Assignment 2: GDPR Case Study
Assignment
In this assignment, you will investigate a documented violation of the EU's General Data Protection Regulation (GDPR), learn the details of the case, and present it to the class. The goal is to understand how the privacy of user data is violated in practice, either deliberately or accidentally, what technical issues arise, and what sanctions apply.
Overview of what you will do:
- Pick a real-world GDPR violation case and investigate it.
- Write a short (1-2 pages) report about the case.
- Present the case in class (3-4 minutes, 1-2 slides).
Please read the detailed instructions below, as they are designed to help make the assignment easier for you.
Step 1: Choose a case
The first thing to do is to pick a case that you will look into and present. Records of GDPR violations are available online in many locations, including here and here. When choosing a case, you might want to bear the following in mind:
- Some cases are documented much better than others; choose a case for which you are confident you can answer most of the questions in Step 3 below using the available information.
- High-profile cases are likely to have more media coverage and details available, but small cases (e.g., individuals getting fined) can also be interesting.
- One primary source of information is often a European country's data protection agency, as these agencies impose the fines. The agencies often have a section on their website that lists enforcement cases (for example, the UK's Information Commissioner's Office list), and those lists may be a good source of cases missing from the above aggregator lists.
- Some of the official documents you find may be in the national language of the country in which the violation occurred. Sometimes, you can find an English version on the national data protection agency's website, or by searching for the name of the violating entity and "GDPR" on the internet to find press coverage.
Step 2: Find out the facts
Now investigate the case, and take detailed notes on these questions (and other important aspects of the case you come across):
- Who was found guilty of violating the GDPR, and who ordered them fined?
- Why was a fine imposed? Which articles of the GDPR were violated, and by whom?
- What personal data was exposed/mishandled, and in what way?
- Who are the data subjects, the data controller, and the data processor in this case? Which of the data controller or data processor was fined?
- What went wrong on a technical level? (The reports often lack details; you may need to make some assumptions about how the infrastructure involved was structured, and what problems occurred that could have resulted in the violation reported.)
- How could this violation have been prevented? Pay particular attention to technology (e.g., encrypted storage, least-privilege access, storage structure, etc.) that could have prevented the problem, but also to human factors (e.g., better procedures, more oversight, clear guidelines) that could have prevented it.
- Who caused action to be taken? Did someone complain, or did a regulator take action on their own?
- How rapidly did the regulator act? How much time elapsed between the violation and the fine being imposed?
- How large a fine did the regulator impose?
- How is the incident or violation explained to lay persons reading about it? How is it explained for a technical audience?
- What did the violator themselves do to acknowledge the violation, if anything? (Look for press releases from the company concerned, for example.)
- Was this case purely internal to an EU country, or does it have global significance? Were non-EU citizens affected by the violation? Is the company in question headquartered in the EU, does it have an EU subsidiary, or does it have no relation to the EU other than offering products or services to people in the EU?
- Has the case concluded? If so, does the final fine paid differ from the fine originally imposed? If not, what is currently happening (appeal, negotiations to reduce the fine, etc.)?
Not all cases are equally well documented, and finding answers to some of these questions can be challenging or may, in some cases, be impossible. However, I expect you to make a good effort. Using web search engines will get you some of the way, but remember that not all of the web is indexed by search engines. In particular, company press releases, court papers, and data protection agency enforcement action notices are not always easily discoverable through a search engine, and it may be a good idea to dig on their websites directly. For example, many large corporations have a separate press portal that contains press releases and legal notices.
Make note of your sources! You will want to cite important ones when you write up your report.
If primary information related to your case is in a language other than English, automated web translation services such as Google Translate often work reasonably well.
Step 3: Write a report
Now write a short report that summarizes your findings. The report should consist of about two pages of text, excluding figures, references and bibliography. Please use the OSDI 2018 submission template.
Your report should answer the questions listed above for which you could find answers, but in addition it should also contain your judgement on the case. This may involve answering questions like these:
- Do you think the fine imposed is appropriate? Is it too low, too high, or just right? Relate the amount to the number of people affected by the violation. It may help you to consider what "price" the fine (implicitly) puts on the personal data concerned.
- Did the GDPR enforcement process work well in this case? What could have been handled better?
- Do you believe violations similar to the one sanctioned here to be commonplace? Will the case cause other companies or entities to change their practices?
- What should we as researchers and system designers aim to do in order to prevent similar problems in the future? Are there technical solutions that already exist? If not, what would we need to invent in order to make it impossible (or at least very unlikely) for the problem concerned to reoccur?
Please treat the report as a piece of academic writing. This means that you must cite sources for your claims, and that copying and pasting information from sources without citation would constitute plagiarism (so don't do it). You will want to structure the report like you would structure a paper: a quick high-level abstract or introduction, followed by a structured discussion of the details, and finally a discussion of the implications. An example structure of section titles might look as follows:
- Abstract/Introduction: overview of the case.
- Background: problem setting (data subjects/controller/processor), infrastructure used, business involved, responsible data protection agency.
- GDPR violation:
- What happened? Describe the violation, how it was reported, and what action was taken.
- Who/what is responsible? Discuss why the violation occurred, including the technical and human factors responsible.
- What could have prevented this? Discuss what measures the violator could have taken (or taken differently) to avoid the problems.
- Discussion: your judgement about the handling, importance, and significance of the case.
We will publish the finished reports on the course website. If there are any problems with making your report publicly available, please contact Malte to discuss.
» 2019 reports for inspiration.
Step 4: In-class presentation
On Tuesday, September 29, you will present the case you researched in our course meeting. Please prepare a short presentation that summarizes your research and findings. The exact presentation duration is still TBD, but you may assume that you will have no more than 3-4 minutes. Preparing such a short presentation is challenging! Think carefully about the key facts that everyone should know, and one or two other key points you want to emphasize. It is fine to not cover all aspects that your written report considers.
You may use slides or the whiteboard as you choose. However, to ensure that you stay on time, please plan on having no more than 1-2 slides in total. Rehearse your presentation well, so that you can make your points within the time available. Do not go over your time; we will enforce the time limits.