SURV624: Privacy Law

Data Output/Access

Apply through UMD

Instructor: Thomas Fetzer

The course will start with an introduction to the historical and constitutional roots of privacy law in Europe. It will contrast those foundations with the concepts of privacy under U.S. law in order to demonstrate why privacy issues sometimes create tensions or at least misunderstandings between Europe and the U.S. The course deals with informational privacy law only, which mainly in Europe is also called “data protection law”. Data protection law addresses the question who might process personal data (collect, use, store, and transfer personal data to third parties). This points to two important limitations: First, data protection law is overlapping with data security law but has a different scope: While data protection law deals with the question under which circumstances personal data can be processed legally, data security law regulates how the integrity of data against manipulation and data theft must be secured. Data security law will only be covered in the course as far as security measures are demanded by data protection laws Second, data protection law deals only with personal data, meaning any kind of information that can be linked to a human being, but not with pure machine data. However, it should be noted that due to new data processing capabilities arguably the majority of data can be linked to human beings and is, therefore, potentially within in the scope of data protection laws.


In a second part the course will cover the European General Data Protection Regulation. The course will introduce the students to general principles of the GDPR: Under which circumstances is it applicable? This question is relevant in a geographical regard as well as in respect to which data is personal data for the purpose of the regulation. Who is responsible for complying with the GDPR? This is especially important if third parties are involved in the processing of personal data. Moreover, the course will deal with three most relevant ways to process personal data legally: Anonymization/pseudonymization, consent by the individual, and statutory permissions. In this part the course will also deal with individual’s private enforcement rights and public enforcement of data protection law.


Finally, the course will also introduce the students to current challenges to the established privacy paradigms posed by big data and big data analytics. The course will also give an overview on currently discussed alternative privacy concepts (e.g. privacy by design and enhancing digital sovereignty).

Course objectives: 

By the end of the course, students will…

  • have a basic knowledge on the foundations of privacy law in Europe and the U.S.;
  • have an understanding why privacy issues are treated differently in Europe and the U.S.;
  • have a basic knowledge on the applicability of the General Data Protection Regulation (GDPR) and its basic principles;
  • be aware of privacy issues and potential legal limitations when processing data;
  • be aware of current challenges to the existing privacy paradigms by big data and big data analytics;
  • be aware of currently discussed new approaches to privacy (e.g. privacy by design).

Grading will be based on:

Participation in discussion during the weekly online meetings and submission of questions via e-mail demonstrating understanding of the required readings and video lectures (10% of grade)
Weekly online exercises reviewing specific aspects of the material covered (60% of grade)
A final open-book online exam (30% of grade)

Dates of when assignment will be due are indicated in the syllabus. Extensions will be granted sparingly and are at the instructor's discretion.


No prerequisites.


Decision by the German Constitutional Court (“Bundesverfassungsgericht”)

“Census Act”, BVerfGE 65,1

 Whitman, The Two Western Cultures of Privacy, 113 Yale Law Journal 1151

Weekly online meetings & assignments:

  • Week 1: Introduction to privacy law (Quiz 1)
  • Week 2: The GDPR I (Quiz 2)
  • Week 3: The GDPR II (Quiz 3)
  • Week 4: The GDPR III and current challenges to the existing privacy paradigms
  • Final exam 

Course Dates


Fall Semester (September – December)


Fall Semester (September – December)


Summer Term (June – August)