{"id":8054,"date":"2019-08-22T13:44:57","date_gmt":"2019-08-22T13:44:57","guid":{"rendered":"https:\/\/laweuro.com\/?p=8054"},"modified":"2019-08-22T13:44:57","modified_gmt":"2019-08-22T13:44:57","slug":"case-of-benedik-v-slovenia-european-court-of-human-rights","status":"publish","type":"post","link":"https:\/\/laweuro.com\/?p=8054","title":{"rendered":"CASE OF BENEDIK v. SLOVENIA (European Court of Human Rights)"},"content":{"rendered":"<p style=\"text-align: center;\">FOURTH SECTION<br \/>\nCASE OF BENEDIK v. SLOVENIA<br \/>\n(Application no. 62357\/14)<\/p>\n<p style=\"text-align: center;\">JUDGMENT<br \/>\nSTRASBOURG<br \/>\n24 April 2018<\/p>\n<p style=\"text-align: center;\">FINAL<br \/>\n24\/07\/2018<\/p>\n<p>This judgment has become final under Article 44 \u00a7 2 of the Convention. It may be subject to editorial revision.<\/p>\n<p><strong>In the case of Benedik v. Slovenia,<\/strong><\/p>\n<p>The European Court of Human Rights (Fourth Section), sitting as a Chamber composed of:<\/p>\n<p>Ganna Yudkivska, President,<br \/>\nVincent A. De Gaetano,<br \/>\nFaris Vehabovi\u0107,<br \/>\nCarlo Ranzoni,<br \/>\nGeorges Ravarani,<br \/>\nMarko Bo\u0161njak,<br \/>\nP\u00e9ter Paczolay, judges,<br \/>\nand Andrea Tamietti, Deputy Section Registrar,<\/p>\n<p>Having deliberated in private on 20 March 2018,<\/p>\n<p>Delivers the following judgment, which was adopted on that date:<\/p>\n<p><strong>PROCEDURE<\/strong><\/p>\n<p>1.\u00a0\u00a0The case originated in an application (no. 62357\/14) against the Republic of Slovenia lodged with the Court under Article 34 of the Convention for the Protection of Human Rights and Fundamental Freedoms (\u201cthe Convention\u201d) by Igor Benedik.<\/p>\n<p>2.\u00a0\u00a0The applicant was represented before the Court by Mr M. Jeleni\u010d Novak, a lawyer practising in Ljubljana. The Slovenian Government (\u201cthe Government\u201d) were represented by their Agent, Mrs J. 
Morela, State Attorney.<\/p>\n<p>3.\u00a0\u00a0The applicant alleged, in particular, that his right under Article 8 of the Convention had been breached because the police had unlawfully obtained information leading to his identification from his Internet service provider.<\/p>\n<p>4.\u00a0\u00a0On 8 April 2015 the application was communicated to the Government.<\/p>\n<p><strong>THE FACTS<\/strong><\/p>\n<p>I.\u00a0\u00a0THE CIRCUMSTANCES OF THE CASE<\/p>\n<p>5.\u00a0\u00a0The applicant was born in 1977 and lives in Kranj.<\/p>\n<p><strong>A.\u00a0\u00a0The investigation<\/strong><\/p>\n<p>6.\u00a0\u00a0In 2006 the Swiss law-enforcement authorities of the Canton of Valais conducted a monitoring exercise of users of the so-called \u201cRazorback\u201d network. The Swiss police established that some of the users owned and exchanged child pornography in the form of pictures or videos. Files containing illegal content were exchanged through the so-called \u201cp2p\u201d (peer-to-peer) file-sharing network in which each of the connected computers acted as both a client and a server. Hence, each user could access all files made available for sharing by other users of the network and download them for his or her use. Among the dynamic Internet Protocol (\u201cIP\u201d) addresses recorded by the Swiss police was also a certain dynamic IP address, which was later linked to the applicant.<\/p>\n<p>7.\u00a0\u00a0Based on the data obtained by the Swiss police, on 7 August 2006 the Slovenian police, without obtaining a court order, requested company S., a Slovenian Internet service provider (hereinafter \u201cthe ISP\u201d), to disclose data regarding the user to whom the above-mentioned IP\u00a0address had been assigned at 1.28 p.m. on 20\u00a0February 2006. 
The police based their request on section 149b(3) of the Criminal Procedure Act (hereinafter \u201cthe CPA\u201d, see paragraph 36 below), which required the operators of electronic communication networks to disclose to the police information on the owners or users of certain means of electronic communication whose details were not available in the relevant directory. In response, on 10\u00a0August\u00a02006 the ISP gave the police the name and address of the applicant\u2019s father, who was a subscriber to the Internet service relating to the respective IP address.<\/p>\n<p>8.\u00a0\u00a0On 12 December 2006 the police proposed that the Kranj District State Prosecutor\u2019s Office request the investigating judge of the Kranj District Court to issue an order demanding that the ISP disclose both the personal data of the subscriber and traffic data linked to the IP address in question. On 14 December 2006 such a court order was obtained on the basis of section 149b(1) of the CPA and the ISP gave the police the required data.<\/p>\n<p>9.\u00a0\u00a0On 12 January 2007 the investigating judge of the Kranj District Court issued an order to carry out a house search of the applicant\u2019s family home. The order indicated the applicant\u2019s father as the suspect. During the house search the police and the investigating judge of the Kranj District Court seized four computers and later made copies of their hard disks.<\/p>\n<p>10.\u00a0\u00a0Based on a conversation with the applicant\u2019s family members, of which no record is available, the police changed the suspect to the applicant.<\/p>\n<p>11.\u00a0\u00a0Reviewing the hard disks, the police found that one of them contained files with pornographic material involving minors. 
The police established that the applicant had installed eMule, a file-sharing program, on one of the computers by means of which he had been able to download different files from other users of the program and had also automatically offered and distributed his own files to them. Among the files downloaded by the applicant, a small percentage had contained child pornography.<\/p>\n<p>12.\u00a0\u00a0On 26 November 2007 the Kranj District prosecutor requested that a judicial investigation be opened against the applicant.<\/p>\n<p>13.\u00a0\u00a0In his defence before the investigating judge, the applicant argued, inter alia, that he had not been aware of the content of the files in question. He also argued that the ISP had unlawfully, without a judicial warrant, passed his data, including his address, to the police.<\/p>\n<p>14.\u00a0\u00a0On 5 March 2008 the investigating judge of the Kranj District Court opened a judicial investigation against the applicant on the basis of a reasonable suspicion that he had committed the criminal offence of displaying, manufacturing, possessing and distributing pornographic material under section 187(3) of the Criminal Code. The judge noted, among other things, that the applicant\u2019s father had been the holder of the identified IP address and that the applicant had allegedly been logging into the respective program under the name of \u201cBenet\u201d.<\/p>\n<p>15.\u00a0\u00a0On 17 March 2008 the applicant\u2019s counsel lodged an appeal against the decision to open a judicial investigation. He argued, inter alia, that the evidence concerning the identity of the user of the respective IP address had been obtained unlawfully. 
That information concerned the traffic data and should therefore not have been obtained without a judicial warrant.<\/p>\n<p>16.\u00a0\u00a0On 21 March 2008 an interlocutory panel of the court rejected the appeal finding that, although counsel had argued that the identity of the user of the IP address had been obtained unlawfully, he had not requested that certain documents be excluded from the file.<\/p>\n<p><strong>B.\u00a0\u00a0The trial<\/strong><\/p>\n<p>17.\u00a0\u00a0On 29 May 2008, the Kranj District State Prosecutor\u2019s Office lodged an indictment against the applicant for the above-mentioned criminal offence.<\/p>\n<p>18.\u00a0\u00a0At the hearing of 8 October 2008 the applicant lodged a written request for exclusion of evidence obtained unlawfully, including the information concerning the user of the respective IP address obtained without a court order.<\/p>\n<p>19.\u00a0\u00a0On 5 December 2008 the court rejected the applicant\u2019s request, finding that the data concerning the user of the respective IP address had been obtained in compliance with section 149b(3) of the CPA.<\/p>\n<p>20.\u00a0\u00a0On 5 December 2008 the Kranj District Court found the applicant guilty of the criminal offence with which he had been charged. Based on the opinion of an expert in computer science, the District Court held that the applicant must have been aware of the 630 pornographic pictures and 199 videos involving minors which he had downloaded through p2p networks and made available for sharing with other users. The applicant was sentenced to a suspended prison term of eight months with a probation period of two years.<\/p>\n<p><strong>C.\u00a0\u00a0Proceedings before the Ljubljana Higher Court<\/strong><\/p>\n<p>21.\u00a0\u00a0Both the applicant and the district state prosecutor appealed against the first-instance judgment. The applicant challenged the facts as established by the District Court. 
He also alleged that the subscriber information the Slovenian police had acquired without a court order, and thus unlawfully, should have been excluded as evidence. Consequently, all the evidence based on such unlawfully acquired data should also have been excluded.<\/p>\n<p>22.\u00a0\u00a0On 4 November 2009 the Ljubljana Higher Court granted the appeal of the district state prosecutor in part, converting the applicant\u2019s suspended sentence into a prison term of six months. The applicant\u2019s appeal was dismissed as unfounded. The Higher Court confirmed that the first-instance court had correctly established the facts of the case; moreover, it held that the data concerning the user of the IP address had been obtained lawfully, as no court order was required for such a purpose.<\/p>\n<p><strong>D.\u00a0\u00a0Proceedings before the Supreme Court<\/strong><\/p>\n<p>23.\u00a0\u00a0The applicant lodged an appeal on points of law before the Supreme Court, reiterating that a dynamic IP address could not be compared to a telephone number which was not entered in a telephone directory, as a new IP address was assigned to a computer each time the user logged on. Accordingly, such data should be considered as traffic data constituting circumstances and facts connected to the electronic communication and attracting the protection of privacy of communication. 
The applicant argued that the Swiss police should not have obtained the respective dynamic IP address without a court order, and nor should the Slovenian police have obtained the data on the identity of the subscriber associated with the IP address without such an order.<\/p>\n<p>24.\u00a0\u00a0On 20 January 2011 the Supreme Court dismissed the applicant\u2019s appeal on points of law, reasoning that given the general accessibility of websites and the fact that the Swiss police could check the exchanges in the p2p network simply by monitoring the users sharing certain contents, that is without any particular intervention in internet traffic, such communication could not be considered private and thus protected by Article 37 of the Constitution. Moreover, in the Supreme Court\u2019s view, the Slovenian police had not acquired traffic data about the applicant\u2019s electronic communication, but only data regarding the user of a particular computer through which the Internet had been accessed.<\/p>\n<p><strong>E.\u00a0\u00a0Proceedings before the Constitutional Court<\/strong><\/p>\n<p>25.\u00a0\u00a0The applicant lodged a constitutional complaint before the Constitutional Court, reiterating the complaints adduced before the lower courts.<\/p>\n<p>26.\u00a0\u00a0The Constitutional Court asked the Information Commissioner to express her position on the issue. The Information Commissioner was of the view that the reason for obtaining the identity of an individual user of electronic communication was precisely that he or she communicated by means of more or less publicly accessible websites. In the Information Commissioner\u2019s view, it was impossible to separate traffic data from subscriber data, as traffic data alone did not make any sense if one did not ascertain who the person behind those data was \u2013 this latter information was thus considered to be an extremely important element of communication privacy. 
The Information Commissioner also highlighted that the provisions of the Electronic Communications Act in force at the material time required a court order regarding all data related to electronic communications, irrespective of whether they related to traffic or identification data. In the Information Commissioner\u2019s view, section 149b (3) of the CPA, which required only a written request from the police to obtain data on who was communicating, was constitutionally problematic.<\/p>\n<p>27.\u00a0\u00a0On 13 February 2014 the Constitutional Court dismissed the applicant\u2019s complaint, holding that his constitutional rights had not been violated. The Constitutional Court\u2019s decision was adopted by seven votes to two. Judge J. Sovdat and Judge D. Jadek Pensa wrote dissenting opinions. The decision was served on the applicant on 11 March 2014.<\/p>\n<p><em>1.\u00a0\u00a0The Constitutional Court\u2019s decision<\/em><\/p>\n<p>28.\u00a0\u00a0The Constitutional Court pointed out, at the outset, that in addition to the content of communications, Article 37 of the Constitution also protected traffic data, that is any data processed for the transmission of communications in an electronic communications network. It considered that IP addresses were included in such traffic data. The Constitutional Court, however, concluded that the applicant, who had not hidden in any way the IP address through which he had accessed the Internet, had consciously exposed himself to the public and could not legitimately have expected privacy. 
As a result, the data concerning the identity of the user of the IP address were not protected as communication privacy under Article 37 of the Constitution, but only as information privacy under Article 38 of the Constitution, and no court order was required in order to disclose them in the applicant\u2019s case.<\/p>\n<p>29.\u00a0\u00a0The most relevant parts of the Constitutional Court\u2019s decision are as follows (as translated into English on the Constitutional Court\u2019s website):<\/p>\n<p>\u201cReview of the objections regarding access to the complainant\u2019s IP address by the Swiss police<\/p>\n<p>11. The second paragraph of Article 37 of the Constitution provides a higher level of protection than Article 8 of the ECHR as it requires a court order for any interference with the right to communication privacy&#8230; The right to communication privacy determined by the first paragraph of Article 37 of the Constitution primarily protects the content of the communicated message. &#8230; In addition to the message content, the circumstances and facts related to the communication are also protected. In accordance with this view, in Decision No.\u00a0Up-106\/05, dated 2 October 2008 (Official Gazette RS, No. 100\/08, and OdlUS XVII, 84) the Constitutional Court extended the protection provided by Article 37 of the Constitution also to such data regarding telephone calls that by their nature constitute an integral part of communication so that such data cannot be obtained without a court order. The mentioned Decision refers otherwise to telephone communication, but the same conclusion can be applied mutatis mutandis to other types of communication at a distance. The crucial constitutional review test for the review of the Constitutional Court whether a particular communication is protected under Article 37 of the Constitution is the test of the legitimate expectation of privacy.<\/p>\n<p>12. 
Communication via the internet takes place, in principle, in an anonymous form, which is essential for the free development of personality, freedom of speech, and the expression of ideas, and, consequently, for the development of a free and democratic society. The privacy of communication protected by the strict conditions determined by the second paragraph of Article 37 of the Constitution is therefore a very important human right that is becoming increasingly important due to technological advances and the related growing possibilities of monitoring. It entails individuals\u2019 legitimate expectation that the state will leave them alone also in their communication through modern communication channels and that they do not necessary have to defend themselves for what they do, say, write or think. If there is a suspicion of a criminal offense the Police must have the ability to identify the individuals who have participated in a certain communication related to an alleged criminal offense, because the perpetrators are harder to trace due to this principle of anonymity on the internet. The conditions under which the Police can carry out investigative actions and whether they need a court order, however, depend on whether such entail an interference with the right to communication privacy.<\/p>\n<p>13. As was pointed out above, in addition to the content of communications, Article 37 of the Constitution also protects traffic data. Traffic data signifies any data processed for the transmission of communications in an electronic communications network or for the billing thereof. Such entails that the IP address is a traffic datum. The Constitutional Court must therefore answer the question whether the complainant legitimately expected privacy regarding this datum.<\/p>\n<p>14. 
Two factors must be weighed in relation to this review: the expectation of privacy regarding the IP address and the legitimacy of this expectation, where the latter must be of such nature that the society is willing to accept it as legitimate. The complainant in the case at issue communicated with other users of the Razorback network by using the eMule application to exchange various files, including those that contained child pornography. With regard to the general anonymity of internet users and also the content of the files, the Constitutional Court has no doubt that the complainant expected that his communications would remain private, and he also certainly expected that his identity would not be disclosed. The question therefore is whether such expectation of privacy was legitimate. The complainant has not established that the IP address through which he accessed the internet was hidden in any way, and thus invisible to other users, or that access to the Razorback network (and thus to the content of the files) was in any way restricted, for example by passwords or other means. &#8230;In contrast, in the complainant\u2019s case anyone interested in exchanging such data could have accessed the contested files, and the complainant has not demonstrated that his IP address was in any way concealed or inaccessible by other users of this network. This leads to the conclusion that this entailed an open line of communication with a previously undetermined circle of strangers using the internet worldwide who have shown interest in sharing certain files, while at the same time access to the IP addresses of other users was not limited to users of this network. 
Therefore, in the view of the Constitutional Court, the complainant\u2019s expectation of privacy was not legitimate; that which a person knowingly exposes to the public, even if from a home computer and the shelter of his or her own home, cannot be a subject of the protection afforded by Article 37 of the Constitution. In view of the foregoing, the contested standpoint of the Supreme Court does not raise concerns regarding constitutional law. Obtaining the data regarding the complainant\u2019s dynamic IP address does not interfere with his right to communication privacy determined by the first paragraph of Article 37 of the Constitution taking into account all the circumstances of the case, therefore a court order was not necessary to access it. By his conduct the complainant himself waived his right to privacy and therefore could not have a legitimate expectation of privacy therewith.<\/p>\n<p>&#8230;<\/p>\n<p>Review of the objections regarding access to data on the user of a certain IP address<\/p>\n<p>16. The complainant also challenges the standpoint of the Supreme Court that by its request to the service provider under the third paragraph of Article 149.b of the CPA the Police did not acquire traffic data, but only data regarding a particular user of a determined means of communication&#8230;<\/p>\n<p>17. In the case at issue, on 7 June 2006, on the basis of the third paragraph of Article 149.b of the CPA, the Police sent a request to the service provider for data regarding the user to whom IP address 195.210.223.200 was assigned on 20 February 2006 at 13:28. In the response, they received data regarding the user\u2019s name, surname, and address, while the time of the communication set to the nearest second was already known. Then on 14 December 2006 the Police also obtained an order issued by the investigating judge on the basis of the first paragraph 149.b of the CPA and the service provider also provided the traffic data on the basis of this order. 
The main issue for the Constitutional Court at this point is therefore whether obtaining the data regarding the identity of the user of a determined IP address falls within the framework of communication privacy.<\/p>\n<p>18. In accordance with the position of the Constitutional Court in Decision No. Up-106\/05, Article 37 of the Constitution also protects traffic data, i.e. data regarding, for example, who, when, with whom, and how often someone communicated. The identity of the communicating individual is one of the important aspects of communication privacy, therefore it is necessary to obtain a court order for its disclosure in accordance with the second paragraph of Article 37 of the Constitution. Despite this standpoint, the Constitutional Court decided that the complainant\u2019s allegation of a violation of Article 37 of the Constitution is unfounded in the case at issue. By his conduct, the complainant has himself waived protection of his privacy by publicly revealing both his own IP address as well as the content of his communications, and therefore can no longer rely on it as regards the disclosure of his identity. Since by such he also waived the legitimate expectation of privacy, the data regarding the identity of the IP address user no longer enjoyed protection in terms of communication privacy, but only in terms of information privacy determined by Article 38 of the Constitution. Therefore, by obtaining the data on the name, surname, and address of the user of the dynamic IP address through which the complainant communicated the Police did not interfere with his communication privacy and therefore did not require a court order to disclose his identity. In view of the foregoing, the contested position of the Supreme Court is not inconsistent with Article 37 of the Constitution, and the complainant\u2019s complaints in this part are unfounded.\u201d<\/p>\n<p><em>2.\u00a0\u00a0Dissenting opinion by Judge J. Sovdat<\/em><\/p>\n<p>30.\u00a0\u00a0Judge J. 
Sovdat welcomed the Constitutional Court\u2019s departure from the Supreme Court\u2019s view that the information concerned had not amounted to traffic data. However, in her view, the police wishing to obtain identification of the subscriber should have requested a court order. She pointed out that the Constitutional Court\u2019s conclusion implied that the protection of privacy of traffic data was always dependent on the protection of the content of communication. Accordingly, traffic data concerning certain communication were protected as long as the content of that communication was protected. Consequently, an individual could not enjoy separate and independent protection of traffic data. Judge Sovdat disagreed with this view, pointing out that the applicant had not appeared in public under his own name, but only through the digits of his dynamic IP address.<\/p>\n<p>31.\u00a0\u00a0Judge Sovdat agreed with the Information Commissioner that the police had been interested not in the ownership of the device but in \u201cthe identity of the person communicating and precisely because he had been communicating\u201d. She endorsed the Commissioner\u2019s view that \u201cthe content of communication alone did not have any particular weight in the absence of identification of those communicating\u201d. She also pointed out that under sections 166 and 168 of the new Electronic Communications Act (\u201cECA-1\u201d, see paragraph 39 below), the Internet provider was not allowed to transfer the stored information without a court order. Compared with section 149b(3) of the CPA, the ECA was definitely more recent and therefore the decision of the majority ran contrary to the level of rights protection already achieved.<\/p>\n<p><em>3.\u00a0\u00a0Dissenting opinion by Judge D. Jadek Pensa<\/em><\/p>\n<p>32.\u00a0\u00a0Judge D. 
Jadek Pensa argued that the constitutional guarantees set out in Article 37 of the Constitution were aimed at strengthening the expectation of privacy in this area of life and preventing disproportionate interferences and an abuse of power by the executive.<\/p>\n<p>33.\u00a0\u00a0As regards the applicant\u2019s expectation of online anonymity, Judge Jadek Pensa argued that none of the data publicly disclosed by the complainant revealed his identity. In her view, anonymity was what prevented the police from linking a particular communication with a particular person \u2013 that is, linking a dynamic IP address and an individual with his or her name and address. She further argued that the question whether the applicant\u2019s manner of communication could lead to the conclusion that his expectation of privacy had not been objectively justified had to be approached by taking all the circumstances into account, including the law that had been in force at the relevant time. She explained that the ECA (sections 103(1(2)), 104(1) and 107 \u2013 see paragraphs 37 below) required Internet providers to delete traffic data as soon as they were no longer needed for the transfer of messages. Moreover, section 107 of the ECA provided that the secrecy of communication could be interfered with only on the basis of a decision by a competent authority. A letter from the police to an Internet provider could not be considered to amount to such a decision. Thus, even if section 149b(3) of the CPA could be interpreted as allowing the police to ask for information on an Internet subscriber, it should not apply in the situations covered by the ECA, which explicitly concerned the \u201cprotection of secrecy and confidentiality of electronic communications\u201d. Otherwise, the legislation would be contradictory. 
The judge concluded that the applicable legal framework could not therefore have led to the conclusion that the applicant, as a reasonably and sufficiently informed individual, could not have expected privacy; that is, he could not have expected that his anonymity would be protected.<\/p>\n<p>34.\u00a0\u00a0Judge Jadek Pensa went on to elaborate on the neutrality of traffic data, such as data on the user of a certain dynamic IP address:<\/p>\n<p>\u201c9. The traffic datum \u2013 the dynamic IP address that was assigned randomly at a given moment \u2013 as I understand it, reveals how the internet was used on some computer, because it is inextricably attached to a specific connection. &#8230; This is because only the two data jointly communicate how the internet was used in a non-anonymised way, i.e. regarding internet use in connection with an identified person. This essential circumstance in my opinion negates the notion of the neutrality of the datum regarding a specific user of services for a certain (known) dynamic IP address that the police sought through the service provider - namely, the neutrality of the datum in terms of denying its ability to communicate anything more than the name and address of a certain person (who has a subscription contract with the service provider). Precisely because this datum is inseparably linked to a specific communication, the traffic datum falls within the scope of protected communication privacy.<\/p>\n<p>10. Even if the service provider communicated to the police \u2018only\u2019 the data identifying a person who had a subscription contract with it, by doing so, as I understand it, the service provider in fact communicated (to put it simply) traffic data in an electronic communications network regarding this person. The police also, as I have already explained, wanted to determine more than just the name and surname of a certain person who had concluded a contract. 
Since, as I understand it, they asked for traffic data associated with a particular person they would have to proceed according to the first paragraph of Article 149.b of the CPA and obtain an order from the investigating judge.\u201d<\/p>\n<p>II.\u00a0\u00a0RELEVANT DOMESTIC LAW AND PRACTICE<\/p>\n<p><strong>A.\u00a0\u00a0The Constitution<\/strong><\/p>\n<p>35.\u00a0\u00a0Articles 37 and 38 of the Constitution, which provide for the protection of privacy of correspondence and other means of communication and the protection of personal data, respectively, provide as follows:<\/p>\n<p style=\"text-align: center;\">Article 37<\/p>\n<p>\u201cThe privacy of correspondence and other means of communication shall be guaranteed.<\/p>\n<p>Only a law may prescribe that on the basis of a court order the protection of the privacy of correspondence and other means of communication and the inviolability of personal privacy be suspended for a set time where such is necessary for the institution or course of criminal proceedings or for reasons of national security.\u201d<\/p>\n<p style=\"text-align: center;\">Article 38<\/p>\n<p>\u201cThe protection of personal data shall be guaranteed. The use of personal data contrary to the purpose for which it was collected is prohibited.<\/p>\n<p>The collection, processing, designated use, supervision, and protection of the confidentiality of personal data shall be provided for by law.<\/p>\n<p>Everyone has the right of access to the collected personal data that relates to him and the right to judicial protection in the event of any abuse of such data.\u201d<\/p>\n<p><strong>B.\u00a0\u00a0Criminal Procedure Act<\/strong><\/p>\n<p>36.\u00a0\u00a0Section 149b of the Criminal Procedure Act (Official Gazette no. 
8\/06), in the chapter regulating measures taken by the police in pre-trial proceedings, provided:<\/p>\n<p>\u201c(1) If there are grounds for suspecting that a criminal offence for which a perpetrator is prosecuted ex officio has been committed, is being committed or is being prepared or organised, and information on communications using electronic communications networks needs to be obtained in order to uncover this criminal offence or the perpetrator thereof, the investigating judge may, at the request of the public prosecutor adducing reasonable grounds, order the operator of the electronic communications network to furnish him with information on the participants and the circumstances and facts of electronic communications, such as: the number or other form of identification of users of electronic communications services; the type, date, time and duration of the call or other form of electronic communications service; the quantity of data transmitted; and the place where the electronic communications service was performed.<\/p>\n<p>(2) The request and order must be in written form and must contain information that allows the means of electronic communication to be identified, an indication of reasonable grounds, the time period for which the information is required and other important circumstances that dictate use of the measure.<\/p>\n<p>(3) If there are grounds for suspecting that a criminal offence for which a perpetrator is prosecuted ex officio has been committed or is being prepared, and information on the owner or user of a certain means of electronic communication whose details are not available in the relevant directory, as well as information on the time that the means of communication was or is in use, needs to be obtained in order to uncover this criminal offence or the perpetrator thereof, the police may request that the operator of the electronic communications network furnish them with this information, at their written request and even without 
the consent of the individual to whom the information refers.<\/p>\n<p>(4) The operator of electronic communications networks may not disclose to its clients or a third party the fact that it has given certain information to an investigating judge (first paragraph of this section) or the police (preceding paragraph), or that it intends to do so.\u201d<\/p>\n<p><strong>C.\u00a0\u00a0Electronic Communications Act<\/strong><\/p>\n<p>37.\u00a0\u00a0At the time the data in question were obtained (August 2006), the Electronic Communications Act (\u201cECA\u201d, Official Gazette nos. 43\/04 and 86\/04) was in force. This Act implemented, among other things, Directive 2002\/58\/EC (see paragraph 56 below). The following provisions were relevant:<\/p>\n<p style=\"text-align: center;\">Section 1<\/p>\n<p style=\"text-align: center;\">Content of the Act<\/p>\n<p>\u201cThis Act regulates the conditions for the provision of electronic communication networks and for the provision of electronic communication services &#8230; determines the rights of users &#8230; regulates the protection of the secrecy and confidentiality of electronic communications and regulates other questions related to electronic communications.\u201d<\/p>\n<p style=\"text-align: center;\">Section 3<\/p>\n<p style=\"text-align: center;\">Terms used<\/p>\n<p>\u201cThe terms used in this Act have the following meaning:<\/p>\n<p>&#8230;<\/p>\n<p>25. Traffic data are any data processed for the purpose of the conveyance of communication on an electronic communications network or for the billing thereof.<\/p>\n<p>&#8230;\u201d<\/p>\n<p style=\"text-align: center;\">Section 103<\/p>\n<p style=\"text-align: center;\">Confidentiality of communications<\/p>\n<p>\u201c(1) Confidentiality of communications refers to:<\/p>\n<p>1. the content of communications;<\/p>\n<p>2. traffic data and location data connected to the communication mentioned in subsection (1)1 above;<\/p>\n<p>3. 
facts and circumstances relating to unsuccessful attempts to establish connections.<\/p>\n<p>(2) An operator and anyone involved in the provision and performance of its activities must continue to safeguard the confidentiality of communications after ceasing performance of the activity for which it was bound to safeguard confidentiality.<\/p>\n<p>(3) Those entities liable under subsection (2) above may only obtain the information on communications referred to in subsection (1) above to the extent necessary for the provision of specific publicly available communications services, and may only use or transfer [posreduje] this information to others in order to provide these services.<\/p>\n<p>(4) Where operators obtain information on the content of communications or record or retain communications and the traffic data related to them under subsection (3) above, they must notify the user of this when the subscriber contract is signed or upon the commencement of provision of the publicly available communications service, and erase information on the content of communications or the communications themselves as soon as this is technically feasible and the information is no longer necessary for the provision of the particular publicly available communications service.<\/p>\n<p>(5) All forms of surveillance or interception, such as listening, tapping, recording, retention and transfer [posredovanje] of the communications referred to in subsection (1) above shall be prohibited, unless this is permitted under subsection (4) above or under section 107 of this Act, or if this form of surveillance or interception is necessary for the sending of messages (e.g. 
facsimile messages, electronic mail, electronic mailboxes, voicemail and SMS services).<\/p>\n<p>&#8230;\u201d<\/p>\n<p style=\"text-align: center;\">Section 104<\/p>\n<p style=\"text-align: center;\">Traffic data<\/p>\n<p>\u201c(1) Traffic data relating to subscribers and users, and processed and stored by the operator, should be deleted or rendered anonymous, as soon as they are no longer needed for the transfer of messages.<\/p>\n<p>(2) Without prejudice to the provision of subsection (1) above, an operator may, until complete payment for a service but no longer than until the expiry of the limitation period, retain and process traffic data required for the purposes of calculation and of payment relating to interconnection.<\/p>\n<p>(3) For the purpose of marketing electronic communications services or for the provision of value-added services, the provider of a publicly available electronic communications service may process the data referred to in subsection (1) above to the extent and for the duration necessary for such services or marketing, but only if the subscriber or user to whom the data relate has given his prior consent. Subscribers or users must be informed, prior to giving consent, of the types of traffic data which are processed and the duration of such processing. 
A user or subscriber shall have the right to withdraw his or her consent at any time.<\/p>\n<p>(4) For the purposes referred to in subsection (2) above, a service provider must indicate in the general terms and conditions which traffic data will be retained and processed, and the duration thereof, and declare that they will be treated in accordance with the law on data protection.<\/p>\n<p>(5) Traffic data may only be processed under subsections (1) to (4) above by persons acting under the authority of an operator and handling billing or traffic management, responding to customer enquiries, detecting fraud, marketing electronic communications services or providing a value-added service, and this processing must be limited to what is necessary for the purposes of such activities.<\/p>\n<p>(6) Without prejudice to the provisions of subsections (1), (2), (3) and (5) above, an operator shall, upon a written request of a competent body set up for the purpose of settling disputes, in particular interconnection or billing disputes, and in accordance with the applicable legislation, send traffic data to such body.\u201d<\/p>\n<p style=\"text-align: center;\">Section 107<\/p>\n<p style=\"text-align: center;\">Lawful interception of communications<\/p>\n<p>\u201c&#8230; (2) An operator should enable the lawful interception of communications at a determined point of the public communication network as soon as it receives a copy of the operative part of the order of the competent authority indicating the point &#8230; at which a lawful interception of communications should take place and other data related to the means, scope and duration of this measure.\u201d<\/p>\n<p>38.\u00a0\u00a0Further amendments to the ECA, namely ECA-A, which were enacted on 28 November 2006, that is after the contested measures had been taken in the present case (Official Gazette no. 129\/06), regulated the retention of traffic data for the purposes of, inter alia, criminal proceedings. 
This included data necessary for the identification of the source of communication, such as the name and address of the subscriber to whom a certain IP address was assigned, data needed for the identification of the destination of communications, and data needed to identify the date, time and duration of communications (sections 107.a and 107.b). No distinction between the static and the dynamic IP address was made in this regard. Furthermore, the amendment, introduced by section 107.\u010d, stipulated that the operator was under an obligation to allow access to or to transfer the retained data immediately and no later than three days after receiving the transcript of the \u201corder\u201d issued by the \u201ccompetent body\u201d. Section 107.e of the amended Act provided that \u201cthe court that has ordered that certain data be accessed should keep a record of data concerning orders for access and transfer of the retained data\u201d. It also regulated the reporting procedure on access to retained data \u2013 from the courts to the Ministry of Justice and then from the ministry to the European Commission.<\/p>\n<p>39.\u00a0\u00a0On 20 December 2012 a new Electronic Communications Act (\u201cECA-1\u201d, Official Gazette 109\/2012) was adopted. 
Its sections 166 and 168 provide as follows:<\/p>\n<p style=\"text-align: center;\">Section 166<\/p>\n<p style=\"text-align: center;\">Transfer of retained data to competent bodies<\/p>\n<p>\u201c(1) An operator must, immediately or without undue delay, transfer retained data as soon as it receives a copy of the operative part of an order from a competent body stating all the required data on the scope of access.<\/p>\n<p>&#8230;<\/p>\n<p>(4) An operator may not disclose an order to the persons to whom the order &#8230; relates or to third parties, nor disclose that it has transferred or will transfer retained data to the competent body under this section.<\/p>\n<p>&#8230;<\/p>\n<p>(7) The information commissioner shall monitor the fulfilment of the obligations by the providers under this section, in so far as they do not fall under the supervision of other competent bodies on the basis of other laws.\u201d<\/p>\n<p style=\"text-align: center;\">Section 168<\/p>\n<p style=\"text-align: center;\">Data on access orders and data transfers<\/p>\n<p>\u201c(1) A court that has ordered access to data shall keep a record of access orders and the transfers of data retained pursuant to section 166 of this Act, comprising:<\/p>\n<p>1. the number of cases in which access to retained data was ordered;<\/p>\n<p>2. a statement of the date or period for which the data was requested, the date on which the competent body issued the data access order and the date of the transfer of the data;<\/p>\n<p>3. 
the number of cases in which data access orders could not be executed.<\/p>\n<p>(2) The competent court shall forward the record referred to in subsection (1) above for the current year to the ministry responsible for justice by no later than 31 January the following year.<\/p>\n<p>(3) The ministry responsible for justice shall, on the basis of the records received from all courts, prepare a joint report on access to retained data by no later than 20\u00a0February each year for the previous year. It shall forward it to the ministry, which shall in turn forward it without delay to the European Commission and to the National Assembly Committee responsible for supervising the intelligence and security services.<\/p>\n<p>(4) The ministry responsible for justice shall, after obtaining the prior opinion of the President of the Supreme Court of the Republic of Slovenia, issue instructions using the reporting forms under this section.\u201d<\/p>\n<p><strong>D.\u00a0\u00a0Personal Data Protection Act<\/strong><\/p>\n<p>40.\u00a0\u00a0Further to Slovenia becoming a member of the European Union, the Slovenian Parliament adopted, on 15 July 2004, a new\u00a0Personal Data Protection Act (Official Gazette no. 86\/04), underpinned by Directive 95\/46\/ES (see paragraph 53 below). It provides, in so far as relevant, as follows:<\/p>\n<p style=\"text-align: center;\">Section 1<\/p>\n<p style=\"text-align: center;\">Contents of the Act<\/p>\n<p>\u201cThis Act determines the rights, responsibilities, principles and measures to prevent unconstitutional, unlawful and unjustified encroachments on the privacy and dignity of an individual (hereinafter: individual) in the processing of personal data.\u201d<\/p>\n<p style=\"text-align: center;\">Section 6<\/p>\n<p style=\"text-align: center;\">Meaning of terms<\/p>\n<p>\u201cThe terms used in this Act shall have the following meanings:<\/p>\n<p>1. 
Personal data &#8211; are any data relating to an individual, irrespective of the form in which they are expressed.<\/p>\n<p>2. Individual &#8211; is an identified or identifiable natural person to whom personal data relate; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity, where the method of identification does not incur significant costs or a disproportionate effort or require a large amount of time.<\/p>\n<p>&#8230;<\/p>\n<p>18. Anonymising &#8211; is an alteration to the form of personal data such that they can no longer be linked to the individual or where such link can only be made with disproportionate efforts, expense or use of time.<\/p>\n<p>19. Sensitive personal data &#8211; are data on racial, national or ethnic origin, political, religious or philosophical beliefs, trade-union membership, health status, sexual life, &#8230;\u201d<\/p>\n<p>41.\u00a0\u00a0Section 2 of the Personal Data Protection Act provided that personal data should be processed lawfully and fairly. Section 8 provided that personal data could be processed if the law provided for doing so or on the basis of the consent of the individual affected. Under section 12, personal data could be processed without any other legal basis if this was urgently necessary for the protection of a person\u2019s life or limb.<\/p>\n<p>42.\u00a0\u00a0The Personal Data Protection Act also provided that data could be collected only for defined and lawful purposes and processed accordingly (section 16) and only on condition that this was necessary for the achievement of those purposes (section 21). Thereafter they should be deleted, destroyed, blocked or anonymised (ibid). 
The Act also set out the measures and procedures that should be taken by operators and contracted processors to secure personal data, and to prevent accidental or deliberate unauthorised destruction of data, their alteration, loss or unauthorised processing (sections 24 and 25).<\/p>\n<p><strong>E.\u00a0\u00a0Criminal Code<\/strong><\/p>\n<p>43.\u00a0\u00a0The Criminal Code applicable at the material time prohibited, in its Article 187, the presentation of pornographic material to minors under the age of fourteen and the manufacturing and distributing of pornographic material depicting minors. The relevant provision reads as follows:<\/p>\n<p>\u201c&#8230;<\/p>\n<p>(2) Whosoever abuses a minor for the manufacturing of pornographic pictures, audio-visual or other objects of pornographic content, or uses a minor to act in a pornographic performance, shall be sentenced to a term of imprisonment of between six months and five years.<\/p>\n<p>(3) Whosoever produces, distributes, sells, imports or exports pornographic or other sexual material depicting minors, supplies it in any other way, or possesses such material with the intent of producing, distributing, selling, importing, exporting or offering it in any other way, shall be liable to the same sentence as in subsection (2) above.<\/p>\n<p>&#8230;\u201d<\/p>\n<p><strong>F.\u00a0\u00a0Constitutional Court decision no. Up-106\/05 of 2 October 2008<\/strong><\/p>\n<p>44.\u00a0\u00a0Case no. Up-106\/05 concerned a complainant who had been convicted of the illicit manufacture and trade in narcotics, based on data (a list of telephone numbers and text messages) obtained from his SIM card, without a court order. He complained that his conviction had been based on unlawfully obtained evidence, as the police had monitored his mobile telephone communication without a court order. 
The Constitutional Court upheld the complaint and quashed the lower courts\u2019 judgments.<\/p>\n<p>45.\u00a0\u00a0The Constitutional Court found that not only the content of the communication but also the circumstances and facts connected to the communication were protected, including the data stored in the telephone\u2019s memory, which were an integral element of communication privacy. Therefore, obtaining data on the last dialled and last unanswered calls entailed an examination of the content and circumstances of the communication, and was consequently an interference with the right determined in the first paragraph of Article 37 of the Constitution. The court pointed out that such interference was, pursuant to Article 37 \u00a7 2 of the Constitution, admissible if the following conditions were met: (1) the interference was prescribed by law; (2) the interference was allowed on the basis of a court order; (3) the duration of the interference was precisely determined; and (4) the interference was necessary for the institution or course of criminal proceedings or for reasons of national security.<\/p>\n<p>III.\u00a0\u00a0RELEVANT INTERNATIONAL LAW<\/p>\n<p><strong>A.\u00a0\u00a0Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data<\/strong><\/p>\n<p>46.\u00a0\u00a0The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (opened for signature on 28 January 1981, ETS No. 108, hereinafter \u201cthe 1981 Convention\u201d) was ratified by all Council of Europe Member States and entered into force with respect to Slovenia on 1 September 1994. 
Article 1 sets out the object and purpose of the Convention, which is \u201cto secure in the territory of each Party for every individual, whatever his nationality or residence, respect for his rights and fundamental freedoms, and in particular his right to privacy, with regard to automatic processing of personal data relating to him (\u2018data protection\u2019).\u201d The 1981 Convention, among other things, protects individuals against abuses and applies to all data processing carried out by both the private and public sector, such as data processing by the judiciary and law-enforcement authorities. In Article 2 \u201cpersonal data\u201d are defined as any information relating to an identified or identifiable individual. Article 5 requires that personal data undergoing automatic processing be obtained and processed fairly and lawfully.<\/p>\n<p><strong>B.\u00a0\u00a0Convention on Cybercrime<\/strong><\/p>\n<p>47.\u00a0\u00a0The Convention on Cybercrime (opened for signature on 23\u00a0November 2001, came into force on 1 July 2004, ETS No. 185, hereinafter \u201cthe Cybercrime Convention\u201d) took effect in Slovenia on 1\u00a0January 2005.<\/p>\n<p>48.\u00a0\u00a0The Cybercrime Convention is the first international treaty on crimes committed via the Internet and is open to all States. 
It requires countries to establish as criminal offences, among others, child pornography.<\/p>\n<p>49.\u00a0\u00a0Article 1 defines, for the purposes of the Cybercrime Convention, \u201ctraffic data\u201d as \u201cany computer data relating to a communication by means of a computer system, generated by a computer system that formed a part in the chain of communication, indicating the communication\u2019s origin, destination, route, time, date, size, duration, or type of underlying service.\u201d Its Explanatory Report further provides, in the relevant part, as follows (\u00a7\u00a030):<\/p>\n<p>\u201cThe \u2018origin\u2019 refers to a telephone number, Internet Protocol (IP) address, or similar identification of a communications facility to which a service provider renders services. The \u2018destination\u2019 refers to a comparable indication of a communications facility to which communications are transmitted. The term \u2018type of underlying service\u2019 refers to the type of service that is being used within the network, e.g., file transfer, electronic mail, or instant messaging.\u201d<\/p>\n<p>50.\u00a0\u00a0Pursuant to the Cybercrime Convention the following measures should be available to the authorities to combat the crimes listed therein:<\/p>\n<p style=\"text-align: center;\">Article 18 \u2013 Production order<\/p>\n<p>\u201c1. Each Party shall adopt such legislative and other measures as may be necessary to empower its competent authorities to order:<\/p>\n<p>&#8230;<\/p>\n<p>b) a service provider offering its services in the territory of the Party to submit subscriber information relating to such services in that service provider\u2019s possession or control.<\/p>\n<p>2. The powers and procedures referred to in this article shall be subject to Articles\u00a014 and 15.<\/p>\n<p>3. 
For the purpose of this article, the term \u2018subscriber information\u2019 means any information contained in the form of computer data or any other form that is held by a service provider, relating to subscribers of its services other than traffic or content data and by which can be established:<\/p>\n<p>a) the type of communication service used, the technical provisions taken thereto and the period of service;<\/p>\n<p>b) the subscriber\u2019s identity, postal or geographic address, telephone and other access number, billing and payment information, available on the basis of the service agreement or arrangement;<\/p>\n<p>c) any other information on the site of the installation of communication equipment, available on the basis of the service agreement or arrangement.\u201d<\/p>\n<p style=\"text-align: center;\">Article 20 \u2013 Real-time collection of traffic data<\/p>\n<p>\u201c1. Each Party shall adopt such legislative and other measures as may be necessary to empower its competent authorities to:<\/p>\n<p>a) collect or record through the application of technical means on the territory of that Party, and<\/p>\n<p>b) compel a service provider, within its existing technical capability:<\/p>\n<p>(i) to collect or record through the application of technical means on the territory of that Party; or<\/p>\n<p>(ii) to co-operate and assist the competent authorities in the collection or recording of,<\/p>\n<p>traffic data, in real-time, associated with specified communications in its territory transmitted by means of a computer system.<\/p>\n<p>&#8230;<\/p>\n<p>4. 
The powers and procedures referred to in this article shall be subject to Articles\u00a014 and 15.\u201d<\/p>\n<p style=\"text-align: center;\">Article 21 \u2013 Interception of content data<\/p>\n<p>\u201c1. Each Party shall adopt such legislative and other measures as may be necessary, in relation to a range of serious offences to be determined by domestic law, to empower its competent authorities to:<\/p>\n<p>a) collect or record through the application of technical means on the territory of that Party, and<\/p>\n<p>b) compel a service provider, within its existing technical capability:<\/p>\n<p>(i) to collect or record through the application of technical means on the territory of that Party, or<\/p>\n<p>(ii) to co-operate and assist the competent authorities in the collection or recording of,<\/p>\n<p>content data, in real-time, of specified communications in its territory transmitted by means of a computer system.<\/p>\n<p>&#8230;<\/p>\n<p>4. The powers and procedures referred to in this article shall be subject to Articles 14 and 15.\u201d<\/p>\n<p>51.\u00a0\u00a0With regard to the production order, the Explanatory Report to the Convention on Cybercrime (Budapest, 23 November 2001, ETS No. 185) states that, in the course of a criminal investigation, subscriber information may be needed mainly in two situations. Firstly, to identify which services and related technical measures have been used or are being used by a subscriber, such as the type of telephone service used, the type of other associated services used (for example, call forwarding, voicemail), or the telephone number or other technical address (for example, the email address). Secondly, where a technical address is known, subscriber information is needed in order to assist in establishing the identity of the person concerned. 
According to the explanatory report, a production order provides a less intrusive and less onerous measure which law-enforcement authorities can apply instead of measures such as interception of content data and real-time collection of traffic data, which must or can be limited only to serious offences.<\/p>\n<p>52.\u00a0\u00a0The Cybercrime Convention requires that the aforementioned measures provided for in Articles 18, 20 and 21 be subject to the conditions set out in Articles 14 and 15, which, as far as relevant, read as follows:<\/p>\n<p style=\"text-align: center;\">Article 14 \u2013 Scope of procedural provisions<\/p>\n<p>\u201c1. Each Party shall adopt such legislative and other measures as may be necessary to establish the powers and procedures provided for in this section for the purpose of specific criminal investigations or proceedings.<\/p>\n<p>&#8230;\u201d<\/p>\n<p style=\"text-align: center;\">Article 15 \u2013 Conditions and safeguards<\/p>\n<p>\u201c1. Each Party shall ensure that the establishment, implementation and application of the powers and procedures provided for in this Section are subject to conditions and safeguards provided for under its domestic law, which shall provide for the adequate protection of human rights and liberties, including rights arising pursuant to obligations it has undertaken under the 1950 Council of Europe Convention for the Protection of Human Rights and Fundamental Freedoms, the 1966 United Nations International Covenant on Civil and Political Rights, and other applicable international human rights instruments, and which shall incorporate the principle of proportionality.<\/p>\n<p>2. 
Such conditions and safeguards shall, as appropriate in view of the nature of the procedure or power concerned, inter alia, include judicial or other independent supervision, grounds justifying application, and limitation of the scope and the duration of such power or procedure.\u201d<\/p>\n<p>IV.\u00a0\u00a0RELEVANT EUROPEAN UNION LAW<\/p>\n<p><strong>A.\u00a0\u00a0Directive 95\/46\/EC and Regulation (EU) 2016\/679<\/strong><\/p>\n<p>53.\u00a0\u00a0Article 2 (1) (a) of Directive 95\/46\/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, p. 31, hereinafter \u201cthe Data Protection Directive\u201d) provides that \u201cpersonal data\u201d means \u201cany information relating to an identified or identifiable natural person (\u2018data subject\u2019)\u201d. Furthermore, under the aforementioned provision, an \u201cidentifiable person\u201d is \u201cone who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity\u201d. The Data Protection Directive does not apply to the area of police and criminal justice.<\/p>\n<p>54.\u00a0\u00a0Recital 26 provides that in determining whether a person is identifiable, \u201caccount should be taken of all the means likely reasonably to be used &#8230; to identify the said person\u201d; the principles of protection will not apply to data rendered anonymous in such a way that the data subject is no longer identifiable.<\/p>\n<p>55.\u00a0\u00a0Regulation (EU) 2016\/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95\/46\/EC (General Data Protection Regulation) (OJ 2016 L 119\/1, 
p. 1), entered into force on 24 May 2016. When it takes effect (25 May 2018), it will replace the Data Protection Directive. Article 4 defines an \u201cidentifiable natural person\u201d as \u201cone who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier &#8230;\u201d. Recital 26 further provides that, in ascertaining whether means are reasonably likely to be used to identify the natural person, \u201caccount should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments.\u201d It further explains that \u201c[t]he principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.\u201d<\/p>\n<p><strong>B.\u00a0\u00a0Directive 2002\/58\/EC<\/strong><\/p>\n<p>56.\u00a0\u00a0In addition, specifically for the field of electronic communications, Directive 2002\/58\/EC of the European Parliament and of the Council of 12\u00a0July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ 2002 L 201, p. 37) was adopted on 12\u00a0July 2002. It does not apply to the area of police and criminal justice but harmonises the provisions of the member States required to ensure an equivalent level of protection of fundamental rights and freedoms, and in particular the right to privacy, with respect to the processing of personal data in the electronic communications sector. 
Article 2 provides a definition of a\u00a0\u201cuser\u201d as meaning \u201cany natural person using a publicly available electronic communications service, for private or business purposes, without necessarily having subscribed to this service\u201d. It further defines \u201ctraffic data\u201d as \u201cany data processed for the purpose of the conveyance of a communication on an electronic communications network or for the billing thereof\u201d. Moreover, it defines \u201ccommunication\u201d as \u201cany information exchanged or conveyed between a finite number of parties by means of a publicly available electronic communications service\u201d.<\/p>\n<p><strong>C.\u00a0\u00a0Council Framework Decision 2008\/977\/JHA and Directive (EU) 2016\/680<\/strong><\/p>\n<p>57.\u00a0\u00a0Council Framework Decision 2008\/977\/JHA of 27\u00a0November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters (OJ 2008 L 350, p. 60, hereinafter \u201cData Protection Framework Decision\u201d) aims at providing protection of personal data of natural persons when their personal data are processed for the purpose of preventing, investigating, detecting or prosecuting a criminal offence or of executing a criminal penalty. The Data Protection Framework Decision relies to a large extent on the principles and definitions which are contained in the 1981 Convention and in the Data Protection Directive.<\/p>\n<p>58.\u00a0\u00a0Directive (EU) 2016\/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008\/977\/JHA (OJ 2016 L 119, p. 
89) governs the handling of data by competent authorities, such as police and criminal justice authorities, for the purposes of, inter alia, investigation and prosecution of criminal offences. Article 3(1) contains the same definition of \u201cidentifiable natural person\u201d and recital 21 the same explanation concerning the means of identification as the General Data Protection Regulation (see paragraph 55 above). Furthermore, Article 4 requires that personal data should be, inter alia, processed lawfully and fairly. Article 1 (3) provides that member States may provide for higher safeguards than those contained in the directive.<\/p>\n<p>59.\u00a0\u00a0The directive replaces Framework Decision 2008\/977\/JHA with effect from 6 May 2018.<\/p>\n<p><strong>D.\u00a0\u00a0Selected decisions of the Court of Justice of the European Union<\/strong><\/p>\n<p>60.\u00a0\u00a0As regards the concept of \u201cpersonal data\u201d under Article 2(a) of the Data Protection Directive, the Court of Justice of the European Union (CJEU) found in a judgment of 24 November 2011 in Scarlet Extended, C-70\/10, EU:C:2011:771, paragraph 51, that users\u2019 IP addresses \u201cwere protected personal data because they allow those users to be precisely identified\u201d.<\/p>\n<p>61.\u00a0\u00a0In its judgment of 19 October 2016 in Breyer, C-582\/14, EU:C:2016:779, the CJEU dealt with the question of the specific character of dynamic IP addresses. It noted as follows:<\/p>\n<p>\u201c[15] IP addresses are series of digits assigned to networked computers to facilitate their communication over the internet. When a website is accessed, the IP address of the computer seeking access is communicated to the server on which the website consulted is stored. 
That connection is necessary so that the data accessed may be transferred to the correct recipient.<\/p>\n<p>[16] Furthermore, it is clear from the order for the reference and the documents before the Court that internet service providers allocate to the computers of internet users either a \u2018static\u2019 IP address or a \u2018dynamic\u2019 IP address, that is to say an IP address which changes each time there is a new connection to the internet. Unlike static IP addresses, dynamic IP addresses do not enable a link to be established, through files accessible to the public, between a given computer and the physical connection to the network used by the internet service provider.\u201d<\/p>\n<p>62.\u00a0\u00a0The CJEU was of the view that a dynamic IP address did not constitute information relating to an \u201cidentified natural person\u201d, since such an address did not directly reveal the identity of the natural person who owned the computer from which a website had been accessed, or that of another person who might have used that computer (ibid, \u00a7 38). The CJEU went on to determine whether a dynamic IP address, in that case registered by an online media service provider, may be treated as data relating to an \u201cidentifiable natural person\u201d within the meaning of Article 2(a) of the Data Protection Directive. For that purpose the CJEU, relying on recital 26, considered whether the possibility to combine the dynamic IP address, which was in the case at issue in the hands of the online media service provider, with the additional data held by the ISP constituted a means likely reasonably to be used to identify the data subject (\u00a7\u00a7 41 and 45). 
The CJEU drew the following conclusion on that point:<\/p>\n<p>\u201c[49] Having regard to all the foregoing considerations, the answer to the first question is that Article 2(a) of Directive 95\/46 must be interpreted as meaning that a dynamic IP address registered by an online media services provider when a person accesses a website that the provider makes accessible to the public constitutes personal data within the meaning of that provision, in relation to that provider, where the latter has the legal means which enable it to identify the data subject with additional data which the internet service provider has about that person.\u201d<\/p>\n<p>V.\u00a0\u00a0COMPARATIVE LAW<\/p>\n<p><strong>A.\u00a0\u00a0German Federal Constitutional Court<\/strong><\/p>\n<p>63.\u00a0\u00a0The applicant referred to the judgment of the German Federal Constitutional Court (\u201cthe GFCC\u201d) of 24 January 2012, BVerfG, 1 BvR 1299\/05. The GFCC partly upheld complaints concerning, inter alia, manual retrieval of information on dynamic IP addresses stored by the telecommunications service providers.<\/p>\n<p>64.\u00a0\u00a0Under section 113 of the Telecommunications Act (\u201cthe TCA\u201d) the telecommunications service providers were required to supply, at the request of the competent (including law-enforcement) agencies, information on certain data collected, for the purpose of, inter alia, prosecuting criminal offences or regulatory offences. The impugned statutory provision was designed to be able to attribute if possible all telecommunications numbers to their respective subscribers (and in addition, ultimately, if possible, to their users). As found by the GFCC, the provision gave no specific thresholds of encroachment which would have defined its scope in more detail. Instead, it always permitted information in the individual case if this was necessary to perform the aforementioned duties. The GFCC did not find this in itself unconstitutional. 
However, the question that also arose was whether the impugned provision also covered information on the owner of a dynamic IP address. At the outset, the GFCC addressed the issue of a link between the subscriber information and the pre-existing content information which could be attributed to it. It found as follows (\u00a7 113, a citation from a translation provided on the GFCC\u2019s website):<\/p>\n<p>\u201c &#8230; the secrecy of telecommunications [Article 10.1 of the Basic Law] does not protect the confidentiality of the circumstances of each provision of telecommunications services, such as for example the attribution of the telecommunications numbers allocated by the service providers to particular subscribers.\u201d<\/p>\n<p>65.\u00a0\u00a0The GFCC went on to note the distinction between static and dynamic IP addresses, finding as follows (\u00a7\u00a7 115 and 116):<\/p>\n<p>\u201c&#8230;the attribution of a static IP address to a particular subscriber \u2013 more precisely, to a network interface of the subscriber \u2013 as a rule also gives indirect information on a particular telecommunications event involving the person in question, since such addresses, even if they are static, are registered and become the subject of attributions identifying an individual almost only in connection with specific communications events. However, here too the conveying of information in this connection is as such limited exclusively to the abstract attribution of number and subscriber.<\/p>\n<p>&#8230; In contrast, the situation is different when dynamic IP addresses are attributed to identified persons, for such addresses are particularly closely related to specific telecommunications events. This attribution is within the area of protection of Article 10.1 of the Basic Law. 
However, here too this does not automatically follow from the fact that the attribution of a dynamic IP address necessarily always relates to a specific telecommunications event of which it therefore indirectly also provides information. For in this connection too the information itself only relates to data which are abstractly attributed to a subscriber. There is therefore no fundamental difference from the attribution of static IP addresses. However, the application of Article 10.1 of the Basic Law is here based on the fact that when the telecommunications enterprises identify a dynamic IP address, they have to take an intermediate step, in which they examine the relevant connection data of their customers, that is, [they] must access specific telecommunications events. These telecommunications connections individually stored by the service providers are subject to the secrecy of telecommunications, irrespective of whether they have to be kept available by the service providers under a statutory duty &#8230; or whether they are stored by them on a contractual basis. Insofar as the legislature imposes a duty on the telecommunications enterprises to access these data and to evaluate them in the interest of the state\u2019s performance of its duties, this is an encroachment upon Article 10.1 of the Basic Law. 
This is the case not only if the service providers must supply the connection data themselves, but also if they have to use the data as a preliminary question for information.\u201d<\/p>\n<p>66.\u00a0\u00a0The GFCC concluded that section 113.1 of the TCA was in breach of Article 10.1 of the Basic Law to the extent that it was a basis for the supply of information on dynamic IP addresses.<\/p>\n<p>67.\u00a0\u00a0Furthermore, although the GFCC did not find automated retrieval of data (section 12 of the TCA) concerning the static IP address unconstitutional, such a finding was made against the limited use of such addresses in the following context (\u00a7\u00a7 160 and 161):<\/p>\n<p>\u201c&#8230;The allocation of static IP addresses, whose attribution is at present in any case publicly accessibly in practice, is essentially restricted to institutions and large-scale users. The possibility of retrieving such numbers has little weight in these circumstances.<\/p>\n<p>However, \u00a7\u00a0112 TKG [TCA] may acquire substantially greater weight of encroachment if static IP addresses in future \u2013 for example on the basis of Internet Protocol Version 6 \u2013 should become more widely used as the basis of internet communication. For the question of the weight of encroachment of the identification of an IP address does not primarily depend \u2013 even if a number of fundamental rights apply in this case \u2013 on whether an IP address is technically dynamic or static, but on the actual significance of the creation of a duty of information in this connection. But if in practice static IP addresses are allocated to a great extent to private persons too, this may possibly mean that the identities of internet users are broadly or at least largely determined and that communications events in the internet are de-anonymised not only for a limited period of time, but permanently. 
Such a far-reaching possibility of de-anonymisation of communication in the internet goes beyond the effect of a traditional telephone number register. &#8230;[T]he weight for the person affected of the attribution of an IP address to a subscriber may not be equated to that of the identification of a telephone number, because the former makes it possible to access information whose scope and content are substantially more far-reaching &#8230;. In view of this increased information potential, the general possibility of the identification of IP addresses would only be constitutionally permissible subject to narrower limits &#8230;\u201d<\/p>\n<p><strong>B.\u00a0\u00a0The Canadian Supreme Court<\/strong><\/p>\n<p>68.\u00a0\u00a0The R v. Spencer (2014 SCC 43, [2014] 2 S.C.R. 212) case concerned the retrieval, without prior judicial authorisation, of the appellant\u2019s sister\u2019s subscriber information associated with a dynamic IP address, which the police had obtained in relation to online file-sharing involving child pornography. On the basis of the subscriber information received from the ISP, the police obtained a search warrant against the appellant. The latter sought to exclude the evidence found on his computer on the basis that the police actions in obtaining his address from the ISP without prior judicial authorisation amounted to an unreasonable search contrary to the Canadian Charter of Rights and Freedom. 
The judgment of the Supreme Court of Canada (\u201cthe SCC\u201d) of 13 June 2014, finding in favour of the appellant, was delivered by Judge Cromwell.<\/p>\n<p>69.\u00a0\u00a0Referring to the previous case-law on the matter, the judgment noted that the reasonable expectation of privacy standard was normative rather than simply descriptive and that it was inevitably \u201claden with value judgments which [were] made from the independent perspective of the reasonable and informed person who [was] concerned about the long-term consequences of government action for the protection of privacy\u201d (\u00a7 18). The SCC, contrary to the opinion of the trial judge, found that the appellant\u2019s subjective expectation of privacy was justified by the fact that he had been the one using the network connection to transmit sensitive information. The judgment went on to determine whether the appellant\u2019s subjective expectation of privacy had been reasonable. For that purpose the judgment looked at two circumstances: the nature of the privacy interest at stake and the statutory and contractual framework governing the ISP\u2019s disclosure of subscriber information. As to the former, Judge Cromwell drew the following conclusions:<\/p>\n<p>\u201c[31] Thus, it is clear that the tendency of information sought to support inferences in relation to other personal information must be taken into account in characterizing the subject matter of the search.<\/p>\n<p>[36]&#8230; The analysis turns on the privacy of the area or the thing being searched and the impact of the search on its target, not the legal or illegal nature of the items sought&#8230;<\/p>\n<p>[41] There is also a third conception of informational privacy that is particularly important in the context of Internet usage. This is the understanding of privacy as anonymity. In my view, the concept of privacy potentially protected by s. 
8\u00a0[right to be secure against unreasonable search or seizure] must include this understanding of privacy.<\/p>\n<p>[50]&#8230; In the circumstances of this case, the police request to link a given IP address to subscriber information was in effect a request to link a specific person (or a limited number of persons in the case of shared Internet services) to specific online activities. This sort of request engages the anonymity aspect of the informational privacy interest by attempting to link the suspect with anonymously undertaken online activities, activities which have been recognized by the Court in other circumstances as engaging significant privacy interests&#8230;.<\/p>\n<p>[51] I conclude therefore that the police request to Shaw [ISP] for subscriber information corresponding to specifically observed, anonymous Internet activity engages a high level of informational privacy. I agree with Caldwell J.A.\u2019s conclusion on this point:<\/p>\n<p>. . . a reasonable and informed person concerned about the protection of privacy would expect one\u2019s activities on one\u2019s own computer used in one\u2019s own home would be private. . . . In my judgment, it matters not that the personal attributes of the Disclosed Information pertained to Mr. Spencer\u2019s sister because Mr. Spencer was personally and directly exposed to the consequences of the police conduct in this case. As such, the police conduct prima facie engaged a personal privacy right of Mr. Spencer and, in this respect, his interest in the privacy of the Disclosed Information was direct and personal&#8230;\u201d<\/p>\n<p>70.\u00a0\u00a0The judgment also answered the concerns of the prosecution authorities to the effect that recognising a right to online anonymity would carve out a crime-friendly Internet landscape. 
While acknowledging that this concern could not be taken lightly, Judge Cromwell explained that recognising an interest could not be equated to a right to anonymity and that in the present case, for example, it had seemed clear that the police could have easily obtained a production order for the subscriber information.<\/p>\n<p>71.\u00a0\u00a0As regards the question whether the expectation of privacy was reasonable in the face of the relevant contractual and statutory provisions, the judgment found that the ISP\u2019s collection, use and disclosure of the personal information of its subscribers had been subject to the Personal Information Protection and Electronic Documents Act (\u201cPIPEDA\u201d), which protected personal information held by organisations engaged in commercial activity from being disclosed without the knowledge or consent of the person to whom the information related. The judgment found as follows:<\/p>\n<p>\u201c[62] Section 7(3)\u00a0(c.1)(ii) allows for disclosure without consent to a government institution where that institution has identified its lawful authority to obtain the information. But the issue is whether there was such lawful authority which in turn depends in part on whether there was a reasonable expectation of privacy with respect to the subscriber information. PIPEDA\u00a0thus cannot be used as a factor to weigh against the existence of a reasonable expectation of privacy &#8230; Given that the purpose of PIPEDA is to establish rules governing, among other things, disclosure \u201cof personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information\u201d (s. 
3), it would be reasonable for an Internet user to expect that a simple request by police would not trigger an obligation to disclose personal information or defeat PIPEDA\u2019s general prohibition on the disclosure of personal information without consent.\u201d<\/p>\n<p>72.\u00a0\u00a0The judgment went on to establish that the police request had had no lawful authority and that the information had therefore been obtained unconstitutionally. The court refused to draw a parallel with other police routine inquiries, such as an interview with the victim of a crime. Referring to R. v. Duarte, [1990] 1 S.C.R. 30, it found as follows:<\/p>\n<p>\u201c[67] &#8230; In Duarte, the Court distinguished between a person repeating a conversation with a suspect to the police and the police procuring an audio recording of the same conversation. The Court held that the danger is \u2018not the risk that someone will repeat our words but the much more insidious danger inherent in allowing the state, in its unfettered discretion, to record and transmit our words\u2019 &#8230; Similarly in this case, the police request that the ISP disclose the subscriber information was in effect a request to link Mr. 
Spencer with precise online activity that had been the subject of monitoring by the police and thus engaged a more significant privacy interest than a simple question posed by the police in the course of an investigation.\u201d<\/p>\n<p><strong>THE LAW<\/strong><\/p>\n<p>I.\u00a0\u00a0ALLEGED VIOLATION OF ARTICLE 8 OF THE CONVENTION<\/p>\n<p>73.\u00a0\u00a0The applicant complained that his right to privacy had been breached because (i) the Internet service provider (hereinafter \u201cthe ISP\u201d) had retained his alleged personal data unlawfully and (ii) the police had obtained subscriber data associated with his dynamic IP address and consequently his identity arbitrarily, without a court order, in breach of Article 8 of the Convention, which reads as follows:<\/p>\n<p>\u201c1.\u00a0Everyone has the right to respect for his private and family life, his home and his correspondence.<\/p>\n<p>2.\u00a0There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.\u201d<\/p>\n<p><strong>A.\u00a0\u00a0Admissibility<\/strong><\/p>\n<p><em>1.\u00a0\u00a0As regards the alleged unlawful retention of personal data by the Internet service provider (ISP)<\/em><\/p>\n<p>74.\u00a0\u00a0The Government argued that the applicant had failed to complain to the domestic courts of the unlawful retention of his personal data by the ISP. Consequently, the domestic courts had not addressed this issue in the impugned decisions. They further argued that as the ISP was a private entity, the applicant could have sued it for damages in civil proceedings. 
One way or another, this part of the application should, in their view, be declared inadmissible for non-exhaustion.<\/p>\n<p>75.\u00a0\u00a0In addition, the Government maintained that the applicant could not claim to be a victim of the alleged violation of Article 8 concerning the retention of the personal data, as those data had not concerned him but the Internet service subscriber, which was his father.<\/p>\n<p>76.\u00a0\u00a0The applicant argued that the ISP had retained his personal data for almost six months without having a clear legal basis for such action and thus in violation of Article 8 of the Convention. In his observations, submitted on 15 October 2015, the applicant claimed that he had lodged his application with the Court not because the ISP had failed to keep his personal data secret or because it had retained them beyond the statutory time-limit, but because the State had obtained and used the data in question in the criminal proceedings against him. He argued that he had maintained, throughout the criminal proceedings, that the courts had relied on illegally obtained evidence.<\/p>\n<p>77.\u00a0\u00a0The Court notes that the Government objected to the applicant\u2019s victim status with respect to this complaint. However, it does not consider it necessary to address this objection because this part of the application is in any event inadmissible for the following reasons.<\/p>\n<p>78.\u00a0\u00a0The Court observes that the purpose of Article 35 \u00a7 1 is to afford the Contracting States the opportunity of preventing or putting right the violations alleged against them before those allegations are submitted to the Convention institutions. That rule is an important aspect of the principle that the machinery of protection established by the Convention is subsidiary to the national systems safeguarding human rights. 
Thus the complaint intended to be made subsequently to the Court must first have been made \u2013 at least in substance \u2013 to the appropriate domestic body, and in compliance with the formal requirements and time-limits laid down in domestic law (see, among other authorities, Sejdovic v. Italy [GC], no. 56581\/00, \u00a7\u00a7 43-44, ECHR 2006\u2011II).<\/p>\n<p>79.\u00a0\u00a0In the present case, the applicant complained in his application to the Court of the retention by the ISP of what he alleged were his personal data. However, he has failed to exhaust domestic remedies in this regard as he had not made this complaint \u2013 at least in substance \u2013 in the domestic proceedings.<\/p>\n<p>80.\u00a0\u00a0Consequently, this part of the application should be declared inadmissible under Article 35 \u00a7\u00a7 1 and 4 of the Convention.<\/p>\n<p><em>2.\u00a0\u00a0As regards the disclosure of the subscriber information<\/em><\/p>\n<p>81.\u00a0\u00a0The Government argued that the applicant could not claim to be a victim because the subscriber information that the ISP had disclosed to the police concerned his father.<\/p>\n<p>82.\u00a0\u00a0The applicant disputed that view. He argued that it was his privacy that had been breached, not the subscriber\u2019s, and that the issue at stake was not that of ownership but that of the right to privacy.<\/p>\n<p>83.\u00a0\u00a0The Court notes that this issue is closely related to the merits of the complaint and therefore joins the Government\u2019s objection to the merits.<\/p>\n<p>84.\u00a0\u00a0It considers that this complaint is not manifestly ill-founded within the meaning of Article 35 \u00a7 3 (a) of the Convention. It further notes that it is not inadmissible on any other grounds. 
It must therefore be declared admissible.<\/p>\n<p><strong>B.\u00a0\u00a0Merits<\/strong><\/p>\n<p><em>1.\u00a0\u00a0The parties\u2019 submissions<\/em><\/p>\n<p>(a)\u00a0\u00a0The applicant<\/p>\n<p>85.\u00a0\u00a0The applicant referred to the definition of personal data in the 1981 Convention (see paragraph 46 above), arguing that the obtaining of data without a court order (see paragraph 7 above) had led to his identification.<\/p>\n<p>86.\u00a0\u00a0He also argued that although he had disclosed the contents of his communication to an unidentifiable public, he had not waived his right to privacy with regard to traffic (metering) data, that is data relating to the length and time of the use of the Internet and data relating to who used the Internet and what site he or she accessed during that use. In his view, such data enjoyed separate protection under the concept of private life, comprising the privacy of communications and informational privacy.<\/p>\n<p>87.\u00a0\u00a0He submitted in this connection that the significant distinction between static and dynamic IP addresses should be recognised. While it might be possible to draw an analogy between a static IP address which was permanently attributed to the device, and a telephone number, a dynamic IP address was assigned every time the computer accessed the Internet. Referring to the German Federal Constitutional Court\u2019s judgment of 24\u00a0January 2012 (see paragraph 63 above), the applicant argued that by choosing a dynamic IP address, as had the subscriber in the present case, one chose to have his or her identity concealed, as additional data were required for identifying the computer used to access the Internet and thereby the subscriber. 
In his view, the dynamic IP address therefore fell within the scope of traffic data (metering), to which section 149b(1) applied.<\/p>\n<p>88.\u00a0\u00a0The applicant further pointed out that the data on the content of communication had been obtained without the Slovenian authorities\u2019 involvement. The Slovenian authorities would have needed a court order for obtaining such data, but had avoided that otherwise necessary step by requesting the subscriber information on the basis of section 149b(3) of the CPA. As regards the latter, the applicant alleged that at the time when the Slovenian police had obtained the data connecting his IP address to his identity, the law regulating access to such data had not been clear (lex certa) and therefore the lawfulness required by the second paragraph of Article 8 had not been met. In particular, at the time of the interference (August 2006), the domestic law provisions regarding this issue had been contradictory. The second paragraph of Article 37 of the Constitution required a court order for interference with the right to privacy of communication. The ECA provided that traffic data should be kept secret and that communication could be intercepted only on the basis of an order by a competent authority. In the domestic legal system that could only be a court order or, theoretically, a prosecution order. Anyhow, under section 107 it was possible only to \u201cintercept\u201d data and not to hand over certain retained data. Moreover, the providers were under an obligation to delete retained data pursuant to section 104 as soon as they no longer needed them for billing purposes. On the other hand, section 149b(1) and (3) of the CPA provided for different conditions of accessing data and it was unclear what the distinction in application between the two was. 
As a result of that uncertainty in the domestic legislation, one could not say that the legal protection against arbitrary interference by public authorities with the right to privacy was sufficient.<\/p>\n<p>89.\u00a0\u00a0In the applicant\u2019s opinion, the ECA was lex specialis in relation to the CPA and it did not provide for a possibility to transfer personal data to the police. In such a situation of lacunae in the law, the Constitution should be applied directly, and the Constitution clearly required a court order for the transfer of such data.<\/p>\n<p>(b)\u00a0\u00a0The Government<\/p>\n<p>90.\u00a0\u00a0The Government explained that IP addresses were personal data and that likewise dynamic IP addresses were personal data but did not amount to traffic data. The only difference between the two was that the static IP address stayed with the subscriber as long as he did not change ISP, whereas a new dynamic IP address was assigned every time the subscriber accessed the Internet. With regard to both, the ISP stored data concerning the time of the use of a specific IP address.<\/p>\n<p>91.\u00a0\u00a0The Government argued that the investigation had focused on the applicant only after the seizure and inspection of the computers had taken place and after those living at his address had been questioned. Thus the link between the subscriber and the applicant had become apparent only after the home search, which had been carried out on the basis of a valid court order.<\/p>\n<p>92.\u00a0\u00a0While acknowledging that the IP address was an item of personal data because it allowed for the identification of an individual, the Government pointed out that it was each user\u2019s choice whether to use a website that allowed disclosure of personal data and\/or content of communication to an unidentifiable and unlimited circle of individuals. 
The Government submitted that the applicant had not argued that he had hidden the IP address he had used to access the file-exchange program. As the disclosure of the IP address implied the disclosure of subscriber information, the applicant had not shown intent to keep his identity private or hidden and his right to private life was thus not engaged in the present case.<\/p>\n<p>93.\u00a0\u00a0The Government argued that the applicant could not have expected that the subscriber information related to the dynamic IP address would have been withheld from the police. In their view, the contested measures had been lawful and proportionate to the aim of safeguarding the integrity of children, who, as particularly vulnerable individuals, enjoyed special protection under the Convention.<\/p>\n<p>94.\u00a0\u00a0The Government drew a parallel with the situation where a suspect had been caught on closed-circuit television camera when driving. In such a situation, the suspect\u2019s photograph and his registration plates sufficed to identify him. Similarly, in the present case, it must be assumed that the moment the police had had the dynamic IP address and the timeline of its use, the user had been identified by way of such data.\u00a0The Government thus argued that the domestic courts had correctly applied section 149b(3) instead of section 149b(1), as the latter concerned traffic data, not data concerning the owner or user of a communication device.<\/p>\n<p><em>2.\u00a0\u00a0The Court\u2019s assessment<\/em><\/p>\n<p>(a)\u00a0\u00a0Preliminary observations and scope of the Court\u2019s assessment<\/p>\n<p>95.\u00a0\u00a0The Court at the outset observes the particular context of the present case, which concerns the disclosure of subscriber information associated with a dynamic IP address. 
It takes note of the extensive legislation and of the case-law concerning personal data protection and privacy of electronic communication within the European Union and will rely on them and on other relevant comparative-law material in assessing some of the technical matters applicable to the present case. It will also have regard, where appropriate, to the legal doctrines established therein.<\/p>\n<p>96.\u00a0\u00a0As a preliminary matter, the Court further notes that an IP address is a unique number assigned to every device on a network, which allows the devices to communicate with each other. Unlike the static IP address, which is permanently allocated to a particular network interface of a particular device, a dynamic IP address is assigned to a device by the ISP temporarily, typically each time the device connects to the Internet (see paragraphs 61, 87 and 90 above). The IP address alone enables certain details, such as the ISP to which the user is connected and a broader physical location, most likely the location of the ISP, to be determined. Most dynamic IP addresses can thus be traced to the ISP and not to a specific computer. To obtain the name and address of the subscriber using a dynamic IP address, the ISP is normally required to look up this information and for that purpose to examine the relevant connection data of its subscribers (see paragraphs 61 and 65 above).<\/p>\n<p>97.\u00a0\u00a0In the present case the information on the dynamic IP address and the time it had been assigned were collected by the Swiss police, who had carried out a monitoring exercise of users of the specific Internet network involving child pornography material. 
They forwarded the information to the Slovenian police, who obtained from the ISP the name and address of the subscriber associated with the dynamic IP address in question \u2013 the applicant\u2019s father (see paragraphs 6 and 7 above).<\/p>\n<p>98.\u00a0\u00a0The Government argued that Article 8 of the Convention did not apply in this case because the applicant had not been directly affected by the contested measure and because even if he had been affected, he had willingly renounced his right to privacy by publicly exchanging the files in question (see paragraphs 92 and 93 above). In order to answer those questions, the Court must consider whether the applicant, or any other individual using the Internet, had a reasonable expectation that his otherwise public online activity would remain anonymous (see paragraphs 115 to 118 above).<\/p>\n<p>99.\u00a0\u00a0The Court reiterates in this connection that sexual abuse is unquestionably an abhorrent type of wrongdoing, with debilitating effects on its victims. Children and other vulnerable individuals are entitled to State protection, in the form of effective deterrence, from such grave types of interference with essential aspects of their private lives, and that protection includes a need to identify the offenders and bring them to justice (see K.U. v. Finland, no. 2872\/02, \u00a7 46, ECHR 2008-V). However, the questions raised by the Government concerning the applicability of Article 8 are to be answered independently from the legal or illegal character of the activity in question, as well as without any prejudice to the Convention\u2019s requirement that protection of vulnerable individuals must be provided by the member States, as pointed out in, amongst others, K.U. v. 
Finland (cited above).<\/p>\n<p>(b)\u00a0\u00a0Applicability of Article 8<\/p>\n<p>(i)\u00a0\u00a0Recapitulation of the relevant principles<\/p>\n<p>100.\u00a0\u00a0The Court reiterates that private life is a broad term not susceptible to exhaustive definition. Article 8 protects, inter alia, the right to identity and personal development, and the right to establish and develop relationships with other human beings and the outside world. There is, therefore, a zone of interaction of a person with others, even in a public context, which may fall within the scope of \u201cprivate life\u201d (see Uzun v.\u00a0Germany, no. 35623\/05, \u00a7 43, ECHR 2010-VI (extracts)).<\/p>\n<p>101.\u00a0\u00a0There are a number of elements relevant to the consideration of whether a person\u2019s private life is concerned by measures effected outside his or her home or private premises. In order to ascertain whether the notions of \u201cprivate life\u201d and \u201ccorrespondence\u201d are applicable, the Court has on several occasions examined whether individuals had a reasonable expectation that their privacy would be respected and protected (see B\u0103rbulescu v. Romania [GC], no. 61496\/08, \u00a7 73, ECHR 2017, and Copland v. the United Kingdom, no. 62617\/00, \u00a7\u00a7 41-42, ECHR 2007-I). 
In that context, it has stated that a reasonable expectation of privacy is a significant though not necessarily conclusive factor (see B\u0103rbulescu, cited above, \u00a7 73).<\/p>\n<p>102.\u00a0\u00a0In the context of personal data, the Court has pointed out that the term \u201cprivate life\u201d must not be interpreted restrictively. It has found that the broad interpretation corresponds with that of the 1981 Convention, the purpose of which is \u201cto secure in the territory of each Party for every individual &#8230; respect for his rights and fundamental freedoms, and in particular his right to privacy, with regard to automatic processing of personal data relating to him\u201d (Article 1). Such personal data are defined as \u201cany information relating to an identified or identifiable individual\u201d (Article\u00a02) (see Amann v. Switzerland [GC], no. 27798\/95, \u00a7 65, ECHR 2000\u2011II; see also paragraph 46 above).<\/p>\n<p>103.\u00a0\u00a0It further follows from well-established case-law that where there has been a compilation of data on a particular individual, the processing or use of personal data or publication of the material concerned in a manner or degree beyond that normally foreseeable, private life considerations arise (see Satakunnan Markkinap\u00f6rssi Oy and Satamedia Oy v. Finland [GC], no.\u00a0931\/13, \u00a7 136, ECHR 2017 (extracts)). Article 8 of the Convention thus provides for the right to a form of informational self-determination, allowing individuals to rely on their right to privacy as regards data which, albeit neutral, are collected, processed and disseminated collectively and in such a form or manner that their Article 8 rights may be engaged (ibid., \u00a7\u00a0137).<\/p>\n<p>104.\u00a0\u00a0The Court has previously considered information such as metering data on the telephone numbers dialled (see Malone v. the United Kingdom, 2\u00a0August 1984, \u00a7 84, Series A no. 
82), personal information relating to telephone, email and Internet usage (see Copland, cited above, \u00a7\u00a7 41 and 43), information stored by the prosecution authorities on a card concerning the facts relating to the applicant\u2019s business relations (see Amann, cited above, \u00a7 66) and public information stored by the authorities on the applicant\u2019s distant past (see Rotaru v. Romania [GC], no. 28341\/95, \u00a7\u00a7 43 and 44, ECHR 2000\u2011V) to fall within the ambit of Article 8.<\/p>\n<p>105.\u00a0\u00a0Moreover, the Court has previously acknowledged in Delfi AS v.\u00a0Estonia ([GC] no. 64569\/09, \u00a7 147, ECHR 2015) the importance of online anonymity, noting that it has long been a means of avoiding reprisals or unwanted attention. As such, it is capable of promoting the free flow of ideas and information in an important manner, including, notably, on the Internet. At the same time, the Court does not lose sight of the ease, scope and speed of the dissemination of information on the Internet, and the persistence of the information once disclosed, which may considerably aggravate the effects of unlawful speech on the Internet compared to traditional media (ibid.).<\/p>\n<p>106.\u00a0\u00a0In the aforementioned case the Court elaborated also on different degrees of anonymity engaged in online activity and observed as follows (ibid., \u00a7 148):<\/p>\n<p>\u201cThe Court observes that different degrees of anonymity are possible on the Internet. 
An Internet user may be anonymous to the wider public while being identifiable by a service provider through an account or contact data that may be either unverified or subject to some kind of verification \u2013 ranging from limited verification (for example, through activation of an account via an e-mail address or a social network account) to secure authentication, be it by the use of national electronic identity cards or online banking authentication data allowing rather more secure identification of the user. A service provider may also allow an extensive degree of anonymity for its users, in which case the users are not required to identify themselves at all and they may only be traceable \u2013 to a limited extent \u2013 through the information retained by Internet access providers. The release of such information would usually require an injunction by the investigative or judicial authorities and would be subject to restrictive conditions. It may nevertheless be required in some cases in order to identify and prosecute perpetrators.\u201d<\/p>\n<p>(ii)\u00a0\u00a0Application of the above principles to the present case<\/p>\n<p>(\u03b1) Nature of the interest involved<\/p>\n<p>107.\u00a0\u00a0The Government did not dispute that the subscriber information in principle concerned personal data (see paragraphs 90 and 92 above). Such a conclusion also follows from the definitions contained in the 1981 Convention, the legislation of the European Union, as well as domestic legislation aimed at their implementation (see paragraphs 40, 46, 53 and 57 above).<\/p>\n<p>108.\u00a0\u00a0In addition, the Court notes that the subscriber information associated with specific dynamic IP addresses assigned at certain times was not publicly available and therefore could not be compared to the information found in the traditional telephone directory or public database of vehicle registration numbers referred to by the Government (see paragraph 94 above). 
Indeed, it would appear that in order to identify a subscriber to whom a particular dynamic IP address had been assigned at a particular time, the ISP must access stored data concerning particular telecommunication events (see, for instance, paragraphs 29, 61, 65 and 95 above). Use of such stored data may on its own give rise to private life considerations (see paragraph 103 above).<\/p>\n<p>109.\u00a0\u00a0Furthermore, the Court cannot ignore the particular context in which the subscriber information was sought in the present case. The sole purpose of obtaining the subscriber information was to identify a particular person behind the independently collected content revealing data he had been sharing. The Court notes in this connection that there is a zone of interaction of a person with others which may fall within the scope of \u201cprivate life\u201d (see paragraph 100 above). Information on such activities engages the privacy aspect the moment it is linked to or attributed to an identified or identifiable individual (for reference to identifiability, albeit in a rather different context, see Peck v. the United Kingdom, no.\u00a044647\/98, \u00a7\u00a062, ECHR 2003\u2011I, and J.S. v. the United Kingdom (dec.), no.\u00a0445\/10, \u00a7\u00a7\u00a070 and 72, 3 March 2015). Therefore what would appear to be peripheral information sought by the police, namely the name and address of a subscriber, must in situations such as the present one be treated as inextricably connected to the relevant pre-existing content revealing data (see the dissenting Constitutional Court judges\u2019 opinions cited in paragraphs\u00a031 and 34; compare also with the position of the Canadian Supreme Court, cited in paragraphs 69 and 72 above, and the German Federal Constitutional Court, cited in paragraphs 64 and 65 above). 
To hold otherwise would be to deny the necessary protection to information which might reveal a good deal about the online activity of an individual, including sensitive details of his or her interests, beliefs and intimate lifestyle.<\/p>\n<p>110.\u00a0\u00a0In view of the above considerations, the Court concludes that the present case concerns privacy issues capable of engaging the protection of Article 8 of the Convention.<\/p>\n<p>(\u03b2) Whether the applicant was identified by the contested measure<\/p>\n<p>111.\u00a0\u00a0The Court must next address the Government\u2019s argument that the subscriber information obtained by the police disclosed only the name and address of the applicant\u2019s father, and not the applicant (see paragraph 91 above). In this connection, the Court observes that it has been generally accepted that the definition of personal data refers to information relating not only to identified but also to identifiable individuals (see paragraphs 40, 47, 53, 54, 55 and 58 above).<\/p>\n<p>112.\u00a0\u00a0In the present context, the applicant was no doubt the user of the Internet service in question (see paragraph 56 above) and it was his online activity that was monitored by the police. The Court further observes that the applicant used the Internet by means of what would appear to be his own computer at his own home. It is of little significance that the applicant\u2019s name was not mentioned in the subscriber information obtained by the police. Indeed, it is not unusual for one household to have a single subscription to the Internet service used by several members of the family. 
The fact that they are not personally subscribed to the Internet service has no effect on their privacy expectations, which are indirectly engaged once the subscriber information relating to their private use of the Internet is revealed.<\/p>\n<p>113.\u00a0\u00a0It is clear that the purpose of the contested measure, that is the obtaining by the police, without a court order, of subscriber information associated with the dynamic IP address provided by the Swiss police (see paragraph 7 above), was to connect the computer usage to a location and, potentially, to a person. The subscriber information, which contained also the address, allowed the police to identify the home from which the Internet connections in question had been made. This led them to identify the applicant as the then suspected user of the Razorback network.<\/p>\n<p>114.\u00a0\u00a0Having regard to the foregoing and bearing also in mind that the domestic courts did not dismiss the case on the grounds that the applicant had not been the subscriber to the Internet service in question, the Court concludes that this fact cannot be taken as a bar to the application of Article\u00a08 in the present case. It accordingly dismisses the Government\u2019s objection concerning the alleged lack of victim status (see paragraph 83 above).<\/p>\n<p>(\u03b3) Whether the applicant had a reasonable expectation of privacy<\/p>\n<p>115.\u00a0\u00a0In order to ascertain whether the notion of a \u201cprivate life\u201d is applicable to the present case, it remains for the Court to examine whether, in view of the publicly accessible nature of the network in question, the applicant had a reasonable expectation that his privacy would be respected and protected (see paragraph 101 above). 
In this connection, the Slovenian Constitutional Court and the respondent Government (see paragraphs 14 and 18 of the Constitutional Court\u2019s decision, cited in paragraph 29 above; see also paragraph 92 above) found it important that the applicant had participated in the Razorback network to which access had not been restricted. They considered that he had knowingly exposed his online activity and associated dynamic IP address to the public. Thus, in their opinion, his expectation of privacy had not been legitimate and, moreover, he should have been considered to have waived it (ibid.).<\/p>\n<p>116.\u00a0\u00a0The Court, like the Constitutional Court, accepts that the applicant, when exchanging files with pornographic material through the Razorback network, expected, from his subjective angle, that that activity would remain private and that his identity would not be disclosed (see paragraph 14 of the Constitutional Court\u2019s decision cited in paragraph 29 above). However, unlike the Constitutional Court, the Court considers that the fact that he did not hide his dynamic IP address, assuming that it is possible to do so, cannot be decisive in the assessment of whether his expectation of privacy was reasonable from an objective standpoint. In this connection, it notes that the question is clearly not whether the applicant could have reasonably expected to keep his dynamic IP address private but whether he could have reasonably expected privacy in relation to his identity.<\/p>\n<p>117.\u00a0\u00a0The Court has previously acknowledged the anonymity aspect of online privacy (see Delfi AS, cited in paragraph 105 above, see also paragraph 12 of the Constitutional Court\u2019s decision, cited in paragraph 29 above), relating to the nature of the online activity, in which the users participate without necessarily being identifiable. 
This anonymity conception of privacy is an important factor to be taken into account in the present assessment. In particular, it has not been argued that the applicant had ever disclosed his identity in relation to the online activity in question (see in this connection the dissenting opinion of Judge Jadek Pensa, cited in paragraph 33 above) or that he was for example identifiable by the particular website provider through an account or contact data. His online activity therefore engaged a high degree of anonymity (see Delfi AS, cited in paragraph 105 above, \u00a7 148), as confirmed by the fact that the assigned dynamic IP address, even if visible to other users of the network, could not be traced to the specific computer without the ISP\u2019s verification of data following a request from the police.<\/p>\n<p>118.\u00a0\u00a0Lastly, the Court notes that the applicable legal and regulatory framework might also be a relevant, though not necessarily decisive, factor in determining the reasonable expectation of privacy (see, for instance, J.S. v. the United Kingdom (dec.), cited above, \u00a7 70, and Peev v. Bulgaria, no.\u00a064209\/01, \u00a7 39, 26 July 2007). In the present case, neither of the parties submitted information regarding the terms of the contract on the basis of which the Internet service had been provided to the applicant\u2019s father. As to the statutory framework, the Court finds it sufficient to note that Article 37 of the Constitution guaranteed the privacy of correspondence and of communications and required that any interference with this right be based on a court order (see paragraph 35 above). 
Therefore, also from the standpoint of the legislation in force at the relevant time, the applicant\u2019s expectation of privacy with respect to his online activity could not be said to be unwarranted or unreasonable.<\/p>\n<p>(\u03b4) Conclusion<\/p>\n<p>119.\u00a0\u00a0For all of the above reasons, the Court concludes that the applicant\u2019s interest in having his identity with respect to his online activity protected falls within the scope of the notion of \u201cprivate life\u201d and that Article\u00a08 is therefore applicable to this complaint.<\/p>\n<p>(c)\u00a0\u00a0Compliance with Article 8<\/p>\n<p>(i)\u00a0\u00a0Whether there was interference<\/p>\n<p>120.\u00a0\u00a0Having regard to the above conclusion that the applicant\u2019s right to respect for his private life as guaranteed by Article 8 \u00a7 1 was engaged in the present case, the Court further finds it established that the police request to the ISP and their use of the subscriber information leading to the applicant\u2019s identification amounted to an interference with this right (see, mutatis mutandis, Rotaru, cited above, \u00a7 46, and Uzun, cited above, \u00a7 52). 
In view of the foregoing, it does not consider it necessary to determine whether the measure in question amounted also to an interference with the applicant\u2019s right to respect for his correspondence.<\/p>\n<p>121.\u00a0\u00a0The Court must therefore examine whether the interference with the applicant\u2019s right to privacy was in conformity with the requirements of the second paragraph of Article 8, in other words whether it was \u201cin accordance with the law\u201d, pursued one or more of the legitimate aims set out in that paragraph and was \u201cnecessary in a democratic society\u201d to achieve the aim or aims in question.<\/p>\n<p>(ii)\u00a0\u00a0Whether the interference was in accordance with the law<\/p>\n<p>122.\u00a0\u00a0The Court notes that the expression \u201cin accordance with the law\u201d, within the meaning of Article 8 \u00a7 2 requires firstly that the contested measure should have some basis in domestic law. Second, the domestic law must be accessible to the person concerned. Third, the person affected must be able to foresee the consequences of the domestic law for him, and fourth, the domestic law must be compatible with the rule of law (see, among many other authorities, Rotaru, cited above, \u00a7 52; Liberty and\u00a0Others v. the United Kingdom, no.\u00a058243\/00, \u00a7 59, 1 July 2008; and Sallinen and Others v. Finland, no.\u00a050882\/99, \u00a7 76, 27 September 2005).<\/p>\n<p>123.\u00a0\u00a0The Court also reiterates that it is primarily for the national authorities, notably the courts, to interpret and apply domestic law. However, the Court is required to verify whether the way in which the domestic law is interpreted and applied produces consequences that are consistent with the principles of the Convention as interpreted in the light of the Court\u2019s case-law (see Cocchiarella v. Italy [GC], no. 
64886\/01, \u00a7\u00a7 81 and 82, ECHR 2006\u2011V).<\/p>\n<p>124.\u00a0\u00a0In the present case, assuming that the obtaining by the police of the subscriber information associated with the dynamic IP address in question had some basis in domestic law because section 149b(3) of the CPA\u00a0provided that the\u00a0police could obtain information on the owner or user of a certain means of electronic communication from the ISP (see paragraph\u00a036 above), the Court must examine whether that law was accessible and foreseeable and compatible with the rule of law.<\/p>\n<p>125.\u00a0\u00a0It notes that the present case raises no issues with respect to the accessibility of the law. As regards the remaining requirements, the Court reiterates that a rule is \u201cforeseeable\u201d if it is formulated with sufficient precision to enable any individual \u2013 if need be with appropriate advice \u2013 to regulate his conduct (see Rotaru, cited above, \u00a7 55 and the principles summarised therein). In addition, compatibility with the rule of law requires that domestic law provides adequate protection against arbitrary interference with Article 8 rights (see, mutatis mutandis, Amann, cited above, \u00a7\u00a7 76-77; Bykov v. Russia [GC], no. 4378\/02, \u00a7 76, 10 March 2009; see also Weber and Saravia v. Germany (dec.), no. 54934\/00, \u00a7 94, ECHR 2006\u2011XI; and Liberty and Others, cited above, \u00a7 62). The Court must thus be satisfied also that there exist adequate and effective guarantees against abuse. This assessment depends on all the circumstances of the case, such as the nature, scope and duration of the possible measures, the grounds required for ordering them, the authorities competent to permit, carry out and supervise them, and the kind of remedy provided by the national law (see Association for European Integration and Human Rights and Ekimdzhiev v. Bulgaria, no. 
62540\/00, \u00a7 77, 28 June 2007, with reference to Klass and Others v.\u00a0Germany, 6 September 1978, \u00a7 50, Series A no. 28, and Uzun, cited above, \u00a7 63).<\/p>\n<p>126.\u00a0\u00a0Having regard to the particular context of the case, the Court would emphasise that the Cybercrime Convention obliges the States to make measures such as the real-time collection of traffic data and the issuing of production orders available to the authorities in combating, inter alia, crimes related to child pornography (see paragraphs 47 to 51 above). However, such measures are, pursuant to Article 15 of that Convention, \u201csubject to conditions and safeguards provided for under [State parties\u2019] domestic law\u201d and must \u201cas appropriate in view of the nature of the procedure or power concerned, inter alia, include judicial or other independent supervision, grounds justifying application, and limitation of the scope and the duration of such power or procedure\u201d (see paragraph 52 above).<\/p>\n<p>127.\u00a0\u00a0In the present case, the Court notes that section 149b(3) of the CPA (see paragraph 36 above), relied on by the domestic authorities, concerned a request for information on the owner or user of a certain means of electronic communication. It did not contain specific rules as to the association between the dynamic IP address and subscriber information. The Court further notes that Article 37 of the Constitution required a court order for any interference with privacy of communication (see paragraph 35 above). Furthermore, the ECA (see paragraph 37 above), which specifically regulated the secrecy and confidentiality of electronic communication, did not at the relevant time provide for the possibility that subscriber information and related traffic data be accessed and transferred for the purposes of criminal proceedings. 
It provided that electronic communications, including the related traffic data, were confidential and as such should be protected by the ISP (see paragraph 37 above). It further stipulated that the ISP should not transfer the traffic data to others unless this was necessary for the provision of the service, except where the lawful interception of communications had been ordered by the competent authority (see section 103 of the ECA, cited in paragraph 37 above). Therefore, the legislation was, at the very least, not coherent as regards the level of protection afforded to the applicant\u2019s privacy interest.<\/p>\n<p>128.\u00a0\u00a0Having said that, the Court would be usurping the function of national courts were it to attempt to make an authoritative statement as to which law should have prevailed in the present case. It must instead turn to the reasoning offered by the domestic courts. It notes in this connection that the Constitutional Court considered that the \u201cidentity of the communicating individual [was] one of the important aspects of communication privacy\u201d and that its disclosure required a court order pursuant to paragraph 2 of Article 37 of the Constitution (see paragraph 18 of the Constitutional Court\u2019s decision, cited in paragraph 29 above). 
More specifically, according to the Constitutional Court\u2019s interpretation, which was consistent with its previous case-law finding that the traffic data, as defined under the domestic law, fell within the protection of Article 37 of the Constitution (ibid.), the disclosure of subscriber information associated with a certain dynamic IP address in principle required a court order and could not be obtained by means of a simple written request by the police.<\/p>\n<p>129.\u00a0\u00a0The Court observes that, indeed, the only reason for the Constitutional Court dismissing the applicant\u2019s complaint \u2013 that is, for approving of the disclosure of the subscriber information without a court order \u2013 was the presumption that the applicant had \u201cwaived the legitimate expectation of privacy\u201d (see paragraph 18 of the Constitutional Court\u2019s decision, cited in paragraph 29 above). However, the Court, having regard to its findings in the context of the applicability of Article 8, does not find the Constitutional Court\u2019s position on that question to be reconcilable with the scope of the right to privacy under the Convention (see paragraphs 115 to 118 above). Bearing in mind the Constitutional Court\u2019s finding that the \u201cidentity of the communicating individual\u201d fell within the scope of the protection of Article 37 of the Constitution (see paragraph 128 above) and the Court\u2019s conclusion that the applicant had a reasonable expectation that his identity with respect to his online activity would remain private (see paragraphs 115 to 118 above), a court order was necessary in the present case. 
Moreover, nothing in the domestic law prevented the police from obtaining it given that they, a few months after obtaining the subscriber information, during which time apparently no investigative steps had been taken in the case, requested and obtained a court order for what would seem to be, at least in part, the same information as that which had already been in their possession (see paragraph 8 above). The domestic authorities\u2019 reliance on section 149b(3) of the CPA was therefore manifestly inappropriate and, what is more, it offered virtually no protection from arbitrary interference.<\/p>\n<p>130.\u00a0\u00a0In this connection, the Court notes that at the relevant time there appears to have been no regulation specifying the conditions for the retention of data obtained under section 149b(3) of the CPA and no safeguards against abuse by State officials in the procedure for access to and transfer of such data. As regards the latter, the police, having at their disposal information on a particular online activity, could have identified an author by merely asking the ISP provider to look up that information. Furthermore, no independent supervision of the use of these police powers has been shown to have existed at the relevant time, despite the fact that those powers, as interpreted by the domestic courts, compelled the ISP to retrieve the stored connection data and enabled the police to associate a great deal of information concerning online activity with a particular individual without his or her consent (see paragraphs 108 and 109 above).<\/p>\n<p>131.\u00a0\u00a0The Court further notes that soon after the contested measure had been taken against the applicant, the Parliament adopted amendments to the ECA (see paragraph 38 above, as well as the relevant provisions in the subsequent new law cited in paragraph 39). 
Those amendments provided, among other things, rules on the retention of data concerning the origin of communications, that is, inter alia, the name and address of the subscriber to whom a certain IP address had been assigned, and the procedure for accessing and transferring them. This, however, had no effect on the applicant\u2019s situation.<\/p>\n<p>132.\u00a0\u00a0Bearing in mind the above, the Court is of the view that the law on which the contested measure, that is the obtaining by the police of subscriber information associated with the dynamic IP address in question (see paragraph 7 above), was based and the way it was applied by the domestic courts lacked clarity and did not offer sufficient safeguards against arbitrary interference with Article 8 rights.<\/p>\n<p>133.\u00a0\u00a0In these circumstances, the Court finds that the interference with the applicant\u2019s right to respect for his private life was not \u201cin accordance with the law\u201d as required by Article 8 \u00a7 2 of the Convention. 
Consequently, the Court need not examine whether the contested measure had a legitimate aim and was proportionate.<\/p>\n<p>134.\u00a0\u00a0Having considered all of the above, the Court concludes that there has been a violation of Article 8 of the Convention.<\/p>\n<p>II.\u00a0\u00a0APPLICATION OF ARTICLE 41 OF THE CONVENTION<\/p>\n<p>135.\u00a0\u00a0Article 41 of the Convention provides:<\/p>\n<p>\u201cIf the Court finds that there has been a violation of the Convention or the Protocols thereto, and if the internal law of the High Contracting Party concerned allows only partial reparation to be made, the Court shall, if necessary, afford just satisfaction to the injured party.\u201d<\/p>\n<p><strong>A.\u00a0\u00a0Damage<\/strong><\/p>\n<p>136.\u00a0\u00a0The applicant claimed 32,000 euros (EUR) in respect of non-pecuniary damage, which included EUR 7,000 for the distress he had suffered because of the trial against him, EUR 15,000 because he had been unjustifiably imprisoned and EUR 10,000 for the stigmatisation he had suffered in the society as a result of his conviction.<\/p>\n<p>137.\u00a0\u00a0The Government argued that the applicant\u2019s claim for non-pecuniary damage was unsubstantiated and excessive. They further argued that there was no connection between the violation of Article 8 alleged in the present case and the alleged non-pecuniary damage in relation to the applicant\u2019s criminal conviction and prison sentence. In particular, even if the information in question had been excluded from the file, the applicant could not have avoided the criminal proceedings against him. 
Moreover, the Government maintained that as the applicant had admitted that he could request the reopening of the proceedings in the event of the finding of a violation, a declaratory finding by the Court should suffice.<\/p>\n<p>138.\u00a0\u00a0The Court considers that the finding of a violation constitutes sufficient just satisfaction for any non-pecuniary damage that may have been sustained by the applicant.<\/p>\n<p><strong>B.\u00a0\u00a0Costs and expenses<\/strong><\/p>\n<p>139.\u00a0\u00a0The applicant also claimed EUR 4,335.50 for the costs and expenses incurred before the domestic courts and EUR 2,600 for those incurred before the Court plus value-added tax (VAT). He argued that those sums had been calculated on the basis of the official tariff for lawyers.<\/p>\n<p>140.\u00a0\u00a0The Government argued that the costs the applicant had claimed with respect to his representation in the domestic proceedings included VAT. They also included the costs of a legal opinion, namely EUR 2,000, which had clearly not been produced for the purposes of the domestic proceedings. As regards the claim for the cost of the proceedings before the Court, the Government argued that it was excessive. Moreover, except for the bill for the aforementioned legal opinion, the applicant had not submitted any evidence that he had incurred costs on account of his legal representation.<\/p>\n<p>141.\u00a0\u00a0According to the Court\u2019s case-law, an applicant is entitled to the reimbursement of costs and expenses only in so far as it has been shown that these have been actually and necessarily incurred and are reasonable as to quantum. In the present case, regard being had to the documents in its possession and the above criteria, the Court considers it reasonable to award the sum of EUR 922 for costs and expenses in the domestic proceedings and EUR 2,600 for the proceedings before the Court. 
In total, he should thus be awarded EUR 3,522 for costs and expenses.<\/p>\n<p><strong>C.\u00a0\u00a0Default interest<\/strong><\/p>\n<p>142.\u00a0\u00a0The Court considers it appropriate that the default interest rate should be based on the marginal lending rate of the European Central Bank, to which should be added three percentage points.<\/p>\n<p><strong>FOR THESE REASONS, THE COURT<\/strong><\/p>\n<p>1.\u00a0\u00a0Decides, by six votes to one, to join to the merits the Government\u2019s objection of the lack of victim status concerning the disclosure of the subscriber information under Article 8 of the Convention and rejects it;<\/p>\n<p>2.\u00a0\u00a0Declares, by a majority, the complaint concerning the disclosure of the subscriber information under Article 8 of the Convention admissible and the remainder of the application inadmissible;<\/p>\n<p>3.\u00a0\u00a0Holds, by six votes to one, that there has been a violation of Article 8 of the Convention;<\/p>\n<p>4.\u00a0\u00a0Holds, unanimously, that the finding of a violation constitutes in itself sufficient just satisfaction for the non-pecuniary damage sustained by the applicant;<\/p>\n<p>5.\u00a0\u00a0Holds, by six votes to one,<\/p>\n<p>(a)\u00a0\u00a0that the respondent State is to pay the applicant, within three months from the date on which the judgment becomes final in accordance with Article\u00a044\u00a0\u00a7\u00a02 of the Convention, EUR 3,522 (three thousand five hundred and twenty-two euros) plus any tax that may be chargeable to the applicant, in respect of costs and expenses;<\/p>\n<p>(b)\u00a0\u00a0that from the expiry of the above-mentioned three months until settlement simple interest shall be payable on the above amount at a rate equal to the marginal lending rate of the European Central Bank during the default period plus three percentage points;<\/p>\n<p>6.\u00a0\u00a0Dismisses, unanimously, the remainder of the applicant\u2019s claim for just satisfaction.<\/p>\n<p>Done in English, and 
notified in writing on 24 April 2018, pursuant to Rule\u00a077\u00a0\u00a7\u00a7\u00a02 and 3 of the Rules of Court.<\/p>\n<p>Andrea Tamietti\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Ganna Yudkivska<br \/>\nDeputy Registrar\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 President<\/p>\n<p>____________<\/p>\n<p>In accordance with Article 45 \u00a7 2 of the Convention and Rule 74 \u00a7 2 of the Rules of Court, the following separate opinions are annexed to this judgment:<\/p>\n<p>(a)\u00a0\u00a0Concurring opinion of Judge G. Yudkivska, joined by Judge M.\u00a0Bo\u0161njak;<\/p>\n<p>(b)\u00a0\u00a0Dissenting opinion of Judge F. Vehabovi\u0107.<\/p>\n<p style=\"text-align: right;\">G.Y.<br \/>\nA.N.T.<\/p>\n<p style=\"text-align: center;\"><strong>CONCURRING OPINION OF JUDGE YUDKIVSKA, JOINED\u00a0BY JUDGE BO\u0160NJAK<\/strong><\/p>\n<p>I agree with the outcome of the judgment as well as with the methodology used by the majority. 
What surprises me, however, is the apparent difficulty with which the conclusion on the existence of interference in this case is reached and, in particular, a very cautious approach to the reasonable expectation of privacy in paragraphs 115-118.<\/p>\n<p>The case in issue presented a unique opportunity to clarify the scope of the reasonable expectation of privacy in the digital age, where a striking amount of information about our private lives is easily circulated beyond our control. \u201cCivilization is the progress toward a society of privacy\u201d, stated Ayn Rand[1]. The modern reality, however, is that privacy is increasingly becoming a cherished value, which requires greater protection day by day. Countless scholars have already announced the \u201cdeath\u201d, \u201cend\u201d or \u201cdestruction\u201d of privacy[2]. It is argued that in order to protect privacy in the modern era we must reconsider the outdated understanding of it as mere secrecy, and move toward legal protection of trust and confidentiality and of the right to control how information is disseminated and used[3]. As judges we are entrusted with the task of rethinking the privacy paradigm in cases such as the present one.<\/p>\n<p>For the first time in this case the Court has gone into a study of the Internet Protocol and forms of IP addressing, namely static and dynamic \u2013 to the extent necessary in the circumstances. In Benedik we are dealing with dynamic IP addressing, that is, assigning new IP addresses at random from a pool of addresses assigned to an Internet service provider on each occasion that a user connects to the internet. Today dynamic IP addressing is the most common form for Internet consumers, and therefore the Court\u2019s conclusions on privacy in the present case will affect the great majority of internet users all around Europe.<\/p>\n<p>It has become commonplace to recall in privacy discussions that the legal notion of privacy was not pronounced until Samuel D. 
Warren and Louis D. Brandeis published their prominent article \u201cThe Right to Privacy\u201d back in 1890. What deserves to be mentioned is that they were prompted by concern that modern technologies, namely the recently invented portable camera and the rapid development of printed media, would reveal unwanted details about the lives of ordinary people: \u201cInstantaneous photographs and newspaper enterprise have invaded the sacred precincts of private and domestic life; and numerous mechanical devices threaten to make good the prediction that \u2018what is whispered in the closet shall be proclaimed from the house-tops\u2019.\u201d[4]<\/p>\n<p>Since that time, every development in existing technologies and the appearance of new ones has generated a revisiting of the doctrine of privacy and its reasonable expectations: from concerns about monitoring of telephone conversations at the beginning of the 20th century to wide discussions on mass surveillance, collection and processing of metadata at the beginning of the 21st century. Yet in 1966 Justice William Douglas in his dissenting opinion in Osborn v. United States warned: \u201cWe are rapidly entering the age of no privacy, where everyone is open to surveillance at all times; where there are no secrets from government\u201d[5]. The technical possibilities that exist nowadays are far more intrusive than Justice Douglas could even have imagined some fifty years ago. But the wide expansion of the internet merely presents a new degree of intensity in respect of an old problem.<\/p>\n<p>The notion of a \u201creasonable expectation of privacy\u201d has been used by the Court in several cases, including the present one, but this notion came to us from the United States Supreme Court, where it appeared in the case of Katz v. United States[6], which concerned the use by the FBI of eavesdropping devices for receiving conversations on illegal gambling made by a suspect from a public telephone booth. 
As the Supreme Court observed, \u201cno less than an individual in a business office, in a friend\u2019s apartment, or in a taxicab, a person in a telephone booth may rely upon the protection of the Fourth Amendment. One who occupies it, shuts the door behind him, and pays the toll that permits him to place a call is surely entitled to assume that the words he utters into the mouthpiece will not be broadcast to the world.\u201d<\/p>\n<p>It was a concurring opinion by Justice Harlan which introduced this particular concept: he wrote that his \u201cunderstanding of the rule that has emerged from prior decisions is that there is a twofold requirement\u201d: (1) a person \u201chas demonstrated the actual (subjective) expectation of privacy\u201d, and (2) society is ready to admit that this expectation is (objectively) reasonable. It is this test which has subsequently been cited in the Supreme Court\u2019s Fourth Amendment case-law.<\/p>\n<p>The concept of a \u201creasonable expectation of privacy\u201d was first used by this Court in Halford v. the United Kingdom[7]. There, the Court concluded that a police officer had reasonable expectations about the privacy of phone calls made at the workplace, in the absence of any warning that those calls could be intercepted. The Court referred to the same concept ten years later in Copland v. the United Kingdom[8], finding that, in the absence of any warning, a college employee also had reasonable expectations about the privacy of the emails she had sent from her college mailbox account.<\/p>\n<p>More recently, the concept was mentioned in the Grand Chamber case of B\u0103rbulescu v. Romania[9]. The case concerned the applicant\u2019s dismissal following the monitoring of his electronic communications, mainly through his Yahoo Messenger account, which the applicant was instructed to create for communicating with clients. 
It was found that he used the Internet for personal purposes during the working day, in violation of internal rules. The Court left open the question of whether the applicant had a reasonable expectation of privacy, notwithstanding the employer\u2019s clear instructions for abstaining from any personal activity in the workplace, because an \u201cemployer\u2019s instructions cannot reduce private social life in the workplace to zero\u201d.<\/p>\n<p>The present case raises the issue of a reasonable expectation of privacy when it comes to traffic data (metering or metadata), and I regret that the Court missed the opportunity to take a clear stance on it. An interesting discussion of this topic within the Constitutional Court of Slovenia (see paragraphs 28-34 of the judgment) was left unaddressed.<\/p>\n<p>Similar discussions are ongoing among the American judiciary. Under the original conception of US constitutional law, the Supreme Court has clearly proceeded on the basis that while there can be said to be a reasonable expectation of privacy with respect to content, there is no such expectation when it comes to metadata (traffic data). Some forty years ago, in the case of Smith v. Maryland[10], the Supreme Court considered the handling of metadata by telephone companies, which have information on the numbers dialled and the duration of conversations. 
It observed that \u201cit is too much to believe that telephone subscribers, under these circumstances, harbor any general expectation that the numbers they dial will remain secret.\u201d Under this concept, therefore, an individual does not have a reasonable expectation of privacy with regard to this type of information.<\/p>\n<p>American courts have interpreted the \u201cthird-party doctrine\u201d established in Smith to apply to IP addresses, and have held that Internet users have no reasonable expectation of privacy in their IP addresses because they are voluntarily conveyed to third parties &#8211; the users\u2019 ISPs and web service providers[11], noting, however, that \u201cthe mere act of accessing a network does not in itself extinguish privacy expectations\u201d[12] and that \u201cindividuals possess objectively reasonable expectations of privacy in the contents of their computers\u201d[13]. Nevertheless, in 2008 the Superior Court of New Jersey adopted the judgment in the case of\u00a0State v. Reid[14], explaining that \u201cindividuals need an ISP address in order to access the Internet. However, when users surf the Web from the privacy of their homes, they have reason to expect that their actions are confidential. Many are unaware that a numerical IP address can be captured by the websites they visit. More sophisticated users understand that that unique string of numbers, standing alone, reveals little if anything to the outside world. Only an Internet service provider can translate an IP address into a user\u2019s name.\u201d<\/p>\n<p>The NJ Court then proceeded with a crucially important reshaping of the privacy pattern, prompted by modern internet activities: \u201c&#8230; while decoded IP addresses do not reveal the content of Internet communications, subscriber information alone can tell a great deal about a person. 
With a complete listing of IP addresses, one can track a person\u2019s Internet usage&#8230; Such information can reveal intimate details about one\u2019s personal affairs in the same way as disclosure of telephone billing records does. Although the contents of Internet communications may be even more revealing, both types of information implicate privacy interests\u201d.<\/p>\n<p>In my view, this is the key challenge to be clearly articulated \u2013 traffic data or metadata is collected nowadays much more broadly than the content data (actual content of communications), and such interference must be \u201cestablished beforehand in a law, and set forth expressly, exhaustively, precisely, and clearly, both substantively and procedurally\u201d, defining \u201cthe causes and conditions that would enable the State to intercept the communications of individuals, collect communications data or \u201cmetadata,\u201d or to subject them to surveillance or monitoring that invades spheres in which they have reasonable expectations of privacy.\u201d[15]. The PACE Resolution on Mass Surveillance[16] urged the Council of Europe member States \u201cto ensure that their national laws only allow for the collection and analysis of personal data (including so-called metadata) with the consent of the person concerned or following a court order granted on the basis of reasonable suspicion of the target being involved in criminal activity&#8230;\u201d.<\/p>\n<p>It appears accepted that the collection of metadata was seen (and is still seen) as less intrusive than the collection of content. In the pre-internet era, in 1984, the European Court of Human Rights held that while collecting content is a greater intrusion than collecting metadata, collecting metadata would still be an interference with Article 8. 
This was the case in Malone v.\u00a0the United Kingdom[17], where the police used devices that recorded the numbers dialled on a particular phone, as well as the time and duration of each call &#8211; without interception of the conversations. The Government argued that the collection of such information did not entail an interference with the right guaranteed by Article 8.<\/p>\n<p>The Court noted in Malone that it \u201cdoes not accept &#8230; that the use of data obtained from metering, whatever the circumstances and purposes, cannot give rise to an issue under Article 8\u201d, as the numbers dialled were an \u201cintegral element in the communications made by telephone\u201d and the handing over of that information from a telephone service provider to the police without the consent of the subscriber amounted to an interference with a right guaranteed by Article 8 (Malone, \u00a7 84).<\/p>\n<p>This position needs to be substantially strengthened today. The view that metadata does not deserve the same level of protection as content data is shattered as it is confronted with present-day realities: there are currently so many forms of metadata &#8211; from phone calls, e-mails, web engines showing your surfing history, to Google Maps showing your location, etc.; and if this data are aggregated, an outstandingly intrusive portrait is obtained of the person concerned, revealing his or her personal and professional relationships, ethnic origin, political affiliation, religious beliefs, membership of different groups, financial status, shopping or disease history, and so on. In order to obtain this information, one need not go to the trouble of listening to conversations or reading letters, as in the good old days. 
This point was underlined in the United Nations Human Rights Council Resolution on the Right to Privacy in the Digital Age, which noted that \u201cwhile metadata may provide benefits, certain types of metadata, when aggregated, can reveal personal information that can be no less sensitive than the actual content of communications and can give an insight into an individual\u2019s behaviour, social relationships, private preferences and identity\u201d[18].<\/p>\n<p>In his book \u201cData and Goliath\u201d[19], specifically devoted to \u201cthe golden age of surveillance\u201d, leading security expert Bruce Schneier\u00a0gives a fascinating example of an experiment conducted by Stanford University, which examined the phone metadata of a number of people and easily identified among them &#8211; using only traffic information about their various phone calls &#8211; a heart-attack victim, a home marijuana grower, and a pregnant woman planning an abortion.<\/p>\n<p>The collection and aggregation of several types of protected information from various sources creates new risks for human rights, to which this Court cannot turn a blind eye, given that almost everything we do leaves a digital footprint.<\/p>\n<p>The applicant in the present case, like all other internet users, enjoyed anonymity, as dynamic IP addresses can be linked to one\u2019s identity only if specifically disclosed by the service provider following a relevant request. 
Thus, there should be no doubt that his expectations of privacy were perfectly legitimate, notwithstanding the abhorrently illegal character of his activity as explained in paragraph 99 (had the interference been in accordance with the law the Court would have proceeded with a further examination of its proportionality and the nature of the crime would have been given due consideration).<\/p>\n<p>In view of the foregoing, I believe that the Court ought to have stated unequivocally that, given the technical anonymity of IP addresses, internet users have reasonable expectations of privacy when surfing the Web. Further processing of this metadata may only be carried out in accordance with a law that satisfies quality requirements, as argued above.<\/p>\n<p>Privacy protection is a crucial achievement in European political and legal culture, not least because it was formed against the backdrop of the horrors of the Nazi and communist regimes. In the long run, privacy will stand as a fundamental right only so long as it is defended by society, and it will disappear if society stops seeing it as an essential value. We do have a reasonable expectation that our privacy will be protected even when we go online. 
Our fundamental right to control how we present ourselves to the outside world is vital, and this stance should be reinforced by the Court.<\/p>\n<p>&nbsp;<\/p>\n<p style=\"text-align: center;\"><strong>DISSENTING OPINION OF JUDGE VEHABOVI\u0106<\/strong><\/p>\n<p>I did not vote with the majority, which found that there had been a violation of Article 8 of the Convention concerning the applicant\u2019s reasonable expectation of privacy and the existence of an interference with the applicant\u2019s rights under Article 8 of the Convention.<\/p>\n<p>The information disclosed on 7 August 2006 to the local authorities by the Internet Service Provider (ISP) was not traffic data or personal information concerning the applicant; it was the address and the name of the applicant\u2019s father who was the subscriber to the internet service. It appears from that fact that the applicant could not claim to be a victim because the subscriber information which the ISP had disclosed to the police concerned his father, who is not the applicant in this case, as pointed out by the Government.<\/p>\n<p>A reasonable suspicion of the transfer of files including child pornography, which is a criminal act, required the local authorities to investigate further, and the information concerning the applicant, that is to say traffic data relating to the internet activities made from this IP address, was revealed to the police on 14 December 2006 after the District Court had issued an order demanding that the ISP disclose both the personal data of the subscriber and traffic data linked to the IP address in question. 
In addition to that the investigating judge of the Kranj District Court on 12\u00a0January 2007 issued an order to carry out a house search and only then was the applicant connected to the traffic data in question and only from that moment can the applicant claim to be a victim.<\/p>\n<p>In my opinion, the retrieved IP address which led to the address and the name of the applicant\u2019s father is not of sufficient proximity to qualify as the personal data of the applicant himself, as it revealed the identity and traffic data of neither the applicant nor his father.<\/p>\n<p>The Court has on a number of occasions referred to the Data Protection Convention which defines personal data in Article 2 as \u201cany information relating to an identified or identifiable individual\u201d, (see Satakunnan Markkinap\u00f6rssi Oy and Satamedia Oy v. Finland, 931\/13, \u00a7 133, and Amann v.\u00a0Switzerland, 27798\/95, \u00a7 65). Local authorities did not receive information on the applicant; the applicant was not an identified or an identifiable individual prior to the court order which was the basis for the Court\u2019s finding of a violation of Article 8 of the Convention. I therefore do not agree with the majority\u2019s finding that there was an interference contrary to the applicant\u2019s right under Article 8 of the Convention.<\/p>\n<p>Concerning the reasonable expectation of privacy, I do not agree that the subjective angle of the applicant on his expectation for privacy should be taken into account where a criminal activity is under consideration. In nearly all cases, criminals would not wish their activities to be known to others. This kind of expectation of privacy would not be reasonable when based on an unlawful, or in this case a criminal, incentive. An expectation to hide criminal activity should not be considered as reasonable. 
On a second issue concerning the reasonable expectation of privacy, the applicant exchanged files including child pornography (which the Chamber, in my opinion, intentionally omitted from \u00a7 115) through a public network account which was visible to others. The applicant therefore knew, or ought to have known, that his actions were not anonymous. The applicant did not intend to conceal his activity at the time of commission of the offence.<\/p>\n<p>Furthermore, in many cases in which an interference was found, the Court considered the prevention of crime as constituting a legitimate aim. For example in Nada v. Switzerland, the Court decided that \u201c[t]he applicant did not appear to deny that the impugned restrictions were imposed in pursuit of legitimate aims. The Court finds it established that those restrictions pursued one or more of the legitimate aims enumerated in Article 8 \u00a7 2: firstly, they sought to prevent crime\u201d (Nada v. Switzerland, 10593\/08, \u00a7 174). Also, in S. and Marper v. the United Kingdom, \u201c[t]he Court agrees with the Government that the retention of fingerprint and DNA information pursues the legitimate purpose of the detection and, therefore, prevention of crime. While the original taking of this information pursues the aim of linking a particular person to the particular crime of which he or she is suspected, its retention pursues the broader purpose of assisting in the identification of future offenders\u201d (see S. and Marper v. the United Kingdom, 30562\/04 30566\/04, \u00a7\u00a0100). 
For these reasons, I do not agree with the finding of the majority that there was a violation of the applicant\u2019s rights under Article 8 of the Convention.<\/p>\n<p>_______________<\/p>\n<p>[1].\u00a0\u00a0Ayn Rand, The Fountainhead.<br \/>\n[2].\u00a0\u00a0See Daniel Solove, \u201cSpeech, Privacy and Reputation on the Internet\u201d at: Saul Levmore and Martha\u00a0Nussbaum, Eds., The Offensive Internet: Speech, Privacy, and Reputation, Cambridge, Mass.: Harvard University Press, 2011, with further references.<br \/>\n[3].\u00a0\u00a0Ibid., pp. 20 and 22.<br \/>\n[4].\u00a0\u00a0Warren &amp; Brandeis, The Right to Privacy, 4 HARV. L. REV. 193 (1890).<br \/>\n[5].\u00a0\u00a0Osborn v. United States, 385 U.S. 323 (1966).<br \/>\n[6].\u00a0\u00a0Katz v. United States, 389 U.S. 347 (1967).<br \/>\n[7].\u00a0\u00a0Halford v. the United Kingdom, 25 June 1997, Reports of Judgments and Decisions 1997\u2011III.<br \/>\n[8].\u00a0\u00a0Copland v. the United Kingdom, no. 62617\/00, ECHR 2007\u2011I.<br \/>\n[9].\u00a0\u00a0GC, no. 61496\/08, ECHR 2017 (extracts).<br \/>\n[10].\u00a0\u00a0Smith v. Maryland, 442 U.S. 735 (1979).<br \/>\n[11].\u00a0\u00a0See Alexandra D. Vesalga,\u00a0Location,\u00a0Location,\u00a0Location:\u00a0Updating\u00a0the\u00a0Electronic Communications Privacy Act\u00a0to Protect Geolocational\u00a0Data, 43 GOLDEN GATE U. L. REV. 459 (2013), referring to United States v. Bynum, 604 F.3d 161, 164 &amp; n.2 (4th Cir. 2010); United States v. Perrine, 518 F.3d 1196, 1204 (10th Cir. 2008); United States v.\u00a0Forrester, 512 F.3d 500, 509-10 (9th Cir. 2008), etc.<br \/>\n[12].\u00a0\u00a0United States v. Heckenkamp, 482 F.3d 1142, 1146 (9th Cir. 2007).<br \/>\n[13].\u00a0\u00a0United States v. Howe, 2011 WL 2160472 at.\u00a0\u00a07\u00a0 (W.D.N.Y. May 27, 2011).<br \/>\n[14].\u00a0\u00a0State v. Reid, 945 A.2d 26, 28 (N.J. 
2008).<br \/>\n[15].\u00a0\u00a0The Office of the Special Rapporteur for Freedom of Expression of the Inter-American Commission on Human Rights, Freedom of Expression and the Internet (31 December 2013).<br \/>\n[16].\u00a0\u00a0PACE Resolution on Mass Surveillance 2045 (21 April 2015).<br \/>\n[17].\u00a0\u00a0Malone v. the United Kingdom, 2 August 1984, Series A no. 82.<br \/>\n[18].\u00a0\u00a0UN Human Rights Council Resolution on the Right to Privacy in the Digital Age, U.N. Doc. A\/HRC\/34\/L.7\/Rev.1 (22 March 2017).<br \/>\n[19].\u00a0\u00a0Bruce Schneier, \u201cData and Goliath: The Hidden Battles to Collect Your Data and Control Your World\u201d, New York, N.Y.:W.W. Norton &amp; Company, 2015.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>FOURTH SECTION CASE OF BENEDIK v. SLOVENIA (Application no. 62357\/14) JUDGMENT STRASBOURG 24 April 2018 FINAL 24\/07\/2018 This judgment has become final under Article 44 \u00a7 2 of the Convention. It may be subject to editorial revision. 
In the case&hellip;<\/p>\n<p class=\"more-link-p\"><a class=\"more-link\" href=\"https:\/\/laweuro.com\/?p=8054\">Read more &rarr;<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-8054","post","type-post","status-publish","format-standard","hentry","category-available-in-english"],"_links":{"self":[{"href":"https:\/\/laweuro.com\/index.php?rest_route=\/wp\/v2\/posts\/8054","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/laweuro.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/laweuro.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/laweuro.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/laweuro.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8054"}],"version-history":[{"count":1,"href":"https:\/\/laweuro.com\/index.php?rest_route=\/wp\/v2\/posts\/8054\/revisions"}],"predecessor-version":[{"id":8055,"href":"https:\/\/laweuro.com\/index.php?rest_route=\/wp\/v2\/posts\/8054\/revisions\/8055"}],"wp:attachment":[{"href":"https:\/\/laweuro.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=8054"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/laweuro.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=8054"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/laweuro.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=8054"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}