European Data Protection and Privacy Law
Full course description
Have you ever thought of how data-based economy influences your life, business, government? How does technology use your personal data to make decisions which are of relevance for your life? What is the impact of personal data processing on your fundamental rights? And furthermore, how does the protection of your data affect other areas of law and other entities?
Right to privacy and right to personal data protection gained salience not only as fundamental rights protected within the European multi-level human rights protection system, but also as the source of framework for entities using data as a basis for their economic activity (as if it was the new oil). This means that data protection as a discipline is complementary to data management and increasingly is intertwined with both public and private law disciplines.
Against this background, during European Privacy and Data Protection Law course we will explore the privacy and data protection system, mainly in Europe, however, presenting it against the inter-disciplinary background and, subsequently, in the context of international and comparative law. Following on the introductory lectures, we will focus on data protection in the European Union from three perspectives: that of data subjects, who derive rights and protection from the European Union data protection framework; that of data controllers, which are tasked with principle-compliant data processing, with assessing and mitigating risks emerging from data processing operations and with ensuring the rights of data subjects; and, finally, that of supervisory authorities who oversee the compliance with data protection principles. In the second part of the course we will explore broader issues of data protection, in particular by setting the European Union system in the context of the international data protection regulations. We will also explore “sister” areas of data protection rules and investigate their sectoral application.
The course will be delivered with participation of experts and scholars associated with the European Centre for Privacy and Cybersecurity (ECPC) with the use of practice-oriented challenges and the focus on the case law of courts (both European and beyond).
At the end of the course students will be asked to sit a take home exam.
For the purposes of the course assessment, students will be required to submit one written assignment which will be graded and complete a graded group assignment.
The aims of this course are to acquire:
- Basic knowledge of European privacy and data protection law and the way it positions itself vis-à-vis other legal systems and disciplines;
- Fundamental knowledge of the architecture of the European Union data protection laws, in particular, the General Data Protection Regulation (Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data) and the Directive on Data Protection for Prevention of Criminal Offences (Directive 2016/680 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data);
- The awareness of the interplay of the European Union data protection rules with other fundamental rights and legal instruments;
- Understanding of core notions of EU privacy and data protection law, such as data subject, data controller and processor, accountability, legal bases for data processing, explicit consent, sensitive data, data protection impact assessment, anonymisation and pseudonimisation, rights of data subjects, including the right to be forgotten, enforcement and fines;
- Awareness of the variety of rights and obligations stemming from the GDPR, but affecting not only individuals’ experience and execution of the right to data protection and privacy, but also the organisation of enterprises and the function of public authorities in this context.
It is not a prerequisite for attending the course but an advantage if students have the knowledge of the basics of the European multi-level system of human rights protection. If this basic knowledge is lacking, assistance will be provided for additional self-study aimed at complementing the course.
B. Rainery, E. Wicks and C. Ovey, Jacobs, White and Ovey - The European Convention on Human Rights (OUP 2017), Chapter 16: Protecting private life, the home and correspondence
Fundamental Rights Agency, Handbook on European data protection law (FRA, 2018) available at < https://fra.europa.eu/en/publication/2018/handbook-european-data-protection-law>
C. Kuner, L.A. Bygrave, and C. Docksey, Commentary on the EU General Data Protection Regulation (Oxford University Press, forthcoming 2019), see the 2018 Draft commentaries on 10 GDPR articles (from Commentary on the EU General Data Protection Regulation, OUP 2019) available at https://works.bepress.com/christopher-kuner/1/
Paul Voigt, Axel von dem Bussche, The EU General Data Protection Regulation (GDPR) – A Practical Guide, Springer 2017.
Mandatory legal sources:
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L 119, 4.5.2016, p. 1
Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA, OJ L 119, 4.5.2016, p. 89
Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC Text with EEA relevance, Official Journal L 295, 21.11.2018, p. 39
Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), Official Journal L 201, 31/07/2002 P. 0037
Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications), COM(2017) 10 final
Treaty on the Functioning of the European Union, Official Journal C 326, 26.10.2012, p. 47
Treaty on European Union, Official Journal C 326, 26.10.2012, p. 13
Charter of Fundamental Rights of the European Union, Official Journal C 326, 26.10.2012, p. 392
European Convention on Human Rights (ECHR)