The Digital Service’s Act Main Character: the EU Commission finally fines X

 

 

Steve Peers, Professor of Law, Royal Holloway University of London

Photo credit: Animated Heaven, via Wikimedia Commons

 

Introduction

The EU’s Digital Services Act (DSA) was conceived before Elon Musk bought Twitter (soon renaming it X); but they were literally born simultaneously, with the DSA being published in the EU’s Official Journal on the same day that Musk completed his takeover. Since then, Musk’s behaviour running X (see my review of a book on the takeover and the aftermath) has exemplified many of the reasons why the EU (and other jurisdictions) contemplated regulating social media in the first place: in particular arguments about the legality of its content and the fairness of its algorithms.

A Twitter user coined the phrase ‘today’s main character’ to describe a poster who becomes the centre of attention for a day – usually due to an absurd or obnoxious post that prompts many negative responses. For the DSA, X has been its main character since its creation, with much of the public debate about the potential use of the Act focussing on how it might apply to the controversial social network.

This debate has now come to a head. Last week, following its preliminary findings back in July 2024, the EU Commission adopted a final decision imposing a fine to enforce the DSA for the first time: €120 million for three breaches of the Act by X. This initial decision is likely to impact upon the broader debate over the Act’s implementation, and – due to Musk’s influence in the current Trump administration – also play a role in the fast-deteriorating relations between the EU and the US.

This blog post first provides an overview of the DSA, then examines the legal issues arising from this specific enforcement decision, and concludes with an assessment of the broader context of this decision: the enforcement of the DSA more generally, and the relations between the EU and the USA.

 

Background: overview of the Digital Services Act

Adoption of the DSA

Although the critics of the EU Commission fining X are quick to argue that the EU is undemocratic, EU legislation needs the support of elected Member State governments and elected Members of the European Parliament (MEPs) to be adopted. In fact, the Act received unanimous support from Member States and a large majority of MEPs.  

In any event, even without the Act, Member States would likely regulate social media – perhaps more quickly and more stringently than the EU has applied the Act in some cases. And even if the whole EU ceased to exist, as Elon Musk and Russian government mouthpieces demand, those countries would still be regulating Big Tech, with national equivalents of the Digital Markets Act and the GDPR, for instance. Indeed, despite leaving the EU, the UK has its own national versions of all three laws: the Online Safety Act, the Digital Markets, Competition and Consumers Act, and the UK GDPR, which sits alongside the Data (Use and Access) Act. While UK regulators may be famously timid about enforcing these laws, Australia – a long way from the EU – was not dissuaded from banning under-16 year olds from social media.

But until Musk and his sympathisers manage to destroy the EU, we have the DSA. It contains rules that govern online platforms generally, regardless of size, but its most prominent rules concern a special regulatory regime for the biggest platforms, defined as ‘very large online platforms’ (VLOPs) and ‘very large online search engines’ (VLOSEs), which subjects them to greater regulation. The Act gives the EU Commission power to designate such platforms and search engines (on the basis that 10% of the EU population visit them monthly) and to enforce the provisions of the DSA against them.

While some claim that the DSA was adopted only to punish US tech firms, the list of designated VLOPs and VLOSEs includes also Chinese companies (AliExpress, TikTok, Temu, Shein), EU companies (Booking.com, Zalando, and two porn sites), and a Canadian site, Pornhub. Overall, nearly half of the companies designated as operating VLOPs and VLOSEs are non-American (although some of the American companies operate more than one platform).

Content of the DSA

For VLOPs, enforcement of the DSA involves a number of measures, including requests for information, a start of an investigation into possible breach of the Act, a preliminary finding of a breach, and a final decision finding a breach – which can result in a fine (of up to 6% of worldwide annual turnover) and orders to change practices. A VLOP or VLOSE can also agree avoid a fine by agreeing binding commitments to change its practices with the Commission (in effect, a settlement) before it reaches a final decision. If a finding of breach is not complied with, the Commission can impose very high fines – up to 5% of worldwide annual turnover per day.

While many critics of X excitedly demand that the EU Commission ban it, the Act imposes a very high threshold before a ban can be imposed – essentially a refusal to remove illegal content, with additional safeguards including involvement of a court. The case law has not yet fleshed out the relationship between the DSA and Member States’ laws on overlapping issues, or clarified whether there can be private enforcement of the DSA (ie individuals challenging the VLOPs and VLOSEs in court for breach of the Act, rather than the Commission enforcing it) in parallel.

Substantively, the Act’s requirements on VLOPs and VLOSEs (in its Articles 33-43) start with risk assessment: they must ‘diligently identify, analyse and assess any systemic risks in the Union stemming from the design or functioning of their service and its related systems, including algorithmic systems, or from the use made of their services’. Systemic risks are further defined as including ‘dissemination of illegal content through their services’, ‘negative effects’ upon various human rights, ‘actual or foreseeable negative effects on civic discourse and electoral processes, and public security’, and ‘actual or foreseeable negative effects in relation to gender-based violence, the protection of public health and minors and serious negative consequences to the person’s physical and mental well-being’.  

Very large platforms and search engines are also obliged to (as further defined): mitigate these risks; comply with a decision requiring a response to a crisis; perform independent audits; offer a recommender system not based on profiling, at least as an option; make public a repository of advertising data; provide access to their data to researchers; explain their algorithms to regulators; establish independent compliance bodies; provide further public data on their operations; and pay an annual supervisory fee to the EU Commission.

The DSA in the EU courts

Even before the first fine was imposed to enforce the DSA last week, its application in practice has been frequently litigated. First of all, Amazon, Zalando and several porn sites have challenged their designation as VLOPs. Zalando lost its challenge in the EU General Court in September, but has appealed to the EU’s Court of Justice (appeal pending). More recently Amazon also lost its challenge in the EU General Court against designation as a VLOP, but it still has time to appeal that judgment to the Court of Justice (Amazon had won an interim measures ruling in this case – delaying its obligation to publish information about its advertisers – but that interim measure was overturned by the Court of Justice, following a successful appeal by the Commission).

The porn companies’ legal challenges to their designations as VLOPs are still pending (see the summary of the arguments made by Pornhub, XNXX and XVideos; a challenge by Stripchat is also still pending even though the Commission has dropped its designation as a VLOP); their applications for interim measures as regards publishing advertisers’ information have been dismissed (see the General Court orders re Pornhub and XVideos, and the failed appeals to the Court of Justice as regards Pornhub and XVideos).  

Of these cases, the recent Amazon judgment has broad implications for the DSA as a whole, considered further below.

Secondly, the Commission’s decisions on fees for regulation (for 2023) have also been challenged. These challenges were all successful in the EU General Court (see the judgments as regards Tiktok and Meta), although the Commission has appealed both the Tiktok and Meta judgments to the Court of Justice (appeals pending). In the meantime, Tiktok, Meta and Google have brought a further round of legal challenges (all still pending) to the regulation fees imposed for 2024.

We can also now expect X to challenge the enforcement decision against it. (If it also requests interim measures, at least that aspect of the case will be decided soon).

Other enforcement of the DSA

In addition to the new decision enforcing the DSA against X, other Commission enforcement actions under the DSA have been adopted or are pending against VLOPs. Leaving aside requests for information (such as the one recently sent to Shein as regards reports of sales of child-like sex dolls):

-          The Commission has accepted binding commitments from AliExpress on various issues, but at the same time also adopted a preliminary finding that its risk assessment as regards illegal products was insufficient;

-          It has opened proceedings against porn sites for inadequate protection of children;

-          It has adopted a preliminary finding that Meta (Facebook and Instagram) is in breach as regards researchers’ access to data, and as regards flagging illegal content and allowing for appeals against content moderation decisions; an investigation as regards deceptive advertising, political data, and misinformation on Meta is still underway; and

-          It has adopted a preliminary finding that Temu has breached the DSA as regards illegal products, and an investigation continues as regards other issues

Finally, the Commission has been particularly active as regards TikTok. It has accepted a commitment to suspend the ‘TikTok Lite’ programme, which was apparently designed to (further) encourage social media addiction by children, having used the threat of issuing an intention to impose interim measures under the DSA earlier on in this case. A new decision, following a preliminary finding, accepts further commitments regarding information on advertisers – also a great irritant to Amazon and the porn companies, as can be seen in the litigation summarised above, as well as an issue in the X case, discussed below. TikTok has deadlines to implement the various commitments it has made, and there are specific powers to monitor whether it is complying with them under the DSA. The Commission has also adopted a preliminary finding against TikTok as regards researchers’ access to data, and further investigations against Tiktok are still underway.

Overall, it can be seen that to date the majority of enforcement actions under the DSA have been initiated against companies that are not American. Also, to date all the offers of binding commitments that have been accepted, in place of fines and enforcement orders, have come from Chinese companies. The potential of negotiating binding commitments instead of an enforcement order is, however, open to a VLOP based anywhere.  

 

The non-compliance decision against X

What did the decision address?

First and foremost, the non-compliance decision against X only concerns certain issues, namely deceptive practices as regards X’s ‘blue ticks’,* researchers’ access to data, and the repository of advertisers. The Commission complaint about ‘blue ticks’ is that they are a ‘deceptive practice’ banned by the DSA (note that this rule applies to platforms generally, not just VLOPs), in that they purport to indicate that an account has been verified, when it has not been. Under Musk, X has earned revenue from the blue ticks by selling them to anyone willing to pay for them, although the sale of the ticks, and the monetisation programme (ie giving money to X users whose posts lead to large numbers of reactions) are apparently not the subject of the non-compliance decision as such. The preference given to blue ticks in the X algorithm is not the subject of the decision as such either.

(*Disclosure: I applied for and obtained a ‘blue tick’ from Twitter prior to Musk’s purchase, when a proper verification system applied. I did not pay for the tick under Musk, and it was initially removed as a result. However, it was reinstated involuntarily – not at my request, and without my paying for it, or monetising my posts – as part of a process of reducing the social opprobrium of having a blue tick under Musk, in which the ticks were reinstated for some accounts. I initially hid the reinstated tick, but the facility to do that was removed. It remains there today; I have not used X since August 2024, due to my objection to Musk encouraging violent racial conflict in the UK, except for a handful of posts encouraging others to leave the platform. I have retained my account there to reduce the risk of anyone impersonating me, which has happened several times.)

The Commission has not yet made a final decision – or even a preliminary finding – as regards other issues involved in its opening of proceedings against X, namely the dissemination of illegal content and the effectiveness of rules against disinformation.

How can the decision be enforced?

X now has 60 days to inform the Commission about measures it will take to enforce the non-compliance decision as regards blue ticks. It has 90 days to submit an action plan to address the other two issues, and the Commission must respond to the action plan two months after that. In the event of non-compliance with the decision, as noted above the DSA gives the Commission the power to impose much higher fines. The method of calculation of last week’s fine is not explained in the press release. (The non-compliance decision itself may explain the calculation, but like most DSA decisions of the Commission, it has unfortunately not been made public; Article 80 of the DSA requires the main content of this decision to be published though)

If X challenges the decision in the EU courts, it can request an interim measures ruling suspending all or part of the decision; the EU General Court will decide on that (subject to appeal to the Court of Justice), as it has done in several DSA cases already, as detailed above. The final judgment of the EU courts can annul the Commission’s non-compliance decision in whole or part, and the DSA (Article 81) gives the EU courts unlimited jurisdiction to cancel, increase or reduce the fine. As for the collection of the fine (and any further fines that might be imposed on X for continued breach of the DSA), Article 299 TFEU sets out the process of enforcing fines imposed by EU bodies; although if X removes all its assets from the EU to the US, it might try to prevent collection by using US law that blocks the enforcement of foreign judgments on ‘free speech’ grounds (perhaps the SPEECH Act, although that concerns defamation; other routes may be available, or fresh routes adopted in light of the Commission decision).

This brings us neatly to the question of whether the non-compliance decision is arguably invalid on ‘free speech’ (or other) grounds.

Is the decision legal?

What are the legal issues as regards last week’s non-compliance decision? As noted above, the recent judgment in the Amazon case addresses two of the issues in the non-compliance decision (advertising repositories and access to data), while also addressing broader criticisms of the Act, some of which may be relevant if X challenges the finding as regards ‘deceptive practices’, or takes this opportunity to challenge the legality of the Act more generally (as Amazon did when challenging the legality of its designation as a VLOP; on such challenges, see Article 277 TFEU).

Amazon’s legal challenge to its VLOP designation did not advance the obviously untenable argument that fewer than 10% of the EU population uses Amazon monthly (conversely, Zalando and the porn sites are arguing about the calculation of the numbers). Rather, Amazon argued that the entire system of special rules for VLOPs in the DSA was invalid, because it violated a number of human rights set out in the EU Charter of Fundamental Rights. All of these arguments were rejected by the EU General Court.

First of all, the Court rejected the argument that the VLOP regime breached the freedom to conduct a business (Article 16 of the Charter). In the Court’s view, although the regime interfered with the freedom to conduct a business, because it imposed significant costs on VLOPs and also had a considerable impact on their organisation or required complex technical solutions, that freedom was not absolute, and the interference with it was justified. According to Article 52(1) of the Charter, limitations on Charter rights have to be prescribed by law, have public interest objectives, respect the essence of the right and be proportionate. Here the limits were admittedly prescribed by law (being set out in the Act) and respected the essence of the right (as Amazon could still carry out its core business); Amazon instead argued mainly that the limits were disproportionate, as online shops did not present systemic risks, the objectives could be satisfied by less onerous means, and the costs were significant. However, the Court believed that there was a systemic risk of illegal content in online marketplaces; other means of designating VLOPs were not necessarily more proportionate; making advertising repositories open to the public was justified in the interests of consumer protection; and the arguments about economic impact made by Amazon as regards recommender systems, researchers’ access to data and advertiser repositories were unconvincing.

Secondly, Amazon’s argument that its right to property was infringed (Article 17 of the Charter) was dismissed at the outset, as it had not identified any of its property rights that were affected by the DSA: an administrative burden did not constitute interference with a property right. Thirdly, the Court rejected the argument that the VLOP regime breached the general right to equal treatment (Article 20 of the Charter), by treating larger companies differently from smaller ones, on the grounds that larger companies presented bigger risks.

Fourthly, Amazon’s arguments about freedom of expression (Article 11 of the Charter) were rejected too. This argument was only made as regards applying the DSA rules on recommender systems to Amazon. On this point, the Court reiterated that the Charter freedom of expression rules must be interpreted consistently with the freedom of expression set out in Article 10 of the European Convention on Human Rights (ECHR), referring also to the case law of the European Court of Human Rights (ECtHR). The Court did not see how the freedom of expression of third-party sellers might be affected by the DSA rules, but it accepted that Amazon’s freedom of expression was limited by having to offer a recommender system not based on profiling.

However, limitations of the right could be justified: the limitation here was prescribed by law; it did not affect the essence of the right (as Amazon could still offer a profiling-based recommender system as an option); it had an objective of general interest (consumer protection); and it was proportionate by only requiring the offer of one non-profiling based recommender system as an option – taking account of ECtHR case law that allows more interference with commercial expression than political expression.

Finally, Amazon complained about a breach of the right to privacy (Article 7 of the Charter). This was a remarkable thing for a company with a business model based on surveillance of its customers to argue about, but the Court considered its arguments seriously nonetheless. Again it followed the ECtHR case law on the corresponding rule (Article 8 ECHR), which states that businesses could invoke the right to privacy. Here the argument concerned the DSA rules on ad repositories and researchers’ access to data. Again the EU court agreed that the DSA interfered with the right, but ruled that it could be justified: it was prescribed by law, did not infringe the essence of the right, and complied with the principle of proportionality, particularly because of the limits built in to the obligations (for instance, no obligation to disclose the personal data of advertising recipients, or about the success of advertising; controls on which researchers can access the data).

How does this judgment (noting that Amazon could still appeal it to the Court of Justice) apply to a legal challenge that X might make to last week’s non-compliance decision? First of all, the judgment in principle disposes of many arguments that X might make about two aspects of the non-compliance decision, as regards ad repositories and researchers’ access to data – although X might try different arguments, or contend that the nuances of its case are different.

While the main US response to the EU Commission’s decision has been to claim that the EU is engaged in censorship, note that Amazon did not even argue that the DSA rules on ad repositories or researchers’ access to data infringed freedom of expression, and remember that X is only being investigated for the dissemination of illegal content and the effectiveness of rules against disinformation. Obviously a freedom of expression argument might be made in respect of those issues, but, as noted above, X has not been subjected to a final decision or even a preliminary finding in respect of them.

Furthermore, according to the Amazon judgment, a VLOP challenging a Commission decision under the DSA can only challenge the validity of those parts of the DSA that are the legal basis for the decision made against them: so X cannot, at this point, specifically attack the validity of the DSA rules on risk assessment or risk mitigation, since there is no decision that it has breached them yet.  X can attack the validity of the DSA system for VLOPs generally, which includes the rules on risk assessment and risk mitigation. Although Amazon has already tried this and failed, X might try to argue its case differently; but it looks like a long shot, given that a non-compliance decision is inherently more narrowly focussed than designation as a VLOP.

Another key point to remember in this debate is that, as the Amazon judgment confirms, the human rights standards applied by the EU courts are those of the EU Charter, interpreted (where relevant) in light of the corresponding ECHR rights, and the ECtHR case law on those rights. The ECHR approach to rights differs in some respects from that of the US courts, arguably providing greater protection for the right to privacy (although not enough for Amazon to win its arguments on this point), but lesser protection for the right to free speech (allowing more leeway for interference with the right). But that is the nature of doing business in another jurisdiction. US law may take the view that (hypothetical) X user ‘ZyklonB1488’, regularly posting ‘Next year in Auschwitz!’ at Jewish people, has the right to set out his stall in the marketplace of ideas. But other legal systems may legitimately take the view that he does not.

Applying this to the sole remaining issue in the Commission’s non-compliance decision – the deceptiveness of X’s blue tick system – this is not directly connected to the content of what blue tick holders (still less anyone else) may post on X. Any effect on freedom of expression of last week’s decision is therefore marginal – although again, free speech arguments would be stronger as regards future decisions the Commission might make in respect of X as regards other issues still under investigation (or Meta – subject to some broadly similar investigations, as summarised above), especially because ‘illegal content’ is the one breach of the DSA that might (subject to many conditions and safeguards) lead to a ban on the whole platform. And to the extent that the non-compliance decision on blue ticks does interfere with freedom of expression, there is a strong argument that the interference is justified both on the ground of consumer protection (cf the scams featuring impersonations of consumer advocate Martin Lewis) and (as Article 52 of the Charter also provides for) on the ground of ‘the need to protect the rights and freedoms of others’ (ie anyone being impersonated, including myself!).

 

Context: enforcing the DSA

Last week’s decision is a definitive sign that the Commission is willing to enforce the DSA, even to the extent of adopting non-compliance decisions. The world is full of ‘light-touch’ regulators – perhaps one of Britain’s more unappealing exports. Usually, the Commission is not seen as such; but its obvious stalling on taking a final decision regarding X, for 17 months since its provisional findings, may have given the impression that – on the DSA, at least – the lion had turned pussycat.

The non-compliance decision should be viewed alongside with the Amazon judgment, which it likely also takes account of. VLOPs now know not only that the Commission is willing to act to enforce the DSA, but also that the EU courts (subject to possible appeal) back up at least some key provisions of the Act. Also, the recent judgment may explain TikTok’s simultaneous willingness to agree on its compliance with the ad repository rules; and the Commission’s willingness (again) to accept commitments, combined with the recent judgment, shows VLOPs that it may be less hassle to negotiate commitments with the Commission, rather than embark upon court action that is unlikely to succeed.  The context also includes a dog that did not bark: the Commission did not propose any amendment to the DSA (or the Digital Markets Act) in its recent proposal for an ‘omnibus’ bonfire of some provisions of EU tech laws.

Having said that, it is striking that the Commission is moving forward on non-compliance decisions and preliminary findings other than on the issues relating more closely to content on social media networks (cf the ongoing investigations into Meta and X), which raise not only the more difficult legal issues (given their greater impact upon freedom of expression) but also have the greater political impact (given the subject-matter, and the closeness of both zillionaire owners to the US government). And this brings us nicely to the impact of the decision upon US/EU relations.  

 

Context: EU-USA relations

Coincidentally, the non-compliance decision was released the day after the US government published a foreign policy review that was intrinsically hostile to the EU, and hyperpartisan in its support of right wing populist parties in Member States. In that context, the decision against X is just a drop in the rapidly-widening Atlantic Ocean. Famously, US diplomat Dean Acheson was ‘present at the creation’ of the post-war alliance; the Trump administration’s goal seems to be to preside over its destruction.

Yet, as noted already, supporters of Trump are nevertheless enraged by the decision, despite its limited impact. Even though, as explained above, the DSA was approved by elected governments and MEPs, does not solely apply to US companies and is not solely enforced against US companies, and the recent decision has at best a marginal impact upon freedom of expression, the response is the same: “They’re eating our free speech!”

Of course, it’s hard to take concerns about free speech from the Trump administration seriously: these are folks who want to expel legal migrants for criticism of a foreign government, and whose leader, between naps, frequently insults and threatens journalists who are insufficiently North Korean in their adoration of him. If these people are genuine free speech defenders, then I’m Alexander Hamilton.

As hypocritical and inaccurate as the Trumpian reactions to the decision are, they were presumably anticipated by the Commission before it took its decision. Even if the EU courts rule in the Commission’s favour in the event of a legal challenge, its MAGA critics will likely remain just as irrational (“They’re eating the snails!”). Yet the Commission took the decision anyway.

The choice to go ahead with the decision regardless can be understood either as a calculated risk that the US will not punish the EU for it – at least no more than it was inclined to punish the EU anyway, for various other reasons – or that even if the US does punish the EU for the decision, it is worth exercising its regulatory powers anyway. Perhaps this is a response to the perception that the Commission had seemed unwilling to stand up to Trump to date. Or maybe the assumption is that Trump is unlikely to pay much attention to this matter for long, particularly if the EU can devise a way to distract him: something like a shiny gold award for ‘best European’, for ending the war between Narnia and Freedonia, may work.  

Whatever happens, the Commission’s decision was certainly a gamble, in the current context of fraught EU/US relations, with far broader trade and security issues at stake. Time will tell whether this assertion of regulatory strength is worth it in light of the reaction it may trigger.

 

EU General Court rules for the first time on financial consequences of alleged irregularities regarding a former member of the EU Court of Auditors

 

 

Alessandro Nato* and Camilla Ramotti**

 

*Associate Professor in European Union law, University of Teramo

**Postdoctoral Research Fellow in Administrative Law, Luiss Guido Carli, Rome

 

Photo credit: Cedric, via Wikimedia Commons

 

 

1.     Introduction

 

The role of EU institutions and officials in managing and protecting Union funds remains a relatively underexplored area within European legal scholarship. For this reason, the present post will address this specific issue, investigating case-law that evaluates how effectively EU institutions handle supranational public finances.

 

On September 11^th, 2024, in its Judgment in Case T-386/19, CQ v Court of Auditors, the General Court of the European Union partially annulled a decision concerning CQ, a former Member of the European Court of Auditors (ECA).

 

The dispute arose from an action brought by CQ against the ECA on June 24^th, 2019, in which the applicant requested, in essence, that the Court: (i) declare the action admissible and well-founded; (ii) annul the decision of the Secretary General of the Court of Auditors of April 11^th, 2019, which classified the sum of € 153,407.58 as an undue payment and order the recovery of that amount, plus interest at a rate of 3.5% from May 31^st, 2019.

 

CQ had served as a Member of the Court of Auditors from March 1^st, 2006 until April 30^th, 2018, completing two terms of office. Prior to his appointment, CQ had held various political roles in the Kingdom of Belgium dating back to the 1980s. During his tenure at the Court, he was assigned to the section responsible for auditing EU expenditure related to external relations, enlargement, and humanitarian aid.

 

In 2016, the Court of Auditors received information regarding several serious irregularities allegedly committed by CQ, who was informed of these allegations in July 2016, which he has consistently denied.

 

In October 2016, the Secretary-General of the Court of Auditors referred the matter to the European Anti-Fraud Office (OLAF), concerning activities by CQ that had led to potential undue expenditure being charged to the EU budget. OLAF subsequently decided to initiate an investigation and, in March 2017, the Director-General of OLAF formally notified the President of the Court of Auditors of the opening of an investigation into potential irregularities involving CQ. These included allegations of misuse of the Court's resources, breaches of applicable rules concerning official missions, and matters affecting the financial interests of the Union.

 

Following several exchanges of information and documents between OLAF and CQ, the Court of Auditors received OLAF’s final report, which concluded that CQ had misappropriated resources of the Court in connection with activities unrelated to his official duties. The report found that CQ had improperly used fuel cards, misused the insurance policy for his official vehicle, been absent from work without justification, failed to declare external activities, disclosed confidential information, and been involved in a conflict of interest.

 

Meanwhile, the Court of Auditors had sought to recover the full contested sum of over €157,000 for the irregularities attributed to CQ. CQ paid this amount but simultaneously lodged an action before the General Court of the European Union seeking the annulment of the recovery decision and compensation for non-material damage allegedly suffered.

 

 

2.              The protection of Eu’s financial interests

 

In Case T-386/19 (for further comments, see EU Law Live Blog and BETKONEXT Newsletter n. 2/2024) the General Court found that the OLAF investigation had not uncovered evidence of all the alleged irregularities. The Court also concluded that the ECA’s decision to recover the sums in question was sufficiently reasoned and well-founded.

 

On the merits, the General Court held that although five years had elapsed between the facts in question and the establishment of the financial entitlements, the majority of the claims were not time-barred, as the ECA could only have identified the relevant sums after OLAF’s investigation was concluded.

 

Moreover, in relation to the allegations concerning breaches of procedural safeguards, the Court found that it could not be excluded that the applicant had been afforded a sufficient opportunity to be heard on the relevant elements, even those he could not comment on prior to OLAF’s report. Given the absence of any new or concrete evidence to the contrary, and the applicant’s ability to raise such matters during the written stage of the proceedings, the plea was rejected as unfounded.

 

The Court further determined that a significant proportion of CQ’s meetings with politicians were unrelated to his duties as a Member of the Court of Auditors, rendering the expenses associated with those meetings irregular. However, finding that certain claims were time-barred and that certain mission and representation expenses, along with costs related to CQ’s driver, were legitimate, the Court annulled part of the recovery decision.

 

Ultimately, the General Court set aside certain aspects of the ECA’s recovery decision.

 

It ruled that several claims were indeed time-barred and that some of the mission and representation expenses, as well as driver-related costs, were valid. Consequently, the General Court partially annulled the ECA’s decision, reducing the contested amount by €19,254.20, while rejecting most of CQ’s claims.

 

Regarding CQ’s claim for compensation, the General Court held that there was insufficient evidence to establish that the ECA’s actions caused direct damage to his reputation or that it was responsible for the unauthorized disclosure of information.

 

 

3.              Damage compensation

 

In the CQ case at hand, the plaintiff sought compensation of 50,000 euros, claiming that he had suffered serious damage to his career and reputation from the dissemination of information related to an OLAF investigation. According to him, the ECA had violated the presumption of innocence by disseminating elements suggesting his responsibility before he was formally informed. He disputes that the report was forwarded to third parties (members of the Court and Parliament) before him, and that the press was able to publish its contents as early as July 11, 2018. On the same day, the Court issued an internal briefing note, according to the appellant, reinforcing the perception of guilt.

 

The criticism levelled at the Court of Auditors was thus twofold: on the one hand, there would have been an active tortious behavior - the disclosure of information not yet known to the person concerned, in a context that suggested liability; on the other hand, an omission - the failure to activate an internal investigation to identify the source of the leak. The Court responded by first raising a plea of inadmissibility on grounds of procedural defect, holding that the claim for compensation could not be brought in the context of an action for annulment (Article 263 TFEU), but only through an autonomous action based on Articles 268 and 340 TFEU.

 

However, the same Court later recognized that, in principle, it is possible to cumulate claims for annulment and compensation within the same proceeding, provided certain formal requirements are met. In this case, however, it was held that the plaintiff had not adequately substantiated, from the outset, the grounds for the Union’s non-contractual liability.

 

On the merits of the case, the Court rejected allegations of infringement of the presumption of innocence and the principle of good administration, finding that the internal communication of July 11, 2018, was after the publication of the news by the press, which occurred as a result of a leak from an anonymous source.

 

However, this reconstruction raises several questions. The fact that the Court reacted with communications directed within the institution, even after the newspaper article came out, does not rule out the possibility that these communications contributed to consolidating a negative portrayal of the plaintiff. The strongest objection relates precisely to the principle of impartiality: even in the presence of a leak that cannot be attributed to the administration, the latter remains bound to prudent and neutral management of information, particularly when the person concerned has not yet been put in a position to formally know the acts that concern him or her. The principle of good administration requires not only transparency and timeliness, but also balance in communication, especially when it affects personal rights.

 

The Court also dismissed the failure to launch an internal inquiry, citing no obligation to do so. Yet, even without a binding rule, confidentiality and administrative accountability could justify such action. In a rule-of-law framework, institutional inaction can also entail liability. Furthermore, the Court rejected the claim for failing to establish wrongful conduct — the first condition for non-contractual liability — making examination of damage and causality unnecessary. Legally consistent, this outcome nonetheless raises doubts about the actual protection of fundamental rights and principles in EU administrative action.

 

 

4.              Concluding remarks 

 

The CQ v. Court of Auditors case is a significant test in assessing the effectiveness of judicial protection with respect to the protection of the Union’s financial interests. The case highlights a latent tension between two fundamental requirements: on the one hand, the need to respect the procedural guarantees of the person involved; on the other, the imperative to effectively protect the integrity of the EU budget.

 

In this delicate balance, the ruling ends up downplaying the proactive role and responsibility that institutions should assume in preventing and dealing with irregularities. The fact that CQ’s conduct resulted in a misuse of public funds that was not contested in substance, but only partially acknowledged for procedural reasons, raises questions about the level of diligence and control exercised by the European institution.

 

However, this case law cannot be viewed in isolation. On 28 April 2025, the Official Journal of the European Union published a summary of an action for annulment brought by the European Public Prosecutor’s Office (EPPO) before the Court of Justice (case T-99/25, lodged on 10 February 2025) pursuant to Article 263(4) TFEU. In that action, the EPPO challenges the decision adopted by the European Court of Auditors on 9 December 2024, denying the authorization to hear certain staff members as witnesses in an ongoing criminal investigation into alleged wrongdoing within the same institution. The investigation, launched at the end of 2022 following a report from the European Anti-Fraud Office (OLAF), concerns facts that potentially constitute offences affecting the financial interests of the Union.

 

According to the EPPO, the repeated refusal by the Court of Auditors to cooperate—first by denying access to its electronic archives, then by refusing to lift immunity and finally by preventing witnesses from testifying—has obstructed the investigation and hindered the EPPO’s ability to determine whether the allegations should lead to prosecution. Under the EU Staff Regulations, authorization from the institution is required for staff members to testify about matters known to them in the exercise of their duties. However, as clarified by the Court of Justice, such authorization may only be withheld in cases where the Union’s “interest of considerable importance and vital to the Union” is at stake. The EPPO argues that this condition clearly does not apply in the present case.

 

Taken together, these two cases—one dealing with individual financial responsibility, the other with institutional resistance to judicial cooperation—reveal a deeper tension within the EU legal and governance system: the challenge of ensuring both personal accountability and institutional transparency in the management and protection of EU public funds. On the one hand, the EU seeks to recover unduly paid amounts from former members of its institutions; on the other, it encounters systemic obstacles when a key institution refuses to cooperate with its own prosecutorial authority.

 

This duality exposes a structural concern. When an EU institution can, in effect, block a criminal investigation by withholding key testimonies, it undermines the very logic of interinstitutional checks and the role of the EPPO as an independent prosecutorial body. Such conduct raises fundamental questions about the coherence of the EU’s system for protecting the rule of law and financial integrity. More broadly, it calls into question whether the principle of sincere cooperation—enshrined in Article 13(2) TEU—is being fully respected when institutional interests are perceived to outweigh those of justice and public accountability.

 

In conclusion, the CQ v. Court of Auditors case and the EPPO’s appeal in T-99/25 highlight the growing need for a systematic reflection on how to ensure both individual and institutional accountability within the EU legal framework. At a time when the Union is managing unprecedented levels of public expenditure—particularly through instruments such as Next Generation EU—it is essential to ensure that mechanisms for oversight, enforcement, and judicial cooperation are not only available in theory, but fully operational and unobstructed in practice. A deeper and more critical exploration of these legal and institutional dynamics—across academia, jurisprudence, and policymaking—is not merely advisable: it is imperative. In a context where EU funds are increasingly significant and politically sensitive (i.e. Next Generation EU), opaque management by officials can undermine public trust and the effectiveness of the protection of the Union’s financial interests.

 

 

Misreading the Temporary Protection Directive? The CJEU sets the record straight on access to subsidiary protection in Framholm (C-195/25)

 

Dr Meltem Ineli Ciger, Associate Professor of International Law, Suleyman Demirel University

 

Photo credit: Dietmar Rabich, Münster, Stadtweinhaus, Beflaggung Ukraine und EU -- 2022 -- 0219, CC BY-SA 4.0

Framholm (C-195/25), delivered on 20 November 2025, is the Court of Justice’s third ruling interpreting the Temporary Protection Directive (Council Directive 2001/55/EC, TPD) following Joined Cases C‑244/24 and C‑290/24 (Kaduna) (cf. analysis here), and Case C‑753/23 (Krasiliva) (cf. analysis here). The ruling provides further clarification of Articles 3, 17 and 19 of the TPD and, crucially, confirms that temporary protection does not exclude access to subsidiary protection, ie the type of international protection available for those who do not qualify for refugee status. It therefore marks an important step in aligning the TPD, an instrument drafted in 2001, with the contemporary Common European Asylum System (CEAS).

The reference for a preliminary ruling to the Court of Justice originated in Sweden, where several third-country nationals displaced from Ukraine were granted temporary protection and subsequently applied for subsidiary protection. For years, the Swedish Migration Agency (Migrationsverket) had maintained a practice of automatically rejecting subsidiary protection applications lodged by temporary protection beneficiaries, without any examination on the merits. It interpreted Swedish law as allowing temporary protection beneficiaries to apply only for refugee status and treated all subsidiary protection applications as per se inadmissible. Faced with this restrictive and legally questionable approach, the Göteborg Administrative Court for Immigration Matters asked the CJEU whether EU law really permits a Member State to deny access to subsidiary protection solely because the applicant already enjoys temporary protection. The Court’s answer is unequivocal: No.

1.    What is the case about?

 On 11 March 2025, the Göteborg Administrative Court for Immigration Matters referred questions to the CJEU concerning whether beneficiaries of temporary protection may apply for subsidiary protection under the Qualification Directive (or QD – which defines refugee and subsidiary protection status in the EU) and have that application examined on the merits. All applicants (a Nigerian national holding a permanent residence permit in Ukraine and his Ukrainian family members) had been displaced from Ukraine following the Russian invasion and were granted temporary protection in Sweden. When they applied for international protection, the Migration Agency rejected their refugee status applications but declared their subsidiary protection claims inadmissible solely because they already held temporary protection. No assessment of eligibility under Article 15 of the QD (ie the definition of subsidiary protection) was undertaken. The referring court rightly doubted whether such a blanket exclusion could be reconciled with the development of EU asylum law since 2001, which clearly conceptualises “international protection” as including both refugee status and subsidiary protection. (cf. The Judgment paras 28-37)

2.     The questions referred to and the Court’s short answers

The Göteborg Court referred four questions to the CJEU (OJ C/2025/2651, 19 May 2025), all centred on how temporary protection interacts with the CEAS:

1.    Do the QD and the Asylum Procedures Directive 2013/32/EU (APD) apply to international protection applications lodged by persons already benefiting from temporary protection under the TPD? Yes.

2.    a) Does the term “application for asylum” in Articles 17(1) and 19(2) of the TPD cover applications for both refugee status and subsidiary protection, and must such applications be examined under the QD and APD? Yes.
b) Does Article 3(1) of the TPD prevent Member States from recognising subsidiary protection for persons who are eligible for, or already enjoying, temporary protection? No.

3.    If Articles 17(1) and 19(2) of the TPD also cover the right to apply for subsidiary protection status under the QD, are those articles, in conjunction with Article 10(2) of APD, sufficiently clear and precise to have direct effect?  Yes, and kind of yes (the Court said the QD and APD provisions have direct effect, but did not say that the TPD provisions alone have direct effect)

4.    Is Swedish law, which allows temporary protection beneficiaries to apply only for refugee status (but not subsidiary protection), compatible with EU law? No.

3.    What are Articles 3, 17 and 19 of the TPD about?

Article 3(1) of the TPD makes clear that temporary protection does not prejudge refugee status under the Refugee Convention. It is not a derogation from the Refugee Convention, nor does the grant or expiry of temporary protection affect the substantive assessment of whether an applicant meets the refugee definition.  

Article 17 of the TPD guarantees that beneficiaries of temporary protection may lodge an asylum application at any time and provides that any applications still pending when temporary protection ends must be assessed and decided hereafter.

Article 19 of the TPD regulates the interaction between temporary protection and the asylum procedure: Article 19(1) allows Member States to decide that a person cannot simultaneously hold the status of “asylum seeker” and benefit from temporary protection while their asylum application is being examined. Whereas Article 19(2) ensures continuity of protection: if, after examining an asylum application, the authorities do not grant refugee status or another form of protection, the person must still be allowed to enjoy temporary protection for the rest of the designated duration. (Cf. for a detailed commentary on these articles Skordas’ chapter; Peers’ post; Ch. 5 of my book)

4.    The AG Opinion (which I fully agree with)

The Advocate General’s analysis is worth examining closely, not least because it is carefully constructed and has clear implications for how the TPD must be read today. His reasoning develops along five points.

First, AG interprets Article 17(1) TPD’s reference to an “application for asylum” as an application for international protection, encompassing both refugee status and subsidiary protection. Although the TPD predates the CEAS, it must now be read in light of Article 78(2) TFEU, which is a Treaty provision on asylum (AG Opinion, paras 49-58). He adds “A restrictive understanding of the term ‘asylum’ in Article 17(1) of Directive 2001/55 would fail to take into account the context in which that directive applies following the entry into force of the FEU Treaty, as well as the objectives and scope of the legislation concerning ‘international protection’ which has been adopted in the intervening period.”  (para 50)  

Secondly, the AG stresses that temporary protection does not suspend or exclude access to subsidiary protection. Beneficiaries of temporary protection may lodge applications for refugee or subsidiary protection “at any time,” and the TPD operates as a complement, not an alternative, to the individual assessment required under the Qualification Directive (AG Opinion, paras 43-45, 51-52, 59-61, 66).

Thirdly, he confirms that being a temporary protection beneficiary is not a lawful ground of inadmissibility or exclusion. The exhaustive lists in Articles 12 and 17 of the QD (on grounds for excluding people from refugee or subsidiary protection status) and Article 33(2) APD (grounds for inadmissibility of asylum applications) do not include temporary protection, and national authorities cannot refuse subsidiary protection applications on that basis (AG Opinion, paras 70-72, 78-81).

Fourthly, he accepts that Member States may postpone examination of international protection applications in mass influx situations but makes clear that this administrative flexibility cannot justify a blanket inadmissibility rule for all subsidiary protection applications lodged by temporary protection beneficiaries (AG Opinion, paras 73-80, especially 7-78, 86).

Finally, he concludes that Article 17(1) TPD (not Article 19), read together with the overall CEAS architecture, confers a sufficiently clear and directly effective right to lodge an application for international protection.  

5.    What did the Court say?

The Court’s reasoning proceeds in three clear steps.

First, the Court explains that nothing in Articles 3, 17 or 19 TPD authorises Member States to refuse to examine a subsidiary protection claim simply because the applicant enjoys temporary protection (paras 45-46). Article 19(2) even anticipates the existence of “other kinds of protection,” which must be read today as encompassing subsidiary protection (para 46). The omission of subsidiary protection in the TPD text reflects only the fact that this status did not yet exist in EU law, a point that AG raised. (paras 46-47).

Secondly, the Court turns to the purpose and logic of the TPD. Temporary protection is designed to ensure immediate, time-limited protection while preserving the “effective possibility” of receiving international protection (paras 47–49). Here the Court explicitly follows its reasoning in Joined Cases C‑244/24 and C‑290/24 (Kaduna), where it held that “the purpose of the temporary protection mechanism is, inter alia, to maintain the efficient operation of the international protection system in the Member States” and that the TPD “safeguards, in particular, the effective possibility for third-country nationals and stateless persons benefiting from temporary protection" of obtaining international protection following an appropriate examination of their individual situation” (Kaduna, paras 125 and 127). A national rule excluding subsidiary protection applications as such would therefore contradict the very objective of the TPD (paras 49–50).

Thirdly, and most decisively, the Court relies on the architecture of the CEAS. It emphasises that the QD establishes two forms of international protection – namely, refugee status and subsidiary protection – and that Member States must grant whichever status an applicant qualifies for (paras 51–54). Member States have no discretion to refuse subsidiary protection except on the exclusion grounds exhaustively listed in the Qualification Directive (para 54). The Asylum Procedures Directive reinforces this: an application may be declared inadmissible only on the five grounds set out in Article 33(2) APD, which must be interpreted strictly (paras 58–60). Temporary protection is not among these grounds; national authorities, therefore, cannot reject a subsidiary protection application solely because the applicant enjoys temporary protection (para 61).

Finally, the Court addresses the direct-effect question. The Swedish court had essentially asked whether Articles 17(1) and 19(2) of the TPD, if interpreted as including the right to apply for subsidiary protection, are sufficiently clear and precise, read together with Article 10(2) of the APD, to have direct effect. The CJEU reformulates the issue. Rather than grounding the direct effect in the TPD itself, the Court bases it on two CEAS provisions: Article 18 of the QD, which imposes an unconditional duty to grant subsidiary protection when criteria are met, and Article 33 of the APD, which exhaustively lists the admissibility grounds (paras 71-72). These provisions are both unconditional and sufficiently precise, and thus confer directly effective rights. The consequence is clear: if a national rule conflicts with these obligations and cannot be interpreted in conformity with EU law, domestic courts must disapply the national provision (para 73).

That said, the Court’s approach leaves an important ambiguity unresolved. The referring court had explicitly asked whether Articles 17(1) and 19(2) of the TPD, read together with Article 10(2) APD (which governs the relationship between refugee and subsidiary protection status applications), were sufficiently clear and precise to have direct effect. Instead of answering that question squarely, the Court effectively sidesteps it by grounding direct effect not in the TPD at all, but in Article 18 QD and Article 33 APD. Put simply, the judgment does not tell us whether Articles 17(1) and 19(2) of the TPD are capable of producing direct effect. 

6.    My analysis

The AG’s Opinion and the Court’s judgment reach the same legal outcome, but they do so through markedly different interpretative routes. The Advocate General adopts a more TPD-centred approach, grounding his analysis in Articles 3, 17 and 19 of the TPD and then interpreting these provisions in light of later CEAS instruments. He reads “asylum application” in Article 17 as an application for international protection covering both refugee status and subsidiary protection, emphasises that temporary protection cannot suspend or exclude access to subsidiary protection, and rejects temporary protection as a lawful ground of inadmissibility because it does not appear in the exhaustive list in Article 33(2) of the APD. Although he accepts that Member States may postpone international protection application examinations in mass influx situations, he stresses that a blanket ban on subsidiary protection applications is incompatible with the TPD and the CEAS.

By contrast, the Court relies primarily on the Qualification Directive and the Asylum Procedures Directive, using the CEAS instruments themselves as the main foundation for each key step. It interprets “asylum application” in light of the QD and APD definitions of international protection, derives the duty to grant protection from Article 18 of the QD and the obligation to examine claims (and the limits on inadmissibility) from Articles 10(2) and 33 APD, and treats Article 33(2) of the APD as an exhaustive rule that excludes any TP-based inadmissibility ground (paras 58-60). On the direct effect, the Court bases its analysis on Article 18 of the QD and Article 33 of the APD (paras 70-73), whereas the AG reaches the same conclusion via a combined reading of Article 17 of the TPD with the CEAS provisions.

Compared to the AG’s Opinion, which engages more directly with the wording, structure and logic of the TPD, the Court reaches essentially the same conclusions but grounds its reasoning far more firmly in the QD and APD. Put differently, while the AG reads the TPD through the lens of the CEAS, the Court treats the CEAS instruments themselves as the primary legal basis for explaining why Member States cannot refuse to examine (and, where appropriate, must grant) subsidiary protection to temporary protection beneficiaries.

I must admit that I prefer the AG’s TPD-centred approach: it is more faithful to the architecture of the TPD, and does not treat the TPD as a second-rate asylum instrument because it has never been updated to reflect two decades of CEAS development.

The outcome of the judgment is fully in line with what many of us working on the TPD have long expected. The TPD was never intended to operate as an obstacle to accessing international protection, whether refugee status or subsidiary protection. For over a decade, “international protection” in EU law has included both statuses, and nothing in the Directive suggested a closed or self-standing regime intended to override the CEAS.

The central logic of the TPD has always been pragmatic: to give Member States facing a mass influx breathing space by allowing them to suspend the processing (not lodging) of asylum claims where their systems would otherwise be overwhelmed. It was and never has been designed to bar access to subsidiary protection altogether. Member States with fewer temporary protection beneficiaries, or with sufficiently strong asylum systems, remain entirely free to process claims during temporary protection and examine the merits of their international protection applications.

Interpreting the TPD in the restrictive and literal manner adopted by the Swedish administration, treating “asylum” in the TPD as excluding subsidiary protection and ignoring the subsequent development of EU asylum law, was therefore misguided. It runs counter to the TPD’s objectives, its underlying logic, and the entire evolution of the CEAS. Most importantly, it results in a clear violation of the rights of temporary protection beneficiaries to access international protection.

This judgment matters well beyond Sweden. Even if Sweden appears to be the only Member State to have openly applied such a blanket rule, Framholm makes clear that no Member State may treat temporary protection alone as a ground for declaring subsidiary protection applications inadmissible. Across the EU, temporary protection can never justify a blanket refusal to examine the merits of a subsidiary protection claim.

7.    Conclusion

Framholm matters because it definitively closes the door on any national attempt to use temporary protection as a barrier to subsidiary protection. The judgment also exposes a broader structural problem: the Temporary Protection Directive, drafted in 2001, simply do not reflect the legal architecture of the CEAS in 2025. This is visible not only in Sweden’s misinterpretation but also in the Court’s need to rely so heavily on the QD and APD to reach a decision rather than the TPD’s own articles.

This brings me to a point that, as far as I am aware, no one else has explicitly raised: we know that the TPD remains useful and conceptually sound as a framework for managing mass influx situations, contrary to the Commission’s initial 2020 proposal to repeal it. Temporary protection works. It has proven its value during the Ukrainian displacement and remains a necessary instrument in the EU’s protection toolbox. Even today, 4.3 million non-EU citizens who fled Ukraine have temporary protection status in the EU. Moreover, the adoption of the Crisis and Force Majeure Regulation does not render the TPD unnecessary or obsolete: the two instruments, although they can be invoked in exceptional mass influx situations, operate on different logics. In my opinion, the Crisis and Force Majeure Regulation, which is based on derogations more than anything, cannot fully substitute for the protection mechanism established by the TPD.

Despite the usefulness of the ongoing relevance of the TPD, the judgment also implicitly makes clear that the TPD urgently requires updating. Many of the problematic national practices stem precisely from the fact, highlighted by the AG, that the TPD is an old instrument, never recast and never aligned with two decades of CEAS development. The result is predictable: legal ambiguities that should no longer exist, and litigation over issues that should be obvious.

I wish to conclude with a call to the EU institutions, above all, to the Commission. Once the current temporary protection regime for Ukrainians comes to an end, the Commission should initiate a targeted revision of the TPD, drawing directly on the lessons of its implementation during the mass displacement from Ukraine and the emerging body of CJEU case law, including Kaduna, Krasiliva and Framholm. An updated TPD can significantly narrow the scope for misinterpretation, perhaps introduce a new and clear time limit, align the instrument with the contemporary CEAS architecture, and prevent further unnecessary litigation on matters that ought already to be legally settled.