Constitutional Court: No IP address to be Revealed Without a Court Order

17.12.2021

The Constitutional Court of the Republic of Slovenia annulled the criminal conviction for an online defamation, which was based on the IP address of the perpetrator acquired from the website operator, without a court order. The Supreme Court’s view that the violation of an individual’s right to communication privacy was less severe as it was not committed by the state, was rejected as flawed.

An individual (complainant) was found guilty by a District Court of defaming the mayor of a small municipality by posting a comment under an article on an open-access website, using a pseudonym instead of her real name. She was ordered to pay a fine of EUR 1,066.40. The verdict was upheld by the High Court and the Supreme Court.

The complainant argued that her IP address had been acquired from the website operator based on the (allegedly defamed) mayor’s attorney’s request, which in her view, amounted to a violation of her constitutional right to communication privacy. Namely, Article 37 of the Constitution of the Republic of Slovenia provides that any intrusion of one’s (communication) privacy should be based on a court order. Only after the IP address had been acquired from the website operator, did the court – however in a parallel tort (civil) case – order the Internet service provider to reveal the person behind the IP address, thus connecting the complainant to the allegedly defamatory comment on the website.

The regular courts came up with several arguments to defend the position that there had been no violation of complainant’s privacy rights:

  • The IP address is not a piece of information that could identify a website user, and is therefore not considered personal data.
  • There could be no reasonable expectation of privacy as the complainant published the comment on an open-access website, thereby waiving her right to privacy; in effect, also her IP address no longer enjoyed the constitutional protection.
  • even though there was no direct legal ground for the website operator to reveal the IP address to the mayor’s attorney, it was a private company and not the state who violated the law. In light of this fact, the complainant’s right to privacy should, in concreto, give way to mayor’s right to his personal integrity.

The Constitutional Court unanimously rejected such views. The judges stressed that – contrary to a previous case in which the Court held that by using the E-mule peer-to-peer application to disseminate (illegal) content, whereby the IP addresses of the participants were visible to anyone, the perpetrator had no reasonable expectation of privacy regarding his IP address – in the present case the complainant had every reason to expect the privacy (of her IP address) despite the fact that her comment was made on a public and open-access website. Namely, she used a pseudonym instead of her real name. Moreover, on the website, neither her IP address nor any other designation enabling at least indirect identification were published, or visible to her when posting the comment.

The Court also stated that the anonymity of Internet communications, despite its obvious potential for committing criminal acts, enables personal development, freedom of speech and of expression, and in effect the development of a free and democratic society, as recognised also in the jurisprudence of the European Court of Human Rights.

For the said reasons, the Constitutional Court annulled all the regular courts’ decisions and ordered a retrial.

 

Article provided by INPLP member: Matija Jamnik (JK Group, Slovenia)

 

 

Discover more about INPLP, the INPLP-Members and the GDPR-FINE database

Dr. Tobias Höllwarth (Managing Director INPLP)

What is the INPLP?

INPLP is a not-for-profit international network of qualified professionals providing expert counsel on legal and compliance issues relating to data privacy and associated matters. INPLP provides targeted and concise guidance, multi-jurisdictional views and practical information to address the ever-increasing and intensifying field of data protection challenges. INPLP fulfils its mission by sharing know-how, conducting joint research into data processing practices and engaging proactively in international cooperation in both the private and public sectors.