Legal and security concerns for website developers

The processing of personal data in Ireland is controlled by the Data Protection Act 2018, which applies to all data controllers. (This transposed the EU’s Law Enforcement Directive 2016/680 and the 2011 e-Privacy Regulations (SI no 336 of 2011) into Irish law.) Data includes any information processed manually or automatically by a computer, while personal data relates to an identifiable living individual. (The data of people who have died, or of historical subjects, is not covered by the Act.) The European General Data Protection Regulation (GDPR) replaces the existing data protection framework under the EU Data Protection Directive and is directly applicable. It sets out six key principles:

GDPR imposes serious legal responsibilities on all companies, wherever they are based in the EU, breach of which is punishable by a fine and deletion of data collected through the website. (However, in Digital Rights Ireland Ltd v The Minister for Communications, Marine and Natural Resources & ors,1 the High Court refused a trial of a preliminary issue or a reference to the CJEU of the “complex” issues which had not been defined “with sufficient precision”. “A trial of the issue as drafted would involve too many hypotheses to amount to a useful or appropriate procedure,” said Costello J.)

Controllers and processors

Irish law distinguishes between a ‘data controller’ and a ‘data processor’. According to s 1(1) of the 1988 Data Protection Act, a ‘data controller’ is “a person who, either alone or with others, controls the contents and use of personal data”. A ‘data processor’ is “a person who processes personal data on behalf of a data controller” (but this does not include an employee of a data controller processing data as part of his employment). The data controller, normally the operator of the website, is responsible for processing the data, which can involve:

Fundamental rules

The data controller must ensure that staff are properly trained and follow eight fundamental rules. Information must be:

Privacy statement

A privacy statement is required whenever a site collects personal data (by users filling in forms, or if the site uses cookies). The statement sets out publicly and in detail how the website owner proposes to apply the eight principles to data processed through its website. Data must be obtained and processed ‘fairly’, which suggests that users whose data is processed should be clear about:

Users must also be told that they have a right of access to their data and a right to correct it if it is wrong or out of date. The form in which the data must be provided to a data subject was clarified by the Court of Justice of the European Community.2

Contents of privacy statement

The statement should explain how the site complies in practice with its obligations and should:

The privacy statement should be accessible from the homepage, normally alongside items such as the website’s terms and conditions or security statement. However, if the site is also to be accessible through other pages, the privacy statement should be linked from those pages too. The privacy statement should be reviewed annually, but also if:

Security

The privacy statement should say that the security responsibilities are taken seriously, the most up-to-date security systems are used, including staff training, and the measures are regularly reviewed. Users should have an acceptably secure username and password and should be advised that too simple a password (such as ‘password’) is not secure enough. Access should not be made available to private data without an appropriately strong username and password which includes at least eight alphanumeric characters in a mixture of capital and small letters and numbers.

If a website is hosted by a server, the operator of that server is also a data processor, but the data controller is ultimately responsible for any breach of the legislation. The data controller must have a written agreement with the data processor setting out:

Users’ right of access

The privacy statement should also refer to users’ right of access to their own data. Such a request should be in writing, by email or letter, and a fee may be charged, though no fee may be demanded for correcting or removing data. A reply should be provided within 40 days. However, employers are prohibited from requiring employees (or job applicants) to seek copies of personal data to be made available to the employer (or prospective employer).

Only accurate, complete and up-to-date data should be retained, and users should be able to update their details to ensure they are accurate. Any unnecessary data should be deleted. The EU Court of Justice ruled in May 2014,3 that internet search engine operators are responsible for the processing of personal data which appears on web pages published by third parties. The court found that, by searching “automatically, constantly and systematically” for information published on the internet, a search engine operator collected data within the meaning of the directive. The operator (Google Spain) also retrieved, recorded and organised that data, which it then stored on its servers and possibly disclosed and made available to searchers. Those operations constituted ‘processing’, even though they concerned material that had already been published in the media.

Any general derogation from the privacy directive would largely deprive it of its effect. So users are now entitled to ask search engines, such as Google, to remove query results which are inadequate, irrelevant (or no longer relevant) or excessive. According to a judgment by Mr Justice Hogan in June 2014,4 “what matters is the essential inviolability of the personal data itself”. That right would be compromised if the data subject believed that his data could be routinely accessed.

However, in July 2000, the European Commission found that US data protection law and practice sufficiently safeguarded the rights of European data subjects. Even though the data of Irish citizens might be accessed by the security authorities of a foreign country on a “mass and undifferentiated basis”, Irish law has been “effectively pre-empted by EU law and specifically by the provisions of the 1995 Directive and the 2000 Decision establishing the Safe Harbour [sic] regime”.

Ireland’s Data Protection Commissioner was obliged to comply with this decision but, in order to decide whether the interpretation of the 1995 Directive and the 2000 Commission decision should be re-evaluated in the light of Article 8 of the Charter of Human Rights, the judge referred the question to the Court of Justice for a ruling. The CJEU overturned the 15-year-old Safe Harbour agreement in October 2015,5 stating that concerns had been expressed about the “transparency and enforcement” of the agreement. Following the Schrems judgment, the European Commission and the United States finalised a decision on the transatlantic transfer of data in February 2016. The EU-US Privacy Shield will create stronger links between the US Department of Commerce and EU data protection authorities and will impose strict rules for the handling of transatlantic data. (The Irish High Court referred the case to the CJEU for a preliminary ruling on the validity of the SCC decisions under Article 267 of TFEU.6 The Supreme Court was to rule on 21 January 2019 whether to halt the referral. Sonia Murphy in the Supreme Court office said: “The Judgment in the above case is reserved. At this time a date for delivery of the Judgment has not been set.” The 11 questions included whether the High Court correctly found that there was “mass indiscriminate processing” of data by US government agencies.)

Cookies

Cookies, which are small pieces of text, may be downloaded in the form of persistent cookies (which have an expiry date at some time in the future) or session cookies, which exist only as long as a particular session is open. No information may be retrieved from users’ computers, phones or other equipment unless they have been told clearly why this is being done and have consented to the proposed storage or use of the information. The use of cookies is covered by the Data Protection Act 2018, and users should be asked to give prior consent to the use of cookies. This has become a matter of course, with users being informed that the website creator uses cookies and that continued use of the site implies acceptance of this practice. A cookie warning need not be given in the limited case of a ‘technical necessity’. Where possible, user consent may be assumed if appropriate browser settings are used. However, users may bring a legal action if they have been damaged by the way in which their data has been processed. Whether or not they have to show pecuniary loss depends on whether the Irish courts follow Irish or English precedents.
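As an added illustration (not code from the original article), the following Python function applies the rules just described on the server side: non-essential cookies are emitted only after prior consent, strictly necessary cookies are allowed without it, and a cookie becomes persistent only when an explicit lifetime is given. The cookie names and the list of strictly necessary cookies are constructed for the example.

```python
from http.cookies import SimpleCookie

# Cookies the site cannot function without (the 'technical necessity' case).
# Constructed for this example; a real site would list its own essential cookies.
STRICTLY_NECESSARY = {"sessionid", "csrftoken"}


def set_cookie_headers(wanted, consent_given):
    """Return the Set-Cookie header values the server may legitimately emit.

    wanted: dict of cookie name -> (value, max_age_seconds). A max_age of None
    produces a session cookie (discarded when the browser session ends); an
    integer produces a persistent cookie with an expiry in the future.
    consent_given: True once the user has given prior, informed consent to
    non-essential cookies.
    """
    headers = []
    for name, (value, max_age) in wanted.items():
        if name not in STRICTLY_NECESSARY and not consent_given:
            # No consent yet: store nothing that is not technically necessary.
            continue
        cookie = SimpleCookie()
        cookie[name] = value
        morsel = cookie[name]
        morsel["path"] = "/"
        morsel["secure"] = True      # only sent over HTTPS
        morsel["httponly"] = True    # not readable from page scripts
        morsel["samesite"] = "Lax"   # not sent on cross-site POSTs
        if max_age is not None:
            morsel["max-age"] = max_age  # persistent cookie
        headers.append(morsel.OutputString())
    return headers


def is_persistent(header_value):
    """True if a Set-Cookie value carries an expiry (Max-Age or Expires)."""
    lowered = header_value.lower()
    return "max-age=" in lowered or "expires=" in lowered


if __name__ == "__main__":
    requested = {"sessionid": ("s3ss10n", None), "analytics": ("a1b2", 30 * 86400)}
    print("before consent:", set_cookie_headers(requested, consent_given=False))
    print("after consent: ", set_cookie_headers(requested, consent_given=True))
```

Without consent only the session cookie is set; with consent the analytics cookie is added as a 30-day persistent cookie.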

Copyright

Websites must not use copyright data, images or other materials without prior written authorisation from the copyright-holders. Anyone who uploads materials should check that they have the right to do so. Copyright-free images, and images provided without charge under creative commons licences, are readily available. Internet service providers may be ordered to block customers’ access to a website which breaches copyright, subject to a fair balance between the fundamental rights of the user and the Internet Service Provider (ISP).7

Bugs and hacking

Measures should also be taken to prevent the unauthorised collection of personal data by security bugs, phishing, spear or trojan phishing, pharming, hacking, baiting or cryptolocker attacks. These prospective dangers should be borne in mind when designing the back end of any website. Security software should be kept up to date. Even if the data controller outsources these tasks, the ultimate responsibility rests with the controller, not the processor or others.

Court decisions

According to the Appeal Court of England and Wales,8 it is not necessary to show economic loss to claim compensation (although see the 2013 Irish case of Collins v FBD).9 And following the decision of the European Court on 14 April 2014,10 the State is no longer required to retain traffic metadata relating to internet access, email and internet telephony. The Court struck down the Data Retention Directive (2006/24/EC) as not laying down “clear and precise” rules for interfering with the fundamental rights of citizens under the Charter of Fundamental Rights of the European Union. The joined cases were referred to the CJEU by the Irish High Court and the Austrian Constitutional Court. This was only the second time that the Court had struck down a directive.

In a December 2016 decision11 (in a preliminary ruling requested by the Stockholm Administrative Court of Appeal, Sweden, and the England and Wales Court of Appeal), the Grand Chamber of the European Court of Justice ruled that the directive on protecting privacy in electronic communications was inconsistent with laws which required the retention of indiscriminate traffic data and subscribers’ location information in order to fight crime. National authorities could only access the data if the objective was solely to fight serious crime, subject to prior review by a court or an independent administrative authority, and provided the data was retained within the European Union. Legislation has now been proposed by the European Commission to bring all rules for electronic communication providers – such as Facebook Messenger and WhatsApp – into line with the EU’s ePrivacy Directive, which currently applies only to telecoms operators. The Regulation by the European Commission (due to be enacted in 2019) says specific protection should apply to the creation of personality profiles and the collection of personal data from children, including “interpersonal communication services or online selling of tickets”. In the meantime, O’Connor J ruled12 that parts of the Communications (Retention of Data) Act 2011 were inconsistent with EU law. The State is to ask the Supreme Court to hear a ‘leapfrog appeal’ against the ruling.

1 [2017] IEHC 307
2 Cases C-141/12 and C-372/12, YS v Minister voor Immigratie, Integratie en Asiel and Minister voor Immigratie, Integratie en Asiel v M and S
3 Case C-131/12, Google Spain SL, Google Inc v Agencia Española de Protección de Datos, Mario Costeja González
4 Schrems v Data Protection Commissioner [2014] IEHC 310
5 Case C-362/14, Schrems v Data Protection Commissioner
6 The Data Protection Commissioner v Facebook Ireland Ltd & anor [2017] IEHC 545
7 Case C-314/12, UPC Telekabel Wien GmbH v Constantin Film Verleih GmbH and Wega Filmproduktionsgesellschaft mbH
8 Google Inc v Judith Vidal-Hall and Others [2015] EWCA Civ 311
9 [2013] IEHC 137
10 C-293/12 Digital Rights Ireland v Minister for Communications & Others and C-594/12 Seitlinger & Others
11 C-203/15 Tele2 Sverige AB v Post och telestyrelsen and C-698/15 Secretary of State for the Home Department v Tom Watson, Peter Brice and Geoffrey Lewis
12 Dwyer v Garda Commissioner, Minister for Communications, Energy and Natural Resources & Ors [2018] IEHC 685

The website of the Data Protection Commissioner (who dealt with 2,642 complaints in 2017, almost double the 1,479 complaints received in 2016) can be found here.
The Data Protection Act 2018, which implements the GDPR, directly affects the processing of personal data in Ireland.

© Kieron Wood 1998–2019