CEDH · CASELAW;JUDGMENTS;CHAMBER;ENG — 24 avril 2018
- ECLI
- ECLI:CE:ECHR:2018:0424JUD006235714
- Date
- 24 avril 2018
- Publication
- 24 avril 2018
Mes notes
privées · visibles par vous seulRésumé structuré
version préliminaireFaits
Non déterminable à partir du texte fourni.
Procédure
Non déterminable à partir du texte fourni.
Question juridique
Non déterminable à partir du texte fourni.
Solution
source officiellePreliminary objection joined to merits and dismissed (Art. 34) Individual applications;(Art. 34) Victim;Remainder inadmissible (Art. 35) Admissibility criteria;(Art. 35-1) Exhaustion of domestic remedies;Violation of Article 8 - Right to respect for private and family life (Article 8-1 - Respect for private life);Non-pecuniary damage - finding of violation sufficient (Article 41 - Non-pecuniary damage)
Résumé généré automatiquement — à vérifier avec la décision originale.
Analyse IA non disponible
Générez un résumé intelligent de cette décision
Texte intégral
.s800EAC49 { font-size:12pt } .sFE10DC93 { margin-top:0pt; margin-bottom:0pt; text-align:center } .sBB9EE52A { font-family:Arial } .s2CD4C03F { margin-top:0pt; margin-left:36pt; margin-bottom:0pt; text-indent:-36pt; text-align:center } .s29100277 { font-family:Arial; font-weight:bold } .sA36B60A1 { font-family:Arial; font-style:italic } .s598389FB { margin-top:0pt; margin-bottom:0pt; text-align:center; font-size:14pt } .sF5E1C6CF { font-family:Arial; font-weight:bold; text-decoration:underline; color:#ff0000 } .sE208486F { font-family:Arial; color:#ff0000 } .s598389F8 { margin-top:0pt; margin-bottom:0pt; text-align:center; font-size:11pt } .s9793A85B { margin-top:0pt; margin-bottom:0pt; text-indent:14.2pt } .s4ACA9207 { page-break-before:always; clear:both; mso-break-type:section-break } .sCB9E0544 { margin-top:0pt; margin-bottom:0pt; text-align:left } .sB9D5CABB { width:28.35pt; display:inline-block } .sD3B63DAD { margin-top:36pt; margin-bottom:12pt; page-break-inside:avoid; page-break-after:avoid; font-size:14pt } .s79DE5897 { margin-top:18pt; margin-left:17.85pt; margin-bottom:12pt; text-indent:-17.85pt; page-break-inside:avoid; page-break-after:avoid } .sA8776625 { margin-top:18pt; margin-left:29.2pt; margin-bottom:12pt; text-indent:-17.6pt; page-break-inside:avoid; page-break-after:avoid } .s72C8F48C { margin-top:12pt; margin-left:36.6pt; margin-bottom:6pt; text-indent:-15.05pt; page-break-inside:avoid; page-break-after:avoid } .sF7A86111 { margin-top:6pt; margin-left:21.25pt; margin-bottom:6pt; text-indent:7.1pt; font-size:10pt } .s34D46E87 { margin-top:12pt; margin-bottom:6pt; text-align:center; page-break-inside:avoid; page-break-after:avoid; font-size:10pt } .sAADB120E { margin-top:6pt; margin-left:28.35pt; margin-bottom:6pt; text-indent:7.1pt; font-size:10pt } .sE5273FBD { margin-top:6pt; margin-left:21.25pt; margin-bottom:6pt; text-indent:7.1pt; text-align:center; font-size:10pt } .sF3D840DB { margin-top:6pt; margin-left:21.25pt; margin-bottom:6pt; text-indent:7.1pt; font-size:9pt } .sE872AC7E { margin-top:6pt; margin-left:28.35pt; margin-bottom:6pt; text-indent:7.1pt; text-align:center; font-size:10pt } .sEA7315FA { margin-top:6pt; margin-left:28.35pt; margin-bottom:6pt; text-indent:7.1pt; text-align:center; page-break-inside:avoid; page-break-after:avoid; font-size:10pt } .s16BDBD5C { margin-top:6pt; margin-left:28.35pt; margin-bottom:6pt; text-indent:7.1pt; page-break-inside:avoid; page-break-after:avoid; font-size:10pt } .sB853CD26 { font-family:Arial; font-size:8pt } .sF3D840DC { margin-top:6pt; margin-left:21.25pt; margin-bottom:6pt; text-indent:7.1pt; font-size:8pt } .sF7876111 { margin-top:6pt; margin-left:21.25pt; margin-bottom:6pt; text-indent:7.1pt; font-size:11pt } .s4B8D41EE { font-family:Arial; font-size:10pt } .s7ED160F0 { text-decoration:none } .sC36A6361 { font-family:Arial; color:#000000 } .sB853CD25 { font-family:Arial; font-size:9pt } .sA8B162D1 { margin-top:6pt; margin-left:21.25pt; margin-bottom:6pt; text-indent:7.1pt; font-size:12.5pt } .s2CE7C1B9 { font-family:Arial; font-size:10pt; font-style:italic } .s4B243ECC { margin-top:12pt; margin-bottom:0pt; text-indent:14.2pt; page-break-inside:avoid; page-break-after:avoid } .sF86E6111 { margin-top:6pt; margin-left:21.25pt; margin-bottom:6pt; text-indent:7.1pt; font-size:16pt } .sA20670C4 { margin-top:12pt; margin-left:48.75pt; margin-bottom:6pt; text-indent:-17pt; page-break-inside:avoid; page-break-after:avoid; font-size:10pt } .s686A38D { width:71.01pt; text-indent:0pt; display:inline-block } .s61A5E261 { width:17pt; text-indent:0pt; display:inline-block } .s59DEA84 { margin-top:12pt; margin-left:59.5pt; margin-bottom:6pt; text-indent:-17.85pt; page-break-inside:avoid; page-break-after:avoid; font-size:10pt } .sB206C230 { margin-top:12pt; margin-left:68.65pt; margin-bottom:6pt; text-indent:-16.75pt; page-break-inside:avoid; page-break-after:avoid; font-size:10pt } .sE1860691 { margin-top:0pt; margin-bottom:0pt; text-indent:14.2pt; font-size:16pt } .s4B4B41EE { font-family:Arial; font-size:12pt } .sBB355983 { margin-top:6pt; margin-left:21.25pt; margin-bottom:6pt; text-indent:7.1pt; page-break-inside:avoid; page-break-after:avoid; font-size:10pt } .s583D00FA { margin-top:0pt; margin-left:17pt; margin-bottom:0pt; text-indent:-17pt } .s32563E28 { margin-top:0pt; margin-bottom:0pt } .s26FF04E7 { margin-top:0pt; margin-left:17.3pt; margin-bottom:0pt } .sA7C1495E { margin-top:30pt; margin-bottom:0pt; text-align:left } .s5830ECD9 { width:0.2pt; display:inline-block } .sDFDF245D { width:188.42pt; display:inline-block } .sA2E62387 { width:204.97pt; display:inline-block } .s379BC09C { margin-top:36pt; margin-bottom:0pt; text-align:right } .s5E1364CA { margin-top:0pt; margin-bottom:12pt; text-align:center; page-break-inside:avoid; page-break-after:avoid; font-size:14pt } .s66E9FC38 { font-family:Arial; font-size:8pt; vertical-align:super; color:#000000 } .sD79B6DFE { font-family:Arial; font-size:8pt; font-style:italic; vertical-align:super; color:#000000 } .s83BE5C30 { font-family:Arial; font-size:8pt; vertical-align:super } .sF6A12959 { width:33%; height:1px; text-align:left } .s2EB42ED2 { margin-top:0pt; margin-bottom:0pt; font-size:10pt } .s391E78BA { font-family:Arial; background-color:#ffffff }       FOURTH SECTION               CASE OF BENEDIK v. SLOVENIA   (Application no. 62357/14)                   JUDGMENT     STRASBOURG   24 April 2018     FINAL   24/07/2018   This judgment has become final under Article 44 § 2 of the Convention. It may be subject to editorial revision.   In the case of Benedik v. Slovenia, The European Court of Human Rights (Fourth Section), sitting as a Chamber composed of:   Ganna Yudkivska, President,   Vincent A. De Gaetano,   Faris Vehabović,   Carlo Ranzoni,   Georges Ravarani,   Marko Bošnjak,   Péter Paczolay, judges,   and Andrea Tamietti, Deputy Section Registrar, Having deliberated in private on 20 March 2018, Delivers the following judgment, which was adopted on that date: PROCEDURE 1.     The case originated in an application (no. 62357/14) against the Republic of Slovenia lodged with the Court under Article 34 of the Convention for the Protection of Human Rights and Fundamental Freedoms (“the Convention”) by Igor Benedik. 2.     The applicant was represented before the Court by Mr M. Jelenič Novak, a lawyer practising in Ljubljana. The Slovenian Government (“the Government”) were represented by their Agent, Mrs J. Morela, State Attorney. 3.     The applicant alleged, in particular, that his right under Article 8 of the Convention had been breached because the police had unlawfully obtained information leading to his identification from his Internet service provider. 4.     On 8 April 2015 the application was communicated to the Government. THE FACTS I.     THE CIRCUMSTANCES OF THE CASE 5.     The applicant was born in 1977 and lives in Kranj. A.     The investigation 6 .     In 2006 the Swiss law-enforcement authorities of the Canton of Valais conducted a monitoring exercise of users of the so-called “Razorback” network. The Swiss police established that some of the users owned and exchanged child pornography in the form of pictures or videos. Files containing illegal content were exchanged through the so-called “p2p” (peer-to-peer) file-sharing network in which each of the connected computers acted as both a client and a server. Hence, each user could access all files made available for sharing by other users of the network and download them for his or her use. Among the dynamic Internet Protocol (“IP”) addresses recorded by the Swiss police was also a certain dynamic IP address, which was later linked to the applicant. 7 .     Based on the data obtained by the Swiss police, on 7 August 2006 the Slovenian police, without obtaining a court order, requested company S., a Slovenian Internet service provider (hereinafter “the ISP”), to disclose data regarding the user to whom the above-mentioned IP   address had been assigned at 1.28 p.m. on 20   February 2006. The police based their request on section 149b(3) of the Criminal Procedure Act (hereinafter “the CPA”, see paragraph 36 below), which required the operators of electronic communication networks to disclose to the police information on the owners or users of certain means of electronic communication whose details were not available in the relevant directory. In response, on 10   August   2006 the ISP gave the police the name and address of the applicant’s father, who was a subscriber to the Internet service relating to the respective IP address. 8 .     On 12 December 2006 the police proposed that the Kranj District State Prosecutor’s Office request the investigating judge of the Kranj District Court to issue an order demanding that the ISP disclose both the personal data of the subscriber and traffic data linked to the IP address in question. On 14 December 2006 such a court order was obtained on the basis of section 149b(1) of the CPA and the ISP gave the police the required data. 9.     On 12 January 2007 the investigating judge of the Kranj District Court issued an order to carry out a house search of the applicant’s family home. The order indicated the applicant’s father as the suspect. During the house search the police and the investigating judge of the Kranj District Court seized four computers and later made copies of their hard disks. 10.     Based on a conversation with the applicant’s family members, of which no record is available, the police changed the suspect to the applicant. 11.     Reviewing the hard disks, the police found that one of them contained files with pornographic material involving minors. The police established that the applicant had installed eMule, a file-sharing program, on one of the computers by means of which he had been able to download different files from other users of the program and had also automatically offered and distributed his own files to them. Among the files downloaded by the applicant, a small percentage had contained child pornography. 12.     On 26 November 2007 the Kranj District prosecutor requested that a judicial investigation be opened against the applicant. 13.     In his defence before the investigating judge, the applicant argued, inter alia, that he had not been aware of the content of the files in question. He also argued that the ISP had unlawfully, without a judicial warrant, passed his data, including his address, to the police. 14.     On 5 March 2008 the investigating judge of the Kranj District Court, opened a judicial investigation against the applicant on the basis of a reasonable suspicion that he had committed the criminal offence of displaying, manufacturing, possessing and distributing pornographic material under section 187(3) of the Criminal Code. The judge noted, among other things, that the applicant’s father had been the holder of the identified IP address and that the applicant had allegedly been logging into the respective program under the name of “Benet”. 15.     On 17 March 2008 the applicant’s counsel lodged an appeal against the decision to open a judicial investigation. He argued, inter alia , that the evidence concerning the identity of the user of the respective IP address had been obtained unlawfully. That information concerned the traffic data and should therefore not have been obtained without a judicial warrant. 16.     On 21 March 2008 an interlocutory panel of the court rejected the appeal finding that, although counsel had argued that the identity of the user of the IP address had been obtained unlawfully, he had not requested that certain documents be excluded from the file. B.     The trial 17.     On 29 May 2008, the Kranj District State Prosecutor’s Office lodged an indictment against the applicant for the above-mentioned criminal offence. 18.     At the hearing of 8 October 2008 the applicant lodged a written request for exclusion of evidence obtained unlawfully, including the information concerning the user of the respective IP address obtained without a court order. 19.     On 5 December 2008 the court rejected the applicant’s request, finding that the data concerning the user of the respective IP address had been obtained in compliance with section 149b(3) of the CPA. 20.     On 5 December 2008 the Kranj District Court found the applicant guilty of the criminal offence with which he had been charged. Based on the opinion of an expert in computer science, the District Court held that the applicant must have been aware of the 630 pornographic pictures and 199 videos involving minors which he had downloaded through p2p networks and made available for sharing with other users. The applicant was sentenced to a suspended prison term of eight months with a probation period of two years. C.     Proceedings before the Ljubljana Higher Court 21.     Both the applicant and the district state prosecutor appealed against the first-instance judgment. The applicant challenged the facts as established by the District Court. He also alleged that the subscriber information the Slovenian police had acquired without a court order, and thus unlawfully, should have been excluded as evidence. Consequently, all the evidence based on such unlawfully acquired data should also have been excluded. 22.     On 4 November 2009 the Ljubljana Higher Court granted the appeal of the district state prosecutor in part, converting the applicant’s suspended sentence into a prison term of six months. The applicant’s appeal was dismissed as unfounded. The Higher Court confirmed that the first-instance court had correctly established the facts of the case; moreover, it held that the data concerning the user of the IP address had been obtained lawfully, as no court order was required for such a purpose. D.     Proceedings before the Supreme Court 23.     The applicant lodged an appeal on points of law before the Supreme Court, reiterating that a dynamic IP address could not be compared to a telephone number which was not entered in a telephone directory, as a new IP address was assigned to a computer each time the user logged on. Accordingly, such data should be considered as traffic data constituting circumstances and facts connected to the electronic communication and attracting the protection of privacy of communication. The applicant argued that the Swiss police should not have obtained the respective dynamic IP address without a court order, and nor should the Slovenian police have obtained the data on the identity of the subscriber associated with the IP address without such an order. 24.     On 20 January 2011 the Supreme Court dismissed the applicant’s appeal on points of law, reasoning that given the general accessibility of websites and the fact that the Swiss police could check the exchanges in the p2p network simply by monitoring the users sharing certain contents, that is without any particular intervention in internet traffic, such communication could not be considered private and thus protected by Article 37 of the Constitution. Moreover, in the Supreme Court’s view, the Slovenian police had not acquired traffic data about the applicant’s electronic communication, but only data regarding the user of a particular computer through which the Internet had been accessed. E.     Proceedings before the Constitutional Court 25.     The applicant lodged a constitutional complaint before the Constitutional Court, reiterating the complaints adduced before the lower courts. 26.     The Constitutional Court asked the Information Commissioner to express her position on the issue. The Information Commissioner was of the view that the reason for obtaining the identity of an individual user of electronic communication was precisely that he or she communicated by means of more or less publicly accessible websites. In the Information Commissioner’s view, it was impossible to separate traffic data from subscriber data, as traffic data alone did not make any sense if one did not ascertain who the person behind those data was – this latter information was thus considered to be an extremely important element of communication privacy. The Information Commissioner also highlighted that the provisions of the Electronic Communications Act in force at the material time required a court order regarding all data related to electronic communications, irrespective of whether they related to traffic or identification data. In the Information Commissioner’s view, section 149b (3) of the CPA, which required only a written request from the police to obtain data on who was communicating, was constitutionally problematic. 27 .     On 13 February 2014 the Constitutional Court dismissed the applicant’s complaint, holding that his constitutional rights had not been violated. The Constitutional Court’s decision was adopted by seven votes to two. Judge J. Sovdat and Judge D. Jadek Pensa wrote dissenting opinions. The decision was served on the applicant on 11 March 2014. 1.     The Constitutional Court’s decision 28.     The Constitutional Court pointed out, at the outset, that in addition to the content of communications, Article 37 of the Constitution also protected traffic data, that is any data processed for the transmission of communications in an electronic communications network. It considered that IP addresses were included in such traffic data. The Constitutional Court, however, concluded that the applicant, who had not hidden in any way the IP address through which he had accessed the Internet, had consciously exposed himself to the public and could not legitimately have expected privacy. As a result, the data concerning the identity of the user of the IP address were not protected as communication privacy under Article 37 of the Constitution, but only as information privacy under Article 38 of the Constitution, and no court order was required in order to disclose them in the applicant’s case. 29 .     The most relevant parts of the Constitutional Court’s decision are as follows (as translated into English on the Constitutional Court’s website): “ Review of the objections regarding access to the complainant’s IP address by the Swiss police 11. The second paragraph of Article 37 of the Constitution provides a higher level of protection than Article 8 of the ECHR as it requires a court order for any interference with the right to communication privacy ... The right to communication privacy determined by the first paragraph of Article 37 of the Constitution primarily protects the content of the communicated message. ... In addition to the message content, the circumstances and facts related to the communication are also protected. In accordance with this view, in Decision No.   Up-106/05, dated 2 October 2008 (Official Gazette RS, No. 100/08, and OdlUS XVII, 84) the Constitutional Court extended the protection provided by Article 37 of the Constitution also to such data regarding telephone calls that by their nature constitute an integral part of communication so that such data cannot be obtained without a court order. The mentioned Decision refers otherwise to telephone communication, but the same conclusion can be applied mutatis mutandis to other types of communication at a distance. The crucial constitutional review test for the review of the Constitutional Court whether a particular communication is protected under Article 37 of the Constitution is the test of the legitimate expectation of privacy. 12. Communication via the internet takes place, in principle, in an anonymous form, which is essential for the free development of personality, freedom of speech, and the expression of ideas, and, consequently, for the development of a free and democratic society. The privacy of communication protected by the strict conditions determined by the second paragraph of Article 37 of the Constitution is therefore a very important human right that is becoming increasingly important due to technological advances and the related growing possibilities of monitoring. It entails individuals’ legitimate expectation that the state will leave them alone also in their communication through modern communication channels and that they do not necessary have to defend themselves for what they do, say, write or think. If there is a suspicion of a criminal offense the Police must have the ability to identify the individuals who have participated in a certain communication related to an alleged criminal offense, because the perpetrators are harder to trace due to this principle of anonymity on the internet. The conditions under which the Police can carry out investigative actions and whether they need a court order, however, depend on whether such entail an interference with the right to communication privacy. 13. As was pointed out above, in addition to the content of communications, Article 37 of the Constitution also protects traffic data. Traffic data signifies any data processed for the transmission of communications in an electronic communications network or for the billing thereof. Such entails that the IP address is a traffic datum. The Constitutional Court must therefore answer the question whether the complainant legitimately expected privacy regarding this datum. 14. Two factors must be weighed in relation to this review: the expectation of privacy regarding the IP address and the legitimacy of this expectation, where the latter must be of such nature that the society is willing to accept it as legitimate. The complainant in the case at issue communicated with other users of the Razorback network by using the eMule application to exchange various files, including those that contained child pornography. With regard to the general anonymity of internet users and also the content of the files, the Constitutional Court has no doubt that the complainant expected that his communications would remain private, and he also certainly expected that his identity would not be disclosed. The question therefore is whether such expectation of privacy was legitimate. The complainant has not established that the IP address through which he accessed the internet was hidden in any way, and thus invisible to other users, or that access to the Razorback network (and thus to the content of the files) was in any way restricted, for example by passwords or other means. ... In contrast, in the complainant’s case anyone interested in exchanging such data could have accessed the contested files, and the complainant has not demonstrated that his IP address was in any way concealed or inaccessible by other users of this network. This leads to the conclusion that this entailed an open line of communication with a previously undetermined circle of strangers using the internet worldwide who have shown interest in sharing certain files, while at the same time access to the IP addresses of other users was not limited to users of this network. Therefore, in the view of the Constitutional Court, the complainant’s expectation of privacy was not legitimate; that which a person knowingly exposes to the public, even if from a home computer and the shelter of his or her own home, cannot be a subject of the protection afforded by Article 37 of the Constitution. In view of the foregoing, the contested standpoint of the Supreme Court does not raise concerns regarding constitutional law. Obtaining the data regarding the complainant’s dynamic IP address does not interfere with his right to communication privacy determined by the first paragraph of Article 37 of the Constitution taking into account all the circumstances of the case, therefore a court order was not necessary to access it. By his conduct the complainant himself waived his right to privacy and therefore could not have a legitimate expectation of privacy therewith. ... Review of the objections regarding access to data on the user of a certain IP address 16. The complainant also challenges the standpoint of the Supreme Court that by its request to the service provider under the third paragraph of Article 149.b of the CPA the Police did not acquire traffic data, but only data regarding a particular user of a determined means of communication ... 17. In the case at issue, on 7 June 2006, on the basis of the third paragraph of Article 149.b of the CPA, the Police sent a request to the service provider for data regarding the user to whom IP address 195.210.223.200 was assigned on 20 February 2006 at 13:28. In the response, they received data regarding the user’s name, surname, and address, while the time of the communication set to the nearest second was already known. Then on 14 December 2006 the Police also obtained an order issued by the investigating judge on the basis of the first paragraph 149.b of the CPA and the service provider also provided the traffic data on the basis of this order. The main issue for the Constitutional Court at this point is therefore whether obtaining the data regarding the identity of the user of a determined IP address falls within the framework of communication privacy. 18. In accordance with the position of the Constitutional Court in Decision No. Up-106/05, Article 37 of the Constitution also protects traffic data, i.e. data regarding, for example, who, when, with whom, and how often someone communicated. The identity of the communicating individual is one of the important aspects of communication privacy, therefore it is necessary to obtain a court order for its disclosure in accordance with the second paragraph of Article 37 of the Constitution. Despite this standpoint, the Constitutional Court decided that the complainant’s allegation of a violation of Article 37 of the Constitution is unfounded in the case at issue . By his conduct, the complainant has himself waived protection of his privacy by publicly revealing both his own IP address as well as the content of his communications, and therefore can no longer rely on it as regards the disclosure of his identity. Since by such he also waived the legitimate expectation of privacy, the data regarding the identity of the IP address user no longer enjoyed protection in terms of communication privacy, but only in terms of information privacy determined by Article 38 of the Constitution. Therefore, by obtaining the data on the name, surname, and address of the user of the dynamic IP address through which the complainant communicated the Police did not interfere with his communication privacy and therefore did not require a court order to disclose his identity. In view of the foregoing, the contested position of the Supreme Court is not inconsistent with Article 37 of the Constitution, and the complainant’s complaints in this part are unfounded.” 2.     Dissenting opinion by Judge J. Sovdat 30.     Judge J. Sovdat welcomed the Constitutional Court’s departure from the Supreme Court’s view that the information concerned had not amounted to traffic data. However, in her view, the police wishing to obtain identification of the subscriber should have requested a court order. She pointed out that the Constitutional Court’s conclusion implied that the protection of privacy of traffic data was always dependent on the protection of the content of communication. Accordingly, traffic data concerning certain communication were protected as long as the content of that communication was protected. Consequently, an individual could not enjoy separate and independent protection of traffic data. Judge Sovdat disagreed with this view, pointing out that the applicant had not appeared in public under his own name, but only through the digits of his dynamic IP address. 31 .     Judge Sovdat agreed with the Information Commissioner that the police had been interested not in the ownership of the device but in “the identity of the person communicating and precisely because he had been communicating”. She endorsed the Commissioner’s view that “the content of communication alone did not have any particular weight in the absence of identification of those communicating”. She also pointed out that under sections 166 and 168 of the new Electronic Communications Act (“ECA-1”, see paragraph 39 below), the Internet provider was not allowed to transfer the stored information without a court order. Compared with section 149b(3) of the CPA, the ECA was definitely more recent and therefore the decision of the majority ran contrary to the level of rights protection already achieved. 3.     Dissenting opinion by Judge D. Jadek Pensa 32.     Judge D. Jadek Pensa argued that the constitutional guarantees set out in Article 37 of the Constitution were aimed at strengthening the expectation of privacy in this area of life and preventing disproportionate interferences and an abuse of power by the executive. 33 .     As regards the applicant’s expectation of online anonymity, Judge Jadek Pensa argued that none of the data publicly disclosed by the complainant revealed his identity. In her view, anonymity was what prevented the police from linking a particular communication with a particular person – that is, linking a dynamic IP address and an individual with his or her name and address. She further argued that the question whether the applicant’s manner of communication could lead to the conclusion that his expectation of privacy had not been objectively justified had to be approached by taking all the circumstances into account, including the law that had been in force at the relevant time. She explained that the ECA (sections 103(1(2)), 104(1) and 107 – see paragraphs 37 below) required Internet providers to delete traffic data as soon as they were no longer needed for the transfer of messages. Moreover, section 107 of the ECA provided that the secrecy of communication could be interfered with only on the basis of a decision by a competent authority. A letter from the police to an Internet provider could not be considered to amount to such a decision. Thus, even if section 149b(3) of the CPA could be interpreted as allowing the police to ask for information on an Internet subscriber, it should not apply in the situations covered by the ECA, which explicitly concerned the “protection of secrecy and confidentiality of electronic communications”. Otherwise, the legislation would be contradictory. The judge concluded that the applicable legal framework could not therefore have led to the conclusion that the applicant, as a reasonably and sufficiently informed individual, could not have expected privacy; that is, he could not have expected that his anonymity would be protected. 34 .     Judge Jadek Pensa went on to elaborate on the neutrality of traffic data, such as data on the user of a certain dynamic IP address: “9. The traffic datum – the dynamic IP address that was assigned randomly at a given moment – as I understand it, reveals how the internet was used on some computer, because it is inextricably attached to a specific connection. ... This is because only the two data jointly communicate how the internet was used in a non-anonymised way, i.e. regarding internet use in connection with an identified person. This essential circumstance in my opinion negates the notion of the neutrality of the datum regarding a specific user of services for a certain (known) dynamic IP address that the police sought through the service provider - namely, the neutrality of the datum in terms of denying its ability to communicate anything more than the name and address of a certain person (who has a subscription contract with the service provider). Precisely because this datum is inseparably linked to a specific communication, the traffic datum falls within the scope of protected communication privacy. 10. Even if the service provider communicated to the police ‘only’ the data identifying a person who had a subscription contract with it, by doing so, as I understand it, the service provider in fact communicated (to put it simply) traffic data in an electronic communications network regarding this person. The police also, as I have already explained, wanted to determine more than just the name and surname of a certain person who had concluded a contract. Since, as I understand it, they asked for traffic data associated with a particular person they would have to proceed according to the first paragraph of Article 149.b of the CPA and obtain an order from the investigating judge.” II.     RELEVANT DOMESTIC LAW AND PRACTICE A.     The Constitution 35 .     Articles 37 and 38 of the Constitution, which provide for the protection of privacy of correspondence and other means of communication and the protection of personal data, respectively, provide as follows: Article 37 “The privacy of correspondence and other means of communication shall be guaranteed. Only a law may prescribe that on the basis of a court order the protection of the privacy of correspondence and other means of communication and the inviolability of personal privacy be suspended for a set time where such is necessary for the institution or course of criminal proceedings or for reasons of national security.” Article 38 “The protection of personal data shall be guaranteed. The use of personal data contrary to the purpose for which it was collected is prohibited. The collection, processing, designated use, supervision, and protection of the confidentiality of personal data shall be provided for by law. Everyone has the right of access to the collected personal data that relates to him and the right to judicial protection in the event of any abuse of such data.” B.     Criminal Procedure Act 36 .     Section 149b of the Criminal Procedure Act (Official Gazette no. 8/06), in the chapter regulating measures taken by the police in pre-trial proceedings, provided: “(1) If there are grounds for suspecting that a criminal offence for which a perpetrator is prosecuted ex officio has been committed, is being committed or is being prepared or organised, and information on communications using electronic communications networks needs to be obtained in order to uncover this criminal offence or the perpetrator thereof, the investigating judge may, at the request of the public prosecutor adducing reasonable grounds, order the operator of the electronic communications network to furnish him with information on the participants and the circumstances and facts of electronic communications, such as: the number or other form of identification of users of electronic communications services; the type, date, time and duration of the call or other form of electronic communications service; the quantity of data transmitted; and the place where the electronic communications service was performed. (2) The request and order must be in written form and must contain information that allows the means of electronic communication to be identified, an indication of reasonable grounds, the time period for which the information is required and other important circumstances that dictate use of the measure. (3) If there are grounds for suspecting that a criminal offence for which a perpetrator is prosecuted ex officio has been committed or is being prepared, and information on the owner or user of a certain means of electronic communication whose details are not available in the relevant directory, as well as information on the time that the means of communication was or is in use, needs to be obtained in order to uncover this criminal offence or the perpetrator thereof, the police may request that the operator of the electronic communications network furnish them with this information, at their written request and even without the consent of the individual to whom the information refers. (4) The operator of electronic communications networks may not disclose to its clients or a third party the fact that it has given certain information to an investigating judge (first paragraph of this section) or the police (preceding paragraph), or that it intends to do so.” C.     Electronic Communications Act 37 .     At the time the data in question were obtained (August 2006), the Electronic Communications Act (“ECA”, Official Gazette nos. 43/04 and 86/04) was in force. This Act implemented, among other things, Directive 2002/58/EC (see paragraph 56 below). The following provisions were relevant: Section 1 Content of the Act   “This Act regulates the conditions for the provision of electronic communication networks and for the provision of electronic communication services ... determines the rights of users ... regulates the protection of the secrecy and confidentiality of electronic communications and regulates other questions related to electronic communications.”   Section 3 Terms used “The terms used in this Act have the following meaning: ...   25. Traffic data are any data processed for the purpose of the conveyance of communication on an electronic communications network or for the billing thereof. ...” Section 103 Confidentiality of communications “(1) Confidentiality of communications refers to: 1. the content of communications; 2. traffic data and location data connected to the communication mentioned in subsection (1)1 above; 3. facts and circumstances relating to unsuccessful attempts to establish connections. (2) An operator and anyone involved in the provision and performance of its activities must continue to safeguard the confidentiality of communications after ceasing performance of the activity for which it was bound to safeguard confidentiality. (3) Those entities liable under subsection (2) above may only obtain the information on communications referred to in subsection (1) above to the extent necessary for the provision of specific publicly available communications services, and may only use or transfer [ posreduje ] this information to others in order to provide these services. (4) Where operators obtain information on the content of communications or record or retain communications and the traffic data related to them under subsection (3) above, they must notify the user of this when the subscriber contract is signed or upon the commencement of provision of the publicly available communications service, and erase information on the content of communications or the communications themselves as soon as this is technically feasible and the information is no longer necessary for the provision of the particular publicly available communications service. (5) All forms of surveillance or interception, such as listening, tapping, recording, retention and transfer [ posredovanje ] of the communications referred to in subsection (1) above shall be prohibited, unless this is permitted under subsection (4) above or under section 107 of this Act, or if this form of surveillance or interception is necessary for the sending of messages (e.g. facsimile messages, electronic mail, electronic mailboxes, voicemail and SMS services). ...” Section 104 Traffic data “(1) Traffic data relating to subscribers and users, and processed and stored by the operator, should be deleted or rendered anonymous, as soon as they are no longer needed for the transfer of messages. (2) Without prejudice to the provision of subsection (1) above, an operator may, until complete payment for a service but no longer than until the expiry of the limitation period, retain and process traffic data required for the purposes of calculation and of payment relating to interconnection. (3) For the purpose of marketing electronic communications services or for the provision of value-added services, the provider of a publicly available electronic communications service may process the data referred to in subsection (1) above to the extent and for the duration necessary for such services or marketing, but only if the subscriber or user to whom the data relate has given his prior consent. Subscribers or users must be informed, prior to giving consent, of the types of traffic data which are processed and the duration of such processing. A user or subscriber shall have the right to withdraw his or her consent at any time. (4) For the purposes referred to in subsection (2) above, a service provider must indicate in the general terms and conditions which traffic data will be retained and processed, and the duration thereof, and declare that they will be treated in accordance with the law on data protection. (5) Traffic data may only be processed under subsections (1) to (4) above by persons acting under the authority of an operator and handling billing or traffic management, responding to customer enquiries, detecting fraud, marketing electronic communications services or providing a value-added service, and this processing must be limited to what is necessary for the purposes of such activities. (6) Without prejudice to the provisions of subsections (1), (2), (3) and (5) above, an operator shall, upon a written request of a competent body set up for the purpose of settling disputes, in particular interconnection or billing disputes, and in accordance with the applicable legislation, send traffic data to such body.” Section 107 Lawful interception of communications “... (2) An operator should enable the lawful interception of communications at a determined point of the public communication network as soon as it receives a copy of the operative part of the order of the competent authority indicating the point ... at which a lawful interception of communications should take place and other data related to the means, scope and duration of this measure.” 38 .     Further amendments to the ECA, namely ECA-A, which were enacted on 28 November 2006, that is after the contested measures had been taken in the present case (Official Gazette no. 129/06), regulated the retention of traffic data for the purposes of, inter alia , criminal proceedings. This included data necessary for the identification of the source of communication, such as the name and address of the subscriber to whom a certain IP address was assigned, data needed for the identification of the destination of communications, and data needed to identify the date, time and duration of communications (sections 107.a and 107.b). No distinction between the static and the dynamic IP address was made in this regard. Furthermore, the amendment, introduced by section 107.č, stipulated that the operator was under an obligation to allow access to or to transfer the retained data immediately and no later than three days after receiving the transcript of the “order” issued by the “competent body”. Section 107.e of the amended Act provided that “the court that has ordered that certain data be accessed should keep a record of data concerning orders for access and transfer of the retained data”. It also regulated the reporting procedure on access to retained data – from the courts to the Ministry of Justice and then from the ministry to the European Commission. 39 .     On 20 December 2012 a new Electronic Communications Act (“ECA-1”, Official Gazette 109/2012) was adopted. Its sections 166 and 168 provide as follows: Section 166 Transfer of retained data to competent bodies “(1) An operator must, immediately or without undue delay, transfer retained data as soon as it receives a copy of the operative part of an order from a competent body stating all the required data on the scope of access. ... (4) An operator may not disclose an order to the persons to whom the order ... relates or to third parties, nor disclose that it has transferred or will transfer retained data to the competent body under this section. ... (7) The information commissioner shall monitor the fulfilment of the obligations by the providers under this section, in so far as they do not fall under the supervision of other competent bodies on the basis of other laws.” Section 168 Data on access orders and data transfers “(1) A court that has ordered access to data shall keep a record of access orders and the transfers of data retained pursuant to section 166 of this Act, comprising: 1. the number of cases in which access to retained data was ordered; 2. a statement of the date or period for which the data was requested, the date on which the competent body issued the data access order and the date of the transfer of the data; 3. the number of cases in which data access orders could not be executed. (2) The competent court shall forward the record referred to in subsection (1) above for the current year to the ministry responsible for justice by no later than 31 January the following year. (3) The ministry responsible for justice shall, on the basis of the records received from all courts, prepare a joint report on access to retained data by no later than 20   February each year for the previous year. It shall forward it to the ministry, which shall in turn forward it without delay to the European Commission and to the National Assembly Committee responsible for supervising the intelligence and security services. (4) The ministry responsible for justice shall, after obtaining the prior opinion of the President of the Supreme Court of the Republic of Slovenia, issue instructions using the reporting forms under this section.” D.     Personal Data Protection Act 40 .     Further to Slovenia becoming a member of the European Union, the Slovenian Parliament adopted, on 15 July 2004, a new   Personal Data Protection Act (Official Gazette no. 86/04), underpinned by Directive 95/46/ES (see paragraph 53 below). It provides, in so far as relevant, as follows: Section 1 Contents of the Act “This Act determines the rights, responsibilities, principles and measures to prevent unconstitutional, unlawful and unjustified encroachments on the privacy and dignity of an individual (hereinafter: individual) in the processing of personal data.” Section 6 Meaning of terms “The terms used in this Act shall have the following meanings: 1. Personal data - are any data relating to an individual, irrespective of the form in which they are expressed. 2. Individual - is an identified or identifiable natural person to whom personal data relate; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity, where the method of identification does not incur significant costs or a disproportionate effort or require a large amount of time. ... 18. Anonymising - is an alteration to the form of personal data such that they can no longer be linked to the individual or where such link can only be made with disproportionate efforts, expense or use of time. 19. Sensitive personal data - are data on racial, national or ethnic origin, political, religious or philosophical beliefs, trade-union membership, health status, sexual life, ...” 41 .     Section 2 of the Personal Data Protection Act provided that personal data should be processed lawfully and fairly. Section 8 provided that personal data could be processed if the law provided for doing so or on the basis of the consent of the individual affected. Under section 12, personal data could be processed without any other legal basis if this was urgently necessary for the protection of a person’s life or limb. 42 .     The Personal Data Protection Act also provided that data could be collected only for defined and lawful purposes and processed accordingly (section 16) and only on condition that this was necessary for the achievement of those purposes (section 21). Thereafter they should be deleted, destroyed, blocked or anonymised (ibid). The Act also set out the measures and procedures that should be taken by operators and contracted processors to secure personal data, and to prevent accidental or deliberate unauthorised destruction of data, their alteration, loss or unauthorised processing (sections 24 and 25). E.     Criminal Code 43 .     The Criminal Code applicable at the material time prohibited, in its Article 187, the presentation of pornographic material to minors under the age of fourteen and the manufacturing and distributing of pornographic material depicting minors. The relevant provision reads as follows: “... (2) Whosoever abuses a minor for the manufacturing of pornographic pictures, audio-visual or other objects of pornographic content, or uses a minor to act in a pornographic performance, shall be sentenced to a term of imprisonment of between six months and five years. (3) Whosoever produces, distributes, sells, imports or exports pornographic or other sexual material depicting minors, supplies it in any other way, or possesses such material with the intent of producing, distributing, selling, importing, exporting or offering it in any other way, shall be liable to the same sentence as in subsection (2) above. ...” F.     Constitutional Court decision no. Up-106/05 of 2 October 2008 44 .     Case no. Up-106/05 concerned a complainant who had been convicted of the illicit manufacture and trade in narcotics, based on data (a list of telephone numbers and text messages) obtained from hArticles de loi cités
Citations
Aucune citation répertoriée pour cette décision.
Décisions connexes
Aucune décision similaire identifiée pour le moment.
Synthèse
- Juridiction
- CEDH
- Chambre
- CASELAW;JUDGMENTS;CHAMBER;ENG
- Formation
- 7
- Date
- 24 avril 2018
- Matière
- droits fondamentaux
Référence
ECLI:CE:ECHR:2018:0424JUD006235714
Données disponibles
- Texte intégral