanisms could give communities meaningful authority over data practices that affect them, beyond the protections offered by existing regulatory frameworks?


Part E: Research & Extension ⭐⭐⭐⭐

These are open-ended projects for students seeking deeper engagement. Each requires independent research beyond the textbook.

E.1. The African Data Protection Landscape. The chapter briefly references emerging data protection frameworks in Africa. Research the African Union Convention on Cyber Security and Personal Data Protection (Malabo Convention), the Kenya Data Protection Act, South Africa's POPIA, and at least one additional African data protection law. Write a 1,000-word report analyzing: (a) the extent to which these frameworks draw on the GDPR model, (b) the unique features that reflect African contexts and priorities, (c) the enforcement challenges these jurisdictions face, and (d) the role of the African Union in promoting regulatory harmonization.

E.2. ASEAN Data Governance. Research the ASEAN Framework on Digital Data Governance and the data protection laws of at least three ASEAN member states (e.g., Singapore's PDPA, Thailand's PDPA, the Philippines' Data Privacy Act). Write a comparative analysis (800-1,200 words) examining how ASEAN's approach to data governance balances economic development, cross-border data flows, and individual rights. How does the ASEAN model compare to the EU and US approaches?

E.3. The US Federal Privacy Law Debate. For over a decade, the US Congress has debated but not enacted a comprehensive federal privacy law. Research the most recent legislative proposals (such as the American Data Privacy and Protection Act). Write a 1,000-word analysis covering: (a) the key provisions of the proposal, (b) why it has failed to pass, (c) the interests that support and oppose it, and (d) whether you believe a comprehensive federal law is likely to be enacted in the near future, and on what terms.


Solutions

Selected solutions are available in appendices/answers-to-selected.md.