Syllabus/achievement requirements

The following reading list is common for the courses taught at bachelor’s and master’s level. Note that there are different achievement requirements:

  • Master’s level (15 credits): A good understanding is required
  • Bachelor’s level (10 credits): A general understanding is required

Course content

The primary aim of the course is to facilitate a solid understanding of legal policies on privacy and data protection, particularly in the context of distributed computer networks such as the Internet. More specifically, the course seeks to illuminate the rationale and regulatory logic of such policies along with the various technological challenges that they face.

The secondary aim of the course is to facilitate an understanding of the regulatory impact of information technology; that is, to analyse the significance and role of what has been termed “lex informatica” (Reidenberg).

The course seeks also to illuminate legal-regulatory issues related to freedom of expression, the increasing automatisation of decision-making processes, the increasingly cross-national character of organisational transactions, and the interaction of legal norms with the regulatory effects of IT and other non-legal instruments, such as sectoral codes of practice.

The themes taken up in the course may be summed up with the following key-words: privacy, data protection, surveillance, Internet, cyberspace, encryption, freedom of expression, automated decision making, rule of law, codes of practice, electronic commerce.

With respect to law on privacy and data protection, the primary points of departure for course discussion will be the 1995 EC Directive on data protection (Directive 95/46/EC of 24.10.1995) and case law pursuant to Article 8 of the 1950 European Convention on Human Rights and Fundamental Freedoms (ECHR). Special attention will also be given to the 2002 EC Directive on privacy and electronic communications (Directive 2002/58/EC), Norway’s Personal Data Act of 2000 (Personopplysningsloven) and Germany’s Teleservices Data Protection Act of 1997 (Teledienstedatenschutzgesetz).

Requirements

Achievement requirements for master’s level (15 credits):

Students are expected to achieve a good understanding of the following topics:

  • the basic content and policy thrust of European laws on privacy/data protection;
  • the rationale for these laws;
  • the normative roots of these laws, particularly in relation to human rights;
  • the main points of difference and similarity between these laws and their equivalents in non-European jurisdictions;
  • the main challenges to the efficacy of these laws posed by technological/organisational developments;
  • the principal ways in which technology can be used to enhance privacy interests.

Achievement requirements for bachelor's level (10 credits):

Students are expected to achieve knowledge of the following topics:

  • the basic content and policy thrust of European laws on privacy/data protection;
  • the rationale for these laws;
  • the normative roots of these laws, particularly in relation to human rights;
  • the main points of difference and similarity between these laws and their equivalents in non-European jurisdictions;
  • the main challenges to the efficacy of these laws posed by technological/organisational developments;
  • the principal ways in which technology can be used to enhance privacy interests.

Reading assignments

Main literature

Bygrave, LA: Data Protection Law: Approaching Its Rationale, Logic and Limits (The Hague/London/New York: Kluwer Law International, 2002), chapters 2–8, 18–19 (200 pages).

The articles mentioned below are available in the course compendium, JUR 5630/1630, Privacy, Data Protection and Lex Informatica, Course Literature- Selected

Bygrave, LA: “Data Protection Pursuant to the Right to Privacy in Human Rights Treaties”, International Journal of Law & Information Technology, 1998, volume 6, pp. 247–284; also available via http://folk.uio.no/lee/publications (37 pages).

Bygrave, L.A., “Privacy Protection in a Global Context – A Comparative Overview”, Scandinavian Studies in Law, 2004, volume 47, pp. 319–348 (29 pages). (Handout)

Burkert, H: “Privacy-Enhancing Technologies: Typology, Critique, Vision”, in PE Agre & M Rotenberg (eds.), Technology and Privacy: The New Landscape (Cambridge, Massachusetts: MIT Press, 1997), pp. 125–142 (17 pages).

Bygrave, LA & Aarø, AH: “Privacy, Personality and Publicity – An Overview of Norwegian Law”, in M. Henry (ed.), International Privacy, Publicity and Personality Laws (London: Butterworths, 2001), pp. 333–346; also available via http://folk.uio.no/lee/publications (13 pages).

Bygrave, LA: “Determining Applicable Law pursuant to European Data Protection Legislation”, Computer Law & Security Report, 2000, volume 16, pp. 252–257 (5 pages); also available via http://folk.uio.no/lee/publications; alternatively, Bing, J: “Data protection, jurisdiction and the choice of law”, Privacy Law & Policy Reporter, 1999, volume 6, pp. 92–98 (6 pages).

Greenleaf, G: “An Endnote on Regulating Cyberspace: Architecture vs Law?”, University of New South Wales Law Journal, 1998, volume 21, number 2, available at http://www.austlii.edu.au/au/journals/UNSWLJ/1998/52.html (29 pages).

Karanja, SK: “The Schengen Co-operation: Consequences for the Rights of EU Citizens”, Mennesker og rettigheter, 2000, volume 18, number 3, pp. 215–222; also available via http://www.personvern.uio.no/pvpn/artikler/index.html

Karanja, S.K.: “SIS II Legislative Proposals 2005: Gains and Losses!”, in G.P. Krog & A.G.B. Bekken (eds.): Yulex 2005 (Oslo: Institutt for rettsinformatikk / Unipub, 2005), pp. 81–103. (handout)

Lessig, L: Code and Other Laws of Cyberspace (New York: Basic Books, 1999), chapter 11.

Reidenberg, J: “Lex Informatica: The Formulation of Information Policy Rules Through Technology”, Texas Law Review, 1998, volume 76, pp. 553–593; also available at http://reidenberg.home.sprynet.com/lex_informatica.pdf (40 pages).

Rotenberg, M: “Fair Information Practices and the Architecture of Privacy (What Larry Doesn’t Get)”, Stanford Technology Law Review, 2001, available at http://stlr.stanford.edu/STLR/Articles/01_STLR_1/index.htm (34 pages).

Supplementary literature

Bennett, C.J. & Raab, C.D.: The Governance of Privacy. Policy instruments in global perspective (MIT Press, 2006).

Bygrave, L.A.: “Electronic Agents and Privacy: A Cyberspace Odyssey 2001”, International Journal of Law and Information Technology, 2001, volume 9, pp. 275–294.

Bygrave, L.A.: “Privacy-enhancing technologies – caught between a rock and a hard place”, Privacy Law & Policy Reporter, 2002, volume 9, pp. 135–137.

Bygrave, L.A.: “Digital Rights Management and Privacy – Legal Aspects in the European Union”, in E. Bekker et al. (eds.), Digital Rights Management: Technological, Economic, Legal and Political Aspects (Berlin / Heidelberg: Springer, 2003), pp. 418–446.

Flaherty, D.H.: Protecting Privacy in Surveillance Societies (Chapel Hill / London: University of North Carolina Press, 1989).

Froomkin, A.M.: “The Death of Privacy?”, Stanford Law Review, 2000, volume 52, pp. 1461–1543.

Grijpink, J.: “Biometrics and Privacy”, Computer Law & Security Report, 2001, vol. 17, no. 3, pp. 154–160.

Koops, B-J & Leenes, R., “‘Code’ and the Slow Erosion of Privacy”, Michigan Telecommunications and Technology Law Review, 2005, vol. 12, issue 1, pp. 115–188.

Kuner, C.: European Data Privacy Law and Online Business (Oxford: Oxford University Press, 2007 2nd edition).

Lessig, L: “The Law of the Horse: What Cyberlaw might Teach”, Harvard Law Review, 1999, volume 113, pp. 501–546 http://cyber.law.harvard.edu/works/lessig/finalhls.pdf (45 pages).

Olsen, T. & Mahler, T.: “Identity management and data protection law: Risk, responsibility and compliance in ‘Circles of Trust’”, Computer Law & Security Report, 2007, vol. 23, nos. 4–5, pp. 342–351, 415–426.

Olsen, T. & Mahler, T.: “Data Protection Issues in Collaborative Identity Management: Compliance and Responsibility in Circles of Trust” (2006), working paper (available from authors).

Reidenberg, J.R.: “Resolving Conflicting International Data Privacy Rules in Cyberspace”, Stanford Law Review, 2000, vol. 52, pp. 1315–1371.

Shaffer, G.: “Globalization and Social Protection: The Impact of E.U. and International Rules in Ratcheting Up of U.S. Privacy Standards”, Yale Journal of International Law, 2000, volume 25, pp. 1–88.

Solove, D.: “Privacy and Power: Computer Databases and Metaphors for Information Privacy”, Stanford Law Review, 2001, volume 53, pp. 1393–1462.

Westin A.F.: Privacy and Freedom (New York: Atheneum, 1970).

Regulatory instruments

The below mentioned directives/decisions are available in Regulatory instruments 2009 or 2010

Council of Europe’s Convention on data protection (1981) – Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No 108), adopted 28.1.1981; available at http://conventions.coe.int/Treaty/EN/Treaties/Html/108.htm

Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data regarding supervisory authorities and transborder data flows (E.T.S. No. 181), adopted 8.11.2001.

EC Directive on data protection (1995) – Directive 95/46/EC of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (O.J. No. L 281, 23.11.1995, 31).

EC Directive on privacy and electronic communications (2002) – Directive 2002/58/EC of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (O.J. No. L 201, 31.07.2002, 37).

EC Directive on data retention (2006) – Directive 2006/24/EC of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC (O.J. No. L 105, 13.4.2006, 54). Available at http://eur-lex.europa.eu/LexUriServ/site/en/oj/2006/l_105/l_10520060413en00540063.pdf

Decision 2000/520/EC of 26.7.2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbor privacy principles and related frequently asked questions issued by the US Department of Commerce (O.J. L 215, 25.8.2000, 7). Available at http://eur-lex.europa.eu/LexUriServ/site/en/oj/2000/l_215/l_21520000825en00070047.pdf

Norway’s Personal Data Act (2000) – lov om behandling av personopplysninger av 14. april 2000 nr 31; available at http://www.datatilsynet.no/upload/Dokumenter/regelverk/lov_forskrift/lov-20000414-031-eng.pdf

OECD Guidelines on data protection (1980) – Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data, adopted 23.9.1980; available at http://europa.eu.int/comm/justice_home/fsj/privacy/instruments/oecdguideline_en.htm

OECD Guidelines on information security (2002) – Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security, adopted 25.7.2002, available at http://www.ftc.gov/bcp/conline/edcams/infosecurity/popups/OECD_guidelines.pdf

UN Guidelines on data protection (1990) – Guidelines Concerning Computerized Personal Data Files, adopted 14.12.1990; available at http://europa.eu.int/comm/justice_home/fsj/privacy/instruments/un_en.htm

Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters; available at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2008:350:0060:0071:EN:PDF

Published Oct. 13, 2009 2:32 PM - Last modified Oct. 11, 2010 9:14 PM