@wazir-dev/cli 1.0.0

package/expertise/security/compliance-frameworks.md

@@ -0,0 +1,601 @@
+# Compliance Frameworks — Expertise Module
+
+> Comprehensive guidance for implementing regulatory compliance across GDPR, CCPA/CPRA, HIPAA, PCI-DSS 4.0, SOX, and FERPA. Covers data classification, subject rights automation, breach response protocols, consent management, cross-jurisdictional requirements, and audit trail implementation. Use when building systems that handle regulated data or operate across multiple legal jurisdictions.
+
+---
+
+## 1. Authority Opening — Enforcement Reality
+
+Regulatory enforcement is not theoretical. Fines are measured in hundreds of millions,
+and the trend is acceleration, not leniency.
+
+| Year | Entity | Fine | Authority | Reason |
+|------|--------|------|-----------|--------|
+| 2023 | Meta Platforms | EUR 1.2B | Irish DPC | EU-US data transfers without adequate safeguards (GDPR Art. 46) |
+| 2021 | Amazon Europe | EUR 746M | CNPD Luxembourg | Behavioral advertising without valid consent (GDPR Art. 6) |
+| 2020 | British Airways | GBP 20M | UK ICO | Failure to protect personal data in 2018 breach (GDPR Art. 32) |
+| 2019 | Equifax | USD 575M | US FTC | Settlement for 2017 breach exposing 147M consumers' PII |
+
+**IBM 2023 Cost of a Data Breach Report:**
+- Global average breach cost: **$4.45M** (13% increase over 3 years).
+- Healthcare sector average: **$10.93M** (highest of any industry, 13 consecutive years).
+- Organizations with IR team + tested plan saved **$2.66M** per breach.
+- AI and automation in security reduced breach costs by **$1.76M** on average.
+
+**HIPAA breach notification (45 CFR Section 164.408):** Covered entities must notify
+affected individuals no later than **60 calendar days** from discovery. Breaches
+affecting 500+ individuals require concurrent notification to HHS and prominent
+media outlets in the affected state or jurisdiction.
+
+---
+
+## 2. Framework Comparison
+
+| Framework | Scope | Key Requirements | Breach Window | Penalties | Territorial Reach |
+|-----------|-------|------------------|---------------|-----------|-------------------|
+| **GDPR** | Personal data of EU/EEA residents | Lawful basis, minimization, subject rights (Art. 12-22), DPO, DPIA | 72 hours to authority (Art. 33) | EUR 20M or 4% global turnover | Any entity processing EU residents' data |
+| **CCPA/CPRA** | PI of California residents | Right to know, delete, opt-out of sale/sharing, correct | "Without unreasonable delay" | USD 2,500-7,500/violation | USD 25M+ revenue, 100K+ consumers, or 50%+ data revenue |
+| **HIPAA** | Protected health information | Privacy Rule, Security Rule, minimum necessary, BAAs | 60 days to individuals (45 CFR 164.408) | USD 100-50,000/violation; max USD 1.5M/year | US healthcare providers, plans, clearinghouses, BAs |
+| **PCI-DSS 4.0** | Cardholder data + sensitive auth data | Segmentation, encryption, access control, MFA, logging | Immediate to acquirer; brands within 72h | USD 5,000-100,000/month; loss of processing | Any entity handling cardholder data globally |
+| **SOX** | Financial reporting of US public companies | Internal controls (Sec. 404), CEO/CFO cert (Sec. 302) | Material weakness in annual report | USD 5M + 20 years imprisonment | US-listed companies + foreign subsidiaries |
+| **FERPA** | Student education records | Prior consent for disclosure, directory opt-out | "Reasonable" notification expected | Loss of federal funding | US institutions receiving federal funding |
+
+---
+
+## 3. Data Classification Patterns
+
+Define classification once in config; enforce everywhere through middleware and database policies.
+
+```yaml
+data_categories:
+  email:
+    classification: PII
+    retention_days: 730
+    legal_basis: consent
+    encryption: at_rest_and_transit
+    cross_border: requires_adequacy_decision
+
+  health_record:
+    classification: sensitive_PII
+    retention_days: 2555  # 7 years (HIPAA minimum)
+    legal_basis: legal_obligation
+    encryption: at_rest_and_transit
+    additional_controls: [access_logging, anonymization_at_rest, role_based_access]
+
+  credit_card_number:
+    classification: financial
+    retention_days: 0     # Never store full PAN (PCI-DSS)
+    legal_basis: contract
+    encryption: tokenization
+    additional_controls: [pci_scope_isolation, network_segmentation]
+
+  social_security_number:
+    classification: sensitive_PII
+    retention_days: 2555  # Tax/legal retention
+    legal_basis: legal_obligation
+    encryption: at_rest_and_transit
+    additional_controls: [access_logging, masking_in_display, need_to_know_access]
+
+  child_data:
+    classification: sensitive_PII
+    retention_days: 365   # Minimize retention
+    legal_basis: parental_consent
+    minimum_age: 13       # COPPA; GDPR varies 13-16 by member state
+    additional_controls: [age_verification, parental_consent_verification, no_behavioral_profiling]
+
+  student_record:
+    classification: education_PII
+    retention_days: 1825  # 5 years post-enrollment
+    legal_basis: legal_obligation
+    additional_controls: [ferpa_directory_opt_out, parental_consent_tracking]
+
+  ip_address:
+    classification: PII
+    retention_days: 90
+    legal_basis: legitimate_interest
+    anonymization_strategy: truncate_last_octet
+```
+
+### Classification Enforcement
+
+```typescript
+function enforceClassification(field: string, config: DataClassification) {
+  return async (req: Request, res: Response, next: NextFunction): Promise<void> => {
+    if (req.body[field] === undefined) return next();
+    if (config.encryption === 'tokenization') {
+      req.body[field] = await tokenizationService.tokenize(req.body[field]);
+    }
+    if (config.additionalControls.includes('access_logging')) {
+      await auditLogger.log({
+        actor: req.user?.id ?? 'anonymous', action: 'access',
+        resource: field, dataSubjectId: req.params.userId,
+      });
+    }
+    next();
+  };
+}
+```
+
+---
+
+## 4. Subject Rights Implementation (GDPR Articles 15-22)
+
+| Right | Article | Implementation | SLA |
+|-------|---------|----------------|-----|
+| Access | Art. 15 | Data export endpoint | 30 days |
+| Rectification | Art. 16 | Update with audit trail | 30 days |
+| Erasure | Art. 17 | Cascading delete + processor notification | 30 days |
+| Restriction | Art. 18 | Flag-based processing halt | 30 days |
+| Portability | Art. 20 | JSON/CSV structured export | 30 days |
+| Object | Art. 21 | Opt-out with audit trail | 30 days |
+| Automated decisions | Art. 22 | Human review mechanism | 30 days |
+
+### Erasure Endpoint with Cascading Deletes
+
+```typescript
+interface ErasureResult {
+  service: string;
+  status: 'deleted' | 'anonymized' | 'retained' | 'failed';
+  recordCount: number;
+  legalBasis?: string;
+}
+
+class ErasureService {
+  private readonly processors: DataProcessor[] = [
+    { name: 'analytics-provider', endpoint: '/api/gdpr/erasure' },
+    { name: 'email-service', endpoint: '/api/gdpr/erasure' },
+    { name: 'payment-provider', endpoint: '/api/gdpr/erasure' },
+  ];
+
+  async executeErasure(userId: string, requestId: string): Promise<ErasureReport> {
+    const results: ErasureResult[] = [];
+
+    // Phase 1: Internal data — delete or anonymize per legal basis
+    results.push(await this.deleteUserProfile(userId));
+    results.push(await this.deleteUserContent(userId));
+    results.push(await this.handleFinancialRecords(userId));
+
+    // Phase 2: Notify processors (GDPR Art. 17(2))
+    const notified: string[] = [];
+    for (const proc of this.processors) {
+      try {
+        await this.notifyProcessor(proc, userId, requestId);
+        notified.push(proc.name);
+      } catch (err) {
+        const reason = (err as NodeJS.ErrnoException).code
+          ?? (err instanceof Error ? err.message : String(err));
+        await this.alertDPO(requestId, proc.name, reason);
+        results.push({ service: proc.name, status: 'failed', recordCount: 0 });
+      }
+    }
+
+    // Phase 3: Audit trail (pseudonymize subject ID in record)
+    const report = {
+      requestId, userId: this.pseudonymize(userId),
+      completedAt: new Date().toISOString(), results, processorsNotified: notified,
+    };
+    await this.auditLog.recordErasure(report);
+    await this.scheduleBackupPurge(userId);
+    return report;
+  }
+
+  private async handleFinancialRecords(userId: string): Promise<ErasureResult> {
+    // Tax law: 7-year retention — pseudonymize, do not delete
+    const count = await db.query(
+      `UPDATE financial_records SET user_id = $1, email = NULL, name = NULL
+       WHERE user_id = $2`,
+      [this.pseudonymize(userId), userId]
+    );
+    return {
+      service: 'financial-records', status: 'anonymized',
+      recordCount: count.rowCount,
+      legalBasis: 'Tax retention obligation (7 years) — Art. 17(3)(b)',
+    };
+  }
+
+  private async notifyProcessor(
+    processor: DataProcessor, userId: string, requestId: string
+  ): Promise<void> {
+    const response = await fetch(processor.endpoint, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json', 'X-Request-Id': requestId },
+      body: JSON.stringify({ userId, action: 'erasure', requestId }),
+    });
+    if (!response.ok) {
+      throw new Error(`Processor ${processor.name} returned ${response.status}`);
+    }
+  }
+}
+```
+
+---
+
+## 5. Breach Response Protocol
+
+### Four-Phase Timeline
+
+```
+Phase 1: DETECTION (Hour 0)
+  |-- Automated monitoring triggers (SIEM, anomaly detection, IDS/IPS)
+  |-- Security team acknowledges; begins containment
+  |-- Preserve forensic evidence (do NOT reboot or wipe affected systems)
+  |
+Phase 2: ASSESSMENT (Hours 0-24)
+  |-- Determine: What data? How many subjects? What categories?
+  |-- Severity classification (see matrix below)
+  |-- Legal review: which frameworks apply?
+  |
+Phase 3: NOTIFICATION (Hours 24-72)
+  |-- GDPR: 72 hours to supervisory authority (Art. 33)
+  |-- HIPAA: 60 days to individuals; HHS for 500+ (45 CFR 164.408)
+  |-- CCPA: "Without unreasonable delay" to affected consumers
+  |-- PCI-DSS: Immediate to acquirer/payment brand
+  |-- Notify data subjects if high risk (GDPR Art. 34)
+  |
+Phase 4: DOCUMENTATION (Post-incident)
+  |-- Root cause analysis + remediation plan
+  |-- Evidence preservation chain of custody
+  |-- Update incident register (GDPR Art. 33(5))
+```
+
+### Severity Matrix
+
+| Factor | Low (1) | Medium (2) | High (3) | Critical (4) |
+|--------|---------|------------|----------|---------------|
+| Data type | Public | Internal/PII | Sensitive PII/PHI | Financial/credentials |
+| Volume | < 100 records | 100-10K | 10K-1M | > 1M records |
+| Encryption | Encrypted | Partially encrypted | Unencrypted | Unencrypted + exfiltrated |
+| Impact | Minimal | Limited | Significant harm likely | Widespread harm certain |
+
+**Score = sum. Thresholds:** 4-6 internal only; 7-10 authority notification;
+11-14 authority + individual; 15-16 full crisis response.
+
+### Notification Template (GDPR Art. 33)
+
+```yaml
+breach_notification:
+  controller:
+    name: "{{company_name}}"
+    dpo_contact: "{{dpo_email}}"
+  breach_details:
+    date_detected: "{{timestamp}}"
+    nature: "{{unauthorized access / exfiltration / ransomware}}"
+    categories_affected: ["Names and emails", "{{additional}}"]
+    approximate_subjects: "{{count}}"
+  consequences:
+    likely_impact: "{{identity theft / financial loss / reputational harm}}"
+  measures_taken:
+    containment: "{{actions taken}}"
+    remediation: "{{actions to prevent recurrence}}"
+    subject_notification: "{{planned / completed / not required}}"
+```
+
+---
+
+## 6. Privacy by Design — Cavoukian's 7 Foundational Principles
+
+| # | Principle | Implementation |
+|---|-----------|---------------|
+| 1 | Proactive not reactive | Threat modeling during design; DPIA before high-risk processing |
+| 2 | Privacy as the default | Opt-in for collection; strictest settings out of the box |
+| 3 | Privacy embedded into design | Data classification in schema; encryption by default |
+| 4 | Full functionality | Privacy and features coexist; no false trade-offs |
+| 5 | End-to-end security | Encryption at rest + in transit; secure deletion |
+| 6 | Visibility and transparency | Audit trails; clear privacy notices |
+| 7 | Respect for user privacy | User-centric controls; easy rights exercise; no dark patterns |
+
+### Data Minimization
+
+```typescript
+// WRONG: Collecting everything "just in case"
+interface UserRegistration {
+  email: string; password: string; fullName: string;
+  dateOfBirth: string; gender: string; ssn: string; // Never needed for registration
+}
+
+// CORRECT: Only what the purpose requires
+interface UserRegistration {
+  email: string; password: string; displayName: string;
+}
+```
+
+### Purpose Limitation — Scoped Database Views
+
+```sql
+CREATE TABLE users (
+  id UUID PRIMARY KEY, email TEXT NOT NULL,
+  display_name TEXT NOT NULL, date_of_birth DATE,
+  shipping_address JSONB, created_at TIMESTAMPTZ DEFAULT NOW()
+);
+
+-- Each service sees only what it needs
+CREATE VIEW users_authentication AS SELECT id, email FROM users;
+CREATE VIEW users_shipping AS SELECT id, display_name, shipping_address FROM users;
+CREATE VIEW users_analytics AS
+  SELECT id, date_trunc('year', date_of_birth) AS birth_year,
+         date_trunc('month', created_at) AS signup_month FROM users;
+-- GRANT SELECT ON users_authentication TO auth_service;
+```
+
+### Storage Limitation — Retention Cron Job
+
+```typescript
+const policies: RetentionPolicy[] = [
+  { tableName: 'sessions', retentionDays: 90, action: 'delete',
+    legalBasis: 'No longer necessary (Art. 5(1)(e))' },
+  { tableName: 'events', retentionDays: 365, action: 'anonymize',
+    legalBasis: 'Legitimate interest expires after 1 year' },
+  { tableName: 'users', retentionDays: 730, action: 'delete',
+    legalBasis: 'Storage limitation — 2 years inactive' },
+  { tableName: 'transactions', retentionDays: 2555, action: 'archive',
+    legalBasis: 'Tax law — 7 years (Art. 17(3)(b))' },
+];
+
+// Runs daily via cron
+async function enforceRetention(policies: RetentionPolicy[]): Promise<void> {
+  for (const p of policies) {
+    const cutoff = new Date();
+    cutoff.setDate(cutoff.getDate() - p.retentionDays);
+    switch (p.action) {
+      case 'delete':
+        await db.query(`DELETE FROM ${p.tableName} WHERE updated_at < $1`, [cutoff]);
+        break;
+      case 'anonymize':
+        await db.query(
+          `UPDATE ${p.tableName} SET user_id = encode(digest(user_id::text,'sha256'),'hex'),
+           ip_address = NULL, email = NULL WHERE created_at < $1 AND is_anonymized = false`, [cutoff]);
+        break;
+      case 'archive':
+        await db.query(`INSERT INTO ${p.tableName}_archive SELECT * FROM ${p.tableName} WHERE created_at < $1`, [cutoff]);
+        await db.query(`DELETE FROM ${p.tableName} WHERE created_at < $1`, [cutoff]);
+        break;
+    }
+    await auditLog.record({ action: 'retention_enforcement', tableName: p.tableName });
+  }
+}
+```
+
+---
+
+## 7. Consent Management
+
+### Granular Consent Model
+
+```typescript
+interface ConsentRecord {
+  userId: string;
+  purpose: 'marketing' | 'analytics' | 'personalization' | 'essential';
+  granted: boolean;
+  timestamp: string;
+  source: 'banner' | 'settings' | 'signup';
+  version: string;       // Policy version consented to
+  expiresAt: string;
+  withdrawnAt?: string;
+}
+
+class ConsentService {
+  async grantConsent(
+    userId: string, purpose: string, source: string, policyVersion: string
+  ): Promise<ConsentRecord> {
+    const record: ConsentRecord = {
+      userId, purpose: purpose as ConsentRecord['purpose'], granted: true,
+      timestamp: new Date().toISOString(), source: source as ConsentRecord['source'],
+      version: policyVersion, expiresAt: this.calculateExpiry(purpose),
+    };
+    await this.store.save(record);
+    await this.auditLog.record({
+      actor: userId, action: 'consent_change', resource: `consent:${purpose}`,
+      dataSubjectId: userId, justification: `Granted via ${source} for v${policyVersion}`,
+    });
+    return record;
+  }
+
+  async withdrawConsent(userId: string, purpose: string): Promise<void> {
+    // Art. 7(3): Withdrawal must be as easy as granting
+    const existing = await this.store.findActive(userId, purpose);
+    if (!existing) return;
+    existing.granted = false;
+    existing.withdrawnAt = new Date().toISOString();
+    await this.store.save(existing);
+    await this.processingEngine.stopForPurpose(userId, purpose);
+  }
+
+  async isConsentValid(userId: string, purpose: string): Promise<boolean> {
+    const c = await this.store.findActive(userId, purpose);
+    if (!c || !c.granted) return false;
+    return new Date(c.expiresAt) >= new Date()
+      && c.version === await this.getCurrentPolicyVersion();
+  }
+}
+```
+
+### Consent Banner UX (No Dark Patterns)
+
+Google fined EUR 150M by CNIL, Meta EUR 60M, for manipulative consent interfaces.
+
+**Mandatory rules:**
+- Accept and Reject buttons: **equal visual prominence** (same size, color, weight).
+- Same click count for opt-in and opt-out (no "manage preferences" detour for rejection).
+- No pre-checked boxes (GDPR Recital 32: silence does not constitute consent).
+- Granular per-purpose choices (necessary, analytics, marketing, personalization).
+- No cookie walls blocking access without consent (EDPB Guidelines 05/2020).
+- Withdrawal accessible from every page (persistent footer link).
+
+```html
+<!-- WRONG: Dark pattern -->
+<button class="btn-primary btn-large">Accept All</button>
+<a href="/settings" class="text-small text-muted">Manage</a>
+
+<!-- CORRECT: Equal prominence -->
+<div class="consent-actions" role="dialog" aria-label="Cookie consent">
+  <button class="btn-secondary" onclick="rejectAll()">Reject All</button>
+  <button class="btn-secondary" onclick="showPreferences()">Preferences</button>
+  <button class="btn-secondary" onclick="acceptAll()">Accept All</button>
+</div>
+```
+
+---
+
+## 8. Cross-Jurisdictional Compliance Matrix
+
+| Requirement | EU (GDPR) | US Federal | US (CA/CPRA) | UK (UK GDPR) | Canada (PIPEDA) | Brazil (LGPD) | Singapore (PDPA) |
+|-------------|-----------|------------|--------------|--------------|-----------------|---------------|-------------------|
+| DPO required | Yes (Art. 37) | No | No | Yes | No (recommended) | Yes (all) | Yes |
+| Transfer mechanisms | SCCs, BCRs, adequacy, DPF | No restriction | No restriction | UK IDTA, UK SCCs | Consent/contractual | SCCs, BCRs, consent | Consent, comparable standard |
+| Children's age | 16 (states may lower to 13) | 13 (COPPA) | 16 | 13 | Meaningful capacity | 12 (parental consent) | Not specified |
+| Breach window | 72h (authority) | Varies (HIPAA: 60d) | "Without unreasonable delay" | 72h (ICO) | "As soon as feasible" | "Reasonable time" | "As soon as practicable" |
+| Private right of action | Yes (Art. 82) | Sector-specific | Yes (breaches) | Yes | Yes | Yes | No |
+| Consent standard | Opt-in | Varies (opt-out common) | Opt-out sale; opt-in sensitive | Opt-in | Implied or express | Express for sensitive | Deemed consent possible |
+| Maximum penalty | EUR 20M / 4% revenue | Varies (no FTC cap) | USD 7,500/violation | GBP 17.5M / 4% revenue | CAD 100K / CAD 25M proposed | 2% revenue, max BRL 50M | SGD 1M / 10% revenue |
+
+---
+
+## 9. Audit Trail Implementation
+
+### Immutable Audit Log
+
+Hash chaining provides tamper-evident integrity without requiring a blockchain.
+
+```typescript
+interface AuditEntry {
+  id: string;
+  timestamp: string;
+  actor: string;
+  action: 'access' | 'modify' | 'delete' | 'export' | 'consent_change';
+  resource: string;
+  dataSubjectId: string;
+  justification: string;
+  previousHash: string;  // SHA-256 of previous entry — chain integrity
+}
+
+class ImmutableAuditLog {
+  private lastHash = 'GENESIS';
+
+  async append(entry: Omit<AuditEntry, 'id' | 'previousHash'>): Promise<AuditEntry> {
+    const full: AuditEntry = { ...entry, id: crypto.randomUUID(), previousHash: this.lastHash };
+    const hash = await this.computeHash(full);
+    this.lastHash = hash;
+    await this.store.insert({ ...full, entryHash: hash });
+    return full;
+  }
+
+  async verifyChainIntegrity(): Promise<{ valid: boolean; brokenAt?: string }> {
+    const entries = await this.store.getAllOrdered();
+    let expected = 'GENESIS';
+    for (const entry of entries) {
+      if (entry.previousHash !== expected) return { valid: false, brokenAt: entry.id };
+      expected = await this.computeHash(entry);
+    }
+    return { valid: true };
+  }
+
+  private async computeHash(entry: AuditEntry): Promise<string> {
+    const payload = JSON.stringify({
+      id: entry.id, timestamp: entry.timestamp, actor: entry.actor,
+      action: entry.action, resource: entry.resource,
+      dataSubjectId: entry.dataSubjectId, previousHash: entry.previousHash,
+    });
+    const buf = await crypto.subtle.digest('SHA-256', new TextEncoder().encode(payload));
+    return Array.from(new Uint8Array(buf)).map(b => b.toString(16).padStart(2, '0')).join('');
+  }
+}
+```
+
+### Database Schema
+
+```sql
+CREATE TABLE audit_log (
+  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+  timestamp TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+  actor TEXT NOT NULL,
+  action TEXT NOT NULL CHECK (action IN ('access','modify','delete','export','consent_change')),
+  resource TEXT NOT NULL,
+  data_subject_id TEXT NOT NULL,
+  justification TEXT NOT NULL,
+  previous_hash TEXT NOT NULL,
+  entry_hash TEXT NOT NULL,
+  metadata JSONB DEFAULT '{}'
+);
+
+-- Append-only: REVOKE UPDATE, DELETE ON audit_log FROM app_user;
+CREATE INDEX idx_audit_data_subject ON audit_log (data_subject_id, timestamp);
+CREATE INDEX idx_audit_actor ON audit_log (actor, timestamp);
+```
+
+---
+
+## 10. Anti-Patterns
+
+### AP-COMP-01: Blanket Consent
+
+**Problem:** Single checkbox: "I agree to the privacy policy and terms." Bundles all
+purposes, violating GDPR Art. 7 specific consent requirement.
+**Fix:** Separate consent per purpose. Essential processing uses "contract" basis, not consent.
+
+### AP-COMP-02: Retention Without Policy
+
+**Problem:** Data stored indefinitely. Violates GDPR Art. 5(1)(e) storage limitation.
+**Fix:** Retention period per category with automated enforcement (see Section 6).
+
+### AP-COMP-03: Dark Patterns in Consent Flows
+
+**Problem:** Large "Accept All" with tiny "Manage preferences" link. Pre-checked boxes.
+CNIL fined Google EUR 150M for this.
+**Fix:** Equal prominence. No pre-checked boxes. Same clicks for accept and reject.
+
+### AP-COMP-04: Security Theater
+
+**Problem:** Compliance checkboxes without underlying controls. Privacy policy claims
+encryption while database stores plaintext. PCI-DSS questionnaire passes while logging
+full card numbers.
+**Fix:** Automated testing validates stated controls. Internal audits compare docs to infra.
+
+### AP-COMP-05: Soft-Delete Without Notification
+
+**Problem:** Erasure request sets `is_deleted = true` without removing data. Subject
+believes data is gone; it persists in DB, backups, and processors.
+**Fix:** Hard delete from primary stores. Pseudonymize where legal retention applies.
+Notify processors (Art. 17(2)). Schedule backup purge. Report retention with legal basis.
+
+### AP-COMP-06: Cross-Border Transfer Without Adequacy
+
+**Problem:** EU data in US-region cloud without Transfer Impact Assessment. Uber fined
+EUR 290M.
+**Fix:** Map all cross-border flows. Identify mechanism (DPF, SCCs, BCRs, adequacy).
+Conduct TIA. Re-evaluate when legal landscape changes.
+
+### AP-COMP-07: Cookie Walls
+
+**Problem:** Blocking site access without consent. EDPB Guidelines 05/2020: cookie walls
+do not meet "freely given" (GDPR Art. 7).
+**Fix:** Core functionality accessible regardless of consent. Disable non-essential
+features only.
+
+### AP-COMP-08: Privacy Policy Copy-Paste
+
+**Problem:** Generic template not reflecting actual practices. Lists uncollected categories,
+omits real ones, references unused processors.
+**Fix:** Policy mirrors ROPA. Updated with every processing change. Automated diff detects drift.
+
+### AP-COMP-09: Consent Version Drift
+
+**Problem:** Policy updated but existing consent references old version. Processing
+continues under outdated consent.
+**Fix:** Version-stamp consent records. Re-consent when policy version changes.
+
+### AP-COMP-10: Orphaned Processor Agreements
+
+**Problem:** DPAs with decommissioned processors; new processors operating without DPA.
+Art. 28 requires DPA with every processor.
+**Fix:** Processor register linked to ROPA. Quarterly review. DPA before any data sharing.
+
+---
+
+## References
+
+- GDPR: https://gdpr-info.eu/ | EDPB Guidelines: https://www.edpb.europa.eu/our-work-tools/general-guidance
+- CCPA/CPRA: https://oag.ca.gov/privacy/ccpa | HIPAA: https://www.hhs.gov/hipaa/
+- PCI-DSS 4.0: https://www.pcisecuritystandards.org/document_library/
+- Enforcement Tracker: https://www.enforcementtracker.com/ | IBM Breach Report: https://www.ibm.com/reports/data-breach
+- Cavoukian, A. "Privacy by Design: The 7 Foundational Principles"
+- LGPD: https://www.gov.br/cidadania/pt-br/acesso-a-informacao/lgpd | PIPEDA: https://www.priv.gc.ca/ | PDPA: https://www.pdpc.gov.sg/