European Data Protection and Privacy Law
Full course description
Privacy and data protection are fundamental rights that have gained salience not only as rights protected within the European multi-level human rights protection system, but also as rights that provide a framework for the activities of entities using data as a basis for their economic activity (as if it were the new oil). This means that data protection as a discipline is complementary to data management and lies at the intersection with other major disciplines of law, applying to both private and public actors. What is more, it seems that the regulatory paradigm underlying the GDPR has become a blueprint not only for data protection laws worldwide, but also for legislative attempts to ensure the ethical and fundamental-rights-compliant development of new technologies. The Digital Services Act and the proposal for the future AI Regulation only herald the European Union’s ‘Digital Decade’ (https://digital-strategy.ec.europa.eu/en/policies/digital-compass), the importance of which has been underlined by the radical change of our work- and lifestyles during the past months marked by the Covid-19 pandemic.
Against this background, during the European Privacy and Data Protection Law course we will explore the European privacy and data protection system, presenting it against an inter-disciplinary background and, subsequently, in the context of international and comparative law.
The course will begin with an exploration of the GDPR-based architecture of data protection from three perspectives: that of data subjects, who derive rights and protection from the European Union data protection framework; that of data controllers, which are tasked with principle-compliant data processing, with assessing and mitigating risks emerging from data processing operations and with ensuring the rights of data subjects; and, finally, that of supervisory authorities, who oversee compliance with data protection principles. Subsequently, the optics will be expanded by taking comparative (ECHR, other jurisdictions) and intra-disciplinary (data retention, law enforcement, etc.) perspectives.
In preparation for the course, students will be offered an optional brief preparatory module outlining the basic technological and economic constructs lying at the foundations of the data-based economy.
The course will be complemented by guest lectures delivered by experts and scholars associated with the European Centre for Privacy and Cybersecurity (ECPC), with the use of practice-oriented challenges and a focus on the case law of courts (both European and beyond).
At the end of the course students will be asked to sit a take-home exam. In addition, students will be given an assignment with elements of group and individual evaluation.
The aims of this course are to acquire:
- Basic knowledge of European privacy and data protection law and the way it positions itself vis-à-vis other legal systems and disciplines;
- Fundamental knowledge of the architecture of the European Union data protection laws, in particular, the General Data Protection Regulation (Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data) and the Directive on Data Protection for Prevention of Criminal Offences (Directive 2016/680 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data);
- The awareness of the interplay of the European Union data protection rules with other fundamental rights and legal instruments;
- Knowledge and understanding of the basic construction of the ECHR based protection of the right to private and family life;
- Understanding of core notions of EU privacy and data protection law, such as data subject, data controller and processor, accountability, legal bases for data processing, explicit consent, sensitive data, data protection impact assessment, anonymisation and pseudonymisation, rights of data subjects, including the right to be forgotten, enforcement and fines;
- Awareness of the variety of rights and obligations stemming from the GDPR and affecting not only individuals’ experience and exercise of the right to data protection and privacy, but also the organisation of enterprises and the function of public authorities in this context.
- Awareness of the functioning of the GDPR regulatory paradigm and the methodologies of compliance stemming from it.
- Awareness of the impact of the GDPR on other areas of technology regulation.
It is not a prerequisite for attending the course, but it is an advantage if students know the basics of the European multi-level system of human rights protection. If this basic knowledge is lacking, assistance will be provided for additional self-study aimed at complementing it.
- B. Rainey, E. Wicks and C. Ovey, Jacobs, White and Ovey - The European Convention on Human Rights (OUP 2017), Chapter 16: Protecting private life, the home and correspondence
- Fundamental Rights Agency, Handbook on European data protection law (FRA, 2018), available at <https://fra.europa.eu/en/publication/2018/handbook-european-data-protection-law> (available for free; a print version can be ordered via the European Commission bookstore)
- C. Kuner, L.A. Bygrave, and C. Docksey, Commentary on the EU General Data Protection Regulation (Oxford University Press, 2020).
Mandatory legal sources:
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L 119, 4.5.2016, p. 1
- Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA, OJ L 119, 4.5.2016, p. 89
- Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC Text with EEA relevance, Official Journal L 295, 21.11.2018, p. 39
- Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), Official Journal L 201, 31/07/2002 P. 0037
- Treaty on the Functioning of the European Union, Official Journal C 326, 26.10.2012, p. 47
- Treaty on European Union, Official Journal C 326, 26.10.2012, p. 13
- Charter of Fundamental Rights of the European Union, Official Journal C 326, 26.10.2012, p. 392
- European Convention on Human Rights (ECHR)