Academy
Data Privacy Law and the Data Protection Officer experimental
Data Privacy Law and the Data Protection Officer The history and comparative law of the privacy right, from its 1890 common-law origin through the General Data Protection Regulation, the Californian, Indian, Malaysian, and United Kingdom statutes, to the Data Protection Officer role and the unresolved Chat Control 2.0 encryption-scanning debate. The Origins of a Legal Right to Privacy. The 1890 common-law invention of a privacy tort and the Fourth Amendment reasonable-expectation test. Explain why Warren and Brandeis argued for a legal right to privacy in 1890 and what technological change provoked it. State the Katz v. United States test for a reasonable expectation of privacy, apply it to a novel factual scenario, and explain why it replaced a property-based standard. Warren and Brandeis, 1890, The instant photograph and the yellow press, Four privacy torts (Prosser, 1960), Katz v. United States and the reasonable-expectation test, Article 8 of the European Convention on Human Rights A Right Invented by a Law Review Article In 1890, Samuel Warren and Louis Brandeis published "The Right to Privacy" in the Harvard Law Review. No statute compelled it and no court had yet recognized it as a distinct legal interest. The article argued that the common law should recognize a right "to be let alone," grounded in existing tort principles rather than a new constitutional text. The immediate provocation was technological: the instant photograph and the mechanical printing press had made it possible, for the first time, to capture and mass-distribute a person's image and private affairs without consent. Warren and Brandeis were reacting specifically to the sensationalist "yellow press" of their era, which used candid photography to report on the private lives of prominent Boston families, reportedly including Warren's own. "Recent inventions and business methods call attention to the next step which must be taken for the protection of the person... Instantaneous photographs and newspaper enterprise have invaded the sacred precincts of private and domestic life." From Tort to Doctrine William Prosser later systematized the case law that grew from Warren and Brandeis's proposal into four distinct privacy torts: intrusion upon seclusion, public disclosure of private facts, false light, and appropriation of name or likeness. This tort-based architecture remained the primary vehicle for privacy protection in the United States for most of the twentieth century, operating alongside, not instead of, constitutional protections. The Constitutional Track: Katz v. United States Privacy protection also developed along a separate, constitutional track. Before 1967, Fourth Amendment protection against government searches depended on physical trespass onto property, following the reasoning of Olmstead v. United States (1928), which held that wiretapping a telephone line outside a person's home was not a search because it involved no physical intrusion. Katz v. United States (1967) overturned that framework. The Supreme Court held that the Fourth Amendment protects people, not places, and adopted what is now called the reasonable-expectation-of-privacy test: government conduct is a search when it intrudes on a subjective expectation of privacy that society recognizes as reasonable. Applying this test, the Court found that a person using an enclosed public telephone booth had a reasonable expectation his conversation was not being recorded, even though the booth itself was not his property. A Human Rights Track: Article 8 ECHR In Europe, a third track developed through international human rights law. Article 8 of the 1950 European Convention on Human Rights (ECHR) guarantees the right to respect for private and family life, home, and correspondence, subject to narrow, lawful, and necessary exceptions. This provision, rather than a common-law tort, became the doctrinal anchor for much of the European Union's later data-protection architecture. Why This Module Comes First Every statute studied later in this course, the General Data Protection Regulation, the California Consumer Privacy Act, India's Digital Personal Data Protection Act, Malaysia's amended Personal Data Protection Act, and the United Kingdom's Data (Use and Access) Act, rests on the same underlying premise Warren and Brandeis articulated in 1890: that new technology can outpace existing legal categories, and that society must periodically decide where a person's reasonable expectation of privacy begins and ends. The final module of this course returns to that exact question in the context of encrypted messaging and mandated content scanning. Related CCI capabilities Computer Architecture (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/computer-architecture/). Optics Primer Series (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/optics/). Maths Refresher Series, Finance (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/maths-finance/). System Dynamics (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/system-dynamics/). CCI Lab: Run it, build with it, read the thinking, reuse the data. (https://www.cambridgecyberinternational.com/en/insights/lab/) The American Patchwork: Sectoral Privacy Law. HIPAA, ECPA, Carpenter v. United States, and California's CCPA and CPRA. Analyze the United States' sectoral approach to privacy law compared with a comprehensive regime. Explain how Carpenter v. United States (2018) extended Fourth Amendment protection to cell-site location data. Sectoral versus omnibus regulation, HIPAA and health information, The Electronic Communications Privacy Act of 1986, Carpenter v. United States and the third-party doctrine, The California Consumer Privacy Act and the California Privacy Rights Act A Law for Every Sector, Not One Law for All Data Unlike the comprehensive, single-statute model later adopted by the European Union, the United States regulates personal data sector by sector. Health information, financial records, electronic communications, children's data, and credit reporting are each governed by separate federal statutes, enacted at different times in response to different concerns, with no single federal data-protection authority overseeing all of them. HIPAA: Health Data as a Special Category The Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulates the privacy and security of individually identifiable health information held by covered entities, health plans, healthcare clearinghouses, and most healthcare providers, along with their business associates. HIPAA illustrates the sectoral approach precisely: it says nothing about a person's retail purchase history or browsing behavior, only about health data within its defined scope. ECPA: Extending Wiretap Law to Electronic Communications The Electronic Communications Privacy Act of 1986 (ECPA) extended the federal wiretap statute, originally written for telephone calls, to cover electronic communications including email and other data transmissions. Enacted well before the commercial internet, ECPA remains the primary federal statute governing law-enforcement access to stored and in-transit electronic communications, and it has aged awkwardly against technologies its drafters could not have anticipated. Carpenter v. United States: The Constitutional Track Meets Digital Records Carpenter v. United States, decided by the Supreme Court in 2018, extended the Katz reasonable-expectation framework to a new category of data: historical cell-site location information held by a wireless carrier. Timothy Carpenter had been convicted partly on the strength of 127 days of cell-site records obtained from his carrier without a warrant. Before Carpenter, the "third-party doctrine" held that information voluntarily conveyed to a third party, such as a bank or a phone company, carried no reasonable expectation of privacy, because the individual had assumed the risk the third party might disclose it. The Supreme Court held that this doctrine did not extend to the comprehensive, retrospective picture of a person's physical movements that cell-site location data reveals, and that the government generally needs a warrant to obtain it. Carpenter is a narrow decision on its facts, but it demonstrates that the 1967 Katz framework remains the operative test as new categories of digital records emerge. California Fills the Gap: CCPA and CPRA In the absence of a comprehensive federal statute, California enacted the California Consumer Privacy Act (CCPA), effective 2020, giving state residents the right to know what personal information a business collects, to request its deletion, and to opt out of its sale. The California Privacy Rights Act (CPRA), approved by ballot initiative later that year, amended and expanded the CCPA: it added a defined category of sensitive personal information subject to additional restrictions and created the California Privacy Protection Agency, the state's first dedicated privacy regulator. The Practical Consequence for a Data Protection Officer A Data Protection Officer operating in the United States cannot rely on a single statute the way a counterpart operating solely under the General Data Protection Regulation can. Compliance requires mapping which sectoral statute, which state law, and which case law (such as Carpenter's warrant requirement for historical location data) applies to each category of data the organization processes. Related CCI capabilities Computer Architecture (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/computer-architecture/). Optics Primer Series (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/optics/). Maths Refresher Series, Finance (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/maths-finance/). System Dynamics (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/system-dynamics/). CCI Lab: Run it, build with it, read the thinking, reuse the data. (https://www.cambridgecyberinternational.com/en/insights/lab/) The European Model: The GDPR and the Data Protection Officer. GDPR principles, lawful bases, enforcement, and the statutory Data Protection Officer role. Describe the GDPR's core principles and lawful bases for processing personal data. Evaluate whether a given organization is statutorily required to appoint a Data Protection Officer under GDPR Articles 37 through 39, and state the officer's core statutory tasks. The GDPR's seven principles (Article 5), Lawful bases for processing (Article 6), When a Data Protection Officer must be appointed (Article 37), The DPO's position and tasks (Articles 38 and 39), Enforcement and fines (Article 83) A Single Regulation for the Whole Union The General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, became directly applicable across all European Union member states on 25 May 2018. Unlike the United States' sectoral patchwork, the GDPR is a single, horizontally applicable regulation covering nearly all processing of personal data, regardless of sector, by any organization that offers goods or services to, or monitors the behavior of, people in the European Union. The Seven Principles Article 5 of the GDPR sets out the principles that govern all processing: lawfulness, fairness, and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability, meaning the controller must be able to demonstrate compliance with the other six, not merely assert it. Lawful Bases for Processing Article 6 requires that processing rest on at least one lawful basis: the data subject's consent, necessity for performing a contract, compliance with a legal obligation, protection of vital interests, performance of a task in the public interest, or the controller's legitimate interests, balanced against the data subject's rights and freedoms. A Data Protection Officer (DPO)'s first question about any new processing activity is almost always which of these six bases applies, and whether it has been properly documented. The Data Protection Officer: Articles 37 to 39 The GDPR created, for the first time in most member states, a statutorily defined compliance role with legal independence guarantees. Article 37 requires appointment of a Data Protection Officer when the controller or processor is a public authority, when its core activities require large-scale, regular and systematic monitoring of individuals, or when its core activities involve large-scale processing of special categories of data such as health, biometric, or criminal-conviction data. Article 38 protects the DPO's independence: the organisation must involve the DPO properly and in a timely manner in all data-protection matters, the DPO must report to the highest level of management, and the DPO must not be instructed on how to exercise their tasks nor penalised for performing them. Article 39 lists the DPO's tasks: informing and advising the controller and its employees of their obligations, monitoring compliance, providing advice on data protection impact assessments, cooperating with the supervisory authority, and acting as its contact point. Enforcement: Article 83 The GDPR's fines are tiered. The most serious infringements, including violations of the core processing principles and data-subject rights, can result in administrative fines of up to 20 million euros or 4 percent of the undertaking's total worldwide annual turnover of the preceding financial year, whichever figure is higher. This structure is designed to scale meaningfully even against the largest multinational processors. A Related but Distinct Instrument: The ePrivacy Directive Directive 2002/58/EC (the 'EC' suffix denoting the European Community (EC) treaty framework used in pre-Lisbon legal citations), the ePrivacy Directive, predates the GDPR and specifically governs privacy in electronic communications: cookies, unsolicited marketing communications, and confidentiality of communications. It interacts with, but is legally distinct from, the GDPR, and a Data Protection Officer must track both instruments separately, since a reform of one does not automatically amend the other. Setting Up the Comparative Modules to Follow The GDPR's independent, statutorily empowered DPO role became the template that other jurisdictions would later adapt, sometimes closely and sometimes only partially. The next module examines three of those adaptations: India's Digital Personal Data Protection Act, Malaysia's amended Personal Data Protection Act, and the United Kingdom's post-Brexit reform, each of which borrows from the GDPR's structure while diverging from it in specific, consequential ways. Related CCI capabilities Computer Architecture (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/computer-architecture/). Optics Primer Series (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/optics/). Maths Refresher Series, Finance (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/maths-finance/). System Dynamics (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/system-dynamics/). CCI Lab: Run it, build with it, read the thinking, reuse the data. (https://www.cambridgecyberinternational.com/en/insights/lab/) The Global Wave: DPDP, PDPA, and the United Kingdom's DUAA. India's DPDP Act, Malaysia's amended PDPA, and the United Kingdom's Data (Use and Access) Act 2025. Evaluate India's DPDP Act 2023, Malaysia's amended PDPA, and the United Kingdom's DUAA 2025 on scope, timeline, and the Data Protection Officer requirement. Identify which of these regimes made DPO appointment mandatory and from what date. India's Digital Personal Data Protection Act 2023 and its 2025 Rules, Malaysia's Personal Data Protection (Amendment) Act 2024, The United Kingdom's Data (Use and Access) Act 2025, A comparative table of scope and enforcement, Why comprehensive privacy statutes have spread globally since the GDPR The GDPR as Template, Not Terminus Since the General Data Protection Regulation (GDPR) took effect in 2018, a wave of jurisdictions with historically minimal or purely sectoral privacy law have enacted comprehensive statutes of their own. Three enacted or substantially reformed their frameworks within roughly the same recent window: India, Malaysia, and the United Kingdom. Each borrows recognisable GDPR structures, a defined oversight body, breach notification, data-subject rights, while diverging in scope, timeline, and how far it goes in mandating a Data Protection Officer (DPO). India: The Digital Personal Data Protection Act India's Digital Personal Data Protection Act (DPDP) was enacted in 2023, but most of its delegated provisions required implementing rules, which were notified as the Digital Personal Data Protection Rules 2025 on 13 November 2025. The Act established the Data Protection Board of India as the body responsible for administrative oversight and complaint adjudication, distinct from a full-scale regulator with independent rulemaking power. A distinctive feature of the Indian regime is the Consent Manager framework: registered, interoperable third-party intermediaries through which a Data Principal (the Indian statute's term for a data subject) can manage, review, or withdraw consent across multiple digital services from a single interface. This framework was expected to become operational through 2026, with full compliance obligations for Data Fiduciaries (the Act's term for controllers) phased in on a multi-year timeline extending toward 2027. Malaysia: The Personal Data Protection (Amendment) Act 2024 Malaysia's Personal Data Protection Act (PDPA), originally enacted in 2010, received its most significant amendment in 2024. The Personal Data Protection (Amendment) Act 2024 received Royal Assent on 9 October 2024 and was phased in across three dates in the first half of 2025. The substantive obligations arrived in the later phases. From 1 April 2025, key changes such as expanded sensitive-data definitions and the removal of the prior cross-border-transfer whitelist system took effect. From 1 June 2025, both data controllers and data processors became required to appoint at least one Data Protection Officer, and controllers gained a duty to notify the Personal Data Protection Commissioner as soon as practicable upon reasonable belief that a data breach had occurred. Malaysia's amendment is, among the three regimes compared in this module, the one whose text most explicitly and unconditionally mandates a DPO role for both controllers and processors. The United Kingdom: The Data (Use and Access) Act 2025 The United Kingdom's Data (Use and Access) Act (DUAA) 2025 received Royal Assent on 19 June 2025. It is widely described as the most significant reform of the UK's post-Brexit data protection framework since the retained "UK GDPR" was established, and most of its substantive reforms took effect on 5 February 2026, with certain employer-facing obligations following on 19 June 2026. The Act recalibrates several GDPR-inherited rules toward what its drafters describe as a more innovation-friendly balance: a more permissive framework for solely automated decision-making, subject to safeguards; a new international-transfer "data protection test" that asks whether a third country's protections are "not materially lower" than the UK's, replacing the stricter "essentially equivalent" standard; clarified Data Subject Access Request handling, limiting organisations to "reasonable and proportionate" searches and allowing the response clock to pause when further information is needed from the requester; and a new statutory right for individuals to complain directly to organisations, which must acknowledge the complaint within a defined period. A Comparative View Why the Comparison Matters Operationally A Data Protection Officer at a company operating across the European Union, India, Malaysia, and the United Kingdom cannot treat any one of these regimes as a proxy for the others. Each imposes independent timelines, thresholds, and enforcement mechanisms, even where the underlying structure looks similar to the GDPR's. The next module turns from this comparative legal map to the DPO's day-to-day operational obligations, data protection impact assessments, records of processing, and breach notification, that apply regardless of which statute is in force. Related CCI capabilities Computer Architecture (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/computer-architecture/). Optics Primer Series (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/optics/). Maths Refresher Series, Finance (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/maths-finance/). System Dynamics (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/system-dynamics/). CCI Lab: Run it, build with it, read the thinking, reuse the data. (https://www.cambridgecyberinternational.com/en/insights/lab/) The Data Protection Officer in Practice. DPIAs, breach-notification workflows, records of processing, and the DPO's operating position. Describe when a Data Protection Impact Assessment is required and what it must contain. Construct a breach-notification workflow that satisfies the tightest applicable statutory deadline across jurisdictions studied. The DPO's independence and reporting line, revisited, Data Protection Impact Assessments, Records of processing activities, Breach-notification deadlines compared across jurisdictions, The DPO's working relationship with security, legal, and the board From Statute to Daily Practice The preceding modules traced the legal architecture of privacy law. This module turns to what a Data Protection Officer (DPO) actually does: assessing risk before it materialises, documenting processing activities, and running a breach response under real time pressure. Data Protection Impact Assessments Under the General Data Protection Regulation (GDPR) Article 35, a Data Protection Impact Assessment (DPIA) is required before beginning any processing likely to result in a high risk to the rights and freedoms of natural persons, for example large-scale systematic monitoring of a publicly accessible area, or large-scale processing of special categories of data. A DPIA must describe the processing and its purposes, assess necessity and proportionality, identify risks to data subjects, and set out the measures taken to address those risks. Conducted before processing begins, a DPIA is a design tool, not a post-incident report. Records of Processing Activities Article 30 requires many controllers and processors to maintain a Record of Processing Activities: the purposes of each processing activity, the categories of data subjects and personal data involved, the recipients to whom data is or will be disclosed, applicable retention periods, and a general description of the technical and organisational security measures in place. In practice, this record is the single artefact a DPO produces first when a regulator asks "what do you do with this data, and why." Breach Notification: A Race Against Different Clocks Breach notification timelines are not harmonised across the jurisdictions studied in this course, and a Data Protection Officer's operational competence is measured largely by whether the organisation can meet the tightest applicable deadline. Under GDPR Article 33, a controller must notify the relevant supervisory authority, where feasible, within 72 hours of becoming aware of a personal data breach. Malaysia's amended Personal Data Protection Act uses a materially different standard: notification to the Personal Data Protection Commissioner "as soon as practicable" upon reasonable belief a breach occurred, a duty without a fixed hour count but without the GDPR's feasibility qualifier either. The United Kingdom's Data (Use and Access) Act 2025 left the underlying UK GDPR breach-notification regime in place while separately clarifying Data Subject Access Request handling, permitting "reasonable and proportionate" searches and pausing the response deadline when further information is needed from the requester. The DPO's Position in the Organisation, Revisited None of this operational work is possible without the independence guarantees examined in Module 2. A DPO who can be instructed to delay a breach assessment, or penalised for recommending disclosure management would prefer to avoid, cannot reliably meet a 72-hour or "as soon as practicable" deadline. The GDPR's Article 38 protections, and the reporting-line requirement they impose, exist precisely so that the DPO's operational judgment is not subordinated to short-term commercial pressure during the moment it matters most. Working with Security and Legal An effective DPO's relationship with the security function is collaborative but distinct. Security identifies, contains, and remediates the technical incident. The DPO assesses the legal notifiable status, the applicable statutory deadline in each relevant jurisdiction, and the required content of any notification, then coordinates with legal counsel on liability exposure and with communications on data-subject-facing messaging. Confusing these roles, for example letting security alone decide whether a breach is legally notifiable, is a common and avoidable failure mode. Related CCI capabilities Computer Architecture (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/computer-architecture/). Optics Primer Series (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/optics/). Maths Refresher Series, Finance (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/maths-finance/). System Dynamics (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/system-dynamics/). CCI Lab: Run it, build with it, read the thinking, reuse the data. (https://www.cambridgecyberinternational.com/en/insights/lab/) The Frontier: Encryption, Scanning, and Consent (Capstone). The Chat Control 2.0 encryption-scanning debate as the current frontier of the privacy right, and a synthesis capstone. Explain the structural tension between mandatory scanning for illegal content and end-to-end encryption, using the European Union's Chat Control 2.0 debate and Apple's withdrawn NeuralHash proposal. Write a Data Protection Officer briefing memo synthesizing the course's historical, comparative, and operational material for a hypothetical multinational company. The structural problem: scanning versus end-to-end encryption, Apple's NeuralHash proposal and its 2021 to 2022 withdrawal, The European Union's Chat Control 2.0 (CSAR) negotiations, Where the arc from 1890 to today leaves open questions, Capstone: the DPO briefing memo The Structural Problem Every privacy statute studied in this course assumes that content, a message, a photograph, a location record, can in principle be inspected by someone: a court applying a warrant, a regulator investigating a complaint, a Data Protection Officer (DPO) auditing a processing activity. End-to-end encryption removes that assumption for message content: only the sender and recipient can read it, by design, and no intermediary, including the platform operator, can decrypt it. This creates a direct structural conflict with proposals to detect child sexual abuse material (CSAM) in private messaging. Detecting such material normally requires inspecting message content in some form, which appears to be in tension with a system explicitly engineered so that no one but the participants can read that content. Apple's NeuralHash: The Closest Real-World Attempt In August 2021, Apple published a technical summary of a proposed CSAM Detection system, often referred to by the name of its underlying algorithm, NeuralHash. The design performed on-device hash matching: before a photo was uploaded to iCloud, the device would compute a hash and compare it against a database of known CSAM hashes, without the raw image ever being inspected by Apple in unencrypted form on its servers, and without any human review unless a threshold of matches was exceeded. The proposal was paused, and later effectively abandoned, following sustained criticism from security researchers, cryptographers, and civil-liberties organisations. Their central objection was not that the specific hash-matching mechanism was technically broken, but that building any on-device scanning infrastructure, even for a narrowly defined and universally condemned category of content, creates a capability that could be repurposed or expanded by court order or by authoritarian governments to scan for other content entirely. Apple's own long-standing public defence of strong encryption made the proposal appear, to many critics, internally inconsistent with the company's stated privacy commitments. The European Union's Chat Control 2.0 Debate The European Union has, since 2022, negotiated a proposed Child Sexual Abuse Regulation (CSAR) laying down rules to prevent and combat child sexual abuse, referred to by critics as "Chat Control" or "Chat Control 2.0." As of mid-2026, this permanent regulation remains under negotiation through trilogue between the Parliament, Council, and Commission, with no final text adopted. A separate, narrower measure, an interim derogation from the ePrivacy Directive that permitted platforms to voluntarily scan private communications for CSAM, sometimes called "Chat Control 1.0," had allowed such scanning on a temporary legal basis. The European Parliament declined to extend that derogation, and it lapsed in early 2026, after which several major platforms reportedly continued some voluntary scanning despite the absence of a clear legal basis for doing so. The permanent CSAR negotiation continues separately and remains the central open question this module asks learners to track rather than resolve. The Continuity from 1890 to Today This module's placement at the end of the course is deliberate. Warren and Brandeis, in 1890, argued that a new technology, instant photography combined with mass printing, required society to define a new boundary around private life that existing law had not anticipated. The Chat Control 2.0 debate poses the structurally identical question about a different technology: does detecting a narrow, universally condemned category of illegal content require capabilities that erode the reasonable expectation of privacy that end-to-end encryption was built to guarantee for everyone else's ordinary communications? Neither this course nor the underlying negotiation has resolved that question. What a Data Protection Officer can responsibly do is separate confirmed facts, statutory deadlines, decided case law, enacted statutes, from unresolved, live political negotiations, and advise their organisation accordingly rather than treating a pending outcome as settled law. Capstone: The Data Protection Officer Briefing Memo Produce a briefing memo, addressed to a hypothetical multinational company's board, that synthesises this course. The memo must include: the historical and legal basis for the privacy right (Module 0); the applicable statutory landscape across at least the European Union, the United States, and one of India, Malaysia, or the United Kingdom (Modules 1 through 3); the company's operational obligations under that landscape, including Data Protection Impact Assessment (DPIA) triggers and the tightest applicable breach-notification deadline (Module 4); and an assessment of the encryption-versus-scanning tension and its current, unresolved status (this module). The memo should explicitly flag which of its claims rest on settled law and which rest on a live, unresolved negotiation. Related CCI capabilities Computer Architecture (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/computer-architecture/). Optics Primer Series (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/optics/). Maths Refresher Series, Finance (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/maths-finance/). System Dynamics (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/system-dynamics/). CCI Lab: Run it, build with it, read the thinking, reuse the data. (https://www.cambridgecyberinternational.com/en/insights/lab/)