Court/Judicial body: European Court of Human Rights
Citation: Application no. 2872/02
Date: 2 December 2008
Instrument(s) cited:Domestic Finnish Constitution Act, Article 10 §8 (everyone’s right to private life is guaranteed) Penal Code, Chapter 24 Article 3 (concerning acts of calumny) Coercive Measures Act, Chapter 5a §3 (preconditions of telecommunications monitoring) Protection of Privacy and Data Security in Telecommunications Act §18(1) (police right to obtain identification data) Personal Data Act §48 (identity and defamatory announcement on websites) Personal Files Act §§43,44 (data protection offense of the publication of sensitive information concerning sexual behavior on an internet server) Exercise of Freedom of Expression in Mass Media Act §17 International European Convention on Human Rights, Article 8: respect for private and family life The Council of Europe, Committee of Ministers Recommendation No. 9, No. 13 (1995) (computer related crimes) European Committee on Crime Problems, Convention on Cybercrime (1 July 2004) (procedural powers and identity information) Cooperation against Cybercrime (1 April 2008) (guidelines for the cooperation between law enforcement and internet service providers against cybercrime) General Assembly Resolutions 55/63 (4 December 2000), 56/121 (19 December 2001) (combating the criminal misuse of information technologies) European Parliament and the Council of the European Union directive 2006/24/EC (15 March 2006) (data in connection with publicly available electronic communications)
Background: A 12-year-old boy was the target of an advertisement of a sexual nature on an Internet dating site. The advertisement, posted without his knowledge, included his name, year of birth, detailed description of his physical characteristics, a photo and telephone number (only one digit off from the correct number). The advertisement claimed he was looking for an intimate relationship with a boy of his age or older “to show him the way.” The child learned of the existence of the advert when a man contacted him via email offering to meet him and “then to see what you want.” The service provider refused to disclose the identity of the author, saying it was bound by the confidentiality of telecommunications. Legislation in effect at the time prohibited Internet service providers from disclosing user identity. The goal of this legislation was to protect the freedom of expression and the right to anonymous expression. The national courts confirmed that the service provider did not have to provide the information because of their duty to uphold confidentiality. The child complained to the European Court of Human Rights that his right to respect for his private life had been violated ( Article 8 of the European Convention on Human Rights (ECHR)) and the the State had failed to provide him with an effective remedy (as required by Article 13 ECHR).
Issue and resolution: Privacy – digital rights. The issue before the Court was whether the State must require internet service providers to disclose the identity of a private user who posted information about a child – without their consent – on a website that made him a target for paedophiles. The Court unanimously held there had been a violation of the applicant’s privacy contrary to Article 8.
Court reasoning: The Court declared that “both the public interest and the protection of the interests of victims of crimes committed against their physical or psychological well-being require the availability of a remedy enabling the actual offender to be identified and brought to justice.” The lack of a criminal sanction that could be applied to the current case was a serious problem, the Court said, because “[t]he act was criminal, involved a minor and made him a target for approaches by pedophiles.” Article 8 of the Convention not only protects against government interference, but also imposes positive obligations to secure respect for citizens’ private lives. The Court emphasised that children and other vulnerable individuals must be end to State protection, in the form of effective deterrence, from such grave types of interference with essential aspects of their private lives. The Court rejected the Government’s argument that sufficient protection for privacy was provided by the existence of the criminal offence of calumny (the making of untrue comments intended to damage to reputation), because : “[t]he existence of an offence has limited deterrent effects if there is no means to identify the actual offender and to bring him to justice.” It also rejected the Government’s argument that the applicant had a remedy because he could obtain damages from the service provider, saying it was “insufficient in the circumstances of this case.” Lastly, the Court stated that although freedom of expression and privacy of communications are important considerations and users of this technology should have a guarantee that their own privacy and freedom of expression be respected, such “guarantee cannot be absolute, and must yield… to the prevention of disorder or crime or the protection of the right and freedoms of others.” Given that a violation of Article 8 was already established, the Court did not consider the alleged breach of Article 13.
Link to full judgement: https://www.coe.int/t/dghl/standardsetting/dataprotection/Judgments/K.U.%20v.%20FINLAND%20en.pdf