European Court rules on access to subscriber information
Benedik v Slovenia, Application No. 62357/14
Court: European Court of Human Rights, Fourth Section
Judgment date : 24 April 2018
On 24 April 2018, the European Court of Human Rights (European Court) upheld a claim that the applicant’s right to privacy under article 8 of the European Convention on Human Rights (European Convention) had been violated. The case concerned the Slovenian police’s failure to obtain a court order to access subscriber information associated with a dynamic internet protocol (IP) address that had been recorded by the Swiss law-enforcement authorities. This led to the applicant being identified after he had shared files over the network, including child pornography.
In 2006, Swiss law enforcement authorities conducted a monitoring exercise of users of the so-called ‘Razorback’ network. The Swiss police established that some users owned and exchanged child pornography in the form of pictures or videos. Files containing illegal content were exchanged through the so-called ‘p2p’ (peer-to-peer) file-sharing network. One of the dynamic IP addresses recorded by the Swiss police was later linked to the applicant.
Based on the data obtained by the Swiss police, the Slovenian police – without obtaining a court order – requested a Slovenian internet service provider (ISP) to disclose data regarding the user to whom the abovementioned IP address had been assigned. The request was made in terms of section 149b(3) of the Slovenian Criminal Procedure Act (CPA), which required the operators of electronic communication networks to disclose to the police information on the owners or users of certain means of electronic communication whose details were not available in the relevant directory. In response, on 10 August 2006, the ISP gave the police the name and address of the applicant’s father, who was the subscriber to the ISP relating to the IP address.
On 14 December 2016, the Kranj District State Prosecutor’s Office obtained a court order demanding that the ISP disclose both the personal data of the subscriber and the traffic data linked to the IP address in question. Thereafter, a further court order was obtained for a search of the applicant’s family home to be conducted. During the search, the police and the investigating judge seized four computers. A review of the hard disks revealed that they contained files with pornographic material involving minors.
Before the investigating judge, the applicant argued that he had not been aware of the content of the files in question. The applicant argued further that the ISP had unlawfully, without a judicial warrant, passed his personal data to the police. Moreover, during his trial, the applicant lodged a written request for the exclusion of evidence obtained unlawfully, including the information concerning the user of the IP address obtained without a court order. The request was rejected on the basis that section 149b(3) did not require that a judicial warrant be obtained, and the applicant was ultimately found guilty of displaying, manufacturing, possessing and distributing pornographic material.
At the outset of its judgment on the merits, the European Court noted that an IP address is a unique number assigned to every device on a network that allows each other to communicate with other. Static IP addresses are permanently allocated to a particular network interface of a particular device, while dynamic IP addresses are assigned to a device by the ISP temporarily, typically each time the device connects to the internet. In the present case, the information on the dynamic IP address and the time it had been assigned were collected by the Swiss police, who forwarded the information to the Slovenian police to obtain the name and address of the subscriber from the ISP. In order to identify a subscriber to whom a particular dynamic IP address had been assigned at a particular time, the ISP must access stored data concerning particular telecommunication events.
The European Court considered whether individuals using the internet had a reasonable expectation that their otherwise public online activity would remain anonymous. It noted that where there has been a compilation of data on a particular individual, the processing, use or publication of that data in a manner or degree beyond that normally foreseeable raises private life considerations under article 8 of the European Convention. In this regard, article 8 of the European Convention provides for a form of informational self-determination.
The European Court held that the police request to the ISP and their use of the subscriber information leading to the applicant’s identification amounted to an interference with the right to privacy under article 8 of the European Convention. As to whether this was justifiable, and having reviewed the Slovenian domestic law, the European Court reached the conclusion that the applicant had a reasonable expectation that his identity with respect to his online activity would remain private, and that the Slovenian police should properly have been required to obtain a court order to be able to obtain that information. The European Court went on to hold that the domestic authorities’ reliance on section 149b(3) of the CPA was manifestly inappropriate, and that it offered no protection from arbitrary interference.
As noted by the European Court, at the time that this case arose, there were no regulations specifying the conditions for the retention of data obtained under section 149b(3) of the CPA and no safeguards against abuse by state officials in the procedure for access to and transfer of such data. There was further no independent supervision of the use of such police powers, despite the fact that those powers compelled the ISP to retrieve the stored connection data and enabled the police to associate a great deal of information concerning online activity with a particular individual without consent. Accordingly, the European Court upheld the claim that the applicant had suffered a violation of article 8 on the basis that the law on which the contested measure was taken lacked clarity and did not offer sufficient safeguards against arbitrary interference with the right to privacy.
The full judgment is accessible here.
Please note: The information contained in this note is for general guidance on matters of interest, and does not constitute legal advice. For any enquiries, please contact us at [email protected].