FIFTH SECTION

DECISION

Application no. 2309/10 Marie RINGLER against Austria

The European Court of Human Rights (Fifth Section), sitting on 12 May 2020 as a Committee composed of:

Mārtiņš Mits, President, Gabriele Kucsko-Stadlmayer, Anja Seibert-Fohr, judges,

and Victor Soloveytchik, Deputy Section Registrar,

Having regard to the above application lodged on 12 January 2010,

Having regard to the observations submitted by the respondent Government and the observations in reply submitted by the applicant,

Having regard to the comments submitted by Privacy International, which had been given leave to intervene in the written procedure (Article 36 § 2 of the Convention and Rule 44 § 3 of the Rules of Court),

Having deliberated, decides as follows:

THE FACTS

1. The applicant, Ms Marie Ringler, is an Austrian national who was born in 1975 and lives in Vienna. She was represented before the Court by Ms M. Windhager, a lawyer practising in Vienna.

2. The Austrian Government (“the Government”) were represented by their Agent, Ambassador H. Tichy, Head of the International Law Department at the Federal Ministry for Europe, Integration and Foreign Affairs.

3. The facts of the case, as submitted by the parties, may be summarised as follows.

4. On 1 January 2008 Federal Law no. 114/2007 containing an amendment to the Security Police Act ( Sicherheitspolizeigesetz; hereinafter: “SPA”) entered into force. Among other measures, its section 53(3a) and (3b) extended the powers of the police authorities to request personal data of telephone/mobile phone and internet users from telecommunications providers (see paragraphs 20-21 below).

5. The applicant was a member of the Vienna Regional Parliament and lodged a complaint under Article 140 of the Federal Constitution ( Bundesverfassungsgesetz ) with the Constitutional Court requesting it to review the constitutionality of section 53(3a) and (3b) of the SPA.

6 . She did not allege that any of these measures had in fact been ordered or implemented against her, nor that she had been affected by measures directed against other persons. However, she contended that she hosted a website and was as such considered a provider of telecommunications services and might therefore be required to give information under 53(3a) of the SPA. Moreover, as an internet and mobile phone user, she might be subjected to measures under section 53(3a) and (3b) at any point in time and without having any effective remedy at her disposal.

7. On 1 July 2009 the Constitutional Court rejected the applicant’s complaint as inadmissible. It noted that only persons with whose rights a law interfered directly, without being applied through a decision of a court or an administrative authority, had the right to lodge a complaint under Article 140 of the Federal Constitution.

8 . In so far as the applicant alleged that she was required to give certain information as a telecommunications provider, the Constitutional Court held that, although section 53(3a) of the SPA did not contain any new obligations to retain data, it contained an obligation to provide certain types of information. It accepted that in so far as section 53(3a) obliged the applicant, as a provider of telecommunications services, to give information, it interfered with her rights. However, if such information were actually requested she had a remedy, namely a complaint to the Independent Administrative Panel under section 88 of the SPA at her disposal. She was therefore not directly affected.

9. In so far as she had asserted that she was a mobile phone and internet user and was therefore likely to be affected by section 53(3a) and (3b) of the SPA, the Constitutional Court referred to its decision of 1 July 2009 (G 147,148/08-14) in a similar case.

10. In that case also, the applicants had not alleged that the police authorities had requested any information about them or taken any measures against them under the contested provisions. They had merely asserted that they were likely to be affected by these provisions as they were mobile phone and internet users and exercised certain professions. In the Constitutional Court’s view this was not sufficient to show that they were directly affected by the said provisions.

11. Referring to the case-law of the European Court of Human Rights ( Klass and Others v. Germany , 6 September 1978, Series A no. 28, and Weber and Saravia v. Germany (dec.), no. 54934/00, ECHR 2006 ‑ XI), the Constitutional Court observed that section 53(3a) and (3b) of the SPA did not regulate secret surveillance of communications but merely empowered the police authorities to obtain specific information about telephone or internet users from providers of telecommunications services. Since the circumstances at issue were therefore distinct from those in the Court’s case-law, the applicants’ complaint in respect of these provisions was inadmissible on that ground alone.

(a) The Security Police Act (“SPA”)

(i) General tasks of the police authorities

15. In the context of the task of maintaining public security, the police authorities have, inter alia, to assess and avert dangers emanating from criminal organisations or from intentional criminal offences (section 21(1) read in conjunction with section 16). Further tasks include the protection of the constitutional institutions of the Republic, the protection of representatives of foreign states or international organisations, the protection of vulnerable persons, in particular of persons who may give information about criminal organisations or about the commission of criminal offences (section 22). A further task is the search for wanted or helpless persons (section 24).

16. Introduced by a later amendment to the SPA, the police authorities also have the task of protecting facilities for providing basic public utilities such as energy, communications, water and so on (section 22).

(ii) Police authorities

18. After reorganisation measures in 2012, the police authorities are now the Federal Minister for the Interior, the Regional Police Authorities ( Landespolizeidirektionen ) and the subordinated District Administrative Authorities.

(b) Powers to request data from telecommunications providers

19. Sections 51 to 54 of the SPA regulate the police authorities’ powers to collect, process and transmit personal data ( personenbezogene Daten ). Section 53(3a) and (3b) which entered into force on 1 January 2008 regulate specifically the power to request personal data of telephone/mobile phone and internet users from telecommunications providers.

20 . Section 53(3a) allows the police authorities to request the providers to disclose the name, address and number of a specific telephone line, to disclose the IP-address relating to a specific message and the time of its transmission and to disclose the name and address of the user to whom an IP-address was attributed at a specific point in time.

21 . Section 53(3b) allows the police authorities to request from telecommunications providers the location data and the international mobile phone user code (IMSI) of the mobile phone or other terminal carried by that person and to use technical devices to locate it.

22. The law, as in force at the time of the Constitutional Court’s decision of 1 July 2009, required for requests under section 53(3a) specific facts that gave reason to believe that there was a situation of danger and that the data was required for the fulfilment of the police authorities’ tasks. For requests under Section 53(3b) specific facts were required that gave reason to believe that there was an immediate danger for the life or health of a person.

23. Further amendments to section 53 were introduced on 1 April 2012, on 1 July 2014, on 1 July 2016 and on 25 May 2018: inter alia, requests under section 53(3a) to disclose the name, address and number of a specific telephone line no longer require a situation of danger; for requests under section 53(3a) concerning IP-addresses, the prerequisites of having a ‘situation of danger’ and ‘required for the fulfilment of their tasks’ were replaced by the wording “to avert a situation of danger for the life, health and liberty of a person in the context of the general obligation to provide assistance ( erste allgemeine Hilfeleistungspflicht ); to avert an intentional criminal offence ( gefährlicher Angriff ) or to avert a criminal association ( kriminelle Vereinigung )”; requests under section 53(3b) are additionally possible if there is an immediate danger for the liberty of a person and it is allowed to locate the mobile phone or terminal also of the companion of the person who is in danger, and the person posing a threat.

(c) Legal Protection

(i) General principles for the protection of personal data

24. Both, the SPA and the Data Protection Act 2000, which was replaced by the new Data Protection Act on 25 May 2018, contain safeguard and remedy provisions. While the Data Protection Act 2000 implemented the EU Data Protection Directive 95/46/EC, the new Data Protection Act 2018 followed the new General Data Protection Regulation (EU) 2016/679. In the context of the security police, it also implemented the Directive (EU) 2016/680 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data. The provisions of the Data Protection Act apply unless explicitly provided otherwise (section 51(2) of the SPA).

25. The police authorities are responsible for the lawfulness of requests for personal data under section 53 (3a) and (3b) of the SPA. They may only use personal data in so far as is necessary for the fulfilment of their tasks and have to respect the general principle of proportionality (sections 29 and 52 of the SPA).

(ii) Legal Protection Commissioner

26 . The Legal Protection Commissioner ( Rechtsschutzbeauftragter ) was created by an amendment to the Federal Constitution in 1997 as an independent organ for the protection of human rights in the security police. He is not bound by any instructions (section 91a of the SPA).

27. The police authorities must generally give the Legal Protection Commissioner access to their documents and recordings and provide him with any information necessary for the fulfilment of his tasks (section 91d of the SPA).

28 . The Legal Protection Commissioner supervises, inter alia , the police authorities’ implementation of data requests and their compliance with the rules on correction and deletion of data (section 91d of the SPA).

(iii) Data Protection Authority (former: Data Protection Commission)

29. The former Data Protection Commission consisted of six members who had legal experience in data protection. They were appointed for a term of five years by the Federal President of the Republic of Austria on the basis of a proposal by the Federal Government and were independent in the performance of their duties (section 36 of the Data Protection Act 2000).

30. An amendment to the Data Protection Act 2014 replaced the Data Protection Commission with the Data Protection Authority, which is also independent in the performance of its duties. The head of the Data Protection Authority and the deputy are appointed for a term of five years by the Federal President of the Republic of Austria on the basis of a proposal by the Federal Government. Re ‑ appointment is permitted. They must, inter alia, have specific knowledge of data protection law and at least five years’ experience in the legal profession (section 20 of the Data Protection Act).

31. Like section 40 (4) of the Data Protection Act 2000, its main task is to ensure compliance with the rules for data protection and to rectify infringements of these rules (sections 31 to 34 of the Data Protection Act; see also Article 28 of the EU Data Protection Directive 95/46/EC and Article 51 of the General Data Protection Regulation (EU) 2016/679).

(iv) Notification

32. The SPA and the Data Protection Act 2000/new Data Protection Act contain rules on notification.

33 . Pursuant to section 24 of the Data Protection Act 2000, as in force on 1 July 2009, anyone who requested the processing of personal data, including the police authorities, had the duty to provide information for the data subject ( Betroffener ). The new Data Protection Act introduced, in particular, the duty for the police authorities to notify the data subject additionally on data protection rights and remedies (section 43 of the Data Protection Act).

34 . However, like section 24 of the Data Protection Act 2000, section 43 of the new Data Protection Act does not require a notification if data is obtained by transmission from another entity and the processing is provided for by law. Notifications may also be delayed, restricted or omitted to the extent necessary, and as long as it proves necessary and proportionate, to avoid prejudicing the prevention and combating of crime; to protect public and national security; to protect the institutions of the Republic; to protect the military facilities and to protect the rights and freedoms of others.

35 . Pursuant to section 91c of the SPA, the police authorities must notify the Legal Protection Commissioner, inter alia , on requests made under section 53(3a) of the SPA, which concerned IP-addresses (see paragraph 20 above) and about requests made under section 53(3b) of the SPA (see paragraph 21 above).

36 . If the Legal Protection Commissioner perceives that a right of a data subject, who has no knowledge of the data collection, has been violated by the use of personal data, he must notify him or her. If a notification is not possible pursuant to the exceptions of the Data Protection Act (see paragraph 34 above), he must lodge a complaint with the Data Protection Authority (section 91d of the SPA). The obligation was introduced on 1 April 2012 by an amendment to the SPA and replaced the initial wording that the Legal Protection Commissioner was ‘entitled’ to notify and lodge a complaint.

37 . On 1 April 2012 an obligation was also introduced for the police authorities to notify the data subject if retained data ( Vorratsdaten ) were required to answer a request under section 53(3a) and (3b) of the SPA (section 53(3c) of the SPA).

(v) Information rights

38 . Pursuant to section 26 of the Data Protection Act 2000, as in force on 1 July 2009, everyone had the right to obtain information (nature of the data, its source, transmission to third persons, the purpose and legal basis of the processing) from anyone who requested the processing of personal data, including the police authorities. The new Data Protection Act introduced, in particular, a duty for the police authorities to inform the data subject also on the period of retention, on the rights for rectification, restrictions or deletion and on the data protection rights and remedies (section 44 of the Data Protection Act).

39 . However, like section 26 of the Data Protection Act 2000, section 44 of the new Data Protection Act restricts the information rights by referring to section 43 of the Data Protection Act (see paragraph 34 above). In the event of such restrictions, the authorities have to inform the data subject about the restriction and to provide him or her with the reasons for it. If no data exists or if the disclosure of the restriction would jeopardise the measure, the police authorities can respond with a standard reply (“ no data, which is subject to the duty of disclosure and concerning the person requesting the information, is used” [“Keine der Auskunftspflicht unterliegenden Daten über den Auskunftswerber werden verwendet”] ). The reasons for the restrictions must be documented and made available to the Data Protection Authority.

(vi) Rectification, restriction or deletion

40 . Like section 27 of the Data Protection Act 2000, the new Data Protection Act contains rules on rectification, restriction or deletion of data which is no longer needed or was unlawfully processed (section 45 of the Data Protection Act and section 63 of the SPA).

(vii) Remedies

41 . Like sections 30 and 31 of the Data Protection Act 2000, the new Data Protection Act gives everyone who considers that the processing of personal data has infringed his data protection rights the right to lodge a complaint with the Data Protection Authority (sections 32(1 no. 4), 34(5) and 24 of the Data Protection Act).

42 . The right to complain applies also to restrictions on notifications (see paragraph 34 above) and to applicants who did not receive the requested information (see paragraph 39 above) or whose request for rectification, restriction or deletion was refused (sections 32(1) and 42(8) of the Data Protection Act).

43 . If a data subject has no knowledge of a violation of his rights, the Legal Protection Commissioner is obliged to lodge such a complaint (see paragraph 36 above).

44 . Pursuant to section 40 (2) of the Data Protection Act 2000 a data subject had a right to appeal against a decision of the Data Protection Commission to the Administrative Court ( Verwaltungsgerichtshof ). The new Data Protection Act contains the right to complain to the Federal Administrative Court ( Bundesverwaltungsgericht ) against a decision of the Data Protection Authority or its failure to act in time (sections 34 (5), 27 and 42 (9) of the Data Protection Act).

45. Under Article 140 § 1 of the Austrian Federal Constitution, every person can challenge the constitutionality of a law if he/she alleges that the law has infringed his/her rights and become immediately effective for him/her without a court´s or administrative authority´s decision. In its well ‑ established case-law, the Constitutional Court requires “direct interference” by the contested law with the person´s rights and the unavailability of remedies against its application.

COMPLAINTS

46. The applicant complained under Article 8 of the Convention that the powers provided to the police authorities under section 53(3a) and (3b) of the Security Police Act (“SPA”) entailed by their very existence an interference with her right to respect for her private life.

47. The applicant further complained under Article 13 of the Convention that she did not have any effective remedy in respect of the alleged violation of Article 8 of the Convention.

THE LAW

48. The applicant relied on Article 8 of the Convention, which reads as follows:

“1. Everyone has the right to respect for his private and family life, his home and his correspondence.

2. There shall be no interference by a public authority with the exercise of this right, except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.”

(a) The Government

49. The Government were of the view that the applicant had no right to challenge the impugned legislation in abstracto and that she had failed to exhaust domestic remedies. The applicant had not alleged that she had been subjected to any measures, nor were there any indications that she belonged to a group which had an increased risk of being affected by such requests to telecommunications providers.

50. The present case must also be distinguished from cases concerning secret surveillance because the impugned provisions did not give powers to collect the content of the communication, but only communications data.

52 . In cases where statutory restrictions on notification and information applied, which was foremost applicable in the present case, the review by the Legal Protection Commissioner compensated for the data subject’s inability to challenge the legality of a measure. This commissioner was obliged to notify the data subject or to lodge a complaint with the Data Protection Commission. Changing the wording from ‘being entitled’ to ‘being obliged’ was only a clarification because it had been common understanding that the Legal Protection Commissioner had always had the obligation to guarantee efficient legal protection.

53. The right to lodge a complaint with the Data Protection Commission for failure to act or to challenge the reply of the police authorities was an effective legal remedy. The police authorities were obliged to implement the commission’s decisions, which were further subject to judicial review.

(b) The applicant

55. The applicant argued that she had victim status because it was impossible or an unreasonable burden for her to prove that she had been the subject of measures under section 53(3a) and (3b) of the SPA.

56. She contested the Government’s submission that the data subject was notified of such measures. The domestic legislation neither stipulated such an obligation nor had there been any notifications in practice, even if there was no longer an interest in secrecy. Notification by the police authorities was only on a voluntary basis.

57 . Likewise, the legal protection by the Legal Protection Commissioner was not effective because there was no notification obligation. In the past, the Legal Protection Commissioner had only notified the data subjects in a small number of cases and had never complained to the Data Protection Commission.

58. Finally, the opportunity to seek information from the police authorities under section 26 of the Data Protection Act 2000 did not constitute an effective legal remedy. She could not be expected to make requests to a multitude of police authorities on a regular basis in order to verify the existence of measures foreseen under the contested legislation.

(c) The third party

59. Privacy International pointed out that access to non-content data or more specific communications data could also be highly invasive and allowed a comprehensive view into a person’s private life. Laws providing for State access to such data as well as requests to telecommunications providers continued to proliferate. A distinction between communications and content data became increasingly insignificant.

(d) The Court’s assessment

(i) Preliminary observations

60. The Court observes that the applicant has not alleged that she was subjected to any of the measures foreseen in the SPA, but she has been affected by the mere existence of the legislation. Even though such measures do not concern surveillance of communication content, requesting communications data also raises privacy issues capable of engaging the protection of Article 8 of the Convention. In the context of personal data, the Court has found that the term ‘private life’ must not be interpreted restrictively ( Benedik v. Slovenia , no. 62357/14, §§ 102 ‑ 104, 24 April 2018 with further references, and Ben Faiza v. France , no. 31446/12, § 66, 8 February 2018 concerning, inter alia, the numbers dialled, the date and duration of telephone calls).

61. The applicant does not complain about her obligations under the SPA as a telecommunications provider (unlike before the Constitutional Court, see paragraphs 6 and 8 above), but about measures affecting mobile phone and internet users under section 53(3a) and (3b) of the SPA (in particular in respect of IP-addresses and location data).

62. The present case does not concern retained data (Vorratsdaten) because the impugned provisions of the SPA, as in force at the time of the Constitutional Court’s judgment on 1 July 2009 (see paragraph 8 above) and as they stand at the time of the present examination, did not introduce a specific obligation for telecommunications providers to retain data for the purpose of the investigation, detection and prosecution of crime. Thus, the notification obligation under section 53 (3c) of the SPA (see paragraphs 37 and 51 above) is not relevant for the present examination.

63. The Court does not need to examine whether the applicant complied with the rule of exhaustion of domestic remedies as her application is in any event inadmissible for the reasons set out below.

(ii) Victim status

(α) General principles

64. As to the applicant´s victim status, the Court has constantly held that its task is not normally to review the relevant law and practice in abstracto , but to determine whether the manner in which they were applied to, or affected, the applicant gave rise to a violation of the Convention (see, inter alia , Klass and Others v. Germany , 6 September 1978, § 33, Series A no. 28, and more recently Szabó and Vissy v. Hungary , no. 37138/14, § 32, 12 January 2016, Kosaité-Cypiené and Others v. Lithuania , no. 69489/12, § 67, 4 June 2019).

65. However, in recognition of the particular features of secret surveillance measures, the Court has accepted that, under certain circumstances, an individual may claim to be a victim on account of the mere existence of legislation ( Szabó and Vissy , cited above, § 33). By contrast, if the national system provides for effective remedies, a widespread suspicion of abuse is more difficult to justify. In such cases, the individual may claim to be a victim of a violation occasioned by the mere existence of secret measures or of legislation permitting secret measures only if he is able to show that, due to his personal situation, he is potentially at risk of being subjected to such measures ( Roman Zakharov v. Russia ([GC], no. 47143/06, § 171, ECHR 2015 which concerned covert interception of mobile telephone communications). The Court will also apply those conditions for victim status to the circumstances of the present case, which did not concern content data, but communications data.

66. Turning to the first condition, that is the scope of the legislation, the applicant may possibly be affected by measures foreseen under section 53(3a) and (3b) of the SPA because all users of communication services are potentially affected ( Roman Zakharov , cited above, § 171).

67. As to the second condition, the Court has identified the availability of an effective domestic remedy as decisive in determining whether there is greater need for scrutiny by the Court and an exception to the rule denying individuals the right to challenge a law in abstracto is justified ( Roman Zakharov , cited above, § 171).

68. In this context, the Court will also assess the domestic law on notification and information for data subjects. The Court has linked limitations on notification and information with the effectiveness of the remedies (see, for example, Klass and others , cited above, §§ 58 ‑ 59; Roman Zakharov , cited above, §§ 286 ‑ 87, and Szabó and Vissy , cited above, § 86). There is, in principle, little scope for recourse to the courts by the individual concerned unless he is advised of the measures taken without his knowledge and thus able retrospectively to challenge their legality ( Klass and Others , cited above § 57).

(β) Notification

69. The Court agrees with the applicant that the notification obligations under section 24 of the former Data Protection Act 2000 as well as under section 43 of the new Data Protection Act (see paragraph 33 above), lack practical significance. As the Government has admitted (see paragraph 52 above), the statutory exceptions from notification (see paragraph 34) apply foremost to the contested measures.

70. Nevertheless, the police authorities are obliged to notify the Legal Protection Commissioner of all requests made under section 53(3a) and (3b) of the SPA which concerned IP-addresses or location data (see paragraph 35 above). Vested with independence and the necessary powers (see paragraphs 26 ‑ 28 above), the commissioner is obliged either to inform the data subject of any unlawful measures or to lodge a complaint with the independent Data Protection Commission (see paragraph 36 above).

71. However, an enforceable right to such a notification or complaint exists only in the event of a violation of the data subject’s privacy rights. It does not result in a general notification obligation. The relevant provision, as in force at the time of the Constitutional Court’s decision, did also not explicitly stipulate an obligation for the commissioner to notify the data subject or to complain to the Data Protection Commission. Even though the Government submitted (see paragraph 52 above) that the subsequent law amendment (see paragraph 36 above) was solely a clarification, there remains lack of clarity, as to whether there had always been such an obligation.

(γ) Information rights

72 . The Court takes note of the information rights towards the police authorities (see paragraph 38 above) and furthermore, of the individual’s possibility to apply directly to the Data Protection Authority under section 24 of the Data Protection Act (see paragraph 41 above). Such an application had also been possible to the former Data Protection Commission under sections 30 and 31 of the Data Protection Act 2000 and it has never depended on a prior notification of the applicant. Uncontested by the applicant, the Government argued that everyone had the right to file such an application on the basis of mere suspicion of an infringement of his data protection rights. Such a complaint did thus not require a description of the facts, which could only be given after an applicant had concrete information about any measures (see, mutatis mutandis , Kennedy v. the United Kingdom , no. 26839/05, § 167, 18 May 2010). On the contrary, the Data Protection Commission/Data Protection Authority was and is obliged to investigate whether there had been any data compilation (see paragraph 54 above).

73. While the Court shares the applicant’s view that it is burdensome to seek information from a multitude of police authorities at regular intervals, an application to the former Data Protection Commission or to the Data Protection Authority (see paragraph 72 above) were, and remain, easily accessible alternatives. The applicant did not allege that she had not been able to lodge such a complaint by herself because of burdensome or too high formal requirements (see paragraph 57 above).

(δ) Remedies

74. A complaint by any person who suspected an infringement of his data protection right, to the Data Protection Commission/Data Protection Authority triggered an examination of the legality of a measure (see paragraphs 41, 43 and 54 above) or a review of the police authorities’ compliance with their notification and information obligations (see paragraph 42 above).

75. Further, everybody was and is able to request a rectification, restriction or deletion of data which is no longer needed or was unlawfully processed (see paragraph 40 above). The decision of the police authorities on such a request could and can be challenged before the Data Protection Commission/ Data Protection Authority (see paragraph 42 above).

76. Moreover, the decisions of the Data Protection Commission/Data Protection Authority were and are further subject to judicial control (see paragraph 44 above).

77. The remedy system was further complemented by the Legal Protection Commissioner, whose access and review rights (see paragraphs 26 ‑ 28 above) ensured that the data protection provisions were observed and applied correctly. Ultimately, this review could result in a notification of the data subject or in a complaint to the Data Protection Commission/Data Protection Authority (see paragraph 36 above).

78 . The Court finds therefore that the Legal Protection Commissioner and the Data Protection Authority provide a supervisory system which was accessible for the applicant for any claim against abuse. This system of effective remedies was already in place at the time of the decision of the Constitutional Court in 2009 and the Constitutional Court found therefore that the applicant had to exhaust these remedies before challenging the allegedly unconstitutional law before it (see paragraphs 8 ‑ 13 above).

(ε) Conclusion

79. The Court finds that, although the notification obligations lacked practical significance, a system of effective remedies with access to judicial control existed. The applicant in the present case did not demonstrate that she had tried to seek any information under section 26 of the Data Protection Act 2000 or had lodged a complaint with the Data Protection Commission under sections 30 and 31 of the Data Protection Act 2000. In such a situation, a widespread suspicion of abuse and thus a review of legislation in abstracto is more difficult to justify (see, mutatis mutandis , Kennedy , cited above, § 124).

80. The applicant alleged neither at the domestic level nor in her application to the Court that her personal or professional situation was of the kind that might normally attract the application of measures under section 53(3a) and (3b) of the SPA. She had only asserted in her constitutional complaint (see paragraph 6 above) that she was likely to be affected by such measures, as a mobile phone and internet user. She did not, therefore, demonstrate that, due to her personal situation, she was potentially at risk of being subjected to those measures (see Roman Zakharov , cited above, § 171). The Constitutional Court therefore rejected this complaint as inadmissible.

81. Accordingly, the facts of the present case were never such as to permit the applicant to claim to be a victim of a violation of her rights under Article 8 of the Convention. Accordingly, this complaint is incompatible ratione personae with the provisions of the Convention within the meaning of Article 35 § 3 (a) and must be rejected in accordance with Article 35 § 4.

82. The applicant relied on Article 13 of the Convention which, insofar as relevant, reads as follows:

“Everyone whose rights and freedoms as set forth in [the] Convention are violated shall have an effective remedy before a national authority ...”

83. Having declared the complaint under Article 8 of the Convention inadmissible, the Court concludes that the applicant has no arguable claim for the purposes of Article 13 of the Convention (see, for the same approach, Valeriy Fuklev v. Ukraine , no. 6318/03, § 98, 16 January 2014, and Lolova and Popova (dec.), no. 68053/10, § 52, 20 January 2015).

84. It follows that this complaint must be rejected as being incompatible ratione materiae with the provisions of the Convention, pursuant to Article 35 §§ 3 (a) and 4 of the Convention.

For these reasons, the Court, unanimously,

Declares the application inadmissible.

Done in English and notified in writing on 4 June 2020.

Victor Soloveytchik Mārtiņš Mits Deputy Section Registrar President