ECHR rules on identifying serious privacy infringers

By EDRi · December 17, 2008

(Dieser Artikel ist auch in deutscher Sprache verfügbar)

On 2 December 2008, the European Court of Human Rights (ECHR) gave its
judgement on the case K.U. v. Finland, considering that Article 8 of the
Convention asks for national laws that will protect people from serious
privacy infringements on the Internet, but at the same time demands a legal
framwork that permits the identification and prosecution of offenders,
respecting digital rights.

In this case brought to the ECHR an unknown person or persons placed an
advertisement on a dating site on the Internet in the name of the applicant,
who was 12 years old at the time, without his knowledge. The advertisement
mentioned his age and year of birth, gave a detailed description of his
physical characteristics, a link to the web page he had at the time which
showed his picture, as well as his telephone number, which was accurate save
for one digit. In the advertisement, it was claimed that he was looking for
an intimate relationship with a boy of his age or older “to show him the
way”. The applicant became aware of the announcement on the Internet when
he received an e-mail from a man, offering to meet him and “then to see what
you want”.

The applicant’s father requested the police to identify the person who had
placed the advertisement in order to bring that person to court. The service
provider, however, refused to reveal the identity of the holder of the IP
address in question, considering itself bound by the confidentiality of
telecommunications as defined by law. The Finnish courts could not help the
father, considering that the law in force at that time provided for this
information to be revealed only in respect of the criminal offences.

Therefore the applicant asked the ECHR to judge if the fake ad did not
consitute a violation of his right to a private life under Art. 8 of the
ECHR and if he had not been denied an effective remedy for that violation
under Art. 13 ECHR.

The court held that Finland was in breach of its obligations under Article
8, because it didn’t provide an effective criminal sanction for the
violation of the applicant’s rights. Consequently the court did not continue
to consider the issue under Article 13.

The court considers that serious privacy infringements need to be considered
by the legal framework of the states: “While the choice of the means to
secure compliance with Article 8 in the sphere of protection against acts of
individuals is, in principle, within the State’s margin of appreciation,
effective deterrence against grave acts, where fundamental values and
essential aspects of private life are at stake, requires efficient
criminal-law provisions .”

ECHR concludes by explaining that Article 8 should be interpreted in order
to provide the legal framework to identify wrongdoers and bring them to
justice, respecting the human rights on the Internet (freedom of expression
and confidentiality of communications):

“The Court considers that practical and effective protection of the
applicant required that effective steps be taken to identify and prosecute
the perpetrator, that is, the person who placed the advertisement. In the
instant case such protection was not afforded. An effective investigation
could never be launched because of an overriding requirement of
confidentiality. Although freedom of expression and confidentiality of
communications are primary considerations and users of telecommunications
and Internet services must have a guarantee that their own privacy and
freedom of expression will be respected, such guarantee cannot be absolute
and must yield on occasion to other legitimate imperatives, such as the
prevention of disorder or crime or the protection of the rights and freedoms
of others. ”

TJ McIntyre from EDRi-member Digital Rights Ireland is commenting on the
text that raises a number of questions on the practical implications of the
case:
“The court points out that it is dealing with a “grave” criminal offence,
which leaves open the question of whether the reasoning would apply to less
serious offences or to civil matters only. It also limits itself to
requiring a national balancing framework between the rights of an alleged
victim and the general rights of privacy in communications and freedom of
expression – presumably within that framework states will enjoy a
significant margin of appreciation. On the other hand, it rejects the
argument that other systems (such as notice and takedown or intermediary
liability) can suffice, insisting instead on requiring identification of
users. It also focuses on the “ability of the victim to obtain financial
reparation”, which seems to extend the reasoning to civil matters also.”

Judgement Case of K.U. v. FINLAND (2.12.2008)
http://cmiskp.echr.coe.int/tkp197/view.asp?action=html&documentId=843777&portal=hbkm&source=externalbydocnumber&table=F69A27FD8FB86142BF01C1166DEA398649

Identifying Individuals in Internet Iniquity: ECHR rules on naming
wrongdoers (2.12.2008)
http://www.tjmcintyre.com/2008/12/identifying-individuals-in-internet.html

K.U. v. Finland: No Data Retention Obligation (15.12.2008)
http://www.jorisvanhoboken.nl/?p=236