Joint and Several Liability for Unlawful Data Processing: Relieving the Claimant from Procedural Hurdles in an Action for Damages

Corte di giustizia, 5 Marzo 2024, causa C-755/21 P, Kočner c. Europol

La responsabilità in solido per trattamento illecito di dati personali: alleggerimento degli ostacoli processuali in un ricorso per risarcimento danni

La responsabilité solidaire pour un traitement illicite de données personnelles : allégement des obstacles procéduraux dans un recours en indemnité

Brief introductory remarks

The question whether the direct action for damages before the EU judicature can actually provide an effective remedy, considering the procedural hurdles that applicants may be faced with in this procedure, is a recurrent topic in the academic debate (see, inter alia, Hanf, 2018; Van Dam, 2013; Gutman, 2011; Biondi & Farley, 2009). In the case C-755/21 P, Kočner v Europol, the Court of Justice (hereinafter, ‘CJ’) recognised the joint and several liability of an EU agency, the European Union Agency for Law Enforcement Cooperation (hereinafter, ‘Europol’), and a Member State (hereinafter, ‘MS’), the Slovak Republic, for unlawful data processing. Most importantly, within the appeal procedure, the Court relieved the applicant from significant procedural hurdles and, more generally, contributed to strengthening the level of effective protection within the Union’s judicial architecture.

Under Articles 268 and 340 of Treaty on the Functioning of the European Union (hereinafter, ‘TFEU’) and Article 50(1) of Regulation (EU) n. 794/2016 of the European Parliament and of the Council of 11 May 2016 on the European Union Agency for Law Enforcement Cooperation (Europol), Mr Marián Kočner, a Slovak national subject to a criminal investigation conducted by the Slovakia’s National Criminal Agency with the support of Europol, sought to obtain compensation before the General Court (hereinafter, ‘GC’) for the non-material damage allegedly suffered, as a result of the processing of his personal data by Europol in breach of Article 7 of the EU Charter of Fundamental Rights (respect for private and family life). In its judgment delivered on September 29th 2021, the GC dismissed this direct action considering that the claims concerning the disclosure of the appellant’s personal data to the public (first head of claim) and his inclusion on the so-called ‘mafia list’ (second head of claim) were unfounded. Concerning, in particular, the disclosure of private information, the GC held that the appellant had not shown that the alleged damage was attributable to Europol (T-528/20, Kočner v. Europol). On March 5th 2024, in examining the appeal brought by Mr Kočner according to Article 56 of the Statute of the Court, the Grand Chamber of the Court set aside the judgment of the GC and ordered Europol to pay compensation for the non-material damage relating to the first head of claim (C-755/21 P, Kočner v. Europol).

This short note will first discuss the recognition by the Court of Justice of a system of joint and several liability for unlawful data processing under Regulation 2016/794, which is undoubtedly the main issue at stake. Two other procedural aspects permeate the Court’s reasoning and will be addressed in turn: the depth of Court’s review in the appeal procedure analysed against the principled distinction between facts and points of law, and the quantification method of the amount of the damage ordered by the Court.


Relieving the claimant from the burden of attributing conduct

Through a systematic and teleological reading of Regulation 2016/794 on Europol (in particular of its Article 50(1) on liability for incorrect personal data processing and the right to compensation and its recital 57 providing for the possibility to hold Europol and MS jointly and severally liable for unlawful data processing), the Court of Justice recognised a system of joint and several liability for the non-material damage caused by Europol and the Slovak Republic to the honour and reputation of the applicant, as a result of the disclosure of his intimate communications to unauthorised persons. According to the Court’s interpretation, this system is to be understood as a derogation to the general principles regulating the non-contractual liability of the Union under Article 340 TFEU: when the applicant is in doubt to whom the unlawful data processing is attributable, he or she can choose indiscriminately whether to bring an action against the concerned MS before its national courts according to domestic law, or against Europol before the Court of Justice under the second paragraph of Article 340 TFEU. Should a dispute arise between Europol and the concerned MS on the entity who is ultimately responsible for the compensation, it will then be for an extra-judicial mechanism, the Europol Management Board, to decide on the matter under Article 50(2) of Regulation 2016/794.

As clearly stated in the Opinion delivered by Advocate General Rantos (hereinafter, ‘AG’), this mechanism of joint and several liability is distinguished from the principle of concurrent (or joint) liability of the EU and a MS emanating from the 1960s case law of the Court (para 52 of the Opinion). According to this case law, the same damage caused by the concurrent action of the EU and its MS can be subject to two separate actions: one directed against the MS before national courts and one directed against the Union before the EU judicature. Yet, in this case law, the Court established that it can be necessary, in order to avoid under or overcompensating the claimant, to wait for the delivery of the national judgment on State liability before the Court can pronounce itself on the liability of the Union (the so-called ‘exhaustion rule’) (Joined Cases 5/66, 7/66, 13/66 to 16/66 and 18/66 to 24/66, Kampffmeyer and Others v. Commission). Compared to the system of joint liability, the Court’s interpretation of the mechanism of liability in solidum, established on the basis of Regulation 2016/794 on Europol, relieves the applicant from the burden of identifying the entity against which the action for damages may be brought. Showing that, while cooperating, Europol and a MS unlawfully processed personal data suffices to support the claim for damages, without the need to specify the attribution of conduct, or the liability share, of each involved actor, as this assessment will henceforth fall within the competence of the Europol Management Board. It is exactly on this point that the Court based its reasoning in establishing that the GC erred in law by not relieving the individual from the obligation to attribute the damage to Europol or the MS concerned, therefore vitiating the entirety of the GC’s rejection of the first head of claim.

If, on the one hand, this reasoning relieves the applicant from procedural hurdles, on the other hand, it does not exclude entirely the issue of attribution of conduct from the Court’s assessment. In fact, the attribution of conduct becomes (more) relevant for the examination on the merits of the case carried out by the Court, especially in the establishment of the causal link between the conduct violating the rule in question and the alleged damage.


The fine line between determination of facts and assessment on points of law

According to the Opinion delivered by AG Rantos, the case under appeal should have been referred back to the GC since a new factual assessment was necessary to examine whether the substantive conditions to trigger Europol’s non-contractual joint and several liability were fulfilled (para 103 of the Opinion). Noteworthily, in his submission, the appellant asked the Court to annul the judgment under appeal and to refer the case back to the GC, being aware of the importance of carrying a new factual assessment for the settlement of the dispute at hand. Yet, the Court resorted to its autonomous power to decide, according to Article 61(1), second sentence, of the Statute, to deliver its final judgment in the appeal procedure, without referring the case back to the GC. In its reasoning, the Court assessed the fulfilment of the substantive conditions of the Union’s non-contractual liability for the data processing in question. In doing so, it referred to the nature of the personal data processed (para 124 and para 130 of the judgment) as well as to the factual impact of the unlawful processing of the data for the situation of the applicant (para 133). The review exercised by the Court therefore aims at determining the legal effects that can be derived from the facts established by the GC itself (Naome, 2016; Torresan, 2024). In casu, such determination mainly concerned the impact of the disclosure of the applicant’s private conversations to the public on his family life and reputation.

While the Court does not wander into the forbidden territory of the establishment of facts and evidence, which rests within the GC’s exclusive jurisdiction (see C-14/19 P, CSUE v. KF, para. 103) – except in cases of distortion of the facts or evidence (see, inter alia, C-143/95 P, Commission v. Socurte and Others, para. 36), the delimitation line between the assessment of facts and the analysis in law, falling within the Court’s mandate (see, inter alia, C-318/90 P, Pitrone v. Commission, para. 12), becomes less sharp. While such a legal determination incidentally and naturally led to a marginal assessment of the facts, this was necessary to the ratio decidendi of the final judgment delivered by the Court, which cannot be read separately from its grounds (Joined Cases 97/86, 193/86, 99/86 and 215/86, Asteris and Others v. Commission, para. 27). In the interest of ensuring a uniform interpretation of Regulation 2016/794, and especially, of the disputed role of its recital (57), the Court takes the opportunity to engage with the analysis on the merits of the case considering it to be functional, if not necessary, to the operative part of the judgment: the recognition of the system of joint and several liability and the order to pay the damage suffered by the appellant.


Final observations

On the basis of this short analysis, it can be concluded that, according to the approach adopted by the Court in Kočner v Europol (C-755/21 P), the applicant is relieved from the procedural obstacle of attributing the (share of) conduct to Europol and the MS cooperating in the processing of personal data under a ‘two-stage liability mechanism’ (para 79 of the judgment) set up by Regulation 2016/794. In this system, direct actions can be brought indiscriminately before national or EU courts, with the further possibility for the Management Board of Europol to adjudicate on the entity having the ultimate responsibility to compensate. Essential to the recognition of such a system of joint and several liability are the grounds on which the Court based its reasoning. While the establishment of the evidence and appraisal thereof rest within the jurisdiction vested in the GC, the Court maintains a flexible approach by assessing the legal effects derived from the facts at stake and draws a blunt separation between analysis on points of facts and on points of law. Finally, considering that neither the Rules of Procedure nor the Court’s Statute provide for precise indications on the calculation method of damages, it would have been a more than welcome development if the Court had decided, in the interest of transparency of proceedings, to ascertain how the amount granted to the appellant in compensation had been calculated considering the general principles common to the MS (Article 340 TFEU).

By providing clarifications on the mechanism of joint and several liability for unlawful data processing under Regulation 2016/794, the Court of Justice added a building block to the ‘interlocking system of jurisdiction of the Community courts and the national courts’ (Lenaerts, 2007, p. 1625). While the Treaties and the provisions of Regulation 2016/749 do not expressly mention the notion of ‘joint and several liability’ (except for recital (57) of the Regulation), the Court gave a powerful impetus for the recognition of a mechanism of liability that gravitates around two fundamental axes: first, the relief of a notable procedural burden from the claimant’s shoulders (viz. the relief from attributing the conduct in question to the EU and/or MS); second, and more generally, its contribution to the correct interpretation of ‘the law’, within the meaning of Article 19 TEU, through a systematic and teleological interpretation of Regulation 2016/794. Such developments must be welcomed.

The situations in which the cooperation between the EU and its MS is hardly discernible in terms of attribution of conduct, especially from an applicant’s perspective, are manifold in the EU system. This raises the (open) question whether the developments commented above could serve as a source of inspiration for a consequent evolution, not only through the voie prétorienne, but also for the EU legislature to recognise and, eventually, establish similar ‘solidarity mechanism’ of liability in other fields of Union law beyond data processing.