EU Data Protection Law

Course summary

This course introduces the new EU data protection regime as set out in the Regulation on the protection of individuals with regard to the processing of personal data and the free movement of such data (General Data Protection Regulation). It will provide an overview of the terminology and underlying principles of data protection. It then addresses specific areas and requirements for data controllers and processors subject to the new EU regime, including legal grounds for lawful processing of personal data, the data protection principles, rights of the data subject (including the right to be forgotten and the right to subject access), and the legal framework governing cross-border data transfers. It will also consider the challenges of enforcement at the national, regional and global level, with a particular focus on the processing of personal data in the online environment. Specific contemporary challenges for data protection such as cloud computing, data collection through smart devices and the Internet of Things, and Big Data will also be addressed.


  1. Introduction to the EU data protection framework: provides an overview of historical developments in EU data protection law and an introduction to the structure of the new regime.
  2. The General Data Protection Regulation - Scope and key defined terms: discusses the material and territorial scope of the GDPR and the main definitions, including data controller, data processor, data subject, etc.
  3. What is “personal data”?: discusses EU and UK approaches to the concept and nature of personal data and sensitive personal data in an offline and online environment (including anonymisation, pseudonymisation, and the nature of online identifiers).
  4. Data protection principles I: discusses the first data protection principle (“fair and lawful processing”), focusing on the legal grounds for data processing (consent, legitimate interest and other commercial and public policy grounds).
  5. Data protection principles II: discusses the value of the remaining data protection principles (purpose limitation, data minimisation, accuracy, data security) and their particular relevance in the age of Big Data.
  6. Rights of the data subject: including the right to object, the right to be forgotten and the right to subject access.
  7. Cross-border transfers of personal data: discusses the conditions on which personal data may be transferred outside the EEA, including recent case law and regulatory and legislative developments in this area.
  8. Enforcement and sanctions: regulatory and civil sanctions (fines, damages, etc.) and the challenges of global enforcement of regional/national rules.
  9. Privacy and electronic communications: considers the additional requirements imposed by the E-Privacy Directive (2002/54/EC) with regard to online consents, online behavioural tracking and profiling and the regulation of traffic and location data collected by electronic/mobile communications devices.
  10. Contemporary issues of data protection: likely to change from year to year, but currently likely to include cloud computing, smart devices and the Internet of Things and Big Data.

Learning outcomes

By the end of the course you should have obtained:

  • A general understanding of the fundamental principles of the EU data protection regime and information privacy.
  • A detailed and specific knowledge of data protection issues arising in specific contexts.
  • An appreciation of some of the current challenges faced by data controllers, data subjects, policy makers and regulators.
  • A basic grounding in research skills and techniques in the area of data protection and information privacy.


4000-word essay (60%); assessed course work (20%); participation in online activity (20%).

Terms and conditions

Please note the University reserves the right to make variations to the contents of programmes, including the range of courses offered, and the available choice of courses in any given year may change.
