Communicated on 8 April 2015

FIFTH SECTION

Application no. 62357/14 Igor BENEDIK against Slovenia lodged on 10 September 2014

STATEMENT OF FACTS

The applicant, Mr Igor Benedik , is a Slovenian national, who was born in 1977 and lives in Kranj . He is represented before the Court by Mr M. Jelenič Novak, a lawyer practising in Ljubljana.

A. The circumstances of the case

The facts of the case, as submitted by the applicant, may be summarised as follows.

In 2006 the Swiss law enforcement authorities of the Canton of Valais conducted a systematic review of the users of the so-called “Razorback” network. The Swiss police established that some of the users owned and exchanged child pornography in the form of pictures or videos. The files containing illegal content were exchanged through the so-called “p2p” (peer-to-peer) file sharing network in which each of the connected computers acted both as a client and a server. Hence, each of the users could access all files made available for sharing by other users of the network and download them for his or her use. Among the IP addresses recorded by the Swiss police was also a certain dynamic IP address.

Based on the data obtained by the Swiss police, on 7 August 2006 the Slovenian police requested company S., a Slovenian internet service provider, to disclose the data regarding the user to whom the above IP address was assigned on 20 February 2006 at 13.28. The police based its request on section 149b (3) of the Criminal Procedure Act (hereinafter “the CPA”) requiring the operators of the electronic communication networks to disclose to the police the information on the owners or users of a certain means of electronic communication whose details are not available in the relevant directory. In response, on 10 August 2006 the internet service provider S. gave the police the name, surname and address of the user in question, his telephone number and the time of the communication. The IP address recorded by the Swiss police was assigned to the applicant ’ s father, who was S. ’ s subscriber.

On 12 December 2006 the police proposed the Kranj District State Prosecutor ’ s Office to request the investigating judge of the Kranj District Court to issue an order requesting internet service provider S. to disclose both the personal and traffic data regarding the IP address in question. On 14 December 2006 such a court order was o btained on the basis of section 149b (1) of the CPA and the internet service provider gave the police the required data.

On 21 January 2007 the police and the investigating judge of the Kranj District Court carried out a house search of the applicant ’ s family home in which they seized four computers and made copies of their hard disks. Reviewing the hard disks, the police found that one of them contained files with pornographic material involving minors. The police established that the applicant had installed eMule , a file sharing programme, on one of the computers by means of which he was able to download different files from other users of the programme and also automatically offered and distributed his own files to them. Among the files downloaded by the applicant, there was a small percentage containing child pornography. The applicant argued that the fact that every computer in the network acted as a client and a server was also the main drawback of the network, since there existed the risk of transferring unwanted files due to the lack of any effective control over the content of the files available for transfer. Moreover, while a given file was in the process of being transferred to an individual computer, it could already simultaneously be distributed to other users; this meant that the user downloading a specific file could not review the content of the file before it was available, via his computer, to the other users. This was particularly true in the applicant ’ s case; since he had strived to attain the maximum download speed in the process of transferring files to his own computer, he had been required to make available as large a quantity of data as possible to other users in the network. In sum, the applicant alleged that he had not been aware of those files having been transferred to his computer or, indeed, passed on to other computers.

On 5 March 2008 the investigating judge of the Kranj District Court, not convinced by the applicant ’ s argument that he had not been aware of the illegal content he had downloaded and made available for transfer to other users of the p2p network, opened a judicial investigation against the applicant on the basis of a reasonable suspicion that he had committed the criminal offence of displaying, manufacturing, possessing and distributing of pornographic material under section 187 (3) of the Criminal Code. Subsequently, on 29 May 2008, the Kranj District State Prosecutor ’ s Office lodged an indictment against the applicant for the above-mentioned criminal offence.

On 5 December 2008 the Kranj District Court found the applicant guilty of the criminal offence he had been charged with. Based on the opinion of an expert in computer science, the district court held that the applicant must have been aware of 630 pornographic pictures and 199 videos involving minors he had downloaded through p2p networks and made available for sharing with other users. Namely, he had moved some of those contents to other folders on his computer which he had then shared with the other users of the networks. The expert took the view that the rather large quantity of illegal material implied that the applicant had to know what he had downloaded, especially since he had organised the downloaded materials into folders. The applicant was sentenced to a suspended prison term of eight months with a probation period of two years.

Both the applicant and the district state prosecutor appealed against the first-instance judgment. The applicant, challenging the facts as established by the district court, pointed out that the expert in computer science confirmed that the applicant had not even opened any of the files containing child pornography, nor had he created a folder with such specific content. Moreover, the expert could not confirm with certainty that the applicant was aware of the illegal pornographic materials. In this connection, it was also found that among 1984 files downloaded by the applicant through eMule , only a few dozen contained child pornography, while other files containing sexual content involved adults and were thus legal. Altogether, the applicant ’ s disks contained 170,000 files. Further, the applicant alleged that the data on the user of the IP address recorded by the Swiss police, which were acquired by the Slovenian police without a court order, should have been excluded as evidence, as they had been improperly obtained.

On 4 November 2009 the Ljubljana Higher Court granted the appeal of the district state prosecutor in part, converting the applicant ’ s suspended sentence into a prison term of six months. The applicant ’ s appeal was dismissed as unfounded. The higher court confirmed that the first-instance court had correctly established the facts of the case; moreover, it held that the data on the applicant ’ s father ’ s IP address concerned solely the name of an owner or user of electronic communication, thus the data that could be obtained without a court order.

The applicant lodged an appeal on points of law before the Supreme Court, reiterating that the dynamic IP address could not be compared to a telephone number which was not entered in a telephone directory, as a new IP address was assigned to a computer each time the user logged on. Accordingly, such data should be considered as traffic data constituting circumstances and facts connected to the electronic communication and attracting the protection of privacy of communication. The applicant argued that the Swiss police should not have obtained his father ’ s dynamic IP address without a court order and neither should the Slovenian police have obtained the data on the identity of his father to whom the IP address had been assigned without such an order. Thirdly, the applicant maintained that the Slovenian police should not have reviewed the files on his computer without a specific court order allowing them to search the contents of the computer.

On 20 January 2011 the Supreme Court dismissed the applicant ’ s appeal on points of law with the reasoning that, given the general accessibility of websites and the fact that the Swiss police could check the exchanges in the p2p network simply by monitoring the users sharing certain contents, that is without any particular intervention in internet traffic, such communication could not be considered private and thus protected by Article 37 of the Constitution. Moreover, in the Supreme Court ’ s view, the Slovenian police had not acquired traffic data about the applicant ’ s electronic communication, but only data regarding the user of a particular computer through which the internet had been accessed. Finally, the Supreme Court held that, given that the applicant ’ s house search had been ordered precisely for the purpose of seizing his computer and its contents, no additional court order was required for the review of his computer files.

The applicant lodged a constitutional complaint before the Constitutional Court, reiterating the complaints adduced before the lower courts.

On 13 February 2014 the Constitutional Court dismissed the applicant ’ s complaint, holding that his constitutional rights had not been violated. Firstly, the Constitutional Court had requested the Information Commissioner to express her position on the issue of providing the data on subscribers of electronic communication to the police on their request. The Information Commissioner was of the view that the reason for obtaining the identity of an individual user of electronic communication was precisely that he communicated by means of more or less publicly accessible websites. Thus, it was impossible to separate traffic data from subscriber data, as traffic data alone did not make any sense if one did not ascertain who the person behind these data was, which was an extremely important element of communication privacy . The commissioner also highlighted that the provisions of the Electronic Communications Act in force at the material time required a court order regarding all data related to electronic communications, irrespective of whether they related to traffic or identification data (e.g. who is using a certain IP address or telephone number). In the Commissioner ’ s view, section 149b (3) of the CPA, which required only a written request of the police to obtain data on who was communicating, was constitutionally problematic.

The Constitutional Court pointed out, at the outset, that in addition to the content of communications, Article 37 of the Constitution also protected traffic data, that is any data processed for the transmission of communications in an electronic communications network or for the billing thereof, which included the IP address. However, the applicant had not hidden in any way the IP address through which he accessed the internet, and neither was access to the p2p network used by him in any way restricted. Thus, in the court ’ s view the applicant had not clearly expressed his intention that he wanted to keep his communications and identity private. On the contrary, he had established an open line of communication with an undetermined circle of strangers using the internet worldwide who have shown interest in sharing certain files. Therefore, the complainant ’ s expectation of privacy was not legitimate. Consequently, the fact that the Swiss police had obtained his IP address did not interfere with his right to communication privacy, so a court order was not necessary to access it.

Moreover, since the applicant had publicly revealed both his IP address as well as the content of his communications, he had himself waived protection of his privacy. Hence, the data regarding the identity of the IP address user no longer enjoyed protection of communication privacy. Having regard to this, the Constitutional Court held that the police had not required a court order for obtaining data on the name and address of the user of the IP address in question. Finally, as to the alleged requirement that the inspection of the applicant ’ s computer files be authorised by a separate court order, the Constitutional Court noted that the investigating judge who had authorised the applicant ’ s house search had been aware of the fact that the police would seize computer equipment. The search order in question had been issued with the intent to seize and review electronic data storage media; thus, the Constitutional Court decided that no separate court order had been necessary for such review.

The Constitutional Court decision was adopted by seven votes to two, the two dissenting judges adopting the contrary view that even assuming that an individual could no longer expect protection with regard to the content of his communication – because it was already exposed to the public – that did not imply that he could not expect privacy with regard to the traffic data of his communication. Judge J.S. pointed out that the applicant nonetheless had not appeared in public under his own name, but only through the digits of his dynamic IP address. Thus, if the police had wanted to identify the person behind the IP address, they should have obtained a court order, as clearly followed from Article 37 (2) of the Constitution. Moreover, the dissenting judges expressed a doubt whether at the time the police had obtained the data at issue, there had existed a statutory regulation on the basis of which internet service providers could store the data they had provided to the police.

B. Relevant domestic law

1. The Constitution

Articles 37 and 38 of the Constitution, which provide for the protection of privacy of correspondence and other means of communication and the protection of personal data, respectively, provide as follows:

Article 37

“The privacy of correspondence and other means of communication shall be guaranteed.

Only a law may prescribe that on the basis of a court order the protection of the privacy of correspondence and other means of communication and the inviolability of personal privacy be suspended for a set time where such is necessary for the institution or course of criminal proceedings or for reasons of national security.”

Article 38

“The protection of personal data shall be guaranteed. The use of personal data contrary to the purpose for which it was collected is prohibited.

The collection, processing, designated use, supervision, and protection of the confidentiality of personal data shall be provided by law.

Everyone has the right of access to the collected personal data that relates to him and the right to judicial protection in the event of any abuse of such data.”

2. The Criminal Procedure Act

The Criminal Procedure Act as applicable at the material time provides, in its section 149b included in the chapter regulating the measures taken by the police in the pre-trial proceedings, as follows:

“(1) If there are grounds for suspecting that a criminal offence for which a perpetrator is prosecuted ex officio has been committed, is being committed or is being prepared or organised, and information on communications using electronic communications networks needs to be obtained in order to uncover this criminal offence or the perpetrator thereof, the investigating judge may, at the request of the public prosecutor adducing reasonable grounds, order the operator of the electronic communications network to furnish him with information on the participants and the circumstances and facts of electronic communications, such as: the number or other form of identification of users of electronic communications services; the type, date, time and duration of the call or other form of electronic communications service; the quantity of data transmitted; and the place where the electronic communications service was performed.

(2) The request and order must be in written form and must contain information that allows the means of electronic communication to be identified, indication of reasonable grounds, the time period for which the information is required and other important circumstances that dictate use of the measure.

(3) If there are grounds for suspecting that a criminal offence for which a perpetrator is prosecuted ex officio has been committed or is being prepared, and information on the owner or user of a certain means of electronic communication whose details are not available in the relevant directory, as well as information on the time that the means of communication was or is in use, needs to be obtained in order to uncover this criminal offence or the perpetrator thereof, the police may request that the operator of the electronic communications network furnish it with this information, at its written request and even without the consent of the individual to whom the information refers.

(4) The operator of electronic communications networks may not disclose to its clients or a third party the fact that it has given certain information to an investigating judge (first paragraph of this section) or the police (preceding paragraph), or that it intends to do so.”

3. The Electronic Communications Act

The Electronic Communications Act applicable at the material time requires the operators of the electronic communications networks to provide access to the contact and traffic data of their users as well as the data regarding the content of the communication, to the competent authorities. In this regard, section 107č provides as follows:

“(1) Operators shall be obliged to supply retained data immediately on receipt of a copy of that part of the order of the competent authority stating all the necessary data on the extent of access.

(2) The copy of the order from the previous paragraph shall be made by the authority that issued the order.

(3) Operators shall be obliged on receipt of an order to supply retained data to the competent authority in the extent stipulated in the copy of the order.

(4) Operators together with the competent authorities that may request access to retained data shall be obliged to ensure the non-erasable registration of each supply of retained data. In so doing, they shall be obliged to retain the acquired and submitted data permanently, and to protect them in accordance with the level of secrecy of the copy of the order, with a minimum level of secrecy of “confidential” in accordance with the rules on the protection of secret data.

(5) The minister in agreement with the minister responsible for internal affairs, the minister responsible for defence and the director of the Slovenian Intelligence-Security Agency, shall prescribe in greater detail the method of supplying retained data.”

4. The Criminal Code

The Criminal Code applicable at the material time prohibits, in its section 187, the presentation of pornographic materials to minors under the age of fourteen and of manufacturing and distributing of pornographic material depicting minors. The relevant provision reads as follows:

“ ...

(2) Whoever abuses a minor for the manufacturing of pornographic pictures, audio-visual or other objects of pornographic content, or whoever uses a minor to act in a pornographic performance, shall be given a prison sentence of between six months and five years.

(3) Whoever produces, distributes, sells, imports or exports pornographic or other sexual material depicting minors, supplies it in any other way, or possesses such material with the intent of producing, distributing, selling, importing, exporting or offering it in any other way, shall be subject to the same sentence as in the preceding paragraph.

... ”

5. The Constitutional Court decision no Up-106/05 of 2 October 2008

The complainant was convicted of illicit manufacture and trade in narcotics, based on the data (a list of telephone numbers and text messages) contained in his SIM card, which was obtained without the court order issued by an investigating judge. He complained that his conviction was based on unlawfully obtained evidence, as the police had monitored his mobile telephone communication without the court order.

The Constitutional Court pointed out that Article 37 of the Constitution, which guarantees the privacy of correspondence and other means of communication, protects the freedom of communication. According to the Constitutional Court, this right ensured the protection of the individual ’ s interest that no one learnt of the content of the message which he or she conveyed over any means allowing the exchange or conveying of information without his or her consent, as well as the individual ’ s interest to decide freely to whom, to what extent, in what manner, and under what conditions he or she would convey a certain message. The provision safeguarded the protection of free and unsupervised communication and thereby the protection of the confidentiality of the relations into which an individual entered when communicating.

The Constitutional Court took the view that the field of the protection of communication privacy was extended to correspondence and other means of communication (e.g. telephone, fax, computer ) and included conveying written, sound, or image messages. The field of communication privacy first of all included data which referred to the content of the message. Thus, the interception and recording of telephone conversations, was only admissible under the conditions determined in Article 37 (2) of the Constitution. However, the court continued that not only the content of the communication but also the circumstances and facts connected to the communication were protected, which meant that the scope of the protection of communication privacy had to be interpreted more broadly, so as to include the information on telephone calls which were an integral element of the communication. Moreover, also the data in the telephone memory record had to be considered as an integral element of communication privacy. Therefore, obtaining data on the last dialled and last unanswered calls as well as the examination of the content of the short text messages entailed an examination of the content and circumstances of the communication and consequently an interference with the right determined in the first paragraph of Article 37 of the Constitution.

According to Article 37 (2) of the Constitution, an interference with the freedom of communication was admissible if the following conditions were met: 1) the interference was prescribed by a law, 2) the interference was allowed on the basis of a court order, 3) the duration of the interference was precisely determined, and 4) the interference was necessary for the institution or course of criminal proceedings or for reasons of national security.

In this light, the Constitutional Court concluded that the police was not allowed to obtain data which were part of the constitutionally protected communication privacy without a court order, except under the conditions determined in Article 37 (2) of the Constitution. Accordingly, the court annulled the judgments of the lower court challenged by the applicant and remitted the case for reconsideration before the first-instance court.

COMPLAINTS

The applicant complains under Article 8 of the Convention that his right to privacy was breached on account of the fact that the data on his IP address and consequently on his identity were gathered without a court order, which was arbitrary.

According to the applicant, at the time when the Slovenian police obtained the data connecting his IP address to his identity, the law regulating access to such data was not clear. Moreover, the internet service provider retained his personal data for almost six months without any valid legal basis for such action. Thus, the gathering and retention of the data was not carried out “in accordance with the law”, a requirement referred to in the second paragraph of Article 8. The applicant maintains that although he disclosed the contents of his communication with an unidentifiable public, he did not waive his right to privacy with regard to traffic data (metering data), as such data enjoyed separate protection under the Convention.

QUESTION TO THE PARTIES

Was the alleged interference with the applicant ’ s right to privacy of electronic communication in accordance with the law applicable at the material time and necessary in terms of Article 8 § 2 of the Convention? In particular, did the applicable legislation on the basis of which the police obtained the data disclosing his identity and on the basis of which the relevant internet service provider stored and disclosed the traffic and personal data of its subscriber meet the requirement of lawfulness within the meaning of Article 8 § 2? Was it sufficiently foreseeable and compatible with the rule of law? Did the law contain adequate and effective safeguards against abuse?