The following reading list is common for the courses taught at bachelor’s and master’s level. Note that there are different achievement requirements:
- Master’s level (10 credits): A good understanding is required
- Bachelor’s level (10 credits): A general understanding is required
Course content
The course studies legal rules on data protection—i.e., a set of norms which specifically govern the processing of data relating to persons (personal data) in order to protect, at least partly, the privacy and related interests of those persons.
Outside Europe, such norms tend to be described in terms of protecting “privacy”, “information privacy”, or increasingly, “data privacy”. The main focus is on European and international codes, primarily the European Convention on Human Rights and Fundamental Freedoms (ECHR) Article 8 and Directive 95/46/EC, along with case law pursuant to these instruments. Special attention is also given to Directives 2002/58/EC and 2006/24/EC, and to Norway’s Personal Data Act of 2000 (Personopplysningsloven). The latter is used to illustrate how the international codes are nationally implemented.
The themes taken up in the course may be summed up with the following key-words: privacy, data protection, surveillance, Internet, cyberspace, encryption, freedom of expression.
Requirements
Achievement requirements for master’s level (10 credits):
Students are expected to achieve a good understanding of the following topics:
- the basic content and policy thrust of European laws on privacy/data protection;
- the rationale for these laws;
- the normative roots of these laws, particularly in relation to human rights;
- the main points of difference and similarity between these laws and their equivalents in non-European jurisdictions;
- the main challenges to the efficacy of these laws posed by technological/organisational developments;
- the principal ways in which technology can be used to enhance privacy interests.
Achievement requirements for bachelor's level (10 credits):
Students are expected to achieve knowledge of the following topics:
- the basic content and policy thrust of European laws on privacy/data protection;
- the rationale for these laws;
- the normative roots of these laws, particularly in relation to human rights;
- the main points of difference and similarity between these laws and their equivalents in non-European jurisdictions;
- the main challenges to the efficacy of these laws posed by technological/organisational developments;
- the principal ways in which technology can be used to enhance privacy interests.
Reading assignments
Main literature
*Bygrave, LA: Data Protection Law: Approaching Its Rationale, Logic and Limits (The Hague/London/New York: Kluwer Law International, 2002), chapters 2–8, 18–19 (200 pages).
*Koops, B-J & Leenes, R., “‘Code’ and the Slow Erosion of Privacy”, Michigan Telecommunications and Technology Law Review, 2005, vol. 12, issue 1, pp. 115–188.
The below mentioned articles are available in the course compendium, JUR5630/1630, Privacy, Data Protection and Lex Informatica, Course Literature- Selected available for purchase in the bookstore Akademika (Domus Nova, St. Olavs plass 5, entry from Pilestredet). Bring your student identification card when buying compendiums.
Bygrave, LA: “Data Protection Pursuant to the Right to Privacy in Human Rights Treaties”, International Journal of Law & Information Technology, 1998, volume 6, pp. 247–284; also available via http://folk.uio.no/lee/publications (37 pages).
Bygrave, L.A.,Privacy and Data Protection in an International Perspective", Scandinavian Studies in Law, 2010, volume 56 (166- 200) (34p)
Burkert, H: “Privacy-Enhancing Technologies: Typology, Critique, Vision”, in PE Agre & M Rotenberg (ed.s), Technology and Privacy: The New Landscape (Cambridge, Massachusetts: MIT Press, 1997), pp. 125–142 (17 pages).
Bygrave, LA: “Determining Applicable Law pursuant to European Data Protection Legislation”, Computer Law & Security Report, 2000, volume 16, pp. 252–257 (5 pages); also available via http://folk.uio.no/lee/publications alternatively Bing, J: “Data protection, jurisdiction and the choice of law”, Privacy Law & Policy Reporter, 1999, volume 6, pp. 92–98 (6 pages).
Greenleaf, G: “An Endnote on Regulating Cyberspace: Architecture vs Law?”, University of New South Wales Law Journal, 1998, volume 21, number 2, available at http://www.austlii.edu.au/au/journals/UNSWLJ/1998/52.html (29 p)
Lessig, L: Code and Other Laws of Cyberspace (New York: Basic Books, 1999), chapter 11.
Reidenberg, J: “Lex Informatica: The Formulation of Information Policy Rules Through Technology”, Texas Law Review, 1998, volume 76, pp. 553–593; also available at http://reidenberg.home.sprynet.com/lex_informatica.pdf (40 pages).
Rotenberg, M: “Fair Information Practices and the Architecture of Privacy (What Larry Doesn’t Get)”, Stanford Technology Law Review, 2001, available at http://stlr.stanford.edu/STLR/Articles/01_STLR_1/index.htm (34 pages).
Supplementary literature
Bennett, C.J. & Raab, C.D.: The Governance of Privacy. Policy instruments in global perspective (MIT Press, 2006).
Bygrave, L.A.: “Electronic Agents and Privacy: A Cyberspace Odyssey 2001”, International Journal of Law and Information Technology, 2001, volume 9, pp. 275–294.
Bygrave, L.A.: “Privacy-enhancing technologies – caught between a rock and a hard place”, Privacy Law & Policy Reporter, 2002, volume 9, pp. 135–137.
Bygrave, L.A.: “Digital Rights Management and Privacy – Legal Aspects in the European Union”, in E. Bekker et al. (eds.), Digital Rights Management: Technological, Economic, Legal and Political Aspects (Berlin / Heidelberg: Springer, 2003), pp. 418–446.
Flaherty, D.H.:Protecting Privacy in Surveillance Societies (Chapel Hill / London: University of North Carolina Press, 1989).
Froomkin, A.M.: “The Death of Privacy?”, Stanford Law Review, 2000, volume 52, pp. 1461–1543;
Grijpink, J.: “Biometrics and Privacy”, Computer Law & Security Report, 2001, vol. 17, no. 3, pp. 154–160.
Kuner, C.: European Data Privacy Law and Online Business (Oxford: Oxford University Press, 2007 2nd edition).
Lessig, L: “The Law of the Horse: What Cyberlaw might Teach”, Harvard Law Review, 1999, volume 113, pp. 501–546 http://cyber.law.harvard.edu/works/lessig/finalhls.pdf (45 pages).
Olsen, T. & Mahler, T.: “Identity management and data protection law: Risk, responsibility and compliance in ‘Circles of Trust’”, Computer Law & Security Report, 2007, vol. 23, nos. 4–5, pp. 342–351, 415–426.
Reidenberg, J.R.: “Resolving Conflicting International Data Privacy Rules in Cyberspace”, Stanford Law Review, 2000, vol. 52, pp. 1315–1371.
Shaffer, G.: “Globalization and Social Protection: The Impact of E.U. and International Rules in Ratcheting Up of U.S. Privacy Standards”, Yale Journal of International Law, 2000, volume 25, pp. 1–88.
Solove, D.: “Privacy and Power: Computer Databases and Metaphors for Information Privacy”, Stanford Law Review, 2001, volume 53, pp. 1393–1462.
Westin A.F.: Privacy and Freedom (New York: Atheneum, 1970).
Regulatory instruments
The below mentioned directives/decisions are available in the compedium Regulatory instruments available for purchase in the bookstor Akademika, DN
Council of Europe’s Convention on data protection (1981) – Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No 108), adopted 28.1.1981; available at http://conventions.coe.int/Treaty/EN/Treaties/Html/108.htm
Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data regarding supervisory authorities and transborder data flows (E.T.S. No. 181), adopted 8.11.2001.
EC Directive on data protection (1995) – Directive 95/46/EC of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (O.J. No. L 281, 23.11.1995, 31).
EC Directive on privacy and electronic communications (2002) – Directive 2002/58/EC of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector_ (O.J. No. L 201, 31.07.2002, 37).
EC Directive on data retention (2006) – Directive 2006/24/EC of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC (O.J. No. L 105, 13.4.2006, 54). Available at http://eur-lex.europa.eu/LexUriServ/site/en/oj/2006/l_105/l_10520060413en00540063.pdf
Decision 2000/520/EC of 26.7.2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbor privacy principles and related frequently asked questions issued by the US Department of Commerce (O.J. L 215, 25.8.2000, 7). Available at http://eur-lex.europa.eu/LexUriServ/site/en/oj/2000/l_215/l_21520000825en00070047.pdf
Norway’s Personal Data Act (2000) – lov om behandling av personopplysninger av 14. april 2000 nr 31; available at http://www.datatilsynet.no/Global/english/Personal%20Data%20Act_20100215.pdf
OECD Guidelines on data protection (1980) – Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data, adopted 23.9.1980; available at http://europa.eu.int/comm/justice_home/fsj/privacy/instruments/oecdguideline_en.htm
UN Guidelines on data protection (1990) – Guidelines Concerning Computerized Personal Data Files, adopted 14.12.1990; available at http://europa.eu.int/comm/justice_home/fsj/privacy/instruments/un_en.htm
Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters; available athttp://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2008:350:0060:0071:EN:PDF