Legal and security concerns for website developers

The processing of personal data in Ireland is controlled by the Data Protection Acts 1988 and 2003, which apply to all data controllers. Data includes any information processed manually or automatically by a computer, while personal data relates to an identifiable living individual. (The data of people who have died or historical subjects is not covered by the acts.) EC Directive 2002/58 on privacy and electronic communications (the ‘E-privacy Directive’), which extends the Data Protection Directive, regulates issues such as the confidentiality of information, treatment of data, cookies and spam. EC Directive 2002/22 (the Universal Service Directive) dealt with universal service and users’ rights relating to electronic communications networks and services. They were amended by Directive 2009/136, which introduces changes to the law on cookies, so that users must consent in advance to their use. The legislation imposes serious legal responsibilities, breach of which is punishable by a fine of up to €100,000 and deletion of data collected through the website.

(However, in Digital Rights Ireland Ltd v The Minister for Communications, Marine and Natural Resources & ors [2017] IEHC 307, the High Court refused a trial of a preliminary issue or a reference to the CJEU of the “complex” issues which had not been “defined with sufficient precision”. “A trial of the issue as drafted would involve too many hypotheses to amount to a useful or appropriate procedure,” said Costello J.)

Controllers and processors

Irish law distinguishes between a ‘data controller’ and a ‘data processor’. According to Section 1(1) of the 1988 Data Protection Act, a ‘data controller’ is “a person who, either alone or with others, controls the contents and use of personal data”. A ‘data processor’ is “a person who processes personal data on behalf of a data controller” (but this does not include an employee of a data controller processing data as part of his employment). The data controller, normally the operator of the website, is responsible for processing the data, which can involve:

Fundamental rules

The data controller must ensure that staff are properly trained and follow eight fundamental rules. Information must be:

Privacy statement

A privacy statement is required whenever a site collects personal data (by users filling in forms or if the site uses cookies). The statement is a legal requirement under the 1988 and 2003 Data Protection Acts and the European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations (SI 336 of 2011). The statement sets out publicly and in detail how the website owner proposes to apply the eight principles to data processed through its website. Section 2(1)(a) of the Acts requires that data must be obtained and processed ‘fairly’ which suggests that users whose data is processed should be clear about:

Users must also be told that they have a right of access to their data and a right to correct it if it is wrong or out of date. The form in which the data must be provided to a data subject was clarified by the Court of Justice of the European Community.1

Contents of privacy statement

The statement should not just say that “processing of data on the site complies with the Data Protection Act”, but should explain how the site complies in practice with its obligations. The statement should:

The privacy statement should be accessible from the homepage, normally alongside items such as the website’s terms and conditions or security statement. However, if the site is also to be accessible through other pages, the privacy statement should be linked from those pages too. The privacy statement should be reviewed annually, but also if:


The privacy statement should say that the security responsibilities are taken seriously, the most up-to-date security systems are used, including staff training, and the measures are regularly reviewed. Users should have an acceptably secure username and password and should be advised that too simple a password (such as ‘password’) is not secure enough. Access should not be made available to private data without an appropriately strong username and password which includes at least eight alphanumeric characters in a mixture of capital and small letters and numbers.

If a website is hosted by a server, the operator of that server is also a data processor, but the data controller is ultimately responsible for any breach of the legislation. The data controller must have a written agreement with the data processor setting out:

Users’ right of access

The privacy statement should also refer to users’ right of access to their own data. Such a request should be in writing, by email or letter and a fee may be charged, though no fee may be demanded for correcting or removing data. A reply should be provided within 40 days. However, since July 2014, Section 4(13) of the Data Protection Acts has prohibited employers from requiring employees (or job applicants) to seek copies of personal data to be made available to the employer (or prospective employer).

Only accurate, complete and up-to-date data should be retained, and users should be able to update their details to ensure they are accurate. Any unnecessary data should be deleted. The EU Court of Justice ruled in May 20142 that internet search engine operators are responsible for the processing of personal data which appears on web pages published by third parties. The court found that, by searching “automatically, constantly and systematically” for information published on the internet, a search engine operator collected data within the meaning of the directive. The operator (Google Spain) also retrieved, recorded and organised that data, which it then stored on its servers and possibly disclosed and made available to searchers. Those operations constituted ‘processing’, even though they concerned material that had already been published in the media.

Any general derogation from the privacy directive would largely deprive it of its effect. So users are now entitled to ask search engines, such as Google, to remove query results which are inadequate, irrelevant (or no longer relevant) or excessive. According to a judgment by Mr Justice Hogan in June 2014,3 “what matters is the essential inviolability of the personal data itself”. That right would be compromised if the data subject believed that his data could be routinely accessed.

However, in July 2000, the European Commission found that US data protection law and practice sufficiently safeguarded the rights of European data subjects. Even though the data of Irish citizens might be accessed by the security authorities of a foreign country on a “mass and undifferentiated basis”, Irish law has been “effectively pre-empted by EU law and specifically by the provisions of the 1995 Directive and the 2000 Decision establishing the Safe Harbour [sic] regime”.

Ireland’s Data Protection Commissioner was obliged to comply with this decision but, in order to decide whether the interpretation of the 1995 Directive and the 2000 Commission decision should be re-evaluated in the light of Article 8 of the Charter of Human Rights, the judge referred the question to the Court of Justice for a ruling. The CJEU overturned the 15-year-old Safe Harbour agreement on 6 October 2015,4 stating that concerns had been expressed about the “transparency and enforcement” of the agreement. Following the Schrems judgment, the European Commission and the United States finalised a decision on the transatlantic transfer of data in February 2016. The EU-US Privacy Shield will create stronger links between the US Department of Commerce and EU data protection authorities and will impose strict rules for the handling of transatlantic data. (The Irish High Court referred the case to the CJEU for a preliminary ruling on the validity of the SCC decisions under Article 267 of TFEU.5)


Cookies, which are a small piece of text, may be downloaded in the form of persistent cookies (which have an expiry date at some time in the future) or session cookies, which exist only as long as a particular session is open. No information may be retrieved from users’ computers, phones or other equipment unless they have been told clearly why this is being done and have consented to the proposed storage or use of the information. The use of cookies is covered by Directive 2009/136 and Ireland’s 2011 regulation, so users should be asked to give prior consent to the use of cookies. This has become a matter of course, with users being informed that the website creator uses cookies and that continued use of the site implies acceptance of this practice. A cookie warning may not be given in the limited case of a ‘technical necessity’. Where possible, user consent may be assumed if appropriate browser settings are used. However, users may bring a legal action if they have been damaged by the way in which their data has been processed. Whether or not they have to show pecuniary loss depends on whether the Irish courts follow Irish or English precedents.


Websites must not use copyright data, images or other materials without prior written authorisation from the copyright-holders. Anyone who uploads materials should check that they have the right to do so. Copyright-free images, and images provided without charge under creative commons licences, are readily available. Internet service providers may be ordered to block customers’ access to a website which breaches copyright, subject to a fair balance between the fundamental rights of the user and the ISP.6

Bugs and hacking

Measures should also be taken to prevent the unauthorised collection of personal data by security bugs, phishing, spear or trojan phishing, pharming, hacking, baiting or cryptolocker attacks. These prospective dangers should be borne in mind when designing the back end of any website. Security software should be kept up to date. Even if the data controller outsources these tasks, the ultimate responsibility rests with the controller, not the processor or others.

Court decisions

According to the Appeal Court of England and Wales,7 it is not necessary to show economic loss to claim compensation (although see the 2013 Irish case of Collins v FBD8). And following the decision of the European Court on 14 April 2014,9 the State is no longer required to retain traffic metadata relating to internet access, email and internet telephony. The Court struck down the Data Retention Directive (2006/24/EC) as not laying down “clear and precise” rules for interfering with the fundamental rights of citizens under the Charter of Fundamental Rights of the European Union. The joined cases were referred to the CJEU by the Irish High Court and the Austrian Constitutional Court. This was only the second time that the Court had struck down a directive.

In a December 2016 decision10 (in a preliminary ruling requested by the Stockholm Administrative Court of Appeal, Sweden, and the England and Wales Court of Appeal), the Grand Chamber of the European Court of Justice ruled that the directive on protecting privacy in electronic communications was inconsistent with laws which required the retention of indiscriminate traffic data and subscribers’ location information in order to fight crime. National authorities could only access the data if the objective was solely to fight serious crime, subject to prior review by a court or an independent administrative authority and retaining the data in the European Union. Legislation has now been proposed by the European Commission to bring all rules for electronic communication providers – such as Facebook Messenger and WhatsApp – into line with the EU’s ePrivacy Directive, which applies only to telecoms operators. The proposed Regulation by the European Commission says specific protection should apply to the creation of personality profiles and the collection of personal data from children, including “interpersonal communication services or online selling of tickets”.

1Cases C-141/12 and C-372/12, YS v Minister voor Immigratie, Integratie en Asiel and Minister voor Immigratie, Integratie en Asiel v M and S
2Case C-131/12, Google Spain SL, Google Inc v Agencia Española de Protección de Datos, Mario Costeja González
3Schrems v Data Protection Commissioner [2014] IEHC 310
4Case C-362/14, Schrems v Data Protection Commissioner
5The Data Protection Commissioner v Facebook Ireland Ltd & anor [2017] IEHC 545
6Case C-314/12, UPC Telekabel Wien GmbH v Constantin Film Verleih GmbH and Wega Filmproduktionsgesellschaft mbH
7Google Inc v Judith Vidal-Hall and Others [2015] EWCA Civ 311
8Collins v FBD Insurance Plc [2013] IEHC 137
9Joined cases C-293/12 Digital Rights Ireland v Minister for Communications & Others and C-594/12 Seitlinger & Others
10Joined cases C-203/15 Tele2 Sverige AB v Post och telestyrelsen and C-698/15 Secretary of State for the Home Department v Tom Watson, Peter Brice and Geoffrey Lewis

The website of the Data Protection Commissioner (who dealt with 1,438 complaints in 2016, up from 1,015 in 2015) can be found here. The Data Protection Bill 2017 would replace the Commissioner with three commissioners, “if justified by an increased future workload”. The Bill, which implements the EU's General Data Protection Regulation, will also directly affect the processing of personal data in Ireland from 25 May 2018.

Search this site        

| Family law | Civil law | Legal terminology | Links |
| Barristers | FAQs | Curriculum vitae | Home page |
| Book | | e-mail me |

© Kieron Wood 1998-2017