ECHR ruling of April 24, 2018 in the case of Benedik v. Slovenia (application N 62357/14).
In 2014, the complainant was assisted in preparing a application. Subsequently, the application was communicated to Slovenia.
The case was successfully considered a complaint about police receiving, without a court decision, information related to the use of a dynamic Internet protocol address. The case has violated the requirements of Article 8 of the Convention for the Protection of Human Rights and Fundamental Freedoms.
THE CIRCUMSTANCES OF THE CASE
Based on information regarding the exchange of files containing child pornography, through a certain file sharing site, police officers, without a court decision, demanded that an Internet service provider (ISP) provide information about the user of the dynamic address of the Internet protocol to which this address was assigned at a certain time. The provider provided the name and address of the Internet user who entered the Internet at the appropriate IP address.
An IP address is a set of numbers assigned to computers on a computer network, including to provide access to Internet resources. When a client computer or smartphone is requested to the data of the Internet site, the client’s IP address is transmitted to the server serving the specified site. Internet providers provide Internet users with either “static” or “dynamic” IP addresses, that is, addresses that change each time a computer reconnects to the Internet. In contrast to static, dynamic IP addresses do not always allow to unequivocally establish (using the means available to a wide range of people) the correspondence between a specific computer and a physical point of connection to the Internet provided by the provider.
Subsequently, police officers received a court order, according to which the Internet provider was obliged to provide personal data and information about the information transmitted and received via the computer (traffic) by the user associated with the IP address under consideration. On this basis, a search was conducted in the house of the applicant's family, during which computers were seized, in which they found materials containing child pornography. The applicant was convicted of the crime of demonstrating, producing, storing and distributing pornographic materials.
The applicant unsuccessfully appealed in the domestic courts to the fact that the private nature of the correspondence and other means of communication could be violated only on the basis of a court order, therefore any information obtained unlawfully should have been excluded from the list of evidence. In this regard, the Constitutional Court of Slovenia indicated that the applicant, who did not hide his IP address, through which he connected to the Internet, deliberately provided this information for public use and, thus, refused to lawfully expect privacy. As a result, although the identity of the user’s IP address was protected by privacy law in accordance with the Slovenian Constitution, the applicant’s case did not need a court order to divulge this data.
QUESTIONS OF LAW
Regarding compliance with Article 8 of the Convention. (a) Admissibility. (i) The nature of the interests affected. Data relating to specific dynamic IP addresses provided at a particular time, in principle, related to personal data. In addition, these data were not publicly available, so they could not be compared with information from ordinary telephone registers or public license plate registration databases. In order to determine the user of a dynamic IP address at a specific time, the ISP had to evaluate the stored data related to certain telecommunication events. The use of these stored data may in itself raise questions about the violation of the right to respect for private life. In the present case, the sole purpose of obtaining information about a user of an IP address was to establish a specific person operating under a dynamic IP address. Information about such Internet activity included the privacy aspect at the moment when it was related to an identified person or a person who can be identified. Consequently, what could be perceived by a police request for secondary information, namely, the name and address of the Internet user, should have been viewed as a request inextricably linked with the specified user’s online activity, thus revealing personal data. A different conclusion would mean a denial of the necessary protection of information, which could report a lot on a person’s Internet activity, including confidential information about his or her interests, beliefs and personal life.
(ii) Whether the applicant’s identity was established as a result of the impugned measure. The applicant was the user of the Internet resource in question using his personal computer, who was at the applicant's home, and it was his Internet activity that the police were tracking. The fact that the applicant was not personally registered as a user of Internet services did not affect the applicant’s expectations regarding privacy, which were indirectly affected as soon as the user's data related to his use of the Internet in private were disclosed.
(iii) Could the applicant reasonably expect confidentiality to remain? Despite the publicly accessible nature of the file exchange system on the Internet, the applicant subjectively expected that his activities would remain undisclosed and that his identity would not be disclosed. The fact that he did not hide his dynamic IP address could not be decisive in assessing whether the applicant’s expectation of confidentiality of information was reasonable from an objective point of view. In such an assessment, an important factor to be taken into account was the anonymous aspect of maintaining confidentiality in online activities. In particular, it was not claimed that the applicant had ever revealed his identity in relation to the Internet activity being considered in the case or that his identity, for example, could be established using a file-sharing system through the connection address or contact details. Thus, the applicant’s activity on the Internet was associated with a high degree of anonymity, which is confirmed by the fact that the dynamic IP address used by the applicant, although visible to other Internet users, could not be traced to a specific computer without data confirmation from the Internet provider. police request. In addition, the Constitution of Slovenia guaranteed confidentiality of correspondence and negotiations and required that any interference with this right would be based on a court order. Therefore, it cannot be said that the applicant’s expectations of confidentiality regarding his online activities were unfounded or unreasonable.
(iv) Conclusion. The applicant's interest in protecting the confidentiality of his personal data in relation to his activities on the Internet was related to the concept of "private life". Accordingly, Article 8 of the Convention applies to the present case.
(b) Compliance with the requirements of the Convention. The police’s access to the Internet provider and their use of data about the Internet user, which led to the identification of the applicant, interfered with the rights of the applicant, guaranteed by Article 8 of the Convention. Police actions were partially based on domestic legislation. As the relevant rules were not consistent with respect to the applicant's interests in the field of privacy protection, the European Court referred to the interpretation of the Constitutional Court, according to which the disclosure of personal data of a person using means of communication and traffic data in principle required a court order. Regarding the position of the Constitutional Court concerning the fact that the applicant refused reasonable expectations of privacy, since he did not hide his IP address through which he went to the Internet, the European Court did not establish that this circumstance has any relationship with the limits of the right to respect for the particular life provided for by the convention. Thus, in the present case, a court order was necessary, and nothing prevented the police officers from obtaining it.
"Traffic data" means any data.
Consequently, the reference of the domestic authorities to the provisions of the Criminal Procedure Code relating to requesting information about the owner or user of certain electronic communications and not containing specific rules regarding the relationship between the dynamic IP address and personal data of the Internet user was clearly irrelevant. Moreover, this position did not provide almost any protection against arbitrary interference with the user's rights. During the period relating to the circumstances of the case, there appeared to be no norms specifying the conditions for preserving data obtained under the Criminal Procedure Code, and providing guarantees against abuses by public officials during the procedure for access to and storage of said data. In addition, it was not demonstrated that there was independent control over the use of such powers by police officers, despite the fact that these authorities obliged the Internet provider to find the stored data on establishing Internet connections and gave the police the ability to connect a large amount of information relating to the Internet. -activities with a specific person without his or her consent.
As a result, the law, on which the contested measure was based, and the method of its application by the domestic courts were not clear and did not provide sufficient guarantees against arbitrary interference with the applicant's rights. Thus, interference with the applicant’s right to respect for his private life was not “prescribed by law”.
In the case of a violation of the requirements of Article 8 of the Convention (it was adopted by six votes "for" with one - "against").
In application of Article 41 of the Convention. The European Court ruled that the finding of a violation of the Convention was in itself a fair enough compensation for any non-pecuniary damage.