In a Chamber judgment from the European Court of Human
Rights, Benedik
v. Slovenia (application no. 62357/14), it has been held, by six votes to
one, that there had been a violation of Article 8 (right to respect for private
and family life) of the ECHR where the Slovenian police failed to obtain a
court order to access subscriber information associated with a dynamic IP
address recorded by the Swiss law-enforcement authorities during their
monitoring of users of a certain file-sharing network. This led to the
applicant being identified after he had shared files over the network,
including child pornography.
The Court found in particular that the legal provision used
by the police to obtain the subscriber information associated with the dynamic
IP address had not met the Convention standard of being ‘in accordance with the
law’. The provision had lacked clarity, offered virtually no protection from
arbitrary interference, had no safeguards against abuse and no independent
supervision of the police powers involved. It stated that a finding of a
violation of Mr Benedik’s rights under the Convention was sufficient just
satisfaction for any non-pecuniary damage.
Principal facts
Igor Benedik is a Slovenian national. In 2006 police in
Switzerland informed their counterparts in Slovenia about a dynamic IP address
that was being used in a peer-to-peer file-sharing network, which included the
sharing of child pornography pictures or videos. In August 2006 the Slovenian
police asked the local ISP for information about the user who had been assigned
that IP address, which the company handed over. The police used a provision of
the Slovenian Criminal Procedure Act which allowed them to request information
from an electronic communication provider about the user of a certain means of
electronic communication whose details were not available in the relevant
directory. The police did not obtain a court order. In December of the same
year the police got a court order to obtain information about that user’s
traffic data.
Although the IP address at first identified Mr Benedik’s
father as the subscriber to the Internet service in question, it transpired
that it was Mr Bendik who used the service himself and had downloaded files
with child pornography. He was formally placed under investigation in November
2007. He denied committing any offence and told investigators that he did not
know what was on the files. He was convicted in December 2008 of the offence of
the display, manufacture, possession or distribution of child pornography.
He made unsuccessful appeals to the Ljubljana Higher Court,
the Supreme Court and the Constitutional Court. He alleged throughout the
domestic proceedings that the evidence about his identity had been obtained
unlawfully because the authorities had not had a court order to obtain
subscriber information associated with the dynamic IP address in question. In
particular, the Constitutional Court found that such information was in
principle protected by constitutional data privacy safeguards but that Mr
Benedik had waived his right to protection by revealing his IP address and the
content of his communications on the file-sharing network.
Decision of the Court
Article 8
The Court first held that Mr Benedik’s interest in having
his identity with respect to his online activity protected fell within the
scope of the notion of ‘private life’ under the Convention. It went on to
assess in particular whether the police’s interference with his rights had been
‘in accordance with the law’. That meant that the measure had to have some basis
in domestic law; the law had to be accessible; the person affected had to be
able to foresee the consequences of his or her actions; and the provision had
to be compatible with the rule of law.
The Court found that the provision of the Criminal Procedure
Act used by the police to access subscriber information raised no questions as
to its accessibility, but it also had to be satisfied that there were
sufficient guarantees against abuse. The provision concerned a request for
information on the owner or user of a means of electronic communication,
however, it had no rules covering the link between a dynamic IP address and
subscriber information. In contrast, other legislation laid down rules on the
secrecy and confidentiality of electronic communication. For example, Article
37 of the Constitution required a court order for any interference with the
privacy of communication. It was not the Court’s task to say which piece of
legislation should have prevailed, but in examining the domestic judgments it
highlighted the constitutional finding on Mr Benedik: access to subscriber
information based on his IP address had in principle required a court order,
but the Constitutional Court had ultimately found that it had not been
necessary to get such an order in Mr Benedik’s case as he had effectively
waived his right to privacy by revealing his IP address and the contents of his
communication on the file-sharing network. However, the Court did not find that
decision to be reconcilable with the scope of the right to privacy under the
Convention.
In the Court’s view, the police should have got a court
order and nothing in the law had prevented them from seeking one. In fact, they
had obtained a court order subsequently to obtain similar information. In
addition, there were at the time no regulations on retaining the relevant data
and no safeguards against abuse by State officials in the procedure for
accessing and transferring them. No independent supervision of the use of the
police’s powers in relation to obtaining information from ISPs had existed at
the time, although the Court noted that Slovenia had subsequently passed
legislation to regulate such matters.
Overall, the Court found that the law used by the police to
obtain subscriber information relating to the dynamic IP address had lacked
clarity and had not offered sufficient safeguards against arbitrary
interference with his Article 8 rights. The interference with Mr Benedik’s
rights had therefore not been ‘in accordance with the law’” and had led to a
violation of the Convention.
Just satisfaction (Article 41)
The Court held that the finding of a violation was
sufficient just satisfaction for any non-pecuniary damage Mr Benedik might have
suffered. It awarded him 3,522 euros (EUR) in respect of costs and expenses for
both the domestic proceedings and those before the Court.
Separate opinions
Judge Yudkivska expressed a concurring opinion, which was
joined by Judge Bošnjak, while Judge Vehabovic expressed a dissenting opinion.
