European Convention on Human Rights v. Privacy Violations and Data Held by Internet Service Providers

European Convention on Human Rights v. Privacy Violations and Data Held by Internet Service Providers

European citizens claiming violation of privacy have looked for legal remedy on articles 8 and 13 of the European Convention on Human Rights when their domestic legislation does not provide effective response to their claims.  Although member states have adopted the European Convention on Cybercrime and directives on privacy, certain violations of privacy arising out of the use of the Internet remain unpunished due to legal technicalities. In these cases, individuals seek readdress before the European Court of Human Rights; specifically, articles 8 and 13 of the convention.  These articles provide an example of a European Union case involving data held by Internet Service Providers (ISPs), Internet calumny, and violation of privacy.

In KU v. Finland [2008] ECHR 2872/02, the European Court of Human Rights held that there was a violation of articles 8 and 13 of the Human Rights Convention when an ISP refused to provide the identity of an individual who published a sexually explicit advertisement (Ad) involving a minor.  An unidentified individual published an Ad on an Internet dating site on the name of a 12-year old minor.  The Ad mentioned the minor’s age, date of birth, physical characteristics, phone number, and had a link that lead to the minor’s picture.  The Ad stated that the minor was looking of intimate relationship with a boy his age.  Some people responded to the Ad by calling the minor. The minor’s father reported the incident to his country’s authorities and initiated legal action.  The father’s minor requested the ISP information on the individual publishing the Ad but the ISP refused to provide this information invoking privacy directives.  The domestic courts in Finland, where the action took place, held that the Ad was an act of calumny and, as such, the authorities did not have the legal tools to force ISPs to disclose this information without violating privacy laws.  The minor’s father sought legal remedy before the European Court of Human Rights (ECHR) invoking violation of articles 8 and 13.  Despite Finland’s opposition to this violation, the ECHR interconnected articles 8 and 13 of the Human Rights Convention with other European laws and concluded that there was a violation of article 8 as applied to the specific facts of this case.

Article 8 of the Human Rights Convention Article 8 provides that “[E]veryone has the right to respect for his private and family life, his home and his correspondence.” This article also establishes that “[T]here shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others."  Article 13 provides that "[E]veryone whose rights and freedoms as set forth in [the] Convention are violated shall have an effective remedy before a national authority notwithstanding that the violation has been committed by persons acting in an official capacity." To reach its holding, the ECHR combined these two precepts with the following European laws.

1. The Council of Europe adopted Recommendation No. R (89) 9 on Computer-Related Crime.  This recommendation recognizes the need to respond rapidly and effectively to new technologies crimes.  Also, the Committee of Ministers adopted Recommendation No. R (95) 13 concerning criminal procedure law for information technology crimes.  Recommendation No. R (95) 13 impose obligations on service providers who offer telecommunication services to the public through public or private networks, to provide information to identify users when ordered by competent investigating authority. These recommendations also state that domestic legal systems allow investigating authorities to order persons to submit data under their control in computer systems.  Investigating authorities should have the power to order persons to provide data in computer systems under their control and to provide all necessary information to enable access to a computer system and the data therein. 

2.  The ECHR also mentioned the European Convention on Cybercrime when deciding this case.  The court stated that the Cybercrime Convention requires member states to adopt legislative measures to establish the powers and procedures for criminal investigations regarding criminal conducts committed through the use of computer systems, and the collection of electronic evidence. Article 12 (1) and (2).  Article 18 of the Cybercrime Convention establishes that member states may empower public authorities to order submission of public data under their control and stored in computer systems or any other electronic means; and order “a service provider offering its services in the territory of the Party to submit subscriber information relating to such services in that service provider's possession or control.”  Article 14 and 15 describes the type of subscribers’ information that can be ordered. This includes, telephone numbers, names, addresses, billing and payment information, etc.

3. The ECHR mentioned the "Guidelines for the cooperation between law enforcement and internet service providers against cybercrime," adopted at the global conference "Cooperation against Cybercrime" held in Strasbourg on 1-2 April 2008.  These guidelines allow cooperation between investigating authorities and ISPs against cybercrime.

4. The United Nations General Assembly resolutions 55/63 of 4 December 2000 and 56/121 of 19 December 2001 on "Combating the criminal misuse of information technologies" were quoted by the ECHR.  Resolution 55/63, in particular, recommends that “[L]egal systems should permit the preservation of and quick access to electronic data pertaining to particular criminal investigations."

5.  Directive 2006/24/EC on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks, amending the previous data retention Directive 2002/58/EC are other European laws that require ISPs to make available retained data for purposes of criminal investigations.  The ECHR particularly quoted the following article 5 provision: "[M]ember States shall ensure that the following categories of data are retained under this Directive: (a) data necessary to trace and identify the source of a communication: ... (2) concerning Internet access, Internet e-mail and Internet telephony: … (iii) the name and address of the subscriber or registered user to whom an Internet Protocol (IP) address, user ID or telephone number was allocated at the time of the communication."

Therefore, the ECHR found enough legislation to support member states authorities’ request of data from ISPs when it is required in the course of a criminal investigation.