Privacy Law

Summer 2023



No prerequisites.


The course will start with an introduction to the historical and constitutional roots of privacy law in Europe. It will contrast those foundations with the concepts of privacy under U.S. law in order to demonstrate why privacy issues sometimes create tensions or at least misunderstandings between Europe and the U.S. The course deals with informational privacy law only, which mainly in Europe is also called “data protection law”. Data protection law addresses the question who might process personal data (collect, use, store, and transfer personal data to third parties). This points to two important limitations: First, data protection law is overlapping with data security law but has a different scope: While data protection law deals with the question under which circumstances personal data can be processed legally, data security law regulates how the integrity of data against manipulation and data theft must be secured. Data security law will only be covered in the course as far as security measures are demanded by data protection laws Second, data protection law deals only with personal data, meaning any kind of information that can be linked to a human being, but not with pure machine data. However, it should be noted that due to new data processing capabilities arguably the majority of data can be linked to human beings and is, therefore, potentially within in the scope of data protection laws.

In a second part the course will cover the European General Data Protection Regulation. The course will introduce the students to general principles of the GDPR: Under which circumstances is it applicable? This question is relevant in a geographical regard as well as in respect to which data is personal data for the purpose of the regulation. Who is responsible for complying with the GDPR? This is especially important if third parties are involved in the processing of personal data. Moreover, the course will deal with three most relevant ways to process personal data legally: Anonymization/pseudonymization, consent by the individual, and statutory permissions. In this part the course will also deal with individual’s private enforcement rights and public enforcement of data protection law.

Finally, the course will also introduce the students to current challenges to the established privacy paradigms posed by big data and big data analytics. The course will also give an overview on currently discussed alternative privacy concepts (e.g. privacy by design and enhancing digital sovereignty).