DATA PROTECTION LAW

Filiberto Brozzetti

Instructional goals

The course promotes an in-depth analysis of one of the most challenging and multidisciplinary legal topics of our time. It addresses students with different backgrounds, such as law, economics, statistics, digital and engineering management, marketing and advertising, PR and other sectors intensely affected by the use of personal data, who intend to develop the knowledge and the attitude of privacy compliance in their activities. There will be lectures, presentations of case studies, and interviews with experts and professionals who deal on a daily basis with both the theoretical and the practical issues produced by the implementation of data protection legislation in current market practice.

Data flows are nowadays the actual fuel of economic, political and social research and strategic planning, providing continuous and rich information about the individual profiles of present or potential customers, voters and stakeholders, at a high level of detail and currency. On the other hand, such deep scrutiny has severe repercussions for data subjects trying to defend private information about themselves against illegitimate and excessive intrusions. Innovations and technologies such as big data and AI represent unmissable opportunities for businesses, enterprises and governments, but also a permanent menace to the rights and freedoms of individuals. Contemporary data protection legislation is specifically aimed at balancing the reasonable needs of the market against the impact of digital technologies on individuals. The goal of the course is to give a thorough overview of the European General Data Protection Regulation (GDPR): its principles, its rules, its implementation methods, its risk-based approach and the activity of the institutions it calls on.

The analysis will focus on the pivotal concept of “accountability” of data controllers and processors, the keystone of the new data protection legal system, which specifically requires aware and responsible actors. Engaging with organisations that must manage practical data-processing needs within a strict legal framework will help students develop an intuitive sensitivity to data protection compliance as one of the most precious strategic assets of an enterprise. Data governance consists of the ability both to mine and interpret salient information and, above all, to give an account of one’s choices when designing data processing, so as to minimize the risk of unnecessary or disruptive interference with another person’s personal and intimate life. Another goal of the class is to study and understand the different approaches to the regulation of data flows taken by Europe’s commercial partners overseas, and how the profound conceptual distinction between “privacy” and “data protection” still affects them. Comparison will be an integral part of the teaching method for this subject. Students will also be presented with the draft Acts of the EU Digital Package (DSA, DMA, DGA, Data Act, AI Regulation and ePrivacy Regulation) currently under discussion in Brussels as fundamental elements of the future European legal framework for the digital environment. In addition, students will be presented with studies and applications of the most disruptive technologies and their impact on the future of data protection.

Intended learning outcomes

Knowledge and understanding: By the end of the course, students should be able to:
• know the principles and concepts applying to data control and processing;
• follow the continuous engineering innovation in data processing and comprehend the significant characteristics of relevant technologies, such as the application of big data and AI in several business sectors;
• master the tools and the institutions of the new legal framework regulating data protection.
Applying knowledge and understanding: Upon completing the study program, students will be able to:
• assess the impact of data processing on the rights and freedoms of data subjects;
• elaborate and plan different privacy-by-design and privacy-by-default solutions depending on specific processing purposes and situations;
• communicate and work effectively as an expert in data protection issues.
Making judgements: Upon completing the study program, students will be able to:
• apply the rules required by specific data processing schemes;
• recognize data protection risks within a processing operation and identify proper and effective measures to minimize them;
• prepare original reports and impact assessments of specific data processing simulations.
Communication skills: Upon completing the study program, students will be able to:
• communicate in written form, through the assignment, and in oral form, through the final exam and the class debate;
• use the concepts and language of data protection law;
• provide legal advice to data controllers and processors.
Learning skills: Upon completing the study program, students will be able to:
• build an analytic toolbox from data protection and privacy regulations;
• solve problems in dynamic settings and develop critical positions.
These abilities will be acquired through class participation, class debate and the research carried out for the drafting of the written assignment.

Course Contents

I. Privacy and Personal Data Protection fundamentals
II. The GDPR discipline
III. Comparative Privacy and Data Law around the Globe
IV. Technological, political and economic challenges for Data Protection
V. Other relevant EU legislation on the governance of the digital environment

Reference Books

In order to have a general and analytical view of data protection law and the impact of digital technology on individual rights, students can refer to:
- Council of Europe, European Court of Human Rights, European Data Protection Supervisor and European Union Agency for Fundamental Rights, Handbook on European Data Protection Law, EU Publications, Luxembourg, 2018, available at https://op.europa.eu/en/publication-detail/-/publication/5b0cfa83-63f3-11e8-ab9c-01aa75ed71a1/language-en
One of the following books, chosen by the individual student:
- D.J. Solove and W. Hartzog, Breached! Why Data Security Law Fails and How to Improve It, Oxford University Press, 2022
- K. O'Hara, The Seven Veils of Privacy: How Our Debates about Privacy Conceal Its Nature, Manchester University Press, 2023
- J. Chin and L. Lin, Surveillance State: Inside China's Quest to Launch a New Era of Social Control, St. Martin's Press, 2022
- N. Richards, Why Privacy Matters, Oxford University Press, 2021
- S. Zuboff, The Age of Surveillance Capitalism: The Fight for a Human Future at the New Frontier of Power, Profile Books, 2019
- D.K. Citron, The Fight for Privacy: Protecting Dignity, Identity, and Love in the Digital Age, W. W. Norton & Company, 2022
- A. Monti and R. Wacks, Protecting Personal Information: The Right to Privacy Reconsidered, Hart Publishing, 2019
- T. Naef, Data Protection without Data Protectionism: The Right to Protection of Personal Data and Data Transfers in EU Law and International Trade Law, Springer, 2022
- F. DeBrabander, Life after Privacy: Reclaiming Democracy in a Surveillance Society, Cambridge University Press, 2020
- D. Lyon, Pandemic Surveillance, Polity, 2021
Students are also expected to read the papers/articles assigned each week, as well as the EDPB Guidelines indicated during the lessons and selected case law of the European Court of Human Rights and the Court of Justice of the European Union.
Study materials: slides uploaded on the course page on Luiss Learn.

Teaching Methods

Acquisition: lectures, podcasts and online quizzes
Practice: guest speakers, case studies and simulations
Investigation: analyzing ideas and information in a range of materials and resources
Collaboration: small group projects, discussing others’ output and building joint output
Discussion: seminars, group-based class discussion, synchronous and asynchronous discussion
Production: essays

Assessment Method

The assessment of learning is conducted according to the following criteria:
- 15% of the final grade is based on attendance and active participation in class (7.5% for attendance and 7.5% for participation through contributions, opinions, initiatives, questions and comments)
- 30% of the final grade is based on the result of the first mid-term test (Groupwork on Compliance Assessment Simulation)
- 30% of the final grade is based on the result of the second mid-term test (multiple choice)
- 25% of the final grade is based on the final oral exam
The mid-term tests cover the topics taught from the start of the course until the first test, and from the first to the second test, respectively. They are not mandatory: if you do not take one or both tests, you will be examined on the missing topics during the final oral exam. You may reject the written test grade, in which case you will also be examined orally on the related topics. The oral exam covers all topics for which you have not already received a grade. In addition, you will have to discuss the book chosen from the list above. Non-attending students are required to study all the material listed in the syllabus without exception. Unjustified non-attendance will be evaluated negatively.

Thesis assignment criteria

A strong interest in the subject matter and theoretical inquiry, along with critical thinking skills and intellectual engagement will be highly valued by the course chair.

Week 1

I. Privacy and Personal Data Protection fundamentals
0. Presentation of the course
1. Context and background of European Data Protection Law
• from the right to privacy to the right to personal data protection
• international legal frameworks
2. The “Copernican revolution” of the GDPR
• from prescriptions to principles
• the forerunners of the GDPR
• a new geography for data
Reference:
- Samuel D. Warren and Louis D. Brandeis, The Right to Privacy, Harvard Law Review, Vol. 4, No. 5 (Dec. 15, 1890), pp. 193-220
- Judith Jarvis Thomson, The Right to Privacy, Philosophy & Public Affairs, Vol. 4, No. 4 (Summer 1975), pp. 295-314

Week 2

II. The GDPR discipline
2. The “Copernican revolution” of the GDPR
• from prescriptions to principles
• the forerunners of the GDPR
• a new geography for data
3. Data Protection terminology
• “personal data”
• special categories of data (“sensitive data”)
• “data processing”
• actors of data governance
Reference:
- ECHR (1950), Article 8 of the Convention – Right to respect for private and family life
- CFREU (2000), Article 7 – Respect for private and family life, and Article 8 – Protection of personal data
- TEU (2009), Article 39
- TFEU (2009), Article 16 (ex Article 286 TEC)
- GDPR: Articles 1, 2, 4, and Recitals 1-5, 7, 9-11, 14, 15, 18-20, 22-31

Week 3

II. The GDPR discipline
4. Key principles of European Data Protection Law
• lawfulness, fairness and transparency of processing
• purpose limitation
• data minimization
• accuracy, storage limitation and security
• accountability
5. Rules of European Data Protection Law
• lawful grounds for processing data and special categories of data
Reference:
- GDPR: Articles 5-14 and Recitals 32, 33, 38, 39, 41-47, 49-62
- Article 29 Working Party, Guidelines on consent under Regulation 2016/679
- Judgment of the Court (Grand Chamber) of 4 July 2023, Meta Platforms Inc and Others v Bundeskartellamt, C-252/21

Week 4

II. The GDPR discipline
6. Data subjects’ rights
• the right to be informed
• the rights to rectification, restriction and objection
• the “right to be forgotten”
• the rights against automated individual decision-making, including profiling
• the enforcement of data subjects’ rights
Reference:
- GDPR: Articles 15-23, and Recitals 63-65, 67-73
- Article 29 Working Party, Guidelines on Automated Individual Decision-Making and Profiling for the Purposes of Regulation 2016/679
- Judgment of the Court (Grand Chamber) of 13 May 2014, Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González, request for a preliminary ruling from the Audiencia Nacional, C-131/12

Week 5

II. The GDPR discipline
7. GDPR Compliance
• personal data governance and accountable actors
• elements of data security
• management of personal data breaches
• rules on accountability
• tools for compliance
• data protection by design and by default
• DPIA
Reference:
- GDPR: Articles 24-26, 28-29, 31-43, and Recitals 75-78, 81, 84, 85, 87-95, 97
- EDPB Guidelines 4/2019 on Article 25 Data Protection by Design and by Default
- EDPB Guidelines 07/2020 on the Concepts of Controller and Processor in the GDPR
- EDPB Guidelines 01/2021 on Examples Regarding Data Breach Notification
- Article 29 Working Party, Guidelines on Personal Data Breach Notification
- Article 29 Working Party, Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk”

Week 6

II. The GDPR discipline
8. Institutional frameworks and independent supervision
• supervisory authorities
• powers and sanctions
• the European Data Protection Board
• the “consistency mechanism”
Reference:
- GDPR: Articles 51-84, and Recitals 117-152

Week 7

- First Mid-Term Test (Groupwork on Compliance Assessment Simulation)
II. The GDPR discipline
9. Rules on international personal data transfers
• free flow of personal data between EU Member States
• personal data transfers to third countries or to international organisations
• EU-US agreements on data flows
• effects of Brexit on data transfers to the UK
Reference:
- GDPR: Articles 44-49 and Recitals 101, 102, 105, 108, 109, 113-116

Week 8

III. Comparative Privacy and Data Law around the Globe
10. Comparative perspectives of data regulation around the World
• the Anglo-Saxon approach
• data protection in the Far East
• “a clash of civilizations”?
• the call for a new geopolitics of data
Reference:
- Judgment of the Court (Grand Chamber) of 6 October 2015, Maximillian Schrems v Data Protection Commissioner, request for a preliminary ruling from the High Court (Ireland), C-362/14
- Judgment of the Court (Grand Chamber) of 16 July 2020, Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems, request for a preliminary ruling from the High Court (Ireland), C-311/18

Week 9

III. Comparative Privacy and Data Law around the Globe
11. Privacy and Data Protection Disciplines around the World
• U.S. and California
• Australia
• Singapore
• Hong Kong
• Brazil
• South Africa
• India
• Turkey
• Russia
• China
Reference:
- Council of Europe, Convention 108 (1981); ECtHR case law applying Convention 108; Amending Protocol to Convention 108 (Convention 108+)
- UK, Data: A New Direction (2021)
- Prof. Graham Greenleaf, the following articles:
• Global Data Privacy Laws 2023: 162 National Laws and 20 Bills, [2023] UNSW Law & Justice Research Series 48; (2023) 181 Privacy Laws & Business International Report 1
• Australia’s Never-Ending Privacy Reform Process, (2023) 186 Privacy Laws & Business International Report 11-13
• India’s 2023 Data Privacy Act: Business/Government Friendly, Consumer Hostile, [2024] UNSW Law & Justice Research Series 8; (2023) 185 Privacy Laws & Business International Report 1, 3-12
• China’s Completed Personal Information Protection Law: Rights Plus Cyber-security, [2021] UNSW Law & Justice Research Series 91; (2021) 172 Privacy Laws & Business International Report 20-23
• ASEAN Model Contractual Clauses: Low and Ambiguous Data Privacy Standards, [2021] UNSW Law & Justice Research Series 83; (2021) 174 Privacy Laws & Business International Report 22-24
- Materials provided by Prof. Brozzetti

Week 10

III. Comparative Privacy and Data Law around the Globe
12. International Data Protection Law and Governance
• DFFT (Data Free Flow with Trust)
• OECD
• G7
• G20
• UN
Reference:
- DFFT: G20 Osaka Leaders' Declaration (2019) (https://www.mofa.go.jp/policy/economy/g20_summit/osaka19/en/documents/final_g20_osaka_leaders_declaration.html); UK G7 Roadmap for Cooperation on DFFT (2021); Germany G7 Action Plan for Promoting DFFT (2022); Japan G7 Vision for Operationalising DFFT (2023); CSIS, Operationalizing Data Free Flow with Trust (https://www.csis.org/analysis/operationalizing-data-free-flow-trust-dfft)
- OECD Data Governance (https://www.oecd.org/digital/data-governance/)
- UN OHCHR, Special Rapporteur on the right to privacy (https://www.ohchr.org/en/special-procedures/sr-privacy); General Assembly A/77/196
- Materials provided by Prof. Brozzetti

Week 11

IV. Technological, political and economic challenges for Data Protection
13. Contemporary challenges in personal data protection and disruptive technologies
• AI and Big Data
• social networks
• cloud and edge computing
• quantum computing
• Big Tech and new powers
• data monetisation and “pay or consent”
• data protection and counter-terrorism
• data protection and the law of war
Reference:
- L. West, Privacy v. Precautions in Future Armed Conflicts, Lieber Institute, West Point, 2022 (https://lieber.westpoint.edu/privacy-vs-precaution-future-armed-conflict/)
- A. Lubin, The Rights to Privacy and Data Protection under International Humanitarian Law and Human Rights Law, in Research Handbook on Human Rights and Humanitarian Law: Further Reflections and Perspectives (2022), pp. 463-492
- R. Geiss and H. Lahmann, Protection of Data in Armed Conflict, 97 International Law Studies 556 (2021)
- L.R. Blank and E. Talbot Jensen, LOAC and the Protection and Use of Digital Property in Armed Conflict
- R. Buchan and A. Lubin (eds.), The Rights to Privacy and Data Protection in Times of Armed Conflict, NATO Cooperative Cyber Defence Centre of Excellence, 2022
- Materials provided by Prof. Brozzetti

Week 12

V. Other relevant EU legislation on the governance of the digital environment
14. EU Data strategy and Digital Package
• Data Governance Act
• Digital Services Act
• Digital Markets Act
• Data Act
• European Health Data Space
• ePrivacy Regulation
• Copyright Act
• AI Act
• NIS 2 (Network and Information Security Directive 2)
- Second Mid-Term Test (multiple choice)
Reference:
- Materials provided by Prof. Brozzetti