Privacy and Data protection - GDPR
10 ECTS credits
Level of Study
Place of Instruction
Lectures and seminars will be a combination of UiB-based and online.
Objectives and Content
The course studies legal rules on data protection, that is a set of norms that govern the processing of personal data with the view of protecting the privacy of individuals whose data is being processed. The EU General Data Protection Regulation 2016/679 (GDPR) defines personal data as any information relating to an identified or identifiable natural person such as a name, an identification number, location, an online identifier or any factor specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. Given the digital technologies' encroachment into our lives, the right to privacy and the protection of personal data have become crucial to both individuals, communities and businesses. A proper understanding of the rules governing data protection is now also necessary when working with other fields of law such as administrative law, EU/EEA competition law, public procurement, intellectual property law, health law or labour law.
As regards the rules governing data protection, this course focuses on the GDPR, a landmark in both data protection law and EU/EEA law, the European Convention on Human Rights and Fundamental Freedoms (ECHR) Article 8, the EU ePrivacy Directive (Directive 2002/58/EC) and the relevant case law from the Court of Justice of the EU and the European Court of Human Rights. Students are also made aware of the necessity of consulting national legislation that supplements the GDPR.
The course provides students with a thorough knowledge of the principles governing the processing of personal data, the GDPR's territorial and material scope, rights and obligations of data subjects (i.e. individuals whose personal information is processed), controllers (natural or legal persons determining the purposes and means of the processing of personal data), processors (natural or legal person that processes personal data on behalf of the controller), Data Protection Authorities in the EU/EEA, such as the Norwegian Data Protection Authority (Datatilsynet) and the European Data Protection Board (EDPB), that issues guidelines on interpreting the GDPR.
Students will learn about the legal grounds for processing personal data, including sensitive types of such data, special considerations regarding the processing of personal data of children, data protection rules applicable in the context of employment, exceptions concerning academic, journalistic and research activities, and requirements concerning transfers of personal data to third countries, that it outside EU/EEA.
Special attention is also given to data protection issues raised by the use of Artificial Intelligence, such as the legality of technologies involving automated individual decision-making and profiling. The course also covers such topics as freedom of speech and the "right to be forgotten", global surveillance in situations such as the outbreak of COVID-19 or data protection risks raised by such technologies as face recognition.
During the course the students are encouraged to identify privacy and data protection issues that are raised in other fields of law such as the above-mentioned administrative law, EU/EEA competition law, public procurement, intellectual property law, health law or labour law.
By the end of the course, students are expected to have a solid understanding of legal policies on privacy and data protection, particularly in the context of the rapid process of digitalization, implementing Artificial Intelligence solutions in both public and private sectors, not to mention the distributed computer networks such as the Internet. Given the two-fold aim of the GDPR, that is the protection of personal data and contributing to the accomplishment of the EU/EEA internal market, students should be able to correctly balance the right to data protection with other rights, freedoms and interests. Importantly, students are expected to engage in critical assessment of the GDPR with its unclarities that are still waiting for the interpretation by the EU Courts and challenges created by new technologies or unexpected events such as the COVID-19 outbreak.
A thorough knowledge of the logic governing the GDPR, which has become a global standard for data protection, will allow the students to navigate safely in other international and third countries' data protection rules. A solid understanding of the rationale behind the GDPR will also safeguard the correct application of its provisions to technologies that could not have been specifically addressed by the GDPR that was adopted in 2016.
Most importantly, due to being based on both lectures, seminars and group assignments, which enhance active learning and promote interaction with the lecturer(s) and fellow students, the course equips the students with the ability of identifying potential and existing data protection risks in "real life", clarifying their character under the relevant data protection rules and addressing them in appropriate manner. In this respect, students are expected to understand the relation between the EU/EEA law and national rules, including sectoral codes of practice.
Students are expected to be able to detect and formulate the relevant data protection issues when presented with a case, identify the relevant legal provisions (international and national, if applicable), and apply them in a correct way. They should also be able to provide arguments in favour of their assessment if a given issue requires balancing data protection against other rights, freedoms or interests. Students must also be fully comfortable with using the relevant sources of law and correctly identify their weight in the process of interpreting and applying the relevant provisions.
Given that in most cases students will have to study and communicate in a foreign language, it is expected that their English will significantly improve and that they will gain more confidence in using it.
A successful accomplishment of a group assignment will require the students cooperate in an efficient manner, assign tasks and share responsibilities in the group, exchange ideas and discuss different solutions of the legal problem(s) as well as communicate in a clear and understandable way. The necessity of presenting the results of the group work to the examiners and the external partner that provided the assignment will require that the students are able to identify and explain complex legal problems in a way that is understandable to both lawyers and non-lawyers. Such skills are crucial in relations with future clients or co-workers being experts in other sectors such as IT or health where data protection issues often arise.
Required Previous Knowledge
Three years of university studies.
Recommended Previous Knowledge
Three years of law studies.
Good level of English language.
Credit Reduction due to Course Overlap
No overlapping with courses at the Bergen Faculty of Law.
Access to the Course
The course is available for the following students:
- Admitted to the integrated master programme in law
- Admitted to the two-year master programme in law
- Exchange students at the Faculty of Law
The pre-requirements may still limit certain students' access to the course:
The number of students admitted to the course is limited to 30, of which 15 from the Norwegian master programme and 15 international exchange students. If the number of applicants exceeds this, admission will be decided by way of lottery.
See more information: GDPR evaluation of prototypes - TekLab (uib.no)
Teaching and learning methods
Active participation by the students is expected and necessary. This includes lectures, seminars, group work and activities related to project design and development.
The lectures combined with self-studying are the first step in the learning process that provide knowledge of data protection law and policies.
The seminars and group work promote active learning that allows for applying the theoretical knowledge in practice, makes the learning process both more effective and more efficient and develop the skills as described previously.
Students learn not only how to use the knowledge they already have, but also how to acquire more knowledge by using relevant sources and through cooperation with others.
Compulsory Assignments and Attendance
Compulsory attendance at first lecture and first seminar.
Forms of Assessment
Submitted and approved group assignment (report) and a final individual oral exam. The two parts will count 49 and 51 % (respectively) toward the final grade.
Examination Support Material
During the presentation of the results of the group work, students are allowed to consult and refer to a report in which they have described in detail the assignment, the legal issues they have identified, the manner in which they approached those issues and their solution(s)/answer(s).
A-E for passed, F for failed.
According to Faculty routines
Associate Professor Malgorzata Cyndecka