By Argyro Chatzinikolaou, (Doctoral Researcher), Law & Technology research group, Ghent University
Recently, the Fourth Section of the Court held in its judgement in the case of Benedik v Slovenia that there had been a violation of Article 8 (right to respect for private and family life) with regard to the failure of the Slovenian police to obtain a court order before accessing subscriber information associated with a dynamic IP address. More precisely, according to the Court, the legal provision used by the Slovenian police in order to access subscriber information associated with a dynamic IP address without first obtaining a court order had not met the Convention standard of being ‘in accordance with the law’.
In 2006, the Swiss police informed the Slovenian law-enforcement authorities about a dynamic IP address that was being used in a peer-to-peer file-sharing network and was linked to the sharing of child sexual abused material. In August 2006, the Slovenian police, without first obtaining a court order, requested a Slovenian Internet Service Provider (ISP) to disclose data regarding the user to whom the above-mentioned IP address had been assigned at 1.28 p.m. on 20 February 2006. The police’s request was based on section 149b(3) of the Criminal Procedure Act, according to which the ‘operators of electronic communication networks were required to disclose to the police information on the owners or users of certain means of communication whose details were not available in the relevant directory’. Following this request, the ISP communicated to the police the name and address of the applicant’s father, who was a subscriber to the Internet service relating to the respective IP address.
In December 2006, the police obtained a court order demanding that the ISP disclosed both the personal data of the subscriber and the traffic data linked to the relevant IP address. After a search of the applicant’s family house was conducted, the police indicated the applicant – and not his father – as a suspect. The applicant, Mr Benedik, was formally placed under investigation. Despite denying having committed any offence and arguing that he had not been aware of the content of the files in question, the applicant was convicted of the offense of display, manufacture, possession or distribution of child sexual abuse material. After being convicted, Mr Benedik unsuccessfully appealed to the Ljubljana Higher Court, the Supreme Court and the Constitutional Court. The applicant alleged during the domestic proceedings, that the evidence about his identity had been obtained unlawfully, as the authorities had failed to obtain a court order before requesting subscriber information associated with the dynamic IP address in question from the ISP.
On 24 April 2018 the Fourth Section of the ECtHR delivered a judgement with regard to Mr Benedik’s case and by six votes to one found that there was a violation of Article 8.
Taking note of the extensive legislation and of the case-law concerning personal data protection and privacy of electronic communications within the European Union, the Court set out the scope of its assessment through a number of preliminary observations. Specifically, the question to be addressed, as defined by the Court, touched upon ‘whether the applicant, or any other individual using the Internet, had a reasonable expectation that his otherwise public online activity would remain anonymous’. Moreover, it was observed that the assessment ought to be carried out ‘independently from the legal or illegal character of the activity in question’, as well as ‘without any prejudice to the Convention’s requirement that protection of vulnerable individuals must be provided by the member States’.
The Court then moved on to assess the applicability of Article 8. After considering the context in which the information was sought, the Court first assessed whether the applicant had a reasonable expectation of privacy. In particular, it was clarified that ‘not hiding a dynamic IP address, assuming it is possible to do so, cannot be decisive in assessing whether there is a reasonable expectation of privacy in relation to a person’s identity’. It was confirmed that ‘the assigned dynamic address, even if visible to other users of the network, could not be traced to the specific computer without the ISP’s verification of data following a request from the police’, and the online activity of the applicant was in fact found to carry a high degree of anonymity. It was, thus, concluded that Mr Benedik’s interest in having his online activity protected fell within the scope of the notion of ‘private life’ under Article 8 of the Convention.
In a second stage, the Court went on to assess the measure’s compliance with Article 8, and more precisely, whether the police’s interference with the applicant’s rights had been ‘in accordance with the law’, meaning that the measure ought to have some basis in domestic law; the law ought to be accessible; the person affected had to be able to foresee the consequences of his or her actions; and the provision had to be compatible with the rule of law.
Even though the Court detected no issues with regard to the accessibility of the law, it stressed that there must exist ‘adequate safeguards and effective guarantees against abuse’. The provision upon which the law enforcement authorities had relied in order to request the relevant information without having obtained a court order, namely section 149b(3) of the CPA, was found to contain no rules covering the link between a dynamic IP address and subscriber information, even though other legislation laid down rules on the secrecy and confidentiality of electronic communications (namely, Article 37 of the Constitution, which required a court order for any interference with the privacy of communications).
In the Court’s view, the constitutional finding that in the case of Mr Benedik it had not been necessary for the police to obtain a court order, as the applicant had effectively waived his right to privacy by revealing his IP address and the contents of his communications on the file-sharing network, was not reconcilable with the scope of the right to privacy under the Convention; the law-enforcement authorities should and could have obtained a court order. Moreover, the Court detected at the time a lack of regulations on retaining relevant data, a lack of safeguards against abuse by State officials in the procedure of accessing and transferring them, and a lack of independent supervision of the use of the police’s powers with regard to obtaining information from ISPs.
According to the Court, the law based on which subscriber information was requested had lacked clarity and had not offered sufficient safeguards against arbitrary interference with Mr Benedik’s Article 8 rights. Consequently, the interference with the applicant’s rights had not been in accordance with the law and a violation of Article 8 of the Convention was found.
The judgement delivered by the Fourth Section of the Court offers an in-depth discussion on the relationship between dynamic IP addresses and the notion of privacy. In a well-structured and methodologically sound manner, the Court sets the scene with the provision of abundant legislation and relevant case-law and then moves on to assess the applicability of and compliance with Article 8 of the Convention.
Contrary to the case of Breyer v Germany of the Court of Justice of the European Union, the Court of Human Rights does not focus on delineating the notion of personal data with regard to dynamic IP addresses and on establishing the criteria based on which a dynamic IP address may qualify as personal data. In the case of Mr Benedik, the Court touches only briefly upon the qualification of subscriber information associated with a dynamic IP address as personal data, by referencing relevant case-law and considering the context in which the subscriber information was sought. The Court then, rather easily, comes to the conclusion that the present case concerned privacy issues capable of engaging the protection of Article 8. Even though Article 8 refers to the ‘private life’ of a person in a general fashion, the Court borrows the definition of personal data as referring to information relating either to identified or identifiable individuals (see Convention on Cybercrime, Convention 108, Directive 95/46/EC, Regulation 2016/679 and Directive 2016/680) and observes that such information may render the subscriber identifiable.
The focus of the assessment is in fact put on whether the applicant had a reasonable expectation of privacy in relation to his identity. The reference to the ‘reasonable expectation of privacy’ criterion provides important insights on the perception of online anonymity. The Court grasps the opportunity to clarify that the visibility of an assigned dynamic IP address to other users of the network does not enable the tracing to the specific computer without the ISP’s verification of data.
The relevant analysis on the reasonable expectation of privacy, however, was discussed with skepticism by Judges Yudkivska and Bošnjak. In their welcomed insightful concurring opinion, they criticise the approach to the reasonable expectation of privacy as being very cautious and appear surprised by the ‘apparent difficulty with which the Court reached the conclusion on the existence of interference’. The assessment of the Court with respect to both elements could indeed be perceived as being cautious. In a sense, though, one might say that the Court’s assessment constituted a careful and step-by-step comprehensive analysis of all relevant case data, doctrine and legislation.
All in all, the judgement of the Fourth Section could be welcomed as a positive blue-print establishing that relevant legal safeguards must be put in place when law enforcement authorities want to obtain identifiable information. The Court may not have succeeded in firmly establishing the value of metadata, however declaring that the Court missed the opportunity to take a clear stance on the issue of a reasonable expectation of privacy when it comes to traffic data (as phrased in the concurring opinion), may be an unfair and strong conclusion for commentators to make.
Instead, one could find that there still remains a considerable margin for substantially strengthening the protection of metadata. From this standpoint, the Court could then move in the direction of acknowledging and establishing, through case-law, how the aggregation of such data may ‘construct an outstandingly intrusive portrait of the person concerned’ and render the person identifiable, as pointed out by Judges Yudkivska and Bošnjak in their concurring opinion.
 According to the Court’s preliminary observations, ‘an IP address is a unique number assigned to every device on a network, which allows the devices to communicate with each other’. Unlike the static IP address, ‘a dynamic IP address is assigned to a device by the ISP temporarily, typically each time the device connects to the Internet, and therefore changes each time there is a new connection to the Internet’.
 Metadata could be explained as data that provides information about other data, and can take many forms, such as online surfing history shown by web engines, locations shown by map applications, or the collection of information that includes the file size or the time of creation of a document.