Austria

[AT] OGH Confirms Obligation to Provide Information on Dynamic IP Address Users in Criminal Procedures

IRIS 2011-7:1/7

Sebastian Schweda

Institute of European Media Law (EMR), Saarbrücken/Brussels

In Austria, Internet service providers are required to inform the public prosecutor’s office, at its request, about the master data of the user to whom a particular IP address was assigned at a particular point in time. In a ruling of 13 April 2011, the Austrian Oberste Gerichtshof (Supreme Court - OGH) confirmed this on the basis of the legal situation before the introduction of data retention. It therefore rejected a nullity appeal lodged by the Generalprokuratur (Procurator General’s Office).

The initial case concerned the identification of a suspect who was accused by the Steyr public prosecutor’s office of using false account numbers to buy online tickets from the website of the state railway company, ÖBB (Österreichische Bundesbahnen), between 4 May and 1 June 2009. The public prosecutor’s office ordered that the relevant “master data documentation” should be obtained. The Internet provider concerned opposed this order, but its objection was rejected by the Landesgericht Steyr (Steyr district court).

The Generalprokuratur, a special public prosecution office that acts as custodian of the law within the Austrian legal system, then lodged a nullity appeal. It argued, inter alia, that the secrecy of telecommunications, protected under Article 10a of the Staatsgrundgesetz (Basic Law - StGG), covered, according to an accurate interpretation, not only the content, but also the traffic data that “often refers to the content of the communication”. It argued that, if the provider had to access traffic data in order to obtain requested master data, it would be processing traffic data, which was protected by Article 10a StGG. An infringement was therefore committed even if the data was processed not by a State authority, but by a private entity acting “on behalf of the State and exclusively for State purposes”. According to Article 10a(2) StGG, this was only admissible on the basis of a judicial warrant.

The Generalprokuratur also considered that the obligation to disclose master data only applied if the traffic data that needed to be processed for this purpose had been legitimately stored. However, under the flat-rate tariffs for Internet access that were now in common use, storage for billing purposes was no longer necessary. Therefore, this data should, as a rule, be erased after disconnection from the Internet.

The OGH disagreed. It thought it was irrelevant whether the provider needed to process traffic data internally in order to issue information about master data. Confirming a decision it took in 2005, it ruled that telecommunications secrecy was not infringed if the “secret is not leaked”. Since data processing by a party in possession of confidential information was not the same as that carried out by State bodies, a judicial warrant was not required for the disclosure of master data.

Furthermore, operators were required under Article 103(4) of the Telekommunikationsgesetz (Telecommunications Act - TKG) to make “technical and organisational arrangements” to ensure that such requests for information could be complied with. This was a sufficient basis for processing traffic data even after disconnection. Otherwise, the OGH ruled, “the storage of traffic data would be totally prohibited” and “any investigation and prosecution of criminal offences would be de facto impossible”. It was “obvious” that this was not the legislature’s intention.

The first civil court of appeal of the OGH ruled differently last year: with reference to the relationship between data protection and copyright law, it concluded that the obligation to erase traffic data that was no longer needed for the purpose for which it had been stored, meant that it could not be used to identify people who had used file-sharing networks to commit offences (see IRIS 2009-9/7).