spring 2021
JUR-3625 Data Protection Law - 15 ECTS

Last changed 19.08.2021

Type of course

Master level. The course is given during the spring term.

Admission requirements

The course builds upon the students´ knowledge of international law and human rights acquired during their first and fourth year of study but entails no overlap with courses at the Faculty of Law.

Students should have basic knowledge of International and European law. For students on the integrated master´s degree programme in law in Tromsø, the course builds upon their knowledge of International law, European and Human Rights Law acquired during their first and fourth year of study. Students at the integrated master´s degree programme in law may choose this course as a partial fulfillment of the requirements for the elective part of the programme's fifth year, cf. Programme Specification for the Master's Degree in Jurisprudence at the University of Tromsø (Studieplan for graden Master i rettsvitenskap ved Universitetet i Tromsø), Sec. 4. Followed by necessary application and admission process, other students (such as exchange students) may also choose this course, cf. Regulations for the Elective Component in the Master's Degree Programme in Jurisprudence (Reglement for den valgfrie delen av masterstudiet i rettsvitenskap) (Regulation). Students who do not have admission to the Master of Law-studies at the Faculty of Law must contact the Faculty for information about required qualifications and application process for this course.

Course content

The technological developments make it possible to process data in ever-increasing complex and efficient ways. This has caused an increased focus on legal protection of personal data. Data protection law is a rapidly developing field, which involves a multitude of international legal instruments. The pace of technological change, automatic data processing and the digitization of society, mean it is assuming an increasingly critical role in our lives today. It regulates everything from legal responsibility for cyber-security breaches, to how social networking sites store and share data and even how its users share information about one another or others. Personal data is becoming a valuable asset. Data protection law seeks to strike a balance between protecting the rights of individuals, whilst also facilitating the movement and use of data by organisations and states. A basic understanding of data protection law is now a necessary requirement for many lawyers and many companies are under an obligation to employ specialist Data Protection Officers.

This course studies legal rules on data protection which govern the processing of data relating to persons (personal data) in order to protect the privacy and related interests of those persons. The main focus is on the European legal instruments, primarily The EU Charter of Fundamental Rights Articles 7 and 8; The European Union (EU) General Data Protection Regulation (Regulation (EU) 2016/679 - GDPR), The European Convention on Human Rights and Fundamental Freedoms (ECHR) Article 8, the current data protection directive (Directive 2002/58/EC) and the forthcoming data protection regulation along with case law pursuant to these instruments. The course offers a broad introduction to data protection law, and a more specific focus on selected key substantive topics, particularly in the context of distributed computer networks, such as the Internet. Hence, themes such as legal-regulatory issues related to surveillance and the increasing automatization of decision-making processes will be addressed.

The course consists of three main parts. The first part of the course introduces the basic concepts, principles and instruments of data protection law at a European level and includes the historical background and development of data protection law. The second part of the course deals with data protection as a human right with a focus on the historical roots of data protection, human rights instruments such as The EU Charter for Human Rights and The European Convention on Human Rights and Fundamental Freedoms (ECHR), and case law illustrating the relationship between human rights and data protection regulation. The third part of the course focuses on the EU directive and regulation on data protection and the main rules and mechanisms of these legal instruments, including the central terms, scope of regulation, applicable law, data protection principles, legal basis for processing, rights of the data subject, transfer to third countries, sanctions and control mechanisms, and data protection in the context of police and criminal justice.

From the course, one gains knowledge and an understanding of the basic rules and principles for protecting privacy and personal information, particularly as laid down in the EU and the Council of Europe (CoE) instruments, and into the regulatory challenges in the field. A further aim of the course is not just to impart knowledge of the relevant legal rules as they currently stand, but also to encourage critical appraisal of them. This involves analyzing and challenging the assumptions upon which the rules are based and a critical analysis of the interaction between law and technology.

Objectives of the course

Knowledge: Having passed the exam, the student shall have acquired:

  • advanced knowledge of the rationale for legal protection of personal data;
  • advanced knowledge of the basic concepts of data protection law;
  • advanced knowledge of the legal framework for data protection in the European Union (EU) and the European Convention on Human Rights (ECHR) including case law pursuant to these instruments;
  • good knowledge of the interplay between data protection and human rights and central rules and mechanisms of the EU legislation;
  • good knowledge of the ways in which information and communication technology (ICT), challenge the application and enforcement of law on protection of personal data;
  • knowledge of the control mechanisms and the role of the European Data Protection Supervisor (EDPS);


Skills: Having passed the exam, the student is able to:

  • understand thoroughly the rationale and logic of the law on protection of personal data;
  • to understand the place of data protection law in the broader legal landscape;
  • identify relevant data protection issues when such issues occur in a given situation
  • identify and analyze questions regarding legal rules on protection of personal data in accordance with the generally accepted legal-dogmatic method;
  • identify and discuss limits of the current law;
  • use English terminology applicable to this field of law.


General Competence: Having passed the exam, the student can:

  • apply the obtained knowledge and skills in the field of data protection law to new legal scenarios, tasks and projects, where relevant;
  • analyze data protection law issues, to argue for different possible solutions to the legal issues and make a reasoned balancing of the relevant legal arguments;
  • communicate reasoning in the field of data protection law in a clear and precise manner, orally and in writing to the academic community and the general public;
  • identify and reflect on ethical dilemmas that may arise within the field and deal with these in a responsible manner;
  • master the English language and terminology within this field of law.

Language of instruction and examination

All teaching will be held in English. This means that all communication during lectures/seminars will be in English, and all literature and auxiliary materials are in English. The exam must also be written in English.

Teaching methods

The course will consist of a combination of lectures and seminars, comprising a total of 30 hours. Students are expected to be prepared for lectures and seminars and to participate actively by discussing legal approaches to the issues at hand. Student participation is sought through discussions and voluntary case law interpretation. Students should study independently in periods when there are no lectures or seminars. They are free to use the literature in the curriculum, but are also encouraged to find additional literature in academic books or journals.


Students are required to hand in a mid-term paper assignment and have it accepted as adequate before they can take the exam. The paper shall not exceed 5 pages. The topic may be chosen freely by the students from the topics covered by the course. Before submission, all students will be given the possibility to present and discuss the paper within the class.

In assessing whether the research paper is approved, the following criteria will be used:

  • Identification, formulation and discussion of the research question
  • Critical and independent use of legal sources
  • Presentation and communication of legal arguments in a clear and precise manner
  • Knowledge within a particular topic within the course content.

The evaluation of whether the research paper is approved, is based on an overall assessment of these criteria.

The course is assessed through a six hours closed book written school examination where the student is allowed to bring a dictionary, as long as it merely provides translations and no definitions. The Faculty must approve each student’s examination supports prior to the examination. The exam may include theoretical and/or practical scenario questions. The grading scale of A to F is applied, where F constitutes fail. Students who fail their examination are entitled to re-sit the examination, cf. Regulations for examinations at the University of Tromsø Sec. 22.

Recommended reading/syllabus

Pensumliste for JUR-3625 Data Protection Law
  • About the course
  • Campus: Tromsø |
  • ECTS: 15
  • Course code: JUR-3625