Human Rights Judgment on Accessing IP Address Information

According to the European Court of Human Rights, police accessing subscriber information associated with a dynamic IP address breached a suspect's human rights by failing to obtain a court order prior to access

In a Chamber judgment from the European Court of Human Rights, Benedik v. Slovenia (application no. 62357/14), it has been held, by six votes to one, that there had been a violation of Article 8 (right to respect for private and family life) of the ECHR where the Slovenian police failed to obtain a court order to access subscriber information associated with a dynamic IP address recorded by the Swiss law-enforcement authorities during their monitoring of users of a certain file-sharing network. This led to the applicant being identified after he had shared files over the network, including child pornography.

The Court found in particular that the legal provision used by the police to obtain the subscriber information associated with the dynamic IP address had not met the Convention standard of being ‘in accordance with the law’. The provision had lacked clarity, offered virtually no protection from arbitrary interference, had no safeguards against abuse and no independent supervision of the police powers involved. It stated that a finding of a violation of Mr Benedik’s rights under the Convention was sufficient just satisfaction for any non-pecuniary damage.

Principal facts

Igor Benedik is a Slovenian national. In 2006 police in Switzerland informed their counterparts in Slovenia about a dynamic IP address that was being used in a peer-to-peer file-sharing network, which included the sharing of child pornography pictures or videos. In August 2006 the Slovenian police asked the local ISP for information about the user who had been assigned that IP address, which the company handed over. The police used a provision of the Slovenian Criminal Procedure Act which allowed them to request information from an electronic communication provider about the user of a certain means of electronic communication whose details were not available in the relevant directory. The police did not obtain a court order. In December of the same year the police got a court order to obtain information about that user’s traffic data.

Although the IP address at first identified Mr Benedik’s father as the subscriber to the Internet service in question, it transpired that it was Mr Bendik who used the service himself and had downloaded files with child pornography. He was formally placed under investigation in November 2007. He denied committing any offence and told investigators that he did not know what was on the files. He was convicted in December 2008 of the offence of the display, manufacture, possession or distribution of child pornography.

He made unsuccessful appeals to the Ljubljana Higher Court, the Supreme Court and the Constitutional Court. He alleged throughout the domestic proceedings that the evidence about his identity had been obtained unlawfully because the authorities had not had a court order to obtain subscriber information associated with the dynamic IP address in question. In particular, the Constitutional Court found that such information was in principle protected by constitutional data privacy safeguards but that Mr Benedik had waived his right to protection by revealing his IP address and the content of his communications on the file-sharing network.

Decision of the Court

Article 8

The Court first held that Mr Benedik’s interest in having his identity with respect to his online activity protected fell within the scope of the notion of ‘private life’ under the Convention. It went on to assess in particular whether the police’s interference with his rights had been ‘in accordance with the law’. That meant that the measure had to have some basis in domestic law; the law had to be accessible; the person affected had to be able to foresee the consequences of his or her actions; and the provision had to be compatible with the rule of law.

The Court found that the provision of the Criminal Procedure Act used by the police to access subscriber information raised no questions as to its accessibility, but it also had to be satisfied that there were sufficient guarantees against abuse. The provision concerned a request for information on the owner or user of a means of electronic communication, however, it had no rules covering the link between a dynamic IP address and subscriber information. In contrast, other legislation laid down rules on the secrecy and confidentiality of electronic communication. For example, Article 37 of the Constitution required a court order for any interference with the privacy of communication. It was not the Court’s task to say which piece of legislation should have prevailed, but in examining the domestic judgments it highlighted the constitutional finding on Mr Benedik: access to subscriber information based on his IP address had in principle required a court order, but the Constitutional Court had ultimately found that it had not been necessary to get such an order in Mr Benedik’s case as he had effectively waived his right to privacy by revealing his IP address and the contents of his communication on the file-sharing network. However, the Court did not find that decision to be reconcilable with the scope of the right to privacy under the Convention.

In the Court’s view, the police should have got a court order and nothing in the law had prevented them from seeking one. In fact, they had obtained a court order subsequently to obtain similar information. In addition, there were at the time no regulations on retaining the relevant data and no safeguards against abuse by State officials in the procedure for accessing and transferring them. No independent supervision of the use of the police’s powers in relation to obtaining information from ISPs had existed at the time, although the Court noted that Slovenia had subsequently passed legislation to regulate such matters.

Overall, the Court found that the law used by the police to obtain subscriber information relating to the dynamic IP address had lacked clarity and had not offered sufficient safeguards against arbitrary interference with his Article 8 rights. The interference with Mr Benedik’s rights had therefore not been ‘in accordance with the law’” and had led to a violation of the Convention.

Just satisfaction (Article 41)

The Court held that the finding of a violation was sufficient just satisfaction for any non-pecuniary damage Mr Benedik might have suffered. It awarded him 3,522 euros (EUR) in respect of costs and expenses for both the domestic proceedings and those before the Court.

Separate opinions

Judge Yudkivska expressed a concurring opinion, which was joined by Judge Bošnjak, while Judge Vehabovic expressed a dissenting opinion.

Published: 2018-04-24T15:00:00


      This site uses cookies. By using the site you agree to our use of cookies as set out in our Privacy Policy.

      Please wait...