European Data Protection and Privacy Law
Full course description
Have you ever thought of how data-based economy influences your life, business, government? How does technology use your personal data to make decisions which are of relevance for your life? What is its impact on your fundamental rights? And furthermore, how does the protection of your data affect other areas of law and other entities?
Privacy and data protection are the fundamental rights that have gained salience not only as the fundamental rights protected within the European multi-level human rights protection system, but also as rights that provide framework for activities of entities using data as a basis for their economic activity (as if it was the new oil). This means that data protection as a discipline is complementary to data management and lies at the intersection with other major disciplines of law, both applying to private and public actors.
Against this background and with this in mind, we will explore the European privacy and data protection system presenting it against the inter-disciplinary background and, subsequently, in the context of international and comparative law. Following on the introductory lectures, we will focus on data protection in the European Union, its main principles and the way they inter-play with other legal orders. During the final encounters we will explore the architecture of data protection from three perspectives: that of data subjects, who derive rights and protection from the European Union data protection framework; that of data controllers, which are tasked with principle-compliant data processing, with assessing and mitigating risks emerging from data processing operations and with ensuring the rights of data subjects; and, finally, that of supervisory authorities who oversee the compliance with data protection principles.
The course will be delivered by a group of experts and scholars associated with the European Centre for Privacy and Cybersecurity (ECPC) with the use of practice-oriented challenges and the focus on the case law of courts (both European and beyond).
The core teaching staff for this course consists of:
- Prof Dr Paolo Balboni
- Dr Maja Brkan
- Dr Herke Kranenborg
- Cosimo Monda
- Christopher Mondschein
- Dr. Karolina Podstawa
Throughout the course students’ participation will be evaluated in an ongoing manner. At the end of the course students will be asked to sit a take home exam.
The aims of this course are to acquire:
- Basic knowledge of European privacy and data protection law and the way it positions itself vis-à-vis other legal systems and disciplines;
- Fundamental knowledge of the architecture of the European Union data protection laws, in particular, the General Data Protection Regulation (Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data) and the Directive on Data Protection for Prevention of Criminal Offences (Directive 2016/680 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data);
- The awareness of the interplay of the European Union data protection rules with other fundamental rights and legal instruments;
- Understanding of core notions of EU privacy and data protection law, such as data subject, data controller and processor, accountability, legal bases for data processing, explicit consent, sensitive data, data protection impact assessment, anonymisation and pseudonimisation, rights of data subjects, including the right to be forgotten, enforcement and fines;
- Awareness of the variety of rights and obligations stemming from the GDPR, but affecting not only individuals’ experience and execution of the right to data protection and privacy, but also the organisation of enterprises and the function of public authorities in this context.
It is not a prerequisite for attending the course but an advantage if students have the knowledge of the basics of the European multi-level system of human rights protection. If this basic knowledge is lacking, assistance will be provided for additional self-study aimed at complementing the basic knowledge.
- B. Rainery, E. Wicks and C. Ovey, Jacobs, White and Ovey - The European Convention on Human Rights (OUP 2017), Chapter 16: Protecting private life, the home and correspondence
- Fundamental Rights Agency, Handbook on European data protection law (FRA, 2018) available at < https://fra.europa.eu/en/publication/2018/handbook-european-data-protection-law>
- C. Kuner, L.A. Bygrave, and C. Docksey, Commentary on the EU General Data Protection Regulation (Oxford University Press, forthcoming 2019), see the 2018 Draft commentaries on 10 GDPR articles (from Commentary on the EU General Data Protection Regulation, OUP 2019) available at <https://works.bepress.com/christopher-kuner/1/>
- Paul Voigt, Axel von dem Bussche, The EU General Data Protection Regulation (GDPR) – A Practical Guide, Springer 2017.
Mandatory legal sources:
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L 119, 4.5.2016, p. 1
Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA, OJ L 119, 4.5.2016, p. 89
Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC Text with EEA relevance, Official Journal L 295, 21.11.2018, p. 39
Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), Official Journal L 201, 31/07/2002 P. 0037
Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications), COM(2017) 10 final
Treaty on the Functioning of the European Union, Official Journal C 326, 26.10.2012, p. 47
Treaty on European Union, Official Journal C 326, 26.10.2012, p. 13
Charter of Fundamental Rights of the European Union, Official Journal C 326, 26.10.2012, p. 392
European Convention on Human Rights (ECHR)