Quiz: Enforcement, Compliance, and the Limits of Law
Test your understanding before moving to the next chapter. Target: 70% or higher to proceed.
Section 1: Multiple Choice (1 point each)
1. Under the GDPR, data protection authorities possess which three categories of powers?
- A) Legislative, executive, and judicial
- B) Investigative, corrective, and authorization/advisory
- C) Arrest, prosecution, and sentencing
- D) Rule-making, enforcement, and appellate review
Answer
**B)** Investigative, corrective, and authorization/advisory *Explanation:* Section 25.1.2 describes the three categories of DPA powers under Article 58 of the GDPR: investigative powers (ordering information, conducting audits, inspections), corrective powers (issuing warnings, ordering compliance, imposing fines, banning processing), and authorization/advisory powers (issuing opinions, approving codes of conduct, authorizing contractual clauses). This tripartite structure gives DPAs comprehensive authority — but effectiveness depends on resources, political will, and institutional independence.
2. The GDPR's "one-stop-shop" mechanism has been criticized primarily because:
- A) It requires companies to register with every DPA in every EU member state where they operate.
- B) It concentrates enforcement responsibility for many major tech companies in Ireland, where the DPC has been perceived as slow to act against companies that provide significant employment and tax revenue.
- C) It prevents data protection authorities from cooperating across borders.
- D) It eliminates individual consumers' right to file complaints.
Answer
**B)** It concentrates enforcement responsibility for many major tech companies in Ireland, where the DPC has been perceived as slow to act against companies that provide significant employment and tax revenue. *Explanation:* Section 25.1 describes the one-stop-shop mechanism as designed to prevent companies from facing conflicting requirements from multiple DPAs. However, because many tech giants (Meta, Google, Apple, Microsoft, TikTok) established their European headquarters in Ireland, the Irish DPC became the lead supervisory authority for these companies. Critics — including other DPAs and the EDPB — have argued that the concentration of enforcement power in a jurisdiction with economic incentives for leniency has slowed enforcement.
3. The largest GDPR fine discussed in this chapter was imposed on:
- A) Google, for cookie consent violations
- B) Amazon, for non-compliant advertising targeting
- C) Meta, for its "pay or consent" model
- D) H&M, for employee surveillance
Answer
**B)** Amazon, for non-compliant advertising targeting *Explanation:* Section 25.2 discusses the €746 million fine imposed on Amazon by Luxembourg's data protection authority (CNPD) in 2021. At the time, this was the largest GDPR fine ever imposed. The fine was based on Amazon's behavioral advertising practices and was initially pursued following a complaint coordinated by La Quadrature du Net. Amazon contested the fine and brought legal challenges.
4. "Regulatory capture" in the data protection context refers to:
- A) The government seizing control of private data processing operations.
- B) The phenomenon in which a regulator becomes too closely aligned with the interests of the industry it regulates, compromising its independence and effectiveness.
- C) The practice of encrypted data being "captured" and decrypted by law enforcement.
- D) A company acquiring a data protection authority through corporate merger.
Answer
**B)** The phenomenon in which a regulator becomes too closely aligned with the interests of the industry it regulates, compromising its independence and effectiveness. *Explanation:* Section 25.3 defines regulatory capture as a governance failure in which the regulator — intended to serve the public interest — becomes influenced by the industry it regulates, whether through revolving door dynamics (staff moving between regulator and industry), information dependence (relying on industry for technical expertise), financial dependence (industry funding of regulatory activities), or cultural alignment (regulators adopting industry perspectives). Capture does not require corruption; it can result from structural incentives.
5. The FTC's $5 billion settlement with Facebook (2019) was significant because:
- A) It was the first time the FTC had ever imposed a penalty on a technology company.
- B) It represented the largest privacy-related penalty ever imposed by the FTC, but critics argued it was still insufficient given Facebook's revenue and did not require fundamental changes to the company's business model.
- C) It forced Facebook to cease all data collection permanently.
- D) It was overturned on appeal.
Answer
**B)** It represented the largest privacy-related penalty ever imposed by the FTC, but critics argued it was still insufficient given Facebook's revenue and did not require fundamental changes to the company's business model. *Explanation:* Section 25.2 describes the Facebook settlement as a landmark in US enforcement — $5 billion was an unprecedented amount. But critics, including two dissenting FTC commissioners, argued that the settlement amounted to a fraction of Facebook's quarterly revenue, required no admission of wrongdoing, and imposed governance requirements (a privacy committee, external assessments) that did not address the fundamental business model of data-driven advertising. The settlement illustrates the gap between headline penalties and structural reform.
6. The distinction between compliance and ethics, as described in this chapter, is best summarized as:
- A) Compliance is voluntary; ethics is mandatory.
- B) Compliance asks "Are we following the rules?" while ethics asks "Are we doing the right thing?" — and the two questions can produce different answers.
- C) Compliance is a European concept; ethics is an American concept.
- D) Compliance applies to government; ethics applies to corporations.
Answer
**B)** Compliance asks "Are we following the rules?" while ethics asks "Are we doing the right thing?" — and the two questions can produce different answers. *Explanation:* Section 25.4 draws this distinction as one of the chapter's central arguments. A company can be fully compliant with every applicable regulation while engaging in practices that are ethically questionable — using dark patterns, exploiting vulnerable populations, or collecting data that is legally permitted but socially harmful. Conversely, a company acting ethically might impose restrictions on itself that go beyond legal requirements. The chapter argues that compliance is necessary (breaking the law is never ethical) but insufficient (following the law is not always ethical).
7. Which of the following is a "limit of law" identified in this chapter?
- A) Laws cannot be written in clear language.
- B) Regulatory lag — the time between a new technology or practice emerging and the law addressing it — means law is inherently reactive.
- C) Laws are always enforced perfectly and immediately.
- D) Legal systems are unable to incorporate ethical principles.
Answer
**B)** Regulatory lag — the time between a new technology or practice emerging and the law addressing it — means law is inherently reactive. *Explanation:* Section 25.5 identifies regulatory lag as one of several fundamental limits of law. Other limits include: jurisdictional boundaries (laws are territorial; data is global), resource constraints (enforcement agencies are perpetually under-resourced relative to the scale of data processing), information asymmetry (regulators know less about data practices than the companies they regulate), and the compliance ceiling (law can set minimum standards but cannot compel ethical excellence). These limits do not make law useless — but they define the space that other governance mechanisms must fill.
8. The European Data Protection Board (EDPB) has intervened in enforcement decisions primarily when:
- A) Companies have requested additional time to comply with GDPR requirements.
- B) The lead supervisory authority's proposed decision was challenged by other concerned DPAs, and the EDPB used its dispute resolution mechanism to ensure consistent enforcement.
- C) Companies have voluntarily self-reported minor data breaches.
- D) Individual consumers have filed complaints about cookie consent banners.
Answer
**B)** The lead supervisory authority's proposed decision was challenged by other concerned DPAs, and the EDPB used its dispute resolution mechanism to ensure consistent enforcement. *Explanation:* Section 25.1 describes several instances where other DPAs objected to the Irish DPC's proposed enforcement decisions (particularly in Meta cases), triggering the EDPB's Article 65 dispute resolution mechanism. The EDPB overrode the Irish DPC's proposals on multiple occasions, imposing higher fines and stronger corrective measures. This mechanism serves as a check on any single DPA's potential leniency but also reveals the institutional tensions within the GDPR's enforcement architecture.
9. Self-regulation in data governance is most effective when:
- A) There is no government oversight or enforcement backstop.
- B) Industry codes are developed without input from civil society or consumer advocates.
- C) It operates within a co-regulatory framework where government provides oversight, enforcement backstop, and minimum standards.
- D) Participation is mandatory for all companies regardless of size.
Answer
**C)** It operates within a co-regulatory framework where government provides oversight, enforcement backstop, and minimum standards. *Explanation:* Section 25.5 analyzes self-regulation and concludes that pure self-regulation (no government involvement) consistently fails to produce adequate protections, because industry will not voluntarily regulate against its own financial interests. Co-regulation — where industry develops standards with government providing oversight, minimum requirements, and enforcement authority — captures the benefits of industry expertise and flexibility while maintaining the accountability that only government enforcement can provide.
10. Eli's testimony before the Detroit city council represents:
- A) A corporate compliance exercise.
- B) An act of democratic governance — a citizen using the political process to shape data governance for his community.
- C) A regulatory enforcement action.
- D) A self-regulatory industry initiative.
Answer
**B)** An act of democratic governance — a citizen using the political process to shape data governance for his community. *Explanation:* Section 25.5 describes Eli's testimony as a moment that connects data governance to democratic participation. Eli's advocacy for a municipal data governance ordinance goes beyond compliance or enforcement — it represents the claim that communities should have a voice in determining how data about them is collected, used, and governed. This connects to the broader argument that law's limits can be addressed partly through democratic participation, community advocacy, and the kind of grassroots governance that neither top-down regulation nor corporate self-regulation can provide.
Section 2: True/False with Justification (1 point each)
11. "GDPR fines are always proportionate to the company's revenue, ensuring that large companies face larger penalties."
Answer
**False.** *Explanation:* While the GDPR allows fines of up to 4% of global annual turnover (which would create proportionality if the ceiling were routinely used), in practice fines have not consistently reflected company size. Section 25.2 notes that some major fines, while large in absolute terms, represent a small fraction of the company's revenue. The €746 million Amazon fine, for example, amounted to well under a week of the company's 2021 revenue, far short of the 4% ceiling; the FTC's Facebook settlement, although not a GDPR fine, shows the same pattern. Additionally, the fine calculation under Article 83(2) involves multiple factors beyond revenue (gravity, intentionality, cooperation, categories of data affected) that can produce outcomes that are not strictly proportionate to size.
12. "The FTC can only take action against data practices that are explicitly prohibited by a specific federal privacy statute."
Answer
**False.** *Explanation:* Section 25.2 explains that the FTC's primary tool is Section 5 of the FTC Act, which prohibits "unfair or deceptive acts or practices" in commerce. This general authority does not require a specific statute prohibiting the practice: the FTC can act against practices that are unfair (causing substantial injury that consumers cannot reasonably avoid and that is not outweighed by countervailing benefits to consumers or competition) or deceptive (making material representations or omissions likely to mislead a reasonable consumer) even in the absence of sector-specific legislation. This flexibility is the FTC's greatest strength as a data privacy enforcer, but also a source of criticism, because enforcement proceeds case by case rather than on clear, pre-announced rules.
13. "Regulatory capture occurs only through deliberate corruption — regulators being paid to favor industry."
Answer
**False.** *Explanation:* Section 25.3 emphasizes that regulatory capture is usually structural, not corrupt. It occurs through legitimate dynamics: revolving door employment (regulators join industry and bring their relationships and perspectives); information dependence (regulators rely on industry for technical expertise); resource constraints (under-funded regulators accept industry input that better-funded regulators could produce independently); and cultural alignment (regulators absorb industry framing through repeated interaction). Capture can occur without anyone breaking any rules — which is precisely what makes it so difficult to prevent.
14. "If law has fundamental limits, then legal regulation of data practices is pointless."
Answer
**False.** *Explanation:* Section 25.5 identifies law's limits (regulatory lag, jurisdictional boundaries, resource constraints, information asymmetry, the compliance ceiling) but does not conclude that law is pointless. Law establishes minimum standards, creates enforcement infrastructure, defines individual rights, and signals societal values. The chapter argues that law is necessary but insufficient — that its limits must be addressed by complementary governance mechanisms (ethical frameworks, professional standards, technical design, democratic participation, civil society advocacy). The relationship between law and other governance mechanisms is complementary, not substitutive.
15. "Sofia Reyes argues that enforcement is more important than lawmaking — that the gap between law on the books and law in practice is the central problem in data governance."
Answer
**True.** *Explanation:* Section 25.5 presents Sofia's DataRights Alliance perspective that the enforcement gap — the distance between what laws require and what actually happens — is a more urgent problem than the absence of new legislation. Her argument is that many data protection laws are strong enough on paper but fail in practice because enforcement is slow, under-resourced, captured, or insufficient. Sofia's advocacy focuses on strengthening enforcement mechanisms, supporting DPA independence, and using strategic litigation to push regulators to act on existing authority.
Section 3: Short Answer (2 points each)
16. Explain the "Ireland problem" in GDPR enforcement. What structural features of the GDPR's enforcement architecture created this problem, and what solutions have been proposed or implemented?
Sample Answer
The "Ireland problem" refers to the concentration of Big Tech enforcement in the Irish DPC due to the one-stop-shop mechanism: because many major technology companies (Meta, Google, Apple, Microsoft, TikTok) established their European headquarters in Ireland, the Irish DPC became their lead supervisory authority. Critics argue that Ireland has incentives for leniency (tech companies provide employment and tax revenue) and that the Irish DPC has been slow to investigate and reluctant to impose strong penalties. Solutions include: (1) the EDPB's Article 65 dispute resolution mechanism, which has been used to override Irish DPC decisions and impose higher fines; (2) proposals to modify the one-stop-shop mechanism to allow other DPAs to act independently when the lead authority is perceived as failing; (3) increased EDPB authority to initiate investigations directly; and (4) pressure on Ireland to increase the DPC's budget and staff. The tension remains unresolved — the one-stop-shop mechanism prevents fragmentation but enables concentration.
*Key points for full credit:*
- Explains the structural cause (one-stop-shop + Irish headquarters)
- Identifies the concern (slow enforcement, potential capture)
- Describes at least two proposed or implemented solutions
17. Using a specific example from the chapter, explain how a company can be fully compliant with data protection law while acting unethically. What does this gap reveal about the limits of legal regulation?
Sample Answer
The chapter describes companies that use "dark patterns" in consent interfaces — designing the "Accept All" button to be large, colorful, and prominent while making the "Reject" or "Manage" option small, gray, and hidden behind multiple clicks. Such an interface has been defended as technically compliant with the GDPR's consent requirements: the user is presented with a choice, both options are available, and the company can argue that consent was "freely given." (Regulators have increasingly rejected that defence; CNIL's January 2022 cookie-banner fines against Google and Facebook turned on exactly this asymmetry between accepting and refusing, which itself illustrates regulatory lag: the practice ran for years before the law caught up.) Ethically, the design is manipulative regardless of its legal status: it exploits cognitive biases (default bias, friction aversion) to steer users toward maximum data sharing without genuine informed choice. This gap reveals a fundamental limit of legal regulation: law regulates observable behaviors (did you present a consent interface?) but struggles to regulate intentions and effects (did you design the interface to manipulate the user?). Law sets minimum standards but cannot compel genuine commitment to the values those standards embody. Closing this gap requires complementary governance: ethical design principles, professional codes of conduct, and organizational cultures that value genuine respect for users over technical compliance with legal requirements.
*Key points for full credit:*
- Provides a specific example of compliant-but-unethical behavior
- Explains why the behavior is technically compliant
- Explains why it is ethically problematic
- Connects to the broader point about law's limits
18. What role do civil society organizations like noyb and the DataRights Alliance play in data protection enforcement? Why does the chapter argue this role is both valuable and concerning?
Sample Answer
Civil society organizations play a critical role in data protection enforcement by: filing strategic complaints that force DPAs to investigate (noyb has filed hundreds of complaints across multiple jurisdictions); pursuing strategic litigation that establishes legal precedents (the Schrems cases, brought by Max Schrems, who went on to found noyb, reshaped EU-US data transfers); monitoring DPA activity and holding regulators accountable for slow or weak enforcement; and amplifying individual complaints that might otherwise go unheard. This role is valuable because DPAs are often under-resourced and enforcement depends partly on external pressure to prioritize cases. Civil society fills a gap between individual complaints (which may be too small to prompt action) and systematic regulatory investigation (which requires resources DPAs may lack). But the chapter also identifies concerns: enforcement should not depend on the existence of well-funded advocacy organizations, because this creates geographic and thematic gaps (issues without an advocacy champion may go unaddressed). There is also a risk that strategic litigation becomes the primary enforcement channel, diverting attention from systematic, proactive regulation toward reactive, case-by-case adjudication.
*Key points for full credit:*
- Describes the specific roles civil society plays in enforcement
- Explains why the role is valuable (fills resource gaps, creates accountability)
- Identifies concerns (dependence on advocacy, geographic gaps)
19. The chapter argues that enforcement alone cannot close the gap between compliance and ethics. Propose two governance mechanisms — beyond law and enforcement — that could help bridge this gap. For each, explain how it works and what limitation it has.
Sample Answer
**Mechanism 1: Professional ethics codes.** Data protection professionals (DPOs, data scientists, engineers) could be subject to professional codes of ethics — similar to those governing lawyers, doctors, and accountants — that impose ethical obligations beyond legal compliance. A DPO bound by a professional code might be obligated to raise concerns about dark patterns even if they are technically legal, and could face professional sanctions (loss of certification, disciplinary proceedings) for complicity in ethically questionable practices. Limitation: professional codes are only as effective as their enforcement, and a code without a meaningful disciplinary mechanism becomes aspirational rather than binding.
**Mechanism 2: Ethical design review.** Organizations could implement internal ethical review processes — similar to Institutional Review Boards in research — that evaluate data practices against ethical criteria before deployment. A proposed data collection practice would be assessed not only for legal compliance but for potential harms, power asymmetries, and whether the practice treats data subjects with genuine respect. Limitation: internal review bodies can be captured by organizational culture (approving everything management wants) and may lack the independence necessary to make difficult decisions.
*Key points for full credit:*
- Proposes two specific mechanisms beyond law/enforcement
- Explains how each works in the data governance context
- Identifies a limitation for each
Section 4: Applied Scenario (5 points)
20. Read the following scenario and answer all parts.
Scenario: GreenData Corp
GreenData Corp is a mid-size data analytics company operating in the EU. It processes personal data for 50 corporate clients across retail, insurance, and recruitment. A GDPR audit by the French DPA (CNIL) reveals the following:
- GreenData's privacy policy has not been updated since 2019 and does not reflect its current data practices.
- Data subject access requests (DSARs) are routinely answered 10-15 days late.
- The company's DPO reports to the CEO and has been overruled on three occasions when she recommended against a data processing activity.
- GreenData has not conducted Data Protection Impact Assessments for two high-risk processing activities (automated recruitment scoring and insurance risk profiling).
- The company's data retention policy states that data is retained "as long as necessary for business purposes" — with no specific timeframes.
GreenData's CEO responds to the audit: "We take data protection very seriously. We have a DPO, a privacy policy, and we respond to every DSAR. That should be enough."
(a) Identify and classify each violation found in the audit. For each, specify the relevant GDPR article(s) and the severity of the violation. (1 point)
(b) The CEO's response reflects a specific attitude toward compliance that the chapter critiques. Identify and analyze this attitude using the compliance-ethics framework from Section 25.4. (1 point)
(c) The DPO has been overruled three times. Analyze the governance implications under GDPR Article 38 (which requires that the DPO not receive instructions regarding the exercise of their tasks and not be dismissed or penalized for performing them). What should the DPO do? (1 point)
(d) If CNIL imposes a fine on GreenData, what factors under Article 83 would it consider in determining the amount? Apply at least four factors to GreenData's specific circumstances. (1 point)
(e) Propose a remediation plan for GreenData that addresses each audit finding. Your plan should include both immediate corrective actions and long-term governance improvements. (1 point)
Sample Answer
**(a)** Violations:
1. **Outdated privacy policy:** Violates Articles 13/14 (information obligations) and Article 5(1)(a) (transparency principle). Moderate severity: an ongoing, systemic failure dating back to 2019.
2. **Late DSAR responses:** Violates Article 12(3) (response without undue delay and in any event within one month, extendable by two further months only where requests are complex or numerous, and only if the data subject is told about the extension within the first month). Moderate severity: a pattern of late compliance, not an isolated lapse.
3. **DPO independence compromised:** Potential violation of Article 38(3). Management may decide against the DPO's advice (Article 39(1)(a) makes the DPO an adviser, and the controller remains responsible for the decision), but a pattern of overruling her on processing decisions, with no DPIAs to show the risk was assessed and no documented reasons for departing from her advice, indicates that the function is not operating independently. If any of the three episodes amounted to instructions on how to perform her tasks, or to penalising her for her advice, Article 38(3) is breached outright. High severity: a structural governance failure that also undermines accountability under Articles 5(2) and 24.
4. **Missing DPIAs:** Violates Article 35. Automated recruitment scoring and insurance risk profiling are systematic and extensive evaluations of personal aspects based on automated processing, producing decisions that significantly affect individuals, which Article 35(3)(a) lists expressly as requiring a DPIA before processing begins. High severity.
5. **Indefinite retention:** Violates Article 5(1)(e) (storage limitation) and the Article 13(2)(a)/14(2)(a) duty to tell data subjects the retention period or the criteria used to determine it. Moderate severity: "as long as necessary for business purposes" restates the principle instead of implementing it as a retention schedule.
**(b)** The CEO's response exemplifies what the chapter calls "checkbox compliance": the belief that possessing governance artifacts (a DPO, a privacy policy, a DSAR process) equals compliance. The CEO treats compliance as a set of things to have rather than practices to carry out effectively. From the compliance-ethics framework in Section 25.4: even if GreenData were in perfect legal compliance, "that should be enough" reveals a culture that views data protection as a burden to be minimised rather than a responsibility to be embraced. The willingness to overrule the DPO is particularly telling: it suggests that data protection is subordinated to business interests whenever the two conflict.
**(c)** Article 38(3) requires that the DPO receive no instructions regarding the exercise of her tasks, that she not be dismissed or penalised for performing them, and that she report directly to the highest management level. Reporting to the CEO therefore satisfies the reporting-line requirement on its face; the governance problem is what happens to her advice. The GDPR allows management to decide against a DPO recommendation, but the Article 29 Working Party's DPO guidelines (endorsed by the EDPB) expect the controller to document its reasons for doing so and to let the DPO put a dissenting opinion to the highest management level. Three overrulings on processing decisions, two of which concern activities that never received a DPIA, suggest the function has been reduced to a formality, and if any overruling was accompanied by direction on how she should do her job, or by adverse consequences for her, it crosses into a direct Article 38(3) breach.
The DPO should: (1) document each instance, including the advice given, the decision taken, and any reasoning management offered; (2) put her dissent in writing to the CEO and the board, noting that the pattern may violate Article 38(3) and that the two undocumented high-risk activities require DPIAs under Article 35; (3) if the pattern continues, raise it with CNIL, since the DPO is the controller's contact point for the supervisory authority under Article 39(1)(e) and CNIL can use its Article 58 investigative powers; and (4) assess whether her position has been compromised to the point where she can no longer perform the DPO function effectively.
**(d)** Article 83(2) factors applied to GreenData:
- **(a) Nature, gravity, and duration:** Multiple violations of varying severity, some ongoing since 2019 (privacy policy). Duration and the number of distinct failures weigh toward a higher fine.
- **(b) Intentional or negligent character:** The failures appear negligent rather than intentional, but the CEO's dismissive response and the overruling of the DPO point to institutional negligence. Moderate aggravation.
- **(d) Degree of responsibility:** Article 83(2)(d) looks at the technical and organisational measures in place under Articles 25 and 32. GreenData lacks basic ones (DPIAs, a retention schedule, DSAR tracking) that any controller of this size should have. High degree of responsibility.
- **(f) Degree of cooperation:** The CEO's defensive response suggests limited cooperation so far. Genuine cooperation during remediation would mitigate; currently neutral to aggravating.
- **(g) Categories of personal data affected, and (k) other aggravating factors:** Recruitment scoring and insurance risk profiling decide whether people get jobs and what they pay for cover; insurance profiling is also likely to touch special-category (health) data under Article 9. Both raise the gravity of the DPIA and retention failures.
**(e)** Remediation plan:
**Immediate (30 days):**
- Update the privacy policy to reflect current data practices and publish it.
- Clear the backlog of late DSARs and introduce tracking so that future requests are answered within one month.
- Suspend automated recruitment scoring and insurance risk profiling and begin DPIAs for both; resume only once each DPIA is complete and identified risks are mitigated (with prior consultation of CNIL under Article 36 if high residual risk remains).
- Issue a written directive from the board (not the CEO) confirming the DPO's independence under Article 38 and requiring documented reasons whenever her advice is not followed.
**Medium-term (90 days):**
- Develop a retention schedule with defined timeframes for each data category and processing purpose, and implement deletion to match it.
- Implement automated DSAR tracking and deadline alerting.
- Conduct a comprehensive data inventory to identify any further high-risk processing requiring DPIAs.
- Provide GDPR training to all staff, with specific training for the CEO and senior management on their obligations.
**Long-term (6-12 months):**
- Strengthen the DPO reporting line: Article 38(3) requires a direct line to the highest management level, so reporting to the CEO is permissible, but given the pattern of overruling, add a direct reporting line to the board and a standing right to escalate dissent there.
- Implement a governance review cycle: quarterly audit of privacy policy currency, DSAR response times, DPIA status, and retention compliance.
- Engage an external auditor for an annual GDPR compliance assessment.
- Establish a data protection committee including the DPO, legal, IT, and business unit representatives.
Scoring & Review Recommendations
| Score Range | Assessment | Next Steps |
|---|---|---|
| Below 50% (0-13 pts) | Needs review | Re-read Sections 25.1-25.3, redo Part A exercises |
| 50-69% (14-19 pts) | Partial understanding | Review specific weak areas, focus on Part B exercises |
| 70-85% (20-23 pts) | Solid understanding | Ready to proceed to Part 5 |
| Above 85% (24-28 pts) | Strong mastery | Proceed to Chapter 26: Building a Data Ethics Program |

| Section | Points Available |
|---|---|
| Section 1: Multiple Choice | 10 points (10 questions x 1 pt) |
| Section 2: True/False with Justification | 5 points (5 questions x 1 pt) |
| Section 3: Short Answer | 8 points (4 questions x 2 pts) |
| Section 4: Applied Scenario | 5 points (5 parts x 1 pt) |
| Total | 28 points |