Exercises: Enforcement, Compliance, and the Limits of Law
These exercises progress from concept checks to challenging applications. Estimated completion time: 3-4 hours.
Difficulty Guide:
- ⭐ Foundational (5-10 min each)
- ⭐⭐ Intermediate (10-20 min each)
- ⭐⭐⭐ Challenging (20-40 min each)
- ⭐⭐⭐⭐ Advanced/Research (40+ min each)
Part A: Conceptual Understanding ⭐
Test your grasp of core concepts from Chapter 25.
A.1. Define "data protection authority" (DPA) as described in Section 25.1. What three categories of powers do EU DPAs possess under the GDPR?
A.2. Explain the GDPR's "one-stop-shop" mechanism (Section 25.1). What problem was it designed to solve, and what unintended consequence has it created — particularly in relation to Ireland?
A.3. Define "regulatory capture" (Section 25.3). Provide two mechanisms through which regulatory capture can occur in the data protection context, using examples from the chapter.
A.4. Explain the distinction between "compliance" and "ethics" as drawn in Section 25.4. Why does the chapter argue that full legal compliance is a necessary but insufficient condition for responsible data practice?
A.5. What is a "consent decree" as used by the FTC (Section 25.2)? How does it function as an enforcement mechanism, and what are its limitations?
A.6. Section 25.5 identifies several fundamental limits of law in governing data practices. List at least three of these limits and explain, in one sentence each, why they constrain the effectiveness of legal regulation.
A.7. Explain what "self-regulation" means in the context of data governance (Section 25.5). Identify one advantage and one disadvantage of self-regulation compared to government enforcement.
Part B: Applied Analysis ⭐⭐
Analyze scenarios and arguments using concepts from Chapter 25.
B.1. Eli testifies before the Detroit city council about enforcement challenges for the proposed data governance ordinance. He argues that without a dedicated enforcement mechanism, the ordinance will be "a regulation without teeth." Design an enforcement mechanism for Detroit's data governance ordinance that addresses: (a) who enforces it, (b) what investigative powers they have, (c) what penalties are available, (d) how complaints are filed and processed, and (e) how the mechanism is funded.
B.2. Sofia Reyes argues that GDPR enforcement has been systematically biased toward large, well-resourced companies that can challenge fines through years of litigation. Analyze this claim using the enforcement data discussed in Section 25.2. Is there evidence that enforcement is more effective against smaller entities than against major technology companies? What structural factors might explain any disparity?
B.3. A company has achieved full GDPR compliance: it has appointed a DPO, conducted DPIAs, implemented consent mechanisms, maintained records of processing, and responded to every DSAR within the required timeframe. Yet its data practices are ethically questionable — it uses dark patterns to steer users toward maximum data sharing, designs its consent interface to make rejection difficult, and targets vulnerable populations with data-driven advertising. Analyze this scenario using the compliance-ethics distinction from Section 25.4. How can a company be fully compliant and still acting unethically?
B.4. The Irish DPC has been criticized for slow enforcement against major technology companies headquartered in Ireland. Evaluate the following two explanations: (a) the Irish DPC is under-resourced relative to its mandate, and slow enforcement reflects resource constraints rather than capture; (b) the Irish DPC is reluctant to impose heavy penalties on companies that provide significant employment and tax revenue to Ireland. Are these explanations mutually exclusive, or can both be true simultaneously?
B.5. Section 25.3 describes "revolving door" dynamics as a mechanism of regulatory capture — regulators moving to industry positions and vice versa. Evaluate the following proposal: "Former DPA employees should be prohibited from working for any regulated entity for five years after leaving government service." What would be the benefits and costs of such a prohibition?
B.6. Mira discovers that VitraMed's HIPAA compliance program, while technically adequate, has devolved into a "checkbox exercise" — staff complete required training without engagement, privacy impact assessments use templates without substantive analysis, and the compliance officer has never rejected a data processing request. Using concepts from this chapter, analyze how compliance programs degenerate over time and propose three measures to prevent this in VitraMed's case.
Part C: Real-World Application Challenges ⭐⭐-⭐⭐⭐
These exercises ask you to investigate real-world enforcement.
C.1. ⭐⭐ GDPR Fine Analysis. Using the GDPR Enforcement Tracker (enforcementtracker.com) or similar resources, research the ten largest GDPR fines imposed to date. Create a table identifying: the company, the DPA that imposed the fine, the amount, the legal basis, and whether the fine has been appealed. Write a one-paragraph analysis of what patterns you observe.
C.2. ⭐⭐⭐ FTC Consent Decree Research. Research three FTC consent decrees related to data privacy (e.g., Facebook 2019, Zoom 2021, Fortnite/Epic Games 2022). For each, identify: (a) the alleged violation, (b) the terms of the decree, (c) the penalty, and (d) whether the decree changed the company's practices. Assess whether consent decrees are an effective enforcement mechanism.
C.3. ⭐⭐ DPA Resource Comparison. Research the budgets and staff sizes of data protection authorities in three EU member states (e.g., Ireland, France, Germany). Compare their resources to the scale of data processing they supervise. Write a one-page assessment of whether these DPAs have adequate resources to fulfill their mandates.
C.4. ⭐⭐⭐ Self-Regulation Assessment. Research one industry self-regulatory initiative in data governance (e.g., the Digital Advertising Alliance's Self-Regulatory Principles, the Student Privacy Pledge, the EU Cloud Code of Conduct). Assess: (a) its scope and membership, (b) its enforcement mechanisms, (c) evidence of its effectiveness, and (d) whether it provides adequate protection compared to government regulation.
Part D: Synthesis & Critical Thinking ⭐⭐⭐
These questions require integration of multiple concepts.
D.1. The chapter argues that "a regulation without enforcement is a suggestion." Yet the GDPR is widely regarded as the world's most influential data protection law, even though enforcement has been slow and uneven. Reconcile these two observations. Can a law be influential without being effectively enforced? If so, through what mechanisms?
D.2. Dr. Adeyemi poses the question: "If the law cannot keep pace with technology, what can?" Develop a 300-400 word response that considers: (a) the inherent speed asymmetry between legislative processes and technological development, (b) alternative governance mechanisms (standards, codes of conduct, professional ethics, technical design) that might complement law, and (c) whether the goal should be keeping pace or setting durable principles that transcend specific technologies.
D.3. The chapter presents regulatory capture as a governance failure. But some argue that close relationships between regulators and industry produce better regulation — because regulators who understand the industry can write more effective rules. Evaluate this counter-argument. Under what conditions might regulator-industry closeness improve governance? Under what conditions does it undermine it? How can institutions be designed to capture the benefits while mitigating the risks?
D.4. Sofia Reyes and the DataRights Alliance represent a model of enforcement advocacy — civil society organizations that file complaints, pursue strategic litigation, and push DPAs to act. Evaluate the role of civil society in data protection enforcement. Is it healthy for enforcement to depend partly on external pressure from advocacy organizations? What are the strengths and risks of this model?
D.5. Eli's testimony before the Detroit city council is a moment of democratic governance — a citizen using the political process to shape data governance for his community. Analyze this moment using the compliance-ethics framework from Section 25.4. How does Eli's approach differ from a purely legal or purely compliance-driven approach? What does it add?
Part E: Research & Extension ⭐⭐⭐⭐
Open-ended projects for deeper engagement.
E.1. Enforcement Effectiveness Study. Select one DPA (e.g., CNIL in France, the ICO in the UK, or the BfDI in Germany) and research its enforcement record over the past three years. Write a 1,000-word assessment covering: (a) the number and type of enforcement actions, (b) the size of fines relative to company revenue, (c) evidence of behavioral change resulting from enforcement, (d) resource constraints, and (e) overall effectiveness.
E.2. The FTC's Data Privacy Role. Research the FTC's evolution as a data privacy enforcer, from early consent decrees (2000s) through the Facebook $5 billion settlement (2019) to recent enforcement actions. Write a 1,000-word analysis of whether the FTC has become an effective data protection authority through Section 5 enforcement, or whether its general consumer protection authority is fundamentally inadequate for data privacy.
E.3. Beyond Law: Alternative Governance Mechanisms. Research one alternative governance mechanism for data ethics: professional certification programs (e.g., IAPP certifications), technical standards (e.g., IEEE ethics standards for AI), ethical review boards, or data trust models. Write an 800-word assessment of whether this mechanism can address gaps that law cannot fill, and what limitations it has.
Solutions
Selected solutions are available in appendices/answers-to-selected.md.