
Assignment 2: GDPR Case Study

Assignment

In this assignment, you will investigate a documented violation of the EU's General Data Protection Regulation (GDPR), learn the details of the case, and present it to the class. The goal is to understand how the privacy of user data is violated in practice, either deliberately or accidentally, what technical issues arise, and what sanctions apply.

Overview of what you will do:

  1. Pick a real-world GDPR violation case and investigate it.
  2. Write a short (1-2 pages) report about the case.
  3. Present the case in class (3-4 minutes, 1-2 slides).

Please read the detailed instructions below, as they are designed to help make the assignment easier for you.

Step 1: Choose a case

The first thing to do is to pick a case that you will look into and present. Records of GDPR violations are available online in many locations, including GDPRhub and Enforcement Tracker. When choosing a case, you might want to bear the following in mind:

Task: Choose a case that you find interesting, and enter it in this spreadsheet. Please make sure to avoid duplicates if possible; you are welcome to join an existing group.

Step 2: Find out the facts

Now investigate the case, and take detailed notes on these questions (and other important aspects of the case you come across):

  1. Who was found guilty of violating the GDPR, and who ordered them fined?
  2. Why was a fine imposed? Which articles of the GDPR were violated, and by whom?
  3. What personal data was exposed/mishandled, and in what way?
  4. Who are the data subjects, the data controller, and the data processor in this case? Which of the data controller or data processor was fined?
  5. What went wrong on a technical level? (The reports often lack details; you may need to make some assumptions about how the infrastructure involved was structured, and what problems occurred that could have resulted in the violation reported.)
  6. How could this violation have been prevented? Pay particular attention to technology (e.g., encrypted storage, least-privilege access, storage structure, etc.) that could have prevented the problem, but also to human factors (e.g., better procedures, more oversight, clear guidelines) that could have prevented it.
  7. Who caused action to be taken? Did someone complain, or did a regulator take action on their own?
  8. How rapidly did the regulator act? How much time elapsed between the violation and the fine being imposed?
  9. How large a fine did the regulator impose?
  10. How is the incident or violation explained to lay persons reading about it? How is it explained for a technical audience?
  11. What did the violator themselves do to acknowledge the violation, if anything? (Look for press releases from the company concerned, for example.)
  12. Was this case purely internal to an EU country, or does it have global significance? Were non-EU citizens affected by the violation? Is the company in question headquartered in the EU, does it have an EU subsidiary, or does it have no relation to the EU other than offering products or services to people in the EU?
  13. Has the case concluded? If so, does the final fine paid differ from the fine originally imposed? If not, what is currently happening (appeal, negotiations to reduce the fine, etc.)?

Not all cases are equally well documented, and finding answers to some of these questions can be challenging or may, in some cases, be impossible. However, I expect you to make a good effort. Using web search engines will get you some of the way, but remember that not all of the web is indexed by search engines. In particular, company press releases, court papers, and data protection agency enforcement action notices are not always easily discoverable through a search engine, and it may be a good idea to dig on their websites directly. For example, many large corporations have a separate press portal that contains press releases and legal notices.

Make note of your sources! You will want to cite important ones when you write up your report.

If primary information related to your case is in a language other than English, automated web translation services such as Google Translate often work reasonably well.

Step 3: Write a report

Now write a short report that summarizes your findings. The report should consist of about two pages of text, excluding figures, references and bibliography. Please use the OSDI 2018 submission template.

Your report should answer the questions listed above for which you could find answers, but in addition it should also contain your judgement on the case. This may involve answering questions like these:

Please treat the report as a piece of academic writing. This means that you must cite sources for your claims, and that copying and pasting information from sources without citation would constitute plagiarism (so don't do it). You will want to structure the report like you would structure a paper: a quick high-level abstract or introduction, followed by a structured discussion of the details, and finally a discussion of the implications. An example structure of section titles might look as follows:

Task: Submit your report by email to cs2390tas@lists.brown.edu by 11pm (Eastern time) on Friday, September 24, 2021.

We will publish the finished reports on the course website. If there are any problems with making your report publicly available, please contact Malte to discuss.

» Here are prior reports for inspiration.

Step 4: In-class presentation

On Tuesday, September 28, you will present the case you researched in our course meeting. Please prepare a short presentation that summarizes your research and findings. The exact presentation duration is still TBD, but you may assume that you will have no more than 3-4 minutes. Preparing such a short presentation is challenging! Think carefully about the key facts that everyone should know, and one or two other key points you want to emphasize. It is fine not to cover all aspects that your written report considers.

You may use slides or the whiteboard as you choose. However, to ensure that you stay on time, please plan on having no more than 1-2 slides in total. Rehearse your presentation well, so that you can make your points within the time available. Do not go over your time; we will enforce the time limits.