CONCURRING OPINION OF JUDG E YUDKIVSKA, JOINED BY JUDGE BO Å NJAK

I agree with the outcome of the judgment as well as with the methodology used by the majority. What surprises me, however, is the apparent difficulty with which the conclusion on the existence of interference in this case is reached and, in particular, a very cautious approach to the reasonable expectation of privacy in paragraphs 115-118.

The case in issue presented a unique opportunity to clarify the scope of the reasonable expectation of privacy in the digital age, where a striking amount of information about our private lives is easily circulated beyond our control. “Civilization is the progress toward a society of privacy”, stated Ayn Rand [1] . The modern reality, however, is that privacy is increasingly becoming a cherished value, which requires greater protection day by day. Countless scholars have already announced the “death”, “end” or “destruction” of privacy [2] . It is argued that in order to protect privacy in the modern era we must reconsider the outdated understanding of it as mere secrecy, and move toward legal protection of trust and confidentiality and of the right to control how information is disseminated and used [3] . As judges we are entrusted with the task of rethinking the privacy paradigm in cases such as the present one.

For the first time in this case the Court has gone into a study of the Internet Protocol and forms of IP addressing, namely static and dynamic – to the extent necessary in the circumstances. In Benedik we are dealing with dynamic IP addressing, that is, assigning new IP addresses at random from a pool of addresses assigned to an Internet service provider on each occasion that a user connects to the internet. Today dynamic IP addressing is the most common form for Internet consumers, and therefore the Court ’ s conclusions on privacy in the present case will affect the great majority of internet users all around Europe.

It has become commonplace to recall in privacy discussions that the legal notion of privacy was not pronounced until Samuel D. Warren and Louis D. Brandeis published their prominent article “The Right to Privacy” back in 1890. What deserves to be mentioned is that they were prompted by concern that modern technologies, namely the recently invented portable camera and the rapid development of printed media, would reveal unwanted details about the lives of ordinary people: “Instantaneous photographs and newspaper enterprise have invaded the sacred precincts of private and domestic life; and numerous mechanical devices threaten to make good the prediction that ‘ what is whispered in the closet shall be proclaimed from the house-tops ’ .” [4]

Since that time, every development in existing technologies and the appearance of new ones has generated a revisiting of the doctrine of privacy and its reasonable expectations: from concerns about monitoring of telephone conversations at the beginning of the 20th century to wide discussions on mass surveillance, collection and processing of metadata at the beginning of the 21st century. Yet in 1966 Justice William Douglas in his dissenting opinion in Osborn v. United States warned: “We are rapidly entering the age of no privacy, where everyone is open to surveillance at all times; where there are no secrets from government” [5] . The technical possibilities that exist nowadays are far more intrusive than Justice Douglas could even have imagined some fifty years ago. But the wide expansion of the internet merely presents a new degree of intensity in respect of an old problem.

The notion of a “reasonable expectation of privacy” has been used by the Court in several cases, including the present one, but this notion came to us from the United States Supreme Court, where it appeared in the case of Katz v. United States [6] , which concerned the use by the FBI of eavesdropping devices for receiving conversations on illegal gambling made by a suspect from a public telephone booth. As the Supreme Court observed, “no less than an individual in a business office, in a friend ’ s apartment, or in a taxicab, a person in a telephone booth may rely upon the protection of the Fourth Amendment. One who occupies it, shuts the door behind him, and pays the toll that permits him to place a call is surely entitled to assume that the words he utters into the mouthpiece will not be broadcast to the world.”

It was a concurring opinion by Justice Harlan which introduced this particular concept: he wrote that his “ understanding of the rule that has emerged from prior decisions is that there is a twofold requirement”: (1) a person “has demonstrated the actual (subjective) expectation of privacy”, and (2) society is ready to admit that this expectation is (objectively) reasonable. It is this test which has subsequently been cited in the Supreme Court ’ s Fourth Amendment case-law.

The concept of a “reasonable expectation of privacy” was first used by this Court in Halford v. the United Kingdom [7] . There, the Court concluded that a police officer had reasonable expectations about the privacy of phone calls made at the workplace, in the absence of any warning that those calls could be intercepted. The Court referred to the same concept ten years later in Copland v. the United Kingdom [8] , finding that, in the absence of any warning, a college employee also had reasonable expectations about the privacy of the emails she had sent from her college mailbox account.

More recently, the concept was mentioned in the Grand Chamber case of Bărbulescu v. Romania [9] . The case concerned the applicant ’ s dismissal following the monitoring of his electronic communications, mainly through his Yahoo Messenger account, which the applicant was instructed to create for communicating with clients. It was found that he used the Internet for personal purposes during the working day, in violation of internal rules. The Court left open the question of whether the applicant had a reasonable expectation of privacy, notwithstanding the employer ’ s clear instructions for abstaining from any personal activity in the workplace, because an “employer ’ s instructions cannot reduce private social life in the workplace to zero”.

The present case raises the issue of a reasonable expectation of privacy when it comes to traffic data (metering or metadata), and I regret that the Court missed the opportunity to take a clear stance on it. An interesting discussion of this topic within the Constitutional Court of Slovenia (see paragraphs 28-34 of the judgment) was left unaddressed.

Similar discussions are ongoing among the American judiciary. Under the original conception of US constitutional law, the Supreme Court has clearly proceeded on the basis that while there can be said to be a reasonable expectation of privacy with respect to content, there is no such expectation when it comes to metadata (traffic data). Some forty years ago, in the case of Smith v. Maryland [10] , the Supreme Court considered the handling of metadata by telephone companies, which have information on the numbers dialled and the duration of conversations. It observed that “it is too much to believe that telephone subscribers, under these circumstances, harbor any general expectation that the numbers they dial will remain secret.” Under this concept, therefore, an individual does not have a reasonable expectation of privacy with regard to this type of information.

American courts have interpreted the “third-party doctrine” established in Smith to apply to IP addresses, and have held that Internet users have no reasonable expectation of privacy in their IP addresses because they are voluntarily conveyed to third parties - the users ’ ISPs and web service providers [11] , noting, however, that “the mere act of accessing a network does not in itself extinguish privacy expectations” [12] and that “individuals possess objectively reasonable expectations of privacy in the contents of their computers” [13] . Nevertheless, in 2008 the Superior Court of New Jersey adopted the judgment in the case of State v. Reid [14] , explaining that “ in dividuals need an ISP address in order to access the Internet. However, when users surf the Web from the privacy of their homes, they have reason to expect that their actions are confidential. Many are unaware that a numerical IP address can be captured by the websites they visit. More sophisticated users understand that that unique string of numbers, standing alone, reveals little if anything to the outside world. Only an Internet service provider can translate an IP address into a user ’ s name.”

The NJ Court then proceeded with a crucially important reshaping of the privacy pattern, prompted by modern internet activities: “ ... while decoded IP addresses do not reveal the content of Internet communications, subscriber information alone can tell a great deal about a person. With a complete listing of IP addresses, one can track a person ’ s Internet usage ... Such information can reveal intimate details about one ’ s personal affairs in the same way as disclosure of telephone billing records does. Although the contents of Internet communications may be even more revealing, both types of information implicate privacy interests”.

In my view, this is the key challenge to be clearly articulated – traffic data or metadata is collected nowadays much more broadly than the content data (actual content of communications), and such interference must be “established beforehand in a law, and set forth expressly, exhaustively, precisely, and clearly, both substantively and procedurally”, defining “the causes and conditions that would enable the State to intercept the communications of individuals, collect communications data or “metadata,” or to subject them to surveillance or monitoring that invades spheres in which they have reasonable expectations of privacy.” [15] . The PACE Resolution on Mass Surveillance [16] urged the Council of Europe member States “to ensure that their national laws only allow for the collection and analysis of personal data ( including so-called metadata ) with the consent of the person concerned or following a court order granted on the basis of reasonable suspicion of the target being involved in criminal activity ... ”.

It appears accepted that the collection of metadata was seen (and is still seen) as less intrusive than the collection of content. In the pre-internet era, in 1984, the European Court of Human Rights held that while collecting content is a greater intrusion than collecting metadata, collecting metadata would still be an interference with Article 8. This was the case in Malone v. the United Kingdom [17] , where the police used devices that recorded the numbers dialled on a particular phone, as well as the time and duration of each call - without interception of the conversations. The Government argued that the collection of such information did not entail an interference with the right guaranteed by Article 8.

The Court noted in Malone that it “does not accept ... that the use of data obtained from metering, whatever the circumstances and purposes, cannot give rise to an issue under Article 8”, as the numbers dialled were an “integral element in the communications made by telephone” and the handing over of that information from a telephone service provider to the police without the consent of the subscriber amounted to an interference with a right guaranteed by Article 8 ( Malone , § 84).

This position needs to be substantially strengthened today. The view that metadata does not deserve the same level of protection as content data is shattered as it is confronted with present-day realities: there are currently so many forms of metadata - from phone calls, e-mails, web engines showing your surfing history, to Google Maps showing your location, etc.; and if this data are aggregated, an outstandingly intrusive portrait is obtained of the person concerned, revealing his or her personal and professional relationships, ethnic origin, political affiliation, religious beliefs, membership of different groups, financial status, shopping or disease history, and so on. In order to obtain this information, one need not go to the trouble of listening to conversations or reading letters, as in the good old days. This point was underlined in the United Nations Human Rights Council Resolution on the Right to Privacy in the Digital Age, which noted that “while metadata may provide benefits, certain types of metadata, when aggregated, can reveal personal information that can be no less sensitive than the actual content of communications and can give an insight into an individual ’ s behaviour, social relationships, private preferences and identity” [18] .

In his book “Data and Goliath” [19] , specifically devoted to “t he golden age of surveillance” , leading security expert Bruce Schneier gives a fascinating example of an experiment conducted by Stanford University, which examined the phone metadata of a number of people and easily identified among them - using only traffic information about their various phone calls - a heart-attack victim, a home marijuana grower, and a pregnant woman planning an abortion.

The collection and aggregation of several types of protected information from various sources creates new risks for human rights, to which this Court cannot turn a blind eye, given that almost everything we do leaves a digital footprint.

The applicant in the present case, like all other internet users, enjoyed anonymity, as dynamic IP addresses can be linked to one ’ s identity only if specifically disclosed by the service provider following a relevant request. Thus, there should be no doubt that his expectations of privacy were perfectly legitimate, notwithstanding the abhorrently illegal character of his activity as explained in paragraph 99 (had the interference been in accordance with the law the Court would have proceeded with a further examination of its proportionality and the nature of the crime would have been given due consideration).

In view of the foregoing, I believe that the Court ought to have stated unequivocally that, given the technical anonymity of IP addresses, internet users have reasonable expectations of privacy when surfing the Web. Further processing of this metadata may only be carried out in accordance with a law that satisfies quality requirements, as argued above.

Privacy protection is a crucial achievement in European political and legal culture, not least because it was formed against the backdrop of the horrors of the Nazi and communist regimes. In the long run, privacy will stand as a fundamental right only so long as it is defended by society, and it will disappear if society stops seeing it as essential value. We do have a reasonable expectation that our privacy will be protected even when we go online. Our fundamental right to control how we present ourselves to the outside world is vital, and this stance should be reinforced by the Court.