Course Spotlight: International Data Protection and Cybersecurity Law

International Data Protection and Cybersecurity Law is an elective course in Osgoode’s Professional LLM in Privacy and Cybersecurity Law. The course examines how privacy and data protection laws operate across jurisdictions and how global regulatory developments shape legal obligations for organizations operating in a digital economy.

The course is taught by Vance Lockton, a Senior Technology Policy Advisor at the Office of the Privacy Commissioner of Canada. He has spent the majority of his career working with Canada’s federal and provincial privacy regulators and currently leads work on a range of emerging technology issues, including artificial intelligence, age assurance, and neurotechnology. He holds master’s degrees in Computer Science and Public Policy.

Today, privacy law is fundamentally international in scope. “Privacy is inherently an international concern right now,” Lockton explains. Organizations with any kind of online presence are likely operating across borders, and many privacy laws apply internationally. The European Union’s General Data Protection Regulation (GDPR), for example, applies not only within Europe but also to companies outside the region that process personal information belonging to EU residents. As a result, “most companies and most legal professionals” need at least a working understanding of the range of privacy laws that may apply to the businesses they support.

International developments also play an important role in shaping Canadian privacy law. Lockton notes that Canada’s legal framework is often influenced by regulatory changes abroad. “Canada tends to be very inspired by international privacy law,” he says, meaning that understanding global developments can help explain why certain policy choices are made domestically. Looking at how privacy laws evolve internationally can therefore provide important insight into how Canadian law may develop in the future.

Lockton approaches the subject from the perspective of a policy professional rather than a practicing lawyer. Having spent nearly two decades working with privacy regulators, he has seen how international developments shape policy decisions in Canada. In his current role, analyzing global developments is a regular part of the work. “Whenever we are making recommendations or developing policy positions, a piece of that is always doing an analysis of what’s happening globally,” he explains. Understanding how laws are working internationally, including their challenges and limitations, helps inform regulatory thinking at the national level.

The classroom reflects the interdisciplinary nature of the field. Students often include lawyers, cybersecurity professionals, and policy specialists, as well as international participants who bring insight into developments in their own jurisdictions. Lockton notes that this diversity of perspectives enriches discussion by adding practical context to legal developments. Students working in areas such as health privacy, for example, can often explain how particular legal doctrines are interpreted in their sector, while cybersecurity professionals can help clarify the technical considerations that shape regulatory decisions.

Because the course is delivered virtually, Lockton emphasizes discussion and active engagement. His goal is to introduce core concepts and then encourage students to analyze how those ideas play out in practice. Much of the course focuses on identifying emerging regulatory developments and understanding how they affect organizations operating in a global digital environment.

One of the key assignments reflects this real-world policy perspective. Students identify a new legal or regulatory development and present a short briefing explaining its implications. Lockton describes the exercise as an opportunity to think like a policy analyst. In practice, professionals working in privacy and cybersecurity are often faced with lengthy and highly technical regulations. “Here’s the 300-page law that just got released,” he says. “How can I explain the impacts on my company in ten minutes?” The goal is to learn how to identify the key elements that matter and communicate them clearly to decision-makers.

By the end of the course, students develop the ability to interpret new privacy and cybersecurity laws in a rapidly evolving global environment. They gain the skills needed to identify the most important elements of complex regulatory developments and explain their implications clearly to policymakers, clients, and organizational leaders.