The Irish requirement for what its Commissioner calls a web site "privacy statement" derives from the same section of the European Directive on data protection and, in the UK, this requirement is generally referred to as a "data protection notice". The Irish statement and UK notice serve much the same purpose: to give certain information to a user that will make any processing of his data fair.
The minimum information requirements for web sites in the UK and Ireland are similar, according to a comparison of the guidance from the Irish Commissioner and various guidance from his UK counterpart, Richard Thomas. The biggest difference is in the guidance from the respective Commissioners on the positioning of the privacy statement.
Ireland's Commissioner appears to accept a link to the privacy statement, provided that link is visible on every page of a site without any need to scroll down a page to find the link. So having a "Privacy" link on the top or side navigation of a web page appears to be sufficient.
In contrast, guidance from the UK Commissioner, published in 2001, says that a link to a privacy statement is not enough: certain information should be displayed on the page where personal data is taken. The UK guidance states:
"Although a privacy statement is important, it is not sufficient to provide the above information simply in the form 'click here to view our privacy statement'. At least the basic messages and choices should be displayed in an intelligible and prominent form wherever personal data are collected, even where a more detailed explanation is provided elsewhere by means of a privacy statement. Clearly, any basic messages or information given about choices should correspond with the contents of any privacy statement."
In fact, the wording of the Irish Guidelines could be interpreted as going much further than the UK. "As a minimum," it states, "a Privacy Statement should be placed in the upper half of the entry page to a website."
This may suggest that the Statement itself should appear on the homepage – which would be a designer's nightmare, given the unavoidable length of the legal notice. OUT-LAW contacted Ireland's Information Commissioner for clarification.
Ann McCabe of the Commissioner's office reassured us that this was not the intent. Acknowledging the ambiguity, she said her Office only expects a clearly visible link to the Privacy Statement – not the Statement itself. She pointed to the example of her Office's own homepage, at www.dataprotection.ie, where a link to the site's Statement is positioned at the top left of the screen.
The seven-page Guidelines set out the minimum information that should be included in a Privacy Statement in addition to guidance on dealing with cookies and web beacons.
Ireland's Commissioner also warns that any breaches of the rules may result in an investigation and enforcement action by the Data Protection Commissioner. Failure to comply with an enforcement notice may result in prosecution – with a maximum penalty of €100,000. Marketing databases compiled from data collected via the web site may also be deleted.
The Guidelines are not the law; that is found in Ireland's Data Protection Acts of 1988 and 2003, and its European Communities (Electronic Communications Networks and Services)(Data Protection and Privacy) Regulations of 2003. But the Guidelines do present the Commissioner's view on how to comply with the law. That said, while data protection law can specify what should be in the relevant Privacy Statement, it is the general contract law of the relevant country that says how that notice should be incorporated on a web site.