The Supreme Court has ruled that it is legal for the authorities to use specialised software to identify the IP addresses of people who distribute images of child sexual abuse on the internet.

It also ruled that internet service providers can retain IP addresses of all internet users, finding that an IP address in and of itself does not constitute a user’s personal data, as it technically belongs not to the user, but to the service provider.

As such, the police have the right to demand IP data from an internet service provider if a court warrant is secured.

In its decision, the Supreme Court wrote that “the opposite approach would entail a real risk of systemic impunity, not only for criminal offences which infringe on intellectual property rights or related rights, but also for other types of criminal offences committed on the internet”.

The case had been brought by a suspect who had been arrested on suspicion of distributing images of child sexual abuse.

The suspect had allegedly been found to have had in his possession files depicting child sexual abuse, which he had made available for distribution between September 2022 and January this year.

An examination of his IP address revealed that it belonged to a Cypriot internet service provider, and after the police secured a warrant to mandate the disclosure of the user’s information, it was possible for the police to identify him.

The suspect had requested that the warrant be annulled, claiming that the revealing of his details via his IP address is unlawful.

The legal service had argued in the case that one’s IP address is not personal data, and that the retention of it does not run contrary to any local or European Union laws relating to data protection or privacy.