Dr Joyce de Coninck, University
of Ghent
Introduction
The Europol Regulation introduces
a system of joint and several EU liability for unlawful data processing in
violation of Article 7 and 8 of the Charter of Fundamental Rights. This nascent
EU liability regime features at the heart of the dispute in the Marián
Kočner v Europol saga, and much like the recent WS
and others v Frontex case before the General Court, highlights the urgency
for clarification on joint responsibility for human rights violations as a
result of shared conduct between the EU’s operational agencies and the EU
Member States.
One of the drivers prompting this
need for clarification, relates to the increased cooperation between the EU’s
operational agencies on the one hand, with EU Member States on the other hand,
in achieving common objectives. While Frontex is increasingly endowed with
(executive) powers in the EU’s Integrated Border Management (see here,
here
and here),
Europol is endowed with increased
powers regarding the processing of large datasets, the screening of foreign
direct investment in security-related cases and the acquisition of data from
private companies in dealing with terrorist or child abuse material. These
enhanced powers result in a multiplicity of public and private actors working
together in achieving common goals, where previously such tasks fell within the
exclusive purview of the Member States.
The ‘crowding of the operational
field’, referred to by Gkliati
and McAdam as the ‘many hands’ problem, reveals a significant disconnect
between the EU’s contemporary liability regime on the one hand, and the
application of this liability regime in practice to situations of joint conduct
that give rise to human rights harms on the other hand. In other words, the EU’s
liability regime was not legally designed to accommodate questions of joint responsibility
for human rights harms flowing from concerted conduct by the EU institutions,
bodies, offices and agencies and the EU Member States. The incompatibility – or
rather, unsuitability – of the EU’s human rights regime in dealing with joint
conduct, features on two distinct levels, and on both levels, a driving force
behind the unsuitability is one of legal design.
On the one hand, historical
accounts of the constitutionalization of fundamental rights in the EU, giving
rise to the Charter of Fundamental Rights in particular, explain that this
process was by and large the result of constitutional concerns over EU
fundamental rights protection by domestic courts. In other words, this exercise
of constitutionalization came about in reaction to constitutional objections by
Member States regarding the level of protection of fundamental rights provided
under the EU’s chapeau. An unintended consequence of this development appears
to be that the drafters of the Charter did not necessarily consider joint and
inseparable operational conduct by EU entities and the EU Member States. In
turn, and as predicted by Weiler,
it did not bring the added clarity to how the state-centric Charter rights –
many of which were inspired by and textually almost identical to state-centric
international human rights treaties – would translate into enforceable negative
and positive human rights obligations that give flesh to the bones of these
human rights commitments. In other words, the mere fact that EU entities are
bound by fundamental rights in the Charter, does not relay much on how the EU
must conduct itself in order to comply with these rights, as I have discussed
at length elsewhere (here,
here
and here).
On the other hand, the EU’s
liability regime also was not legally designed to respond to questions of
responsibility-allocation flowing from unlawful joint conduct giving rise to
human rights harms. This is textually and historically supported, as the EU’s
action for damages falls within the exclusive purview of the CJEU (Article 268 in
juncto 340 TFEU) and case law has set out rules proclaiming that national
courts shall be seized where damages are the result of the incorrect
or correct
implementation by Member States of EU legislative acts (for a general
discussion, see here).
In other words, the EU’s action for damages was not developed to consider joint
non-contractual responsibility and the conditions for liability subsequently
developed through the CJEU’s case law were also not developed with such
liability in mind.
However, the increased reliance
on inseparable and operational cooperation between EU entities and its Members
giving rise to fundamental rights harms, brings to the fore a new dimension of
liability that was not foreseen in either the normative human rights
developments giving rise to the Charter, nor the liability regime that
currently exists within the EU’s framework. Yet it is precisely this question
of joint liability that sits at the heart of the case of Marián
Kočner v Europol currently pending before the CJEU and the accompanying opinion
by Advocate General Rantos as developed and discussed in what follows.
The Case
In 2018 Marián Kočner was being
investigated by the Slovak criminal authorities within the context of a murder
investigation. The investigation resulted in the domestic authorities taking
possessing of two mobile phones and a USB drive belonging to the Applicant,
which were subsequently handed over to Europol at the request of the domestic
authorities in October 2018. Several months later, Europol returned the mobile
phones and the USB-drive along with relevant scientific reports concerning its
contents, as well as a hard-drive with encrypted data derived from the mobile
phones to the Slovak authorities. The contents of the mobile phones and USB
drive – transcripts of intimate conversations involving the applicant and his
girlfriend, as well as the inclusion of his name on the ‘mafia lists’ – were
subsequently leaked in large quantities and made public by the press. On the
basis of these leaks the Applicant claimed compensation from Europol for
non-material damage stemming from unlawful data processing, underscoring that
the leaks by the press violated his right to a private and family life as
protected under Article 7 CFR.
In the subsequent action for
damages on the basis of Article 268 and Article 340 TFEU, the General Court
dismissed the Applicant’s claims (Kočner v Europol T-528/20) holding that no
causal link could be established between Europol’s conduct and the purported
damages stemming from the data made public from the mobile phones, and that the
Applicant had not provided any evidence demonstrating that the ‘mafia lists’
had been drawn up by Europol.
In his appeal, the Applicant asks
the Court of Justice to set aside the General Court’s ruling on the basis of
six points of law. For the purpose of the current contribution however, the
focus will be on the argument raised by the Applicant concerning the nature of
the EU’s liability. Specifically, the Applicant argues that the General Court
erred in law for having disregarded Europol’s liability in light of recital 57
of the Europol Regulation related to joint and several liability. In other
words, this claim by the Applicant juxtaposes the concept of ‘joint and several
liability’ with the notion of joint responsibility more generally, contending
that the implications of these different approaches to responsibility may have
yielded a different outcome in the case. According to the Applicant, the fact
that the General Court did not consider Europol’s liability through the
standard of ‘joint and several liability’ constitutes an error depriving
recital 57 of the Europol Regulation of any significance.
The arguments advanced by the
Applicant provide the Court of Justice with the first-ever opportunity to rule
on the scope and implications of the concept of joint and several liability of
Europol, which – given the marginal case law on joint responsibility for human
rights harms more generally – could prove very instructive in clarifying the
conditions of joint responsibility and the manner in which such responsibility
should be allocated between the EU and the Member States.
The Opinion
After dismissing an admissibility
objection by Europol, Advocate General Rantos identifies six grounds of appeal,
of which four relate to the question of whether unlawful data processing occurred
by Europol. The remaining two points of appeal concern the nature of Europol’s
liability and the concept of ‘joint and several liability’ specifically.
The question of the nature of
Europol’s responsibility essentially revolves around recital 57 and Article 50
of the Europol Regulation. As aforementioned, recital 57 introduces the concept
of joint and several liability where it may “…be unclear for the individual
concerned whether damage suffered as a result of unlawful data processing is a
consequence of action by Europol or by a Member State”. This provision
covers only liability issues relating to unlawful data processing and only
insofar it is unclear to which party the (unlawful) data processing should be
attributed, whereas the preceding recital 56 recalls that for all other
questions of non-contractual liability, the EU’s general liability rules – as
articulated in the CJEU’s Bergaderm ruling – apply.
Chapter 7 of the Europol
Regulation covers remedies and liability and Article 50 specifically, addresses
liability stemming from unlawful data processing. This provision holds in its
first paragraph that anyone having suffered damage from unlawful data processing
will be entitled to receive compensation from either Europol in line with the
general liability rules of article 340 TFEU, or from the Member State in which
the unlawful data processing occurred in accordance with its domestic law. The
second paragraph (Article 50(2)) holds that where a dispute arises concerning
the ultimate responsibility for compensation, the Management Board of Europol
shall decide by a two-thirds majority who bears the burden of ultimate
responsibility for compensation. Grosso modo the relevant recitals appear to refer
to modalities of responsibility allocation between Europol and the implicated
Member States, whereas Article 50 is concerned with the ensuing obligation of
compensation insofar responsibility has effectively been established.
AG Rantos begins his opinion on
the nature of the EU’s liability by pointing out that while the relevant
recitals do introduce a solidarity-based responsibility mechanism, this is not mentioned
explicitly in its operative counterpart. In fact, the absence of any explicit
reference to joint and several liability in Article 50 led the General Court to
the conclusion that liability in accordance with the general rules on liability
embedded in Article 340 TFEU, could not be causally established.
After recalling the conditions to
establish EU liability generally (para 34 – 35), AG Rantos addresses the
question of the nature of Europol’s liability in a threefold manner, recalling
that a provision of EU law must be interpreted mindful of its wording (1), the
context in which it was drafted (2), and its objective and purpose (3), which
may be inferred from its legislative history and through comparative
interpretation.
Contrary to Europol, AG Rantos
concedes that the wording of the relevant recitals (which appear to introduce
new modalities of joint responsibility under EU law), and the wording of the
Article 50 (which neglects any reference to joint and several liability and
refers only to compensation) is not unambiguous. To this end, he underscores
that the reference to joint and several liability in recital 57 suggests
concurrent liability for Europol and the Member States, whereas Article 50
literally suggests responsibility for compensation as being a responsibility of
either the Member State or Europol. Similarly, the generic reference to
non-contractual EU liability in Article 340 TFEU, which is to be considered in
line with the general principles common in the laws of the Member States,
leaves room for interpretation.
As concerns the context of the
contested provisions, the AG notes that while recitals have no legally binding
force as such, they nevertheless function as an indicator of the intent of the
legislator. In casu, the intent of the legislator was to favor the aggrieved
parties and eliminate any questions of attribution. The AG concludes that this
is not in conflict with Article 50, following which the latter must be
interpreted in light of recital 57 and the concept of joint and several
liability.
Finally, the objectives of recital
57 of the Europol Regulation may be discerned through its legislative history
and a comparative interpretation of its meaning in light of general principles
common to the Member States. Here, the AG recalls that the concept of ‘joint
and several liability’ had been introduced in the very first Commission
proposal and had been included among others to limit the difficulties
encountered by aggrieved parties in attributing unlawful processing to either
the Member States or the EU. Furthermore, a comparative analysis of this
concept reveals that Member States make use of this mode of liability in cases
where attribution of unlawful conduct may be hard to establish. The Advocate
General concludes that suspending the procedure before EU courts while the
concomitant domestic procedure against the Member State is pending – as
typically occurs for questions of joint responsibility – would deprive Article
50 interpreted through recital 57 of any significance. It flows from this that
concurrent proceedings would thus be possible.
Analysis
The case deals with a situation
of ‘many hands’ cooperation involving a Member State which gives rise to a
question of unlawful data processing, arguably falling within the ambit of
Article 7 (respect for private and family life) and 8 (protection of personal
data) of the Charter. Flowing from this, the Applicant argues that Europol
should be held responsible under the rules of joint and several liability,
whereas Europol contends that this should be assessed under the standard rules
of joint responsibility which are derived from the Bergaderm ruling. In
essence, this is a question of whether the lex generalis applies or instead,
whether a lex specialis applies. As aforementioned, the Advocate General
recommends that the case be re-examined by the General Court, in light of the
(underdeveloped) rules on joint and several liability, whereby he concurs with
the Applicant that it is unclear to which party the conduct should be
attributed.
The Francovich and Brasserie du
Pêcheur judgments, spell out the conditions for Member State liability under EU
law, whereas the Bergaderm judgment spells out the conditions for
non-contractual responsibility of the EU institutions. These conditions require
that for responsibility to arise, there must be a (sufficiently serious) breach
of EU law, that causally gives rise to damage. In certain cases, the CJEU will
also demand that the conduct must be attributable to the EU actor under
scrutiny.
These rules apply to
responsibility and joint responsibility between the EU and its Member States
generally, but importantly do not prejudice more tailored, specific or
alternative rules on (joint) liability. An alternative, bifurcated approach to
liability exists in the realm of EU data processing. On the one hand, there are
the data-processing specific rules for Member State liability embedded in the GDPR.
On the other hand, there are specific liability rules for data processing
applicable to EU institutions, bodies, offices and agencies as embedded in the Data
Protection Law Enforcement Directive, as well as the Data
Processing by the EU Institutions and Bodies Regulation. These data
processing-specific rules apply, unless there are more specific rules that have
been developed, which is the case for processing of operational data by Europol
(Article 2(3) Data Processing by the EU Institutions and Bodies Regulation). In
other words, more specific rules have been developed for situations involving
processing of data for Europol. Accordingly, when it is clear to which actor
(the Member State or Europol) unlawful data processing should be attributed,
the regular rules on liability apply, in accordance with the domestic regime
for Member State liability and in accordance with the action for damages
concerning Europol’s liability (Article 50(1) Europol Regulation). However,
when attribution is not clear, joint and several liability applies (recital 57 in
juncto Article 50(2) Europol Regulation), leaving it to the Management Board to
decide in case of conflict who bears the ultimate responsibility to provide
compensation for the inflicted harm (Article 50(2) Europol Regulation).
Juxtaposing Joint Liability
and Joint and Several Liability
This approach appears to give
rise to procedural efficiency from the perspective of the Applicant and appears
to relax the Bergaderm conditions for EU responsibility to arise.
Choosing the Judicial Forum
The objective of the joint and
several liability mechanism is to ensure that the Applicant’s rights are
safeguarded. This means that unlike the system of joint EU-Member State responsibility,
the domestic court will not necessarily be the primary forum to establish
responsibility and the ensuing burden of reparations. Instead, the aggrieved
individual could go through either the domestic legal system or the EU’s action
for damages to have responsibility established. Upon conclusion of the legal
procedures and once the Applicant has been awarded damages, these actors could
subsequently settle any dispute on the duty to provide reparations in a
subsequent procedure within the Management Board of Europol, the decision of
which could also be subject to legal scrutiny under the annulment procedure.
Under this mechanism, the Applicant enjoys a much lesser of a burden in
choosing the appropriate judicial venue and is not constrained by which actor
will be able to provide reparations. Instead, reparations (in case of
responsibility) will be the default from the perspective of the Applicant.
Attribution and Causation
Revisited
The system of joint and several liability suggests that as soon as a
situation implicates both Europol and a Member State, and the questionable
conduct cannot be definitely attributed to either entity, the requirement of
attribution becomes obsolete, as the conduct will be considered attributable to
both in full. Interestingly, by relaxing the requirement to establish
attribution, the condition of causation will arguably also be relaxed. It is
important to recall that while attribution links a particular line of conduct
to an actor, causality links that actor to the damage. Relaxing the rules of
attribution under the joint and several liability regime and doing away with
the requirement to definitively attribute conduct to one or the other, ipso
facto entails that the requirement of causality as it currently is being
applied, can never be met. Causation under general EU liability law demands
that there is an uninterrupted relationship between the unlawful conduct by a
certain actor, giving rise to damage. Yet, in the absence of an obligation to
attribute to either the Member State or the EU, the unlawful data processing
will be considered attributable to both. If the unlawful conduct is considered
attributable to both, it is then unclear how this impacts the causality requirement,
which demands that the chain of causation linking the damage to the unlawful
conduct by a particular actor, be uninterrupted by intervening acts.
Lingering Questions for the EU
Courts
In light of the limited case law
on EU (joint) responsibility generally, a number of questions remain
unaddressed including by Advocate General Rantos either.
Attribution
A first small but pervasive
question that demands further clarification concerns when Article 50 read in
light of recital 57 of the Europol Regulation is triggered. The presumption
appears to be that it is straightforward to distinguish between scenarios in
which attribution can be definitively established, and situations in which it
is unclear to which entity the unlawful data processing should be attributed.
Yet, to date no clear standard of attribution can be definitely discerned under
the general system of EU liability. In fact, practice by the EU institutions
internally, in international relations, and across different EU policy fields,
suggests that the rule of attribution differs significantly in a rather
haphazard manner. This is complicated by the absence of a common legal forum to
settle responsibility questions implicating the EU and Member States in
unlawful data processing. The applied attribution rules under domestic regimes
may very well differ from attribution rules under the EU’s liability regime for
example, and to date, it is not clear which attribution rules should prevail,
much less how this impacts whether Europol’s joint and several liability
mechanism is triggered. Arguably, the absence of a coherent and clarified
approach to attribution under EU law means that it will be easier for
Applicants to trigger joint and several liability under the Europol Regulation.
However, this remains to be seen, and is as always, dependent on the applicable
burden, standard and method of proof required to show that it’s unclear to
which actor the unlawful data processing should be attributed.
Joint and Several Liability
Beyond Data Processing
The question of human rights
liability for violations occurring at the hands of operational EU agencies has
gained much traction in recent years. The current pending actions for damages
against Frontex prompt the question whether a – CJEU clarified – system of
joint and several liability may be a way forward. Anyone who has attended a
conference or workshop involving Frontex representatives, has undoubtedly been
confronted with the scripted answer to questions of human rights
responsibility: ‘Frontex is not responsible for such actions – Frontex merely
coordinates Member State actions’. Leaving aside the veracity of this response,
it is undisputed the current regime of liability allocation has resulted in
much blame shifting at the expense of individual rights. Conversely, the system
of joint and several liability introduced by the Europol Regulation may very
well be a way to circumvent this type of blame-shifting, safeguard the rights
of the individual while ensuring that the burden of reparation is not
circumvented by one at the expense of the other. A well-developed system of
joint and several liability could thus fulfill both a remedial function –
namely to protect the Applicants’ fundamental rights, as well as a deterrence
function. By increasing the likelihood of legal responsibility through more relaxed
rules on attribution and causation, EU institutions, bodies, offices and
agencies may be disincentivized to resort to ‘many hands’ to circumvent
responsibility claims in implementing their policies, or at least be
incentivized to clarify their own rules on (human rights) responsibility
allocation. Of course, I write this knowing full well that it is precisely
these institutions that prefer to continue operating in the ‘many hands’
murkiness and that clarified rules on responsibility will receive political
push-back and may disincentivize operational agencies from providing support in
tackling transnational issues. Yet, once every so often, a unicorn-like
development surfaces in the field of EU human rights responsibility, as
evidenced by the joint and several liability mechanism in this case. Who knows
– maybe this same unicorn will resurface in the EU’s responsibility acquis more
generally? In any event, I await the CJEU’s perspective on this matter
eagerly.
No comments:
Post a Comment