Wednesday 1 November 2023

Europol’s Joint and Several Liability Regime: Revolutionizing EU Fundamental Rights Responsibility?


Dr Joyce de Coninck, University of Ghent




The Europol Regulation introduces a system of joint and several EU liability for unlawful data processing in violation of Articles 7 and 8 of the Charter of Fundamental Rights. This nascent EU liability regime lies at the heart of the dispute in the Marián Kočner v Europol saga, and much like the recent WS and others v Frontex case before the General Court, highlights the urgency for clarification on joint responsibility for human rights violations as a result of shared conduct between the EU’s operational agencies and the EU Member States.


One of the drivers prompting this need for clarification relates to the increased cooperation between the EU’s operational agencies on the one hand and EU Member States on the other hand, in achieving common objectives. While Frontex is increasingly endowed with (executive) powers in the EU’s Integrated Border Management (see here, here and here), Europol is endowed with increased powers regarding the processing of large datasets, the screening of foreign direct investment in security-related cases and the acquisition of data from private companies in dealing with terrorist or child abuse material. These enhanced powers result in a multiplicity of public and private actors working together in achieving common goals, where previously such tasks fell within the exclusive purview of the Member States.


The ‘crowding of the operational field’, referred to by Gkliati and McAdam as the ‘many hands’ problem, reveals a significant disconnect between the EU’s contemporary liability regime on the one hand, and the application of this liability regime in practice to situations of joint conduct that give rise to human rights harms on the other hand. In other words, the EU’s liability regime was not legally designed to accommodate questions of joint responsibility for human rights harms flowing from concerted conduct by the EU institutions, bodies, offices and agencies and the EU Member States. The incompatibility – or rather, unsuitability – of the EU’s human rights regime in dealing with joint conduct, features on two distinct levels, and on both levels, a driving force behind the unsuitability is one of legal design.


On the one hand, historical accounts of the constitutionalization of fundamental rights in the EU, giving rise to the Charter of Fundamental Rights in particular, explain that this process was by and large the result of constitutional concerns over EU fundamental rights protection by domestic courts. In other words, this exercise of constitutionalization came about in reaction to constitutional objections by Member States regarding the level of protection of fundamental rights provided under the EU’s chapeau. An unintended consequence of this development appears to be that the drafters of the Charter did not necessarily consider joint and inseparable operational conduct by EU entities and the EU Member States. In turn, and as predicted by Weiler, it did not bring the added clarity to how the state-centric Charter rights – many of which were inspired by and textually almost identical to state-centric international human rights treaties – would translate into enforceable negative and positive human rights obligations that give flesh to the bones of these human rights commitments. In other words, the mere fact that EU entities are bound by fundamental rights in the Charter, does not relay much on how the EU must conduct itself in order to comply with these rights, as I have discussed at length elsewhere (here, here and here).


On the other hand, the EU’s liability regime also was not legally designed to respond to questions of responsibility-allocation flowing from unlawful joint conduct giving rise to human rights harms. This is textually and historically supported, as the EU’s action for damages falls within the exclusive purview of the CJEU (Article 268 in juncto 340 TFEU) and case law has set out rules proclaiming that national courts shall be seized where damages are the result of the incorrect or correct implementation by Member States of EU legislative acts (for a general discussion, see here). In other words, the EU’s action for damages was not developed to consider joint non-contractual responsibility and the conditions for liability subsequently developed through the CJEU’s case law were also not developed with such liability in mind.


However, the increased reliance on inseparable and operational cooperation between EU entities and its Members giving rise to fundamental rights harms, brings to the fore a new dimension of liability that was not foreseen in either the normative human rights developments giving rise to the Charter, nor the liability regime that currently exists within the EU’s framework. Yet it is precisely this question of joint liability that sits at the heart of the case of Marián Kočner v Europol currently pending before the CJEU and the accompanying opinion by Advocate General Rantos as developed and discussed in what follows.


The Case


In 2018 Marián Kočner was being investigated by the Slovak criminal authorities within the context of a murder investigation. The investigation resulted in the domestic authorities taking possession of two mobile phones and a USB drive belonging to the Applicant, which were subsequently handed over to Europol at the request of the domestic authorities in October 2018. Several months later, Europol returned the mobile phones and the USB drive to the Slovak authorities, along with relevant scientific reports concerning their contents, as well as a hard drive with encrypted data derived from the mobile phones. The contents of the mobile phones and USB drive – transcripts of intimate conversations involving the applicant and his girlfriend, as well as the inclusion of his name on the ‘mafia lists’ – were subsequently leaked in large quantities and made public by the press. On the basis of these leaks the Applicant claimed compensation from Europol for non-material damage stemming from unlawful data processing, underscoring that the leaks by the press violated his right to a private and family life as protected under Article 7 CFR.


In the subsequent action for damages on the basis of Article 268 and Article 340 TFEU, the General Court dismissed the Applicant’s claims (Kočner v Europol T-528/20) holding that no causal link could be established between Europol’s conduct and the purported damages stemming from the data made public from the mobile phones, and that the Applicant had not provided any evidence demonstrating that the ‘mafia lists’ had been drawn up by Europol.


In his appeal, the Applicant asks the Court of Justice to set aside the General Court’s ruling on the basis of six points of law. For the purpose of the current contribution however, the focus will be on the argument raised by the Applicant concerning the nature of the EU’s liability. Specifically, the Applicant argues that the General Court erred in law for having disregarded Europol’s liability in light of recital 57 of the Europol Regulation related to joint and several liability. In other words, this claim by the Applicant juxtaposes the concept of ‘joint and several liability’ with the notion of joint responsibility more generally, contending that the implications of these different approaches to responsibility may have yielded a different outcome in the case. According to the Applicant, the fact that the General Court did not consider Europol’s liability through the standard of ‘joint and several liability’ constitutes an error depriving recital 57 of the Europol Regulation of any significance.


The arguments advanced by the Applicant provide the Court of Justice with the first-ever opportunity to rule on the scope and implications of the concept of joint and several liability of Europol, which – given the marginal case law on joint responsibility for human rights harms more generally – could prove very instructive in clarifying the conditions of joint responsibility and the manner in which such responsibility should be allocated between the EU and the Member States.


The Opinion


After dismissing an admissibility objection by Europol, Advocate General Rantos identifies six grounds of appeal, of which four relate to the question of whether unlawful data processing occurred by Europol. The remaining two points of appeal concern the nature of Europol’s liability and the concept of ‘joint and several liability’ specifically.


The question of the nature of Europol’s responsibility essentially revolves around recital 57 and Article 50 of the Europol Regulation. As aforementioned, recital 57 introduces the concept of joint and several liability where it may “…be unclear for the individual concerned whether damage suffered as a result of unlawful data processing is a consequence of action by Europol or by a Member State”. This provision covers only liability issues relating to unlawful data processing and only insofar as it is unclear to which party the (unlawful) data processing should be attributed, whereas the preceding recital 56 recalls that for all other questions of non-contractual liability, the EU’s general liability rules – as articulated in the CJEU’s Bergaderm ruling – apply.


Chapter 7 of the Europol Regulation covers remedies and liability, and Article 50 specifically addresses liability stemming from unlawful data processing. This provision holds in its first paragraph that anyone having suffered damage from unlawful data processing will be entitled to receive compensation from either Europol in line with the general liability rules of Article 340 TFEU, or from the Member State in which the unlawful data processing occurred in accordance with its domestic law. The second paragraph (Article 50(2)) holds that where a dispute arises concerning the ultimate responsibility for compensation, the Management Board of Europol shall decide by a two-thirds majority who bears the burden of ultimate responsibility for compensation. Grosso modo the relevant recitals appear to refer to modalities of responsibility allocation between Europol and the implicated Member States, whereas Article 50 is concerned with the ensuing obligation of compensation insofar as responsibility has effectively been established.


AG Rantos begins his opinion on the nature of the EU’s liability by pointing out that while the relevant recitals do introduce a solidarity-based responsibility mechanism, this is not mentioned explicitly in its operative counterpart. In fact, the absence of any explicit reference to joint and several liability in Article 50 led the General Court to the conclusion that liability in accordance with the general rules on liability embedded in Article 340 TFEU, could not be causally established.


After recalling the conditions to establish EU liability generally (para 34 – 35), AG Rantos addresses the question of the nature of Europol’s liability in a threefold manner, recalling that a provision of EU law must be interpreted mindful of its wording (1), the context in which it was drafted (2), and its objective and purpose (3), which may be inferred from its legislative history and through comparative interpretation.


Contrary to Europol, AG Rantos concedes that the wording of the relevant recitals (which appear to introduce new modalities of joint responsibility under EU law), and the wording of Article 50 (which neglects any reference to joint and several liability and refers only to compensation) is not unambiguous. To this end, he underscores that the reference to joint and several liability in recital 57 suggests concurrent liability for Europol and the Member States, whereas Article 50 literally suggests responsibility for compensation as being a responsibility of either the Member State or Europol. Similarly, the generic reference to non-contractual EU liability in Article 340 TFEU, which is to be considered in line with the general principles common in the laws of the Member States, leaves room for interpretation.


As concerns the context of the contested provisions, the AG notes that while recitals have no legally binding force as such, they nevertheless function as an indicator of the intent of the legislator. In casu, the intent of the legislator was to favor the aggrieved parties and eliminate any questions of attribution. The AG concludes that this is not in conflict with Article 50, following which the latter must be interpreted in light of recital 57 and the concept of joint and several liability.


Finally, the objectives of recital 57 of the Europol Regulation may be discerned through its legislative history and a comparative interpretation of its meaning in light of general principles common to the Member States. Here, the AG recalls that the concept of ‘joint and several liability’ had been introduced in the very first Commission proposal and had been included among others to limit the difficulties encountered by aggrieved parties in attributing unlawful processing to either the Member States or the EU. Furthermore, a comparative analysis of this concept reveals that Member States make use of this mode of liability in cases where attribution of unlawful conduct may be hard to establish. The Advocate General concludes that suspending the procedure before EU courts while the concomitant domestic procedure against the Member State is pending – as typically occurs for questions of joint responsibility – would deprive Article 50 interpreted through recital 57 of any significance. It flows from this that concurrent proceedings would thus be possible. 



The case deals with a situation of ‘many hands’ cooperation involving a Member State which gives rise to a question of unlawful data processing, arguably falling within the ambit of Articles 7 (respect for private and family life) and 8 (protection of personal data) of the Charter. Flowing from this, the Applicant argues that Europol should be held responsible under the rules of joint and several liability, whereas Europol contends that this should be assessed under the standard rules of joint responsibility which are derived from the Bergaderm ruling. In essence, this is a question of whether the lex generalis applies or instead, whether a lex specialis applies. As aforementioned, the Advocate General recommends that the case be re-examined by the General Court, in light of the (underdeveloped) rules on joint and several liability, whereby he concurs with the Applicant that it is unclear to which party the conduct should be attributed.


The Francovich and Brasserie du Pêcheur judgments spell out the conditions for Member State liability under EU law, whereas the Bergaderm judgment spells out the conditions for non-contractual responsibility of the EU institutions. These conditions require that for responsibility to arise, there must be a (sufficiently serious) breach of EU law that causally gives rise to damage. In certain cases, the CJEU will also demand that the conduct must be attributable to the EU actor under scrutiny.


These rules apply to responsibility and joint responsibility between the EU and its Member States generally, but importantly do not prejudice more tailored, specific or alternative rules on (joint) liability. An alternative, bifurcated approach to liability exists in the realm of EU data processing. On the one hand, there are the data-processing specific rules for Member State liability embedded in the GDPR. On the other hand, there are specific liability rules for data processing applicable to EU institutions, bodies, offices and agencies as embedded in the Data Protection Law Enforcement Directive, as well as the Data Processing by the EU Institutions and Bodies Regulation. These data processing-specific rules apply, unless there are more specific rules that have been developed, which is the case for processing of operational data by Europol (Article 2(3) Data Processing by the EU Institutions and Bodies Regulation). In other words, more specific rules have been developed for situations involving processing of data for Europol. Accordingly, when it is clear to which actor (the Member State or Europol) unlawful data processing should be attributed, the regular rules on liability apply, in accordance with the domestic regime for Member State liability and in accordance with the action for damages concerning Europol’s liability (Article 50(1) Europol Regulation). However, when attribution is not clear, joint and several liability applies (recital 57 in juncto Article 50(2) Europol Regulation), leaving it to the Management Board to decide in case of conflict who bears the ultimate responsibility to provide compensation for the inflicted harm (Article 50(2) Europol Regulation).


Juxtaposing Joint Liability and Joint and Several Liability


This approach appears to give rise to procedural efficiency from the perspective of the Applicant and appears to relax the Bergaderm conditions for EU responsibility to arise. 


Choosing the Judicial Forum


The objective of the joint and several liability mechanism is to ensure that the Applicant’s rights are safeguarded. This means that unlike the system of joint EU-Member State responsibility, the domestic court will not necessarily be the primary forum to establish responsibility and the ensuing burden of reparations. Instead, the aggrieved individual could go through either the domestic legal system or the EU’s action for damages to have responsibility established. Upon conclusion of the legal procedures and once the Applicant has been awarded damages, these actors could subsequently settle any dispute on the duty to provide reparations in a subsequent procedure within the Management Board of Europol, the decision of which could also be subject to legal scrutiny under the annulment procedure. Under this mechanism, the Applicant bears a much lighter burden in choosing the appropriate judicial venue and is not constrained by which actor will be able to provide reparations. Instead, reparations (in case of responsibility) will be the default from the perspective of the Applicant.


Attribution and Causation Revisited


The system of joint and several liability suggests that as soon as a situation implicates both Europol and a Member State, and the questionable conduct cannot be definitely attributed to either entity, the requirement of attribution becomes obsolete, as the conduct will be considered attributable to both in full. Interestingly, by relaxing the requirement to establish attribution, the condition of causation will arguably also be relaxed. It is important to recall that while attribution links a particular line of conduct to an actor, causality links that actor to the damage. Relaxing the rules of attribution under the joint and several liability regime and doing away with the requirement to definitively attribute conduct to one or the other, ipso facto entails that the requirement of causality as it currently is being applied, can never be met. Causation under general EU liability law demands that there is an uninterrupted relationship between the unlawful conduct by a certain actor, giving rise to damage. Yet, in the absence of an obligation to attribute to either the Member State or the EU, the unlawful data processing will be considered attributable to both. If the unlawful conduct is considered attributable to both, it is then unclear how this impacts the causality requirement, which demands that the chain of causation linking the damage to the unlawful conduct by a particular actor, be uninterrupted by intervening acts.


Lingering Questions for the EU Courts


In light of the limited case law on EU (joint) responsibility generally, a number of questions remain unaddressed, including by Advocate General Rantos.




A first small but pervasive question that demands further clarification concerns when Article 50 read in light of recital 57 of the Europol Regulation is triggered. The presumption appears to be that it is straightforward to distinguish between scenarios in which attribution can be definitively established, and situations in which it is unclear to which entity the unlawful data processing should be attributed. Yet, to date no clear standard of attribution can be definitely discerned under the general system of EU liability. In fact, practice by the EU institutions internally, in international relations, and across different EU policy fields, suggests that the rule of attribution differs significantly in a rather haphazard manner. This is complicated by the absence of a common legal forum to settle responsibility questions implicating the EU and Member States in unlawful data processing. The applied attribution rules under domestic regimes may very well differ from attribution rules under the EU’s liability regime for example, and to date, it is not clear which attribution rules should prevail, much less how this impacts whether Europol’s joint and several liability mechanism is triggered. Arguably, the absence of a coherent and clarified approach to attribution under EU law means that it will be easier for Applicants to trigger joint and several liability under the Europol Regulation. However, this remains to be seen, and is as always, dependent on the applicable burden, standard and method of proof required to show that it’s unclear to which actor the unlawful data processing should be attributed.


Joint and Several Liability Beyond Data Processing


The question of human rights liability for violations occurring at the hands of operational EU agencies has gained much traction in recent years. The currently pending actions for damages against Frontex prompt the question whether a – CJEU clarified – system of joint and several liability may be a way forward. Anyone who has attended a conference or workshop involving Frontex representatives has undoubtedly been confronted with the scripted answer to questions of human rights responsibility: ‘Frontex is not responsible for such actions – Frontex merely coordinates Member State actions’. Leaving aside the veracity of this response, it is undisputed that the current regime of liability allocation has resulted in much blame shifting at the expense of individual rights. Conversely, the system of joint and several liability introduced by the Europol Regulation may very well be a way to circumvent this type of blame-shifting and safeguard the rights of the individual, while ensuring that the burden of reparation is not circumvented by one at the expense of the other. A well-developed system of joint and several liability could thus fulfill both a remedial function – namely to protect the Applicants’ fundamental rights – as well as a deterrence function. By increasing the likelihood of legal responsibility through more relaxed rules on attribution and causation, EU institutions, bodies, offices and agencies may be disincentivized to resort to ‘many hands’ to circumvent responsibility claims in implementing their policies, or at least be incentivized to clarify their own rules on (human rights) responsibility allocation. Of course, I write this knowing full well that it is precisely these institutions that prefer to continue operating in the ‘many hands’ murkiness and that clarified rules on responsibility will receive political push-back and may disincentivize operational agencies from providing support in tackling transnational issues.
Yet, once every so often, a unicorn-like development surfaces in the field of EU human rights responsibility, as evidenced by the joint and several liability mechanism in this case. Who knows – maybe this same unicorn will resurface in the EU’s responsibility acquis more generally? In any event, I await the CJEU’s perspective on this matter eagerly.  
