European Data Protection and Privacy Law
Full course description
Privacy and data protection are fundamental rights that have gained salience not only as values protected within the European multi-level human rights protection system, but also as rights and obligations that provide a framework for the activities of entities using data as a basis for their economic activities (as if it were, in slightly dated and over-used terms, the ‘new oil’). This means that data protection as a discipline is complementary to data management and lies at the intersection with other major disciplines of law, applying to both private and public actors. What is more, it seems that the regulatory paradigm underlying the GDPR has become a blueprint not only for data protection laws worldwide, but also for legislative attempts to ensure the ethical and fundamental-rights-compliant development of new technologies. The Digital Services Act and the proposal for the future AI Regulation only herald the European Union’s ‘Digital Decade’ (https://digital-strategy.ec.europa.eu/en/policies/digital-compass), the importance of which has been underlined by the radical change in our work and lifestyles during the Covid-19 pandemic of the past years and through the employment of cyberwarfare in the course of the 2022 Russian-Ukrainian war.
With the above in mind, during the European Privacy and Data Protection Law course we will explore the European privacy and data protection system, presenting it against an interdisciplinary background and, subsequently, in the context of international and comparative law.
The course will begin with an exploration of the GDPR-based architecture of data protection from three perspectives:
- that of data controllers, which are tasked with principle-compliant data processing, with assessing and mitigating risks emerging from data processing operations and with ensuring the rights of data subjects;
- that of data subjects, who derive rights and protection from the European Union data protection framework; and, finally,
- that of supervisory authorities, who oversee compliance with data protection principles.
Subsequently, the optics will be expanded by taking a comparative (ECHR, other jurisdictions) and intra-disciplinary (data retention, law enforcement, etc.) perspective.
In preparation for the course, students are offered a brief introductory module on Canvas providing background information on the intersection of law, technology and economics.
Method
The course is based on a mix of lectures and tutorials delivered in the spirit of problem-based methodology.
Lectures offered by the course coordinator will be complemented by guest lectures delivered by University of Maastricht and European Centre on Privacy and Cybersecurity (ECPC) scholars offering a variety of perspectives on the topic of the course.
Course objectives
The aims of this course are to acquire:
- Basic knowledge of European privacy and data protection law and the way it positions itself vis-à-vis other legal systems and disciplines;
- Fundamental knowledge of the architecture of the European Union data protection laws, in particular, the General Data Protection Regulation (Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data) and the Directive on Data Protection for Prevention of Criminal Offences (Directive 2016/680 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data);
- The awareness of the interplay of the European Union data protection rules with other fundamental rights and legal instruments;
- Knowledge and understanding of the basic construction of the ECHR based protection of the right to private and family life;
- Understanding of core notions of EU privacy and data protection law, such as data subject, data controller and processor, accountability, legal bases for data processing, explicit consent, sensitive data, data protection impact assessment, anonymisation and pseudonymisation, rights of data subjects, including the right to be forgotten, enforcement and fines;
- Awareness of the variety of rights and obligations stemming from the GDPR and affecting not only individuals’ experience and exercise of the right to data protection and privacy, but also the organisation of enterprises and the function of public authorities in this context;
- Awareness of the functioning of the GDPR regulatory paradigm and the methodologies of compliance stemming from it;
- Awareness of the impact of GDPR on other areas of technology regulation;
- Skills to ensure compliance, ranging from adapting existing tools to engaging in discussion across disciplines in order to obtain a full privacy-related picture of an organization’s activities.
Prerequisites
Knowledge of the basics of the European multi-level system of human rights protection is not a prerequisite for attending the course, but it is an advantage. If this basic knowledge is lacking, assistance will be provided for additional self-study aimed at complementing it.
In addition, an understanding of the basics of data-based technology will help students understand the implications of data protection related challenges and the consequences of not addressing them. To help students obtain this knowledge, Module 0 of the course is offered to them in the Canvas environment.
Recommended reading
- E. Kosta, R. Leenes and I. Kamara, Research Handbook on EU Data Protection Law (Edward Elgar, 2022), ebook
- Fundamental Rights Agency, Handbook on European data protection law (FRA, 2018), available at <https://fra.europa.eu/en/publication/2018/handbook-european-data-protection-law> (available for free; can be ordered in a print version via the European Commission bookstore)
- B. Rainey, E. Wicks and C. Ovey, Jacobs, White and Ovey - The European Convention on Human Rights (OUP 2017), Chapter 16: Protecting private life, the home and correspondence
- Fragments of C. Kuner, L.A. Bygrave, and C. Docksey, Commentary on the EU General Data Protection Regulation (Oxford University Press, 2020, ebook).
Mandatory legal sources:
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L 119, 4.5.2016, p. 1
- Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA, OJ L 119, 4.5.2016, p. 89
- Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (Text with EEA relevance), Official Journal L 295, 21.11.2018, p. 39
- Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), Official Journal L 201, 31/07/2002 P. 0037
- Treaty on the Functioning of the European Union, Official Journal C 326, 26.10.2012, p. 47
- Treaty on European Union, Official Journal C 326, 26.10.2012, p. 13
- Charter of Fundamental Rights of the European Union, Official Journal C 326, 26.10.2012, p. 392
- European Convention on Human Rights (ECHR)