Achievement requirements
Achievement requirements for master’s level (10 credits):
Knowledge
- Thorough knowledge of the rationale for legal protection of personal data.
- Thorough knowledge of the legal framework for data protection in the European Union (EU) and European Economic Area (EEA).
- Knowledge of the interaction of data protection law with other fields of law, such as administrative law, labour law, human rights law and contract law.
- Knowledge of the data protection laws in certain non-European jurisdictions, particularly the USA.
- Thorough knowledge of the ways in which distributed computer networks such as the Internet, along with other forms of information and communication technology (ICT), challenge the application and enforcement of law on protection of personal data.
- Good knowledge of the challenges in arriving at global consensus on legal policies for data protection.
- Good knowledge of the relevant EU rules for determining applicable law and extra-territorial jurisdiction in the field.
- Good knowledge of relevant soft law (guidelines and codes of practice).
Skills
- Interpret and apply legal rules on protection of personal data, in accordance with generally accepted legal-dogmatic method.
- Interpret and apply EU rules on applicable law and extra-territorial jurisdiction related to protection of personal data.
- Elucidate and critically assess the efficacy of data protection law in the digital environment.
General competence
- Ability to understand thoroughly the rationale, logic and limits of law on protection of personal data.
- Ability to analyse critically the assumptions upon which the law is based, and to discuss sensibly alternative regulatory possibilities.
- Ability to understand the place of data protection law in the broader legal landscape.
- Ability to understand the EU rules for determining applicable law and extra-territorial jurisdiction pertaining to protection of personal data, and to understand why these rules are controversial.
Achievement requirements for bachelor’s level (10 credits):
Knowledge
- Solid knowledge of the rationale for legal protection of personal data.
- Solid knowledge of the legal framework for data protection in the European Union (EU) and European Economic Area (EEA).
- Knowledge of the interaction of data protection law with other fields of law, such as administrative law, labour law, human rights law and contract law.
- Knowledge of the data protection laws in certain non-European jurisdictions, particularly the USA.
- Knowledge of the ways in which distributed computer networks such as the Internet, along with other forms of information and communication technology (ICT), challenge the application and enforcement of law on point.
- Appreciation of the challenges in arriving at global consensus on legal policies for data protection.
- Knowledge of relevant soft law (guidelines and codes of practice).
Skills
- Interpret and apply legal rules on protection of personal data, in accordance with generally accepted legal-dogmatic method.
- Elucidate and critically assess the challenges posed by ICT to data protection law.
General competence
- Ability to understand the rationale, logic and limits of law on protection of personal data.
- Ability to understand the place of data protection law in the broader legal landscape.
- Ability to analyse critically the assumptions upon which the law is based, and to discuss sensibly alternative regulatory possibilities.
Reading assignments
Main literature
Bagger Tranberg, C.: “Proportionality and data protection in the case law of the European Court of Justice”, International Data Privacy Law, 2011, vol. 1(4), pp. 239–248 (9 pages).
Lee A. Bygrave, Data Privacy Law: An International Perspective (Oxford University Press, 2014) ( 220 p)
Bygrave, LA: “Data Protection Pursuant to the Right to Privacy in Human Rights Treaties”, International Journal of Law & Information Technology, 1998, volume 6, pp. 247–284 (37 pages).
Koops, B-J. & Leenes, R.: “‘Code’ and the Slow Erosion of Privacy”, Michigan Telecommunications and Technology Law Review, 2005, vol. 12, issue 1, pp. 115–188 (73 pages; Master’s level only).
Moerel, L.: “The long arm of EU data protection law: Does the Data Protection Directive apply to processing of personal data of EU citizens by websites worldwide?”, International Data Privacy Law, 2011, vol. 1(1), pp. 28–46 (18 pages).
Moerel, L.: “Back to basics: when does EU data protection law apply?”, International Data Privacy Law, 2011, vol. 1(2), pp. 92–110 (18 pages).
Svantesson, D.J.B.: “The regulation of cross-border data flows”, International Data Privacy Law, 2011, vol. 1(3), pp. 180–198 (18 pages).
Master's level: 393 pages
Bachelor's level: 320 pages
Supplementary literature
Bennett, C.J. & Raab, C.D.: The Governance of Privacy. Policy instruments in global perspective (MIT Press, 2006).
Bygrave, L.A.: “The Body as Data? Biobank Regulation via the ‘Back Door’ of Data Protection Law”, Law, Innovation and Technology, 2010, vol. 2, pp. 1–25 (25 pages).
Bygrave, L.A.: “Digital Rights Management and Privacy – Legal Aspects in the European Union”, in E. Bekker et al. (eds.), Digital Rights Management: Technological, Economic, Legal and Political Aspects (Berlin / Heidelberg: Springer, 2003), pp. 418–446.
Flaherty, D.H.:Protecting Privacy in Surveillance Societies (Chapel Hill / London: University of North Carolina Press, 1989).
Froomkin, A.M.: “The Death of Privacy?”, Stanford Law Review, 2000, volume 52, pp. 1461–1543.
Kuan Hon, W., Millard, C. and Walden, I.: “The problem of ‘personal data’ in cloud computing: what information is regulated?—The cloud of unknowing”, International Data Privacy Law, 2011, vol. 1(4), pp. 211-228 (17 pages).
Kuan Hon, W., Millard, C. and Walden, I.: “Who is responsible for ‘personal data’ in cloud computing?—The cloud of unknowing, Part 2”, International Data Privacy Law, 2012, vol. 2(1), pp. 3-18 (15 pages).
Kuner, C.: European Data Privacy Law and Online Business (Oxford: Oxford University Press, 2007, 2nd edition).
Olsen, T. & Mahler, T.: “Identity management and data protection law: Risk, responsibility and compliance in ‘Circles of Trust’”, Computer Law & Security Report, 2007, vol. 23, nos. 4–5, pp. 342–351, 415–426.
Reidenberg, J.R.: “Resolving Conflicting International Data Privacy Rules in Cyberspace”, Stanford Law Review, 2000, vol. 52, pp. 1315–1371.
Shaffer, G.: “Globalization and Social Protection: The Impact of E.U. and International Rules in Ratcheting Up of U.S. Privacy Standards”, Yale Journal of International Law, 2000, volume 25, pp. 1–88.
Solove, D.: “Privacy and Power: Computer Databases and Metaphors for Information Privacy”, Stanford Law Review, 2001, volume 53, pp. 1393–1462.
Tene, O.: “Privacy: The New Generations”, International Data Privacy Law, 2011, vol. 1(1), pp. 15-27 (12 pages).
Westin A.F.: Privacy and Freedom (New York: Atheneum, 1970).
Relevant Regulatory instruments:
Council of Europe’s Convention on data protection (1981) – Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No 108), adopted 28.1.1981; available at http://conventions.coe.int/Treaty/EN/Treaties/Html/108.htm
Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data regarding supervisory authorities and transborder data flows (E.T.S. No. 181),adopted 8.11.2001; available at http://conventions.coe.int/Treaty/EN/Treaties/Html/181.htm
EC Directive on data protection (1995) – Directive 95/46/EC of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (O.J. No. L 281, 23.11.1995, 31), available at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML
EC Directive on privacy and electronic communications (2002) – Directive 2002/58/EC of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector_ (O.J. No. L 201, 31.07.2002, 37);consolidated version available at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CONSLEG:2002L0058:20091219:EN:HTML
Decision 2000/520/EC of 26.7.2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbor privacy principles and related frequently asked questions issued by the US Department of Commerce (O.J. L 215, 25.8.2000, 7). (no longer in force)
Available at: http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32000D0520&qid=1487173366306&from=EN
Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield (notified under document C(2016) 4176):
Norway’s Personal Data Act (2000) – lov om behandling av personopplysninger av 14. april 2000 nr 31;
https://www.datatilsynet.no/English/Regulations/Personal-Data-Act-/
OECD Guidelines on data protection (2013) – Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data,( adopted 23.9.1980) available at
http://www.oecd.org/sti/ieconomy/2013-oecd-privacy-guidelines.pdf
UN Guidelines on data protection (1990) – Guidelines Concerning Computerized Personal Data Files, adopted 14.12.1990; available at
http://www.refworld.org/docid/3ddcafaac.html
Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters; available athttp://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2008:350:0060:0071:EN:PDF
EU Data Protection Directive for Police and Justice Sectors -- Directive
(EU) 2016/680 of the European Parliament and of the Council of 27 April
2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA
EU General Data Protection Directive -- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC
Case law:
European Court of Human Rights
Amann v Switzerland, App No 27798/95, [2000] ECHR 88
Copland v UK, App No 62617/00 [2007] ECHR 253
Gaskin v UK, App No 10454/83 (1990) 12 EHRR 36
I v Finland, App No 20511/03 (2009) 48 EHRR 31
Malone v UK, App No 8691/79 (1984) 7 EHRR 14
Peck v UK, App No (2003) 36 EHRR 41
S and Marper v UK, App No 44647/98 (2008) 48 EHRR 50
Von Hannover v Germany (no 2), App Nos 40660/08 and 60641/08 (2012) 55 EHRR 15
Szabó and Vissy v Hungary, App No 37138/14 (2016) 63 EHRR 3
Court of Justice of European Union
Bodil Lindqvist (C-101/01) [2003] ECR I-12971
Digital Rights Ireland v Ireland and K?rntner Landesregierung, Tschohl, Seitlinger and Others (C-293/12 and C-594/12) [2014] ECR I-0000
European Commission v Republic of Austria (C-614/10) [2012] ECR I-0000
Google Spain v Agencia Espa?ola de Protección de Datos (AEPD) and Mario Costeja González (C-131/12) [2014] ECR I-0000
Heinz Huber v Federal Republic of Germany (C-524/06) [2008] ECR I-9705
Maximilian Schrems v Data Protection Commissioner (C-362/14) [2015] ECR I-0000
Rechnungshof v ?sterreichischer Rundfunk and Others (C-465/00, C-138/01, and C-139/01) [2003] ECR I-4989
Scarlet Extended v Société belge des auteurs, compositeurs et éditeurs SCRL (SABAM) (C-70/10) [2011] ECR I-0000
Schwarz v Stadt Bochum (C-291/12) [2013] ECR I-0000
Tietosuojavaltuutettu v Satakunnan Markkinap?rssi Oy and Satamedia Oy (C-73/07) [2008] ECR I-9831
Volker und Markus Schecke GbR and Hartmut Eifert v Land Hessen (C-92/09 and C-93/09) [2010] ECR I-11063
Breyer v FRG (C-582/14 )[2016] ECR I-0000
Franti?ek Ryne v ??ad pro ochranu osobních údaj? (C-212/3) [2014] ECR I-0000
Weltimmo v Nemzeti Adatvédelmi és Információszabadság Hatóság (C- 230/14); EU:C:2015:639
Verein für Konsumenteninformation v Amazon EU Sàrl (C-191/15);
EU:C:2016:612