LAWS0338 Privacy, Data and Surveillance Law

Dr Michael Veale, UCL Faculty of Laws, 2021-22 Syllabus

Updated 16 February 2022

     / \  `.  __..-,O
    :   \ --''_..-'.'
    |    . .-' `. '.
    :     .     .`.'
     \     `.  /  ..
      \      `.   ' .
       `,       `.   \
      ,|,`.        `-.\
     '.||  ``-...__..-`
      |  |
    // || \\

Reading importance labels — Check the labels beside each reading! Compulsory means “please do this before class”. Recommended means “if you’re interested, or if you’re writing an essay or revising this topic, have a look at this”. It does not mean “if you’re a really good student you’ll have done all the recommended reading as well as compulsory reading before class”. Optional means “if you’re writing an essay, or it interest you, this might be something you want look at, but you could also do your own research and find other sources too.”

Open access — Wherever possible, resources are accompanied by an open access link (‘OA link’). Some resources are available freely but only behind for-profit repositories such as SSRN, which heavily push users to register and log-in, and hide the download options for downloading without this in the bottom of the page. These are ‘OA-ish links’. Occasionally, a paper or book is too important not to recommend even though an OA version is unavailable. I have tried to minimise these resources throughout the reading list.

S1: What is Privacy, Data and Surveillance Law, Anyway?

What is privacy all about, and why might we seek it? In this session, we will take a look at some of the different issues privacy might, or has been thought to, protect. The three compulsory readings approach this from different angles: Solove offers a taxonomy to cover a breadth of the issues; Viljoen looks at what ‘data law’ might do, focussing on the way that technologies construct and mediate human relations; while Lynskey consider the developing approach(es) that courts in the UK have taken to a set of rights that have only relatively recently made their way into law in this jurisdiction.

For very different views, the optional readings present different viewpoints. Gürses unpacks how computer scientists often think about privacy; O’Hara tries to understand why people talk over each other when talking about what privacy is or should do; Hildebrandt thinks about how privacy might be theorised in relation to a world of profiling machines; while Warren and Brandeis, in a seminal article, try to locate privacy as a right in the US constitution — influential on later thought, not least as Brandeis became a US Supreme Court justice.

The core questions for this first session are broad, but set the scene for this module. What do you think privacy is or should protect? What should the priorities for law be in an informationalised world, and have courts so far appeared to be up to these challenges?


  • Compulsory Daniel J Solove, ‘A Taxonomy of Privacy’ (2005–06) 154 U Pa L Rev 477 OA link
  • Compulsory Salomé Viljoen, ‘A Relational Theory of Data Governance’ (2021) 131 Yale Law Journal 573 OA link
  • Compulsory Orla Lynskey, ‘Courts, Privacy and Data Protection in the UK: Why Two Wrongs Don’t Make a Right’ in Courts, Privacy and Data Protection in the Digital Environment (Edward Elgar Publishing 2017) UCL link
  • Recommended Julie E Cohen, ‘What Privacy is For’ (2012–13) 126 Harv L Rev 1904 OA link
  • Recommended Kieron O’Hara, ‘The Seven Veils of Privacy’ (2016) 20 IEEE Internet Computing 86 UCL link
  • Recommended Seda Gürses, ‘Can You Engineer Privacy?’ (2014) 57 Communications of the ACM 20. UCL typeset link / OA preprint link
  • Optional Mireille Hildebrandt, ‘Privacy as Protection of the Incomputable Self: From Agnostic to Agonistic Machine Learning’ (2019) 20 Theoretical Inquiries in Law 83 OA link
  • Optional Samuel D Warren and Louis D Brandeis, ‘The Right to Privacy’ (1890) 4 Harvard Law Review 193 OA link
  • Optional Julie E Cohen, ‘Turning Privacy Inside Out’ (2019) 20 Theoretical Inquiries in Law OA link

S2: Data Protection: Form and Function

In this session, we introduce a parallel but interwoven regime to privacy and private life: data protection. Lynskey introduces where data protection came from, what is does, and how it relates to privacy. Her book was written before the passing of the General Data Protection Regulation, which builds on previous privacy statutes; this is the topic of Hoofnagle and others, who seek to summarise the Regulation. You should also read the GDPR alongside this article as appropriate.

Further readings look at the history of data protection law (González Fuster), and elaborate theoretically on the functioning of data protection and its place within the EU legal order (Lynskey, Ausloos).

Think while reading about what data protection seeks to do and protect. How does it secure the aims we discussed when considering privacy? What other ends does it pursue, or ways might it protect or empower people? Is it a subset of privacy, or a separate, complementary regime? How many of the rights and obligations were you aware of, and how does the text of data protection law relate to the practices of firms and governments that you are aware of?


  • Compulsory Orla Lynskey, ‘The Key Characteristics of the EU Data Protection Regime’ and ‘The Link between Data Protection and Privacy in the EU Legal Order’ in The Foundations of EU Data Protection Law (Oxford University Press 2015) UCL link
  • Compulsory Chris Jay Hoofnagle and others, ‘The European Union General Data Protection Regulation: What It Is and What It Means’ (2019) 28 Information & Communications Technology Law 65 OA link
  • Recommended Gloria González Fuster, ‘The Materialisation of Data Protection in International Instruments’ in The Emergence of Personal Data Protection as a Fundamental Right of the EU (Springer 2014) UCL link
  • Recommended Orla Lynskey, The Foundations of EU Data Protection Law (Oxford University Press 2015) UCL link
  • Optional Jef Ausloos, ‘Foundations of Data Protection Law’ in The Right to Erasure in EU Data Protection Law: From Individual Rights to Effective Protection (Oxford University Press 2020) UCL link

Policy Documents

  • Optional European Court of Human Rights, Guide to the Case Law of the European Court of Human Rights: Data Protection (Council of Europe, updated regularly) (look at relevant parts to bolster your understanding) OA link


  • Compulsory Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) OJ L 119/1. Read this alongside the Hoofnagle and others article. You do not need to read all of the recitals yet, and this takes most of the length out; but they do help shine light on the main articles, and are important interpretative tools, so refer back as appropriate.
  • Compulsory Charter of Fundamental Rights of the European Union, articles 7–8.

S3: The Law of Everything? Anonymisation and the Scope of Personal Data

One of the main concepts in data protection is the concept of personal data. The boundaries of this concept have been hotly contested, and are an important point of interaction for law, policy, computer and data science alike; all of these disciplines work on this issue intensely. McAuley describes why computer scientists find anonymisation difficult to achieve. Purtova argues that the CJEU has interpreted the GDPR in an expansive manner which has led an unmanageable array of information types to be classifiable as personal data (but compare to optional reading, Dalla Corte, who critiques this reading). Elliot and others propose a different approach, which looks at the risk of data to be reidentified in its environment. What would be the benefits or risks of adopting this approach? You should also read the Breyer case, which is looked at considerably in the Purtova article.

You may also choose to read further reading, such as a technical analyis of why it is difficult or impossible to anonymise some types of location data from the perspective of computer science by de Montjoye and others, the application to smart environments and technologies by Gellert. You should also consider the household exemption, part of the scope of data protection law, which is importantly limited by the cases Lindqvist and Ryneš.

How should a controller in practice go about considering what is personal data or not? How might this differ for different types of data — text; location; tabular data; video data or photographs? Is there a good balance between personal or non personal data classification that is possible, or will any approach inevitably be gamed and abused? If so, is there a way out of this quandary?



  • Compulsory Nadezhda Purtova, ‘The Law of Everything. Broad Concept of Personal Data and Future of EU Data Protection Law’ (2018) 10 Law, Innovation and Technology 40 OA link
  • Compulsory Mark Elliot and others, ‘Functional Anonymisation: Personal Data and the Data Environment’ (2018) 34 Computer Law & Security Review 204. OA preprint link / UCL typeset link
  • Recommended Lorenzo Dalla Corte, ‘Scoping Personal Data: Towards a Nuanced Interpretation of the Material Scope of EU Data Protection Law’ (2019) 10 European Journal of Law and Technology. OA link
  • Recommended Raphaël Gellert, ‘Personal Data’s Ever-Expanding Scope in Smart Environments and Possible Path(s) for Regulating Emerging Digital Technologies’ (2021) 11 International Data Privacy Law 196. UCL typeset link / OA preprint
  • Optional Yves-Alexandre de Montjoye and others, ‘Unique in the Crowd: The Privacy Bounds of Human Mobility’ (2013) 3 Scientific Reports 1376. OA link
  • Optional Draft Guidance Information Commissioner’s Office (2021), ICO call for views: Anonymisation, pseudonymisation and privacy enhancing technologies guidance OA link
  • Optional Benjamin Wong, ‘Delimiting the Concept of Personal Data after the GDPR’ (2019) 39 Legal Studies 517. UCL link
  • Optional Michael Veale, Reuben Binns and Lilian Edwards, ‘Algorithms that Remember: Model Inversion Attacks and Data Protection Law’ (2018) 376 Phil Trans R Soc A 20180083. OA link


European Union

  • Compulsory Case C-582/14 Patrick Breyer v Bundesrepublik Deutschland ECLI:EU:C:2016:779 (on the identifiability of personal data)
  • Recommended Case C‑434/16 Nowak ECLI:EU:C:2017:994 (on exam scripts and comments)
  • Recommended Case C-101/01 Lindqvist EU:C:2003:596 (on the scope of the household exemption)
  • Recommended Case C‑212/13_ Ryneš_ ECLI:EU:C:2014:2428. (on a CCTV camera on a house and the household exemption)

United Kingdom

  • Optional Durant v Financial Services Authority [2003] EWCA Civ 1746.
  • Optional Edem v The Information Commissioner & Anor [2014] EWCA Civ 92
  • Optional Secretary of State for the Home Department & Anor v TLU & Anor [2018] EWHC 2217 (QB).


European Union

  • Compulsory GDPR, recitals 26-30, arts 2, 4(1).

S4: Revenge of the Cookie Monster


  • Compulsory Michael Veale and Frederik Zuiderveen Borgesius, ‘Adtech and Real-Time Bidding under European Data Protection Law’ (2022) 23 German Law Journal. OA link
  • Compulsory Midas Nouwens and others, ‘Dark Patterns after the GDPR: Scraping Consent Pop-Ups and Demonstrating Their Influence’ in (ACM 2020) Proceedings of the ACM Conference on Human Factors in Computing Systems (CHI 2020). OA link
  • Compulsory René Mahieu and Joris Van Hoboken, ‘Fashion-ID: Introducing a Phase-Oriented Approach to Data Protection?’ (European Law Blog, 30 September 2019) OA link
  • Recommended Reuben Binns and others, ‘Third Party Tracking in the Mobile Ecosystem’ in Proceedings of the 10th ACM Conference on Web Science (WebSci ’18) (ACM 2018). OA link
  • Optional Günes Acar and others, ‘The Web Never Forgets: Persistent Tracking Mechanisms in the Wild’ in Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security (CCS ’14) (ACM 2014) UCL link / OA link

Policy Documents

  • Optional Information Commissioner’s Office, ‘Update Report into Adtech and Real Time Bidding’ (Information Commissioner’s Office, 20 June 2019) link


European Union

  • Compulsory Case C-210/16 Wirtschaftsakademie Schleswig-Holstein ECLI:EU:C:2018:388.
  • Compulsory Case C-49/17 Fashion ID GmbH & CoKG v Verbraucherzentrale NRW eV ECLI:EU:C:2019:629.
  • Optional Case C‑25/17 Jehovan todistajat ECLI:EU:C:2018:551.
  • Optional Case C-673/17 Planet49 GmbH ECLI:EU:C:2019:801.

For both the compulsory cases it can be useful too to read the Advocate General opinions if you are unclear about the points and context: * Recommended Case C‑210/16 Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH ECLI:EU:C:2017:796, Opinion of AG Bot. * Recommended Case C-49/17 Fashion ID GmbH & CoKG v Verbraucherzentrale NRW eV ECLI:EU:C:2018:1039, Opinion of AG Bobek.

United Kingdom

These cases are not directly about the substance of tracking but consider the issues of a workaround concerning cookie and the ability to claim damages on that basis. They are included here mainly for completeness, but are also of interest (both the final judgments listed and the prior cases appealed) in relation to how courts understand issues of tracking.

  • Optional Vidal-Hall v Google Inc [2015] EWCA Civ 311.
  • Optional Lloyd v Google LLC [2021] 3 UKSC 50.

S5: Forget Me, or Forget Me Not? The Right to Erasure


  • Compulsory Andrés Guadamuz, ‘Developing a Right to Be Forgotten’ in Tatiana-Eleni Synodinou and others (eds), EU Internet Law: Regulation and Enforcement (Springer 2017). OA-ish link UCL paywall link
    • An overview of some of the debates and sides people take concerning the Right to Be Forgotten.
  • Recommended Aleksandra Kuczerawy and Jef Ausloos, ‘From Notice-and-Takedown to Notice-and-Delist: Implementing Google Spain’ (2015–16) 14 Colo Tech LJ 219. OA link
    • A discussion of some of the roles (as they were and are emerging) of different governance actors in the run up to, and in the wake of, the judgment in Google Spain.
  • Recommended Jef Ausloos, The Right to Erasure in EU Data Protection Law: From Individual Rights to Effective Protection (Oxford University Press 2020). UCL link
  • Recommended Theo Bertram and others, ‘Five Years of the Right to Be Forgotten’ in (ACM 2019) Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security 959. OA link
    • A scholarly article on how the RTBF has panned out from the point of view of Google employees, who authored it. Read alongside the firm’s regularly updated, quantitative Transparency Report into EU delisting on the basis of the right.
  • Recommended Joris Van Hoboken, ‘Search Engine Freedom’ in Search Engine Freedom: On the Implications of the Right to Freedom of Expression for the Legal Governance of Web Search Engines (University of Amsterdam 2012) pp 168-213. OA link
    • A discussion of the theoretical and legal manners in which freedom of expression applies to search engines, given their crucial role in enabling access to information. Pre-dates Google Spain, although not the debates about the RTBF.
  • Optional Jean-François Blanchette and Deborah G Johnson, ‘Data Retention and the Panoptic Society: The Social Benefits of Forgetfulness’ (2002) 18 The Information Society 33. OA link paywalled, typeset link
    • A less legal view of why we might want a right to be forgotten from the standpoint of privacy.
  • Optional Tarleton Gillespie, ‘To Remove or to Filter?’ in Custodians of the Internet (Yale University Press 2018). UCL link (paywalled)
    • A broader discussion of the different tactics that internet intermediaries, and particularly platforms, use to limit the distribution of content online.
  • Optional David Erdos, ‘The “Right to Be Forgotten” beyond the EU: An Analysis of Wider G20 Regulatory Action and Potential Next Steps’ (2021) 13 Journal of Media Law 1. OA-ish link UCL link
    • Examines how similar rights to be forgotten work in jurisdiction including Canada, Turkey and Australia.
  • Optional Stefan Kulk and Frederik Zuiderveen Borgesius, ‘Privacy, Freedom of Expression, and the Right to Be Forgotten in Europe’ in Evan Selinger and others (eds), The Cambridge Handbook of Consumer Privacy (Cambridge University Press 2018). OA-ish link UCL paywall link
    • A useful introduction to how freedom of expression is balanced by the CJEU and ECtHR, focussing on the right to be forgotten. Overlaps otherwise in terms of content with Guadamuz 2017.

Policy Documents

  • Optional European Data Protection Board, Guidelines 5/2019 on the criteria of the Right to be Forgotten in the search engines cases under the GDPR (EDPB 2020) OA link
    • Guidance from the European regulators in charge of enforcing Google Spain and the Right to Erasure. See also the commentary on these guidelines by David Erdos, University of Cambridge.
  • Optional Access Now, Understanding the Right to Be Forgotten Globally (Access Now 2017) OA link
    • A short policy paper from an NGO indicating the surrounding conditions and a safeguard wishlist for global implementation of a right to be delisted on privacy grounds.


European Union

  • Optional Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) OJ L 119/1, art 17.

Case Law

European Union

  • Compulsory Case C-131/12 Google Spain SL and Google Inc v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González ECLI:EU:C:2014:317.
  • Compulsory Case C‑136/17 GC and Others v Commission nationale de l’informatique et des libertés (CNIL) ECLI:EU:C:2019:773.
  • Compulsory Case C‑507/17 Google LLC v Commission nationale de l’informatique et des libertés (CNIL) ECLI:EU:C:2019:772.

United Kingdom

  • Recommended NT1 & NT2 v Google LLC [2018] EWHC 799 (QB). BAILII

S6: Computer Says No? Algorithmic Decisions

2022 Industrial Action Adjustment: We will do this in place of the topic that would have been Tutorial 2, which will not be taught. You are welcome to, optionally, watch the following lectures that were recorded in previous years: link and link. These lectures would not have been given in the cancelled seminar format of this session, which has been cancelled, but may be useful to your preparation or coursework.

  • What are the main issues concerning algorithms that require governance? What has the last few years indicated are the most pressing of them, and which might be the most pressing in the future?
  • Should we be worried about algorithms, or “decisions”, both or neither?
  • How can we reconcile the purpose of Article 22 with the rest of the GDPR? Does it connect to form a coherent whole, or does it not make sense?
  • Is Article 22 a relic that will fail to govern algorithms going forward, or is there hope that it can be usefully repurposed? If so, as a simple safety net, or an active tool of governance?
  • Are there simple changes, or court interpretations, that might make the governance of algorithms through the GDPR function more effectively? Which? Are they likely without new legislation?


  • Compulsory Lilian Edwards and Michael Veale, ‘Slave to the Algorithm? Why a “Right to an Explanation” Is Probably Not the Remedy You Are Looking For’ (2017) 16 Duke Law & Technology Review 18 OA link
  • Compulsory Mireille Hildebrandt, ‘Privacy as Protection of the Incomputable Self: From Agnostic to Agonistic Machine Learning’ (2019) 20 Theoretical Inquiries in Law 83. OA link
  • Compulsory Andrew D Selbst and others, ‘Fairness and Abstraction in Sociotechnical Systems’ in Proceedings of the Conference on Fairness, Accountability, and Transparency (FAT* ’19, New York, NY, USA, ACM 2019). OA link
  • Recommended Reuben Binns and Michael Veale, ‘Is that Your Final Decision? Multi-Stage Profiling, Selective Effects, and Article 22 of the GDPR’ [2021] International Data Privacy Law OA link
  • Compulsory Margot E Kaminski, ‘Binary Governance: Lessons from the GDPR’s Approach to Algorithmic Accountability’ (2019) 92 Southern California Law Review OA link
  • Recommended Andrew Selbst and Solon Barocas, ‘The Intuitive Appeal of Explainable Machines’ (2018) 87 Fordham Law Review 1085 OA link.
  • Optional Margot E Kaminski, ‘The Right to Explanation, Explained’ (2019) 34 Berkeley Technology Law Journal OA link
  • Optional Luca Tosoni, ‘The Right to Object to Automated Individual Decisions: Resolving the Ambiguity of Article 22(1) of the General Data Protection Regulation’ (2021) 11 International Data Privacy Law 145. OA-ish link UCL link
  • Optional Andrew D Selbst and Julia Powles, ‘Meaningful Information and the Right to Explanation’ (2017) 7 International Data Privacy Law 233. OA link
  • Optional Sandra Wachter and others, ‘Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation’ (2017) 7 International Data Privacy Law 76. OA link

Policy Documents

  • Compulsory Article 29 Working Party, ‘Guidelines on Automated Individual Decision-Making and Profiling for the Purposes of Regulation 2016/679 (WP251rev.01)’ (6 February 2018) alongside article 15, 22, recital 71, GDPR.
  • Optional Information Commissioner’s Office, ‘Guidance on AI and data protection’ (2021) link


European Union

  • Compulsory General Data Protection Regulation (GDPR), articles 15, 21, 22, recital 71.

S7: State Surveillance: Introducing Bulk Powers

2022 Industrial Action Adjustment: We will do this topic in session 8 (8th March).

I know that you will be
Still around
I don't know which me to be
I know that you know me better than I know me
Still around

Holly Herndon, ‘Home’ (2014), an ode to an NSA monitor using PRISM, XKEYSCORE and other tools to watch the artist as she puzzles over which identity to portray. Music video link.

In 2013, documents leaked by Edward Snowden had a transformative effect on law, business practices, and perceptions. In this first surveillance seminar, we will try to look at the bigger picture, of technologies being used and some of the human rights fights around the old and new regimes.

When reading, consider the following:

  • What kind of impact on privacy is there from using content of communications? What kind from metadata?
  • How might you conceptualise the ECtHR’s trend in attitudes towards bulk collection/mass surveillance regimes?
  • What are the geopolitical implications of bulk collection, interception and interference practices? How does this relate to the jurisdiction and physical location of cloud companies?
  • Intelligence agencies commonly argue that bulk regimes are not particularly invasive as only some material is ever selected and read by humans. Do you consider that a sufficient safeguard?
  • What does surveillance of these types tell us about the role of the intermediaries we looked at previously? What powers and responsibilities do they have; how have they used these; and how should they use them?


Policy Documents

  • Compulsory David Anderson, Report of the Bulk Powers Review (Her Majesty’s Stationery Office 2016). OA link
  • Compulsory Unknown Author (OPC-MCR/GCHQ), ‘HIMR Data Mining Research Problem Book’ (Contained in the Snowden Leaks, 20 September 2011) OA link
    • Skim the top-secret research ‘open question’ problem book of the Heilbron Institute for Mathematical Research (University of Bristol), a GCHQ funded research centre that works on highly classified research. This book, part of the Snowden leaks, describes the kind of data and practices that GCHQ have and provide to the researchers that develop the techniques to analyse it. (some of this is very technical, I recommend pages 7-15, 51-53, 67-68. The data sources at the end, particularly pp 69–74 may also be interesting)**
  • Recommended David Anderson, A Question of Trust (Her Majesty’s Stationery Office 2015). OA link
  • Optional Caspar Bowden, The US Surveillance Programmes and Their Impact on EU Citizens’ Fundamental Rights (European Parliament 2013) OA link


  • Recommended Caspar Bowden, The Cloud Conspiracy 2008-14 (The 31st Chaos Computer Congress, 31C3 2014) OA link


  • Compulsory Browse the Snowden Archive. Look by Program, and for each entry, you can click on the news article analysing it at the bottom, or access the original PDF of the document itself. Note: if the link there does not work, an alternative, although less nice-to-browse, respository of documents can be found at the Internet Archive.

T3: Big Brother Watch

Do the readings for “State Surveillance: Bulk Powers and Human Rights”, at least the Grand Chamber Big Brother Watch case (it’s long!). In the tutorial, we’re going to start to look at the case, and continue in the seminar next week. Think about the following questions.

  • Compulsory Big Brother Watch and Others v the United Kingdom (Grand Chamber) ECLI:CE:ECHR:2021:0525JUD005817013.

  • What were the alleged violations of Article 8 in Big Brother Watch? What are the requirements for finding a violation of Art 8?

  • To what extent would you describe BBW as a pyrrhic victory for the applicants?

  • How much do you sympathise with the dissents? Is the trajectory of the ECtHR fit for the 21st century?

S8: State Surveillance: Bulk Powers and Human Rights

2022 Industrial Action Adjustment: We will do this topic in session 9 (15th March).

Arguably the most control over state surveillance is exercised by the European Convention on Human Rights. In this session, we’re going to look at how it has understood state surveillance across the years, and some of the key tensions it has faced going forward.

  1. How can we characterise the way the ECtHR has or has not changed in relation to the changing nature of surveillance?
  2. Should courts play closer attention to the substance of surveillance powers? How?
  3. Is a bulk collection or interception regime a natural progression or a disjunct leap from targeted collection/interception? What is the view of the ECtHR on this?
  4. Should individuals be notified that they have been subject to surveillance measures, when it would not undermine investigations to do so?


  • Compulsory Eleni Kosta, ‘Surveilling Masses and Unveiling Human Rights: Uneasy Choices for the Strasbourg Court’ (Inaugural Address, Tilburg Law School, 2017) <>.
  • Recommended Nóra Ní Loideáin, ‘A Bridge Too Far? The Investigatory Powers Act 2016 and Human Rights Law’ in Lilian Edwards (ed), Law, Policy, and the Internet (Hart Publishing 2019). UCL link
  • Recommended Bernard Keenan, ‘The Evolution Of Elucidation: The Snowden Cases Before The Investigatory Powers Tribunal’ [2021] The Modern Law Review. UCL link
  • Recommended Théodore Christakis and Katia Bouslimani, ‘National Security, Surveillance, and Human Rights’, in the Oxford Handbook of the International Law of Global Security (OUP 2021). UCL link
  • Recommended Eleni Kosta, ‘Algorithmic State Surveillance: Challenging the Notion of Agency in Human Rights’ (2020) Regulation & Governance. OA link
  • Recommended European Court of Human Rights, Guide on Art 8 of the European Convention of Human Rights (Council of Europe, updated regularly) (look at relevant parts to bolster your understanding) OA link
  • Optional Andrew Murray, ‘State Surveillance and Data Retention’ in Information Technology Law (Oxford University Press 2019). (a more simplified high-level overview)
  • Optional Bart van der Sloot and Eleni Kosta, ‘Big Brother Watch and Others v UK: Lessons from the Latest Strasbourg Ruling on Bulk Surveillance Case Notes’ (2019) 5 Eur Data Prot L Rev 252.
  • Optional Pierre Notermans, ‘Surveillance Measures and the Exception of National Security in the Case Law of the European Court of Human Rights’ in Human Rights in Times of Transition (Edward Elgar Publishing 2020) UCL link


  • Compulsory Big Brother Watch and Others v the United Kingdom (Grand Chamber) ECLI:CE:ECHR:2021:0525JUD005817013.
  • Optional Malone v the United Kingdom ECLI:CE:ECHR:1984:0802JUD000869179.
  • Optional S and Marper v the United Kingdom ECLI:CE:ECHR:2008:1204JUD003056204.
  • Recommended Privacy International v Secretary of State for Foreign And Commonwealth Affairs & Ors [2016] UKIPTrib 15_110-CH.
  • Recommended Liberty & Ors v GCHQ & Ors [2014] UKIPTrib 13_77-H and Liberty & Ors v The Secretary of State for Foreign And Commonwealth Affairs & Ors [2015] UKIPTrib 13_77-H.

S9: Data Retention - the Never Ending Story

2022 Industrial Action Adjustment: We will not cover this topic.

 __i ----------- ?
`\   \   

Who called who, and when? When governments wish to understand what communication individuals had with each other in the past, they want somewhere to look back upon for reference. But keeping hold of all that data is expensive, and telecoms companies are loathe to do it. Enter data retention, a dynamic area of law characterised mainly by an ongoing battle between the CJEU and EU member states as to its permissible extent.

  • Why does data retention fall within EU law? Should it?
  • Has the Court of Justice gone too far, or has the ECHR not gone far enough?
  • Do you agree that metadata might have a chilling effect on freedom of expression?
  • What do you think Internet Communication Records are in the IPA? Does retaining these present additional human rights concerns? (hint: this was a novelty not present in RIPA).
  • How do the safeguards proposed in La Quadrature du Net compare to other aspects of the intelligence regime (e.g. in the UK)? Which might be easy to carry out, and which might be more difficult, or represent a significant change from e.g. the safeguards in the IPA?


  • Compulsory Marcin Rojszczak, ‘National Security and Retention of Telecommunications Data in Light of Recent Case Law of the European Courts’ [2021] European Constitutional Law Review. OA link
  • Compulsory Eleni Kosta, ‘The Retention of Communications Data in Europe and the UK’ in Lilian Edwards (ed), Law, Policy, and the Internet (Hart Publishing 2019) OA link
  • Recommended Marcin Rojszczak, ‘The Uncertain Future of Data Retention Laws in the EU: Is a Legislative Reset Possible?’ (2021) 41 Computer Law & Security Review 105572. UCL link OA link
  • Optional Privacy International, ‘National Data Retention Laws since the CJEU’s Tele-2/Watson Judgment. A Concerning State of Play for the Right to Privacy in Europe’ (Privacy International, September 2017) OA link


European Union

  • Compulsory Joined Cases C‑511/18, C‑512/18 and C‑520/18 La Quadrature du Net and Others ECLI:EU:C:2020:791.
  • Recommended Case C-623/17 Privacy International ECLI:EU:C:2020:790.
  • Optional Case C‑746/18 HK v Prokuratuur ECLI:EU:C:2021:152.
  • Recommended Joined Cases C‑293/12 and C‑594/12 Digital Rights Ireland and Others ECLI:EU:C:2014:238.
  • Recommended Joined Cases C-203/15 and C-698/15 Tele2 Sverige AB v Post- och telestyrelsen and Secretary of State for the Home Department v Tom Watson and Others ECLI:EU:C:2016:970.

Advocate General Opinions

  • Optional Joined Cases C‑793/19 and C‑794/19 SpaceNet and Telekom Deutschland ECLI:EU:C:2021:939 (Opinion of Advocate General Campos Sánchez-Bordona)
  • Optional Case C-140/20 Commissioner of the Garda Síochána and Others ECLI:EU:C:2021:942 (Opinion of Advocate General Campos Sánchez-Bordona).

United Kingdom

  • Optional R (on the application of Davis and others) v The Secretary of State for the Home Department [2015] EWHC 2092 (Admin)
    • and in the EWCA: Secretary of State for the Home Department v Watson MP & Ors [2018] EWCA Civ 70.


  • Recommended Investigatory Powers Act 2016 part 4 (Retention of Communications Data) link.

S10: Data Transfers

2022 Industrial Action Adjustment: This topic stays where it is, as S10 (22nd March).

  • Compulsory Christopher Kuner, ‘Reality and Illusion in EU Data Transfer Regulation Post Schrems’ (2017) 18 German Law Journal 881. OA link
  • Optional Christopher Kuner, ‘Schrems II Re-Examined’ (Verfassungsblog, 25 Aug 2020) OA link
    • Recommended Read alongside Douwe Korff, ‘Comments on Prof. Chris Kuner’s Blog Schrems II Re-Examined of 25 August 2020’ (26 August 2020) OA-ish link (alt link)
  • Optional Barbara Sandfuchs, ‘The Future of Data Transfers to Third Countries in Light of the CJEU’s Judgment C-311/18 – Schrems II’ (2021) GRUR Int ikaa204 UCL link
  • Recommended Andrew D Murray, ‘Data Transfers between the EU and UK Post Brexit?’ (2017) 7 International Data Privacy Law 149 OA link
  • Optional Graham Greenleaf, ‘Japan: EU Adequacy Discounted’ (2018) 155 Privacy Laws & Business International Report 8-10 OA link

Policy Documents

  • Recommended Privacy International, ‘Secret Global Surveillance Networks’ (Privacy International, 2018) OA link
  • Optional European Data Protection Board, ‘Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, Version 2’ (18 June 2021) OA link


  • Compulsory GDPR, chapter V.
  • Recommended Commission Implementing Decision (EU) 2021/1773 of 28 June 2021 pursuant to Directive (EU) 2016/680 of the European Parliament and of the Council on the adequate protection of personal data by the United Kingdom (notified under document C(2021) 4801) OJ L360/69. OA link


European Union

  • Compulsory Case C-311/18 Data Protection Commissioner v Facebook Ireland and Schrems ECLI:EU:C:2020:559 (“Schrems II”) link
  • Recommended Case C-362/14 Maximillian Schrems v Data Protection Commissioner ECLI:EU:C:2015:65 (“Schrems I”)

It might be useful to read the AG Opinions in both cases too: * Optional Case C‑362/14 Maximillian Schrems v Data Protection Commissioner ECLI:EU:C:2015:627 (Opinion of Advocate General Bot). * Optional Case C-311/18 Data Protection Commissioner v Facebook Ireland and Schrems ECLI:EU:C:2019:1145, Opinion of Advocate General Saugmandsgaard Øe.


  • Optional The Data Protection Commissioner -v- Facebook Ireland Ltd & Anor [2017] IEHC 545 (Ireland)
    • This case is very useful in restating the facts of data transfers in the context of Facebook and US surveillance under FISA 702 and EO 12333. It is the case which led to the questions being referred to the CJEU in Schrems II.


ASCII art from [], credited to SSt.