Data Protection and Management Law
Objectives
This course will analyse privacy rights and data protection rights within the European Union, with a special focus on the General Data Protection Regulation (GDPR). The aim is to prepare students to operate with the GDPR, both in a theoretical and practical way, by analysing case law and practical scenarios involving data processing. The analysis and discussion will also involve some more complex and little explored scenarios, such as digital profiling, data collection for the development and training of artificial intelligence systems and the use of facial recognition technology.
General characterization
Code
37035
Credits
6
Responsible teacher
VERA LÚCIA RAPOSO
Hours
Weekly - 3
Total - 36
Teaching language
English
Prerequisites
Not Applicable
Bibliography
Article 29 Working Party, 2014. ¿Opinion 06/ 2014 on the Notion of Legitimate Interests of the Data Controller under Article 7 of Directive 95/ 46/ EC¿, https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp217_en.pdf
Article 29 Working Party, ¿Opinion 03/ 2013 on Purpose Limitation¿, 2013, https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2013/wp203_en.pdf
European Data Protection Board, 2020, ¿Guidelines 07/2020 on the concepts of controller and processor in the GDPR¿, https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf
European Data Protection Board / European Data Protection Supervisor, 2021, ¿EDPB-EDPS Joint Opinion 5/2021on the proposal for a Regulation of the European Parliament and of the Council laying down harmonised rules on artificial intelligence (Artificial Intelligence Act)¿, https://edpb.europa.eu/system/files/2021-06/edpb-edps_joint_opinion_ai_regulation_en.pdf
European Data Protection Board / European Data Protection Supervisor, 2022, ¿EDPB-EDPS Joint Opinion 03/2022 on the Proposal for a Regulation on the European Health Data Space¿, https://edpb.europa.eu/system/files/2022-07/edpb_edps_jointopinion_202203_europeanhealthdataspace_en.pdf
European Union Agency for Fundamental Rights and Council of Europe, 2018. Handbook on EU Data Protection Law. Available at https://fra.europa.eu/en/publication/2018/handbook-european-data-protection-law-2018-edition
Kuner, Christopher, Lee A. Bygrave and Christopher Docksey (eds.), 2020. The EU General Data Protection Regulation (GDPR). Oxford University Press (2020). Oxford University Press 2020 DOI: 10.1093/oso/9780198826491.003.0002
Raposo, Vera Lúcia, 2022, ¿(Do Not) Remember My Face: Uses of Facial Recognition Technology in Light of the General Data Protection Regulation¿, Information and Communication Technology Law, Doi: 10.1080/13600834.2022.2054076
Caselaw:
Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja Gonzále, (2014) CJEU C¿131/12, ECLI:EU:C:2014:317
Schrems v Data Protection Commissioner (2015) CJEU Case C-362/14, ECLI:EU:C:2015:650
Fashion ID GmbH & Co.KG v Verbraucherzentrale NRW eV, (2019) CJEU Case C- 40/17, ECLI:EU:C:2019:629
Schrems and Facebook Ireland v Data Protection Commissioner (2020) CJEU Case C-311/18, ECLI:EU:C:2020:559
X and Z v Autoriteit Persoonsgegevens, Case C-245/20, (2022) CJEU ECLI:EU:C:2021:822 (Advocate general opinion)
Note: Additional case law and references might be indicated throughout the course.
Teaching method
The course is structured in sessions that combine theoretical exposition with the practical solution of life cases and with the debate of controversial issues.
The teaching materials include not only the indicated references but also short videos that will be integrated to streamline the classes and give them a more practical content.
Evaluation method
The evaluation can be carried out in two ways:
i) Final assessment: Final exam, with the consultation of all materials
and/or
ii) Ongoing assessment:
(a) Participation in classes - 30%
(b) Written report, to be presented at the end of the semester, on an issue to be previously agreed with the professor, between 3000 and 4000 words (not counting bibliographic references) - 70%
Subject matter
1. The rights to privacy and data protection: Contextualization of these rights in European law
2. The GDPR: legal background and practical application
2.1. Scope
2.2. Basic concepts
2.3. Guiding principles
2.4. Rights of data subjects and obligations of controllers and processors
2.5. International data transfer
3. Critical assessment of the GDPR