The General Court of the European Union upholds the Data Privacy Framework

 

 

Dr Samira Allioui, Research fellow, Centre d'études internationales et européennes, Université de Strasbourg

Photo credit: Ibrahim Rustanov, via Wikimedia Commons

French Member of Parliament Philippe Latombe, who also sits on the board of the French data protection authority, the Commission Nationale de l’Informatique et des Libertés, brought an action, in his personal capacity, in the General Court of the European Union calling for the annulment of the Data Privacy Framework. On Wednesday, September 3, the General Court of the European Union dismissed MP Philippe Latombe's appeal against the Data Privacy Framework adequacy decision, the agreement governing data transfers between the EU and the United States, at the heart of a long legal saga. Since Latombe's case was brought as an action for annulment and not as a preliminary question by a national court, he not only had to prove that the deal was substantively wrong, but also that he was directly affected in order to be entitled to bring an action at all.

The DPF is the successor to the EU-U.S. Privacy Shield (the Privacy Shield), after the adequacy decision on the EU side adopted in light of the Privacy Shield was declared invalid in 2020 by the CJEU following litigation by privacy advocate Maximilian Schrems, acting through not-for-profit NOYB (none of your business), in the landmark case of Schrems II. The Privacy Shield was the successor to the EU-U.S. Safe Harbor Framework, which was declared invalid in 2015 in Schrems I. In response, the United States established the Data Protection Review Court (DPRC). The European Commission approved the DPF in July 2023.

Personal data transferred from the European Union to third countries is no longer subject to the GDPR in those countries. This requires compliance with certain safeguards prior to transfer, with the aim of ensuring adequate data protection in the destination country. An adequacy decision is one of the mechanisms for ensuring this protection, and the GDPR provides for a Commission decision recognizing, after a thorough examination, that the law of a third country offers guarantees deemed adequate.

It is clear that even though American law has since evolved towards greater oversight of intelligence services, one particular issue has long been a problem in US-EU relations: access to effective remedies in the United States, allowing Europeans affected by transatlantic transfers to challenge the processing of their data. This issue was already the subject of progress in 2022 with Executive Order 14086, which paved the way for a challenge mechanism. This allowed the European Commission to adopt a new adequacy decision in 2023, the very one that is being challenged in the Latombe case.

The new ruling

This new ruling is therefore part of a series of developments relating to transatlantic transfers. The fundamental issue is the adequacy of the safeguards provided abroad, and therefore the degree of requirement that the European Union must have vis-à-vis the states to which data are transferred. However, on this point, the reasoning followed by the General Court of the European Union contrasts sharply with the rulings handed down by the Court of Justice of the European Union in the Schrems I and II cases. In the Schrems II ruling, the Court insisted that "the third country must offer guarantees to ensure an adequate level of protection essentially equivalent to that guaranteed in the European Union," while also using the terms "essential equivalence" and "substantial equivalence" interchangeably. Only the latter expression—"substantial equivalent"—is adopted by the General Court, although it gives it a scope that appears to be weakened.

In its assessment of the adequacy of American law, the Court appears to be less demanding than the Court of Justice. In recent years, the latter has initiated a particularly demanding jurisprudential movement in matters of personal data protection, giving rise to numerous tensions with Member States, which themselves struggle to comply with the requirements of the Court of Justice. While the Schrems I and II judgments were perfectly in line with this trend, the Court's judgment seems to propose another direction, perhaps more favorable to national security issues.

In any case, in its analysis of the conditions to be met to conclude that foreign law is adequate, the Court draws its inspiration primarily from the ECtHR case of Big Brother Watch v. United Kingdom. On the contrary, the major decisions of the CJEU – we are thinking in particular of the La Quadrature du Net I case – dealing with the activities of intelligence services are not considered relevant by the Court. The latter were particularly demanding, where the ECtHR recognizes certain margins of appreciation for States, in particular due to the very sensitive nature of intelligence and national security issues.

The next developments?

Since this is a General Court ruling, it is likely that there will be an appeal to the CJEU. Let us assume, however, that the Court upholds the existing adequacy decision. Another fundamental question would inevitably arise. The General Court is not taking into account recent developments in US law, particularly since the return of President Donald Trump. However, some of the guarantees applicable in US law, highlighted by the General Court, already appear to be weakened. Let us give an example: the Privacy and Civil Liberties Oversight Board (PCLOB) which role is fundamental, particularly because it is involved in the appointment of members of the Data Protection Review Court, whose independence and impartiality are discussed at length in the General Court's ruling. However, President Donald Trump has terminated the terms of several PCLOB members, preventing it from functioning. The impact this could have on transatlantic data transfers has already been the subject of debate in the European Parliament and the United States. The saga surrounding transatlantic data transfers could thus, despite the Court's ruling, be the subject of new twists and turns.

Today, more than 2,800 US companies are DPF-certified, allowing them to continue relying on the adequacy decision (Article 45 of the GDPR) as the legal basis for their transatlantic transfers Data Privacy Framework. However, while this prevents massive disruptions to data flows, the stability of the framework is not guaranteed. It must be actively monitored, given regulatory or judicial events that may disrupt it.

Plus, if Mr. Latombe can still appeal the General Court's decision to the CJEU, it is uncertain whether the CJEU would follow the General Court's reasoning. It should be recalled here that the CJEU has in the past held that adequacy decisions must be assessed on the basis of the legal and factual situation at the time of the appeal, while in Latombe, the General Court departed from this standard and stated that decisions must be assessed on the basis of the situation at the time of their adoption (i.e., under the previous administration). Finally, the European Commission could, in theory, decide to suspend or repeal the DPF if it considers in the future that US law no longer provides sufficient protection for European Economic Area personal data.

Fake Judges are Great Administrators! A New Word on Judicial Independence from CJEU in T.B. v. C.B.

 

Dimitry Kochenov, CEU Democracy Institute

Photo credit: Charles J Sharp, via Wikimedia commons

Past summer was marked by further deterioration of the Rule of Law standards in the EU, especially weakening judicial independence. In T.B. v. C.B. the Court of Justice of the European Union (CJEU) ruled that unlawfully appointed judges on lawfully established courts, although presumably unable to adjudicate, can nevertheless be great administrators. Since they are not sitting as judges when deciding on internal adminsitrative matters within their courts (86), and since the establishment of the court, which the unlawfully appointed individuals infiltrated is grounded in law, Article 19 TEU and the EU Charter do not prevent them from terrorising lawfully appointed judges on the same court, since, in the words of the CJEU, ‘such measures do not constitute a means of exercising control over the content of judicial decisions’ (88). To fall short of EU law standards it is thus not sufficient for a fake person posing as a judge ‘appointed […] under the conditions which are incompatible with the requirements arising from the second sub-paragraph of Article 19(1) TEU’ (100) to abuse lawfully appointed members of the court she has infiltrated: she also has to order those abused to reach particular substantive outcomes, when they are judging, since we cannot doubt the independence of the lawfully appointed judges (89), who are being abused by the impostors harnessing the administrative powers on the court they have usurped.

The case is a rare and interesting example of deference in a field marred by untamed judicial activism and hands a clean victory to those willing to abuse the very idea of judicial independence in direct breach of national and ECHR standards. The bottom-line is humiliatingly absurd. The CJEU states explicitly that whether someone is actually a lawfully appointed judge or not in the sense of Article 19 TEU is of no relevance in the light of EU law in the context of administrative matters pertaining to the management of a Member State court, where Article 19 TEU and Article 47 of the Charter are applicable. The idea of internal judicial independence in the sence of shielding judges from direct interference with the organization of their activities by known unlawful appointees only pretending to be judges, has thus been declared as not a matter of judicial independence or concern in the light of the application of the principle of Rule of Law as expressed in Article 2 TEU. Moreover, the fact that an unlawfully appointed individuals interfere with the work of a real judges by doubling such judges’ workloads (33) and assigning the real judges to sit on the panels dealing with matters outwith of their expertise and with no consultation or consent of the judges concerned (28), as well as with no means to appeal such decisions, is of no relevance, as per the CJEU (100), for the preservation of the EU value of the Rule of Law and, in particular, judicial independence, in accordance with Articles 2 and 19 TEU.

Although this case was somewhat lost in the harvest of other summer suprises, in particular Commission v. Malta, which has eliminated liberal and empowering EU citizenship as we thought we knew it, as I have argued with Guillermo Íñiguez in the pages of the ELRev., T.B. v. C.B. is of potentially immense importance, adding to the significant track-record of deep ambiguity, and half-heartedness, marking CJEU’s engagement with this area. This ambuguity goes back to the Sharpston cases, where the Court has denied itself structural independence from the Herren der Verträge in a contra-legem move I analysed in the ELJ with Graham Butler and the Getin Noble Bank case law, analysed in JCMS in cooperation with Petra Bárd, as well as by Barbara Grabowska-Moroz where the Court established that a fake judge named as such in a final instance decision of the Polish Supreme Court (as well as ECtHR) sitting on a lawfully established court as a panel of one does not diminish the standing of that court in the context of the operation of preliminary references under Article 267 TFEU. In other words, the Court has a long-standing track-record of aiding the actors sowing abusive constitutionalism and ‘ruling by cheating’ in András Sajó’s word. The ‘salami’ principle, introduced by the Court following an ill-conceived opinion of AG Bobek as he then was, now allows even 100% unlawfully composed courts, just as in Getin Noble Bank, to benefit from a newly-established presumption of kosher-illegality, invented by the Grand Chamber in contradiction to the long-established principle that it is up to the Court itself to decide who among the national judicial actors is to be regarded as a ‘court or tribunal’ able to refer. Broberg and Fenger have exhaustively analyzed in their Magnum Opus, which now needs significant watering down, following recent Court’s departure from long established law to the detriment of the promise of Articles 2 and 19 TEU.

What emerges is not only a double duality, as it were, which includes the solidification of double standards in terms of a principled departure from the well-established requirements of Article 6 ECHR, as the Court has done in relation to own composition too, in the Sharpston cases – Opinion 2/13 on steroids – but also pretending that due process guarantees differ depending on the Treaty provision in action in a particular case. To be a ‘court’ under Article 267 TFEU is thus much easier than to remain such in the face of all the harmful government mingling, when Article 19 TEU enters the picture.

Both dualities are as artificial as they are principally wrong. This is because to pretend that Articles 19 and 267 refer to some different Courts is an obviously dishonest and impermissible misinterpretation of the Treaties in violation of Article 6 ECHR standards. This is because, as I explained in more detail in the pages of the Cambridge Yearbook of European Legal Studies, allowing an Article 19 TEU non-judge to be considered a lawful court in the sense of Article 267 TFEU lands a victory to all those supporting attacks against judicial independence: a kangaroo court, is then – under cover of a presumption not grounded in the Treaties and newly-invented by the CJEU for this very purpose – enters a ‘judicial dialogue’ (sic!) with the CJEU. The absurdity here is that, plainly, dialoguing with a non-judge cannot be qualified as ‘judicial dialogue’ and is only lawful in the eyes of the CJEU since the latter is, to the astonishment of many, pretends not to be bound by Article 6 ECHR, thanks to the low point of its own doing: Opinion 2/13. Whatever the non-judge appointed in violation of Article 6 ECHR does on the bench, where that person is not supposed to be, as part of dialoguing with CJEU is thus ok, among all the Courts of the European continent, only and solely for the CJEU – not for the lawfully established and appointed national courts and not for ECHR, for whom such double standard would be unthinkable.

The result is amusing to say the list: the ECJ makes a strict distinction between an unlawfully appointed judge (even if sitting alone), and an unlawfully established court – all this almost on the assumption that the two are somehow not connected to each other. A variety of interesting combinations is possible here, all of them in violation of the ECHR case-law, which is as clear as day, as Laurent Pech also explained: a court, whose composition is tainted by an unlawful appointment is not a court of law. We have seen the results that the CJEU’s inability to align itself with such most basic ECHR standards produces: a court with an unlawfully appointed member is ok (think of a fake ‘AG’ tainting CJEU’s composition following the Sharpston cases); a court sitting as a panel of one, with the one judge being unlawfully appointed is also fine for the purposes of Article 267 TFEU (Getin Noble Bank) but a court chamber, which is as a whole created in breach of the law and staffed 100% by unlawful appointees, is not acceptable under Article 19 TEU and does not enjoy the capacity of issuing decisions producing legal effects (‘R’S.A. v. AW ‘T’ sp. Z o.o.). The bottom-line is that hijacking existing courts by staffing them with fake judges is acceptable to the CJEU, while forming new courts and chambers in breach of the law and staffing them with similarly fake judges is not ok. It goes without saying that the outcome is essentially the same and comes down to a square violation of Article 6 ECHR either way.

T.B. v. C.B. pushes the absurdity of this shameful approach to the extremes: when the court itself is lawfully established, but fake judges have hijacked all the key administrative positions and use this to abuse the lawfully appointed members by interfering with their workloads is not a violation of EU law, it is perfectly fine to let the impostors harass the actual judges. CJEU thus passively assists the attacks against lawfully appointed judges, constantly extending the baseless Getin Noble Bank presumption, which now also covers the context where a known fake judge, posing as a court administrator purposefully doubles workloads of lawfully appointed judges. In fact, the facts described are deemed by the CJEU ‘irrelevant in this regard’ (90) and should not lead us to doubting the independence of the court in question (89). The Court has thus clarified that helping fake individuals posing as judges to terrorize lawfully appointed members of lawfully established Member States’ courts is now one of the functions of Article 19 TEU: this is EU law.

The Commission’s position here is most surprising. The institution argued that the case was not even admissible (59) clearly mindlessly and irresponsibly playing on the abusers team. In the end, this is just what the CJEU ended up doing, by pretending that the harassment of lawfully appointed judges by impostors having no right to sit on the courts in question, who came to occupy administrative positions on lawfully established courts, is of no relevance to the judicial independence standards of Article 19 TEU, 47 CFR and Article 2 TEU. Agreeing with the Commission’s proposal could at least help the Court to save face. It chose the opposite: it is now the law that known impostors appointed as ‘judges’ in breach of the standards of Article 19(1) TEU are great court administrators and this has no implications for judicial independence and the Rule of Law in the EU.

 

Policing Facial Recognition — Between Risks, Misconceptions, and the Need for a More Honest Debate

 

Asress Adimi Gikay (PhD) Senior Lecturer in AI, Disruptive Innovation and Law, Brunel University of London

 

Photo credit: Abyssus, via Wikimedia commons

 

Live facial recognition on the rise

 

Live facial recognition (LFR), is quickly gaining ground across Europe, with countries like Germany having used it to target serious criminal offences. The technology scans people’s faces in real time and matches them against police watchlists (e.g., people suspected of committing serious crimes). The EU’s Artificial Intelligence(AI) Act, allows police in member states to use LFR for serious crimes such as terrorism. However, the implementation of the EU AI Act in member states will likely face challenges as technical issues such as accuracy and legal boundaries are yet to be adequately tested.

 

Meanwhile, the UK Metropolitan Police have gained an extensive experience in managing the risk posed by the technology, arresting more than 1,000 people between January 2024 and August 2025.  In August 2025, despite opposition from 11 civil liberty groups, the Metropolitan deployed LFR at the Europe’s largest street festival celebrating African-Caribbean culture,  Notting Hill Carnival,  making  61 arrests.

 

The Metropolitan Police have taken the most step to address one of the biggest challenges in the use of the technology, i.e., ethnic bias. However, a controversy remains as to whether ethnic bias has been adequately tackled with data being interpreted differently to support the specific narrative being advanced. Misconception or misframing of critical notions in the field surveillance also shape public perception and could potentially inform policy and regulatory choices that are not necessarily evidence based.  I believe the prevailing positions adopted by academics and civil society groups also partly reflect such a state of affairs— selective use of data, unwarranted anxiety about surveillance and misconceptions around core legal concepts.

 

The view  predominantly advanced today by academics and civil liberty groups is a proposal for banning or imposing moratorium on the use of LFR on the ground that it is inaccurate, ethnically biased, susceptible to racially discriminatory use and enables mass surveillance. Whilst these are valid concerns, the Metropolitan Police’s experience over the past decade and the debate it sparked illustrates that the debate over governing the technology often doesn’t fairly weigh human rights and public safety concerns. Based on the experiences from the use of LFR technology in UK policing, in this post, I cover issues that often don’t surface wider-public discourse, some of these issues being crucial in providing insights into how LFR technology can deployed in the EU under the AI Act as well as other jurisdictions.

 

From backlash to acceptance 

 

Critics often describe policing facial recognition as Orwellian surveillance tool.  Yet history shows facial recognition is not the first or only technology to raise such a fear.

 

When Transport for London released a poster in 2002 announcing CCTV on buses, the design featured a double-decker bus gliding under a sky, with floating eyes. Its slogan read— “Secure Beneath the Watchful Eyes.” Simon Davies, the then head of Privacy International described it as “acutely disturbing.”  Two decades later, CCTV is widely accepted as an essential tool for solving crimes.  

 

 

Big Brother Watch, initially opposed airport facial recognition e-gates, warning that the system creates  privacy intrusive massive database of personal information and is prone to risk of error. Today, automated border control in Europe is considered a privilege, allowing faster passport control, available primarily to European passport holders. ‘Other travellers’ undergo more intrusive security control, including through fingerprints.

 

New technologies usually caused alarm, until their public benefits become clearer and they gain legitimacy. I don’t believe policing facial recognition is any different.

 

Measuring the impact of ethnic bias is tricky

 

Concerns about bias in facial recognition stem from early studies of commercial gender-classification algorithms and Metropolitan Police’s initial deployments that showed poorer accuracy especially for black women.  

 

However, a 2023 audit by the National Physical Laboratory (NPL), commissioned by the Metropolitan police found that when the system is optimally set, it works without significant ethnic disparities.

 

A crucial factor is the ‘recognition confidence threshold,’ or ‘face match threshold’ which determines how accurately the software matches faces. It ranges between 0-1. Higher settings reduce errors but yield fewer face matches while lower settings give more matches with less accuracy. The Metropolitan Police currently uses 0.64, a level recommended by the NPL to reduce ethnic bias significant enough to treat is as not concerning(statistically insignificant).

 

The NPL’s test involved 400 volunteers embedded in an estimated crowd of 130,000. The test showed that at a 0.64 setting or higher, there was no ethnic disparity in accuracy. At thresholds of 0.62 and 0.60, ethnic bias was statistically insignificant, while at 0.58 and 0.56, the system struggled to identify black faces.

 

Pete Fussey, a recognised expert in this field, contends the sample was too small to support  such a conclusion and notes that “false matches were not actually assessed at the settings where ethnic bias was non-existent”.   This essentially rests on the fact that for a technology that scans millions of faces, testing it on faces of 400 volunteers is less likely to generate a sufficient evidence base. In their book, Facial Recognition Surveillance: Policing in the Age of Artificial Intelligence (p, 58), Pete Fussey and Daragh Murray argue:

 

“Also of note are claims that no demographic bias is discernible above the 0.64 threshold. This is because no false positives occurred at this level. Put another way, no bias was observed because the system was not adequately tested in this range. Notable here is that such arguments rest less on how FRT operates and more on how statistics work  A suitable analogy would be the claim that 90 per cent of car accidents occur within a quarter-mile of home. This is less because such locales are inherently hazardous and more because almost all car journeys happen within a quarter-mile of home. Fewer journeys occur 600 miles away so accidents in that category are rarer. ”

 

However, a counter-argument to above is that the test in question did show steady decline in ethnic disparities with higher face match thresholds— at 0.56, 22 vs. 3 (Black vs. White); at 0.58, 11 vs. 0; at 0.60, 4 vs. 0; at 0.64, 0 vs. 0.  Despite the sample being smaller, the consistent decline implies that face match threshold clearly determines accuracy. The insistence on testing the technology until bias is completely removed is also unrealistic. So, if no inaccuracy was recorded at 0.64 and ethnic bias declined gradually up to that point, it would not be unreasonable to conclude that the technology works optimally at the given setting.

 

The NPL’s test is consistent with the risk management system in the EU AI Act, which sets strict standards for high-risk AI systems.  In its provisions requiring risk management for high-risk AI systems, in particular article 9(3), the AI Act requires that

 

“The risk management measures referred to in paragraph 2, point (d), shall be such that the relevant residual risk associated with each hazard, as well as the overall residual risk of the high-risk AI systems is judged to be acceptable.”

 

It means that the expectation in terms of risks including risk of ethic bias is not a complete elimination rather it is mitigation to the extent that some acceptable(tolerable) level of risks could still exist. By these standard, NPL’s testing is likely considered robust, since at 0.64 ethnic bias would reasonably be seen as low enough to be acceptable in view of the technology’s benefits

 

 

Subsequent Metropolitan Police’s deployment data is also indicative of this.  Between January and August 2025, the Metropolitan Police have misidentified only eight people using LFR, leading to no arrests. While ethnic breakdown for these false matches is not studied, the small number makes any ethnic disparity likely negligible.

 

Currently, there is one pending legal action brought against the Metropolitan Police by Big Brother Watch concerning prolonged police engagement with a mistakenly identified individual. This was not officially documented as false arrest, and therefore the official record in the UK is that there has not been a single false arrest following misidentification by LFR in the UK.

 

The above highlights that statistics alone doesn’t capture the complex ways LFR really affect people. Human oversight, responsible police judgment, and procedural safeguards play a crucial role; and the current debate discounts these components.

 

Policing by consent isn’t policing by of everyone’s consent

 

A common misconception is that overt(transparent) LFR surveillance undermines policing by consent, as people don’t meaningfully consent to being surveilled. 

 

Peter Fussey and Daragh Murray argue that, for instances, signages placed by the Metropolitan Police at deployment spots to inform the public of LFR operations were insufficient to obtain informed consent, as they contained inadequate information, lacked visibility and offered no opportunity for refusing consent.

 

Echoing this, former director of Big Brother Watch, Silkie Carlo stated in an interview, “there’s no meaningful consent process whatsoever. You certainly can’t withdraw consent.”

 

I think this view misrepresents both the law and the idea of policing by consent. The relevant UK Surveillance Camera Code of practice requires overt surveillance to be based on consent, specifically clarifying that consent in this context  should be regarded as “analogous to policing by consent”.

 

Policing by consent is  traced to the 9 point principles of Robert Peel, UK’s Home Secretary set out in the general instructions issued to new officers in 1829. Essentially, it requires public consent for police to serve the community where the legitimacy of policing power drives from public support. It does not require individual member of the public to consent to specific policing operations.

 

Similarly, surveillance by consent requires the community broadly to agree to visible camera systems as a legitimate tool for public safety, not whether everyone agrees to the surveillance. Besides facilitating legitimacy, transparent police surveillance ensures that those aggrieved by potentially unlawful surveillance can take legal actions.  The Surveillance Camera Code of Practice itself which is the basis for transparency in overt surveillance confirms this point by not only specifying that consent in this context is equivalent to policing by consent but also indicating the reason why consent is required. Section 3.3.2. states that “Surveillance by consent is dependent upon transparency and accountability on the part of a system operator. The provision of information is the first step in transparency and is also a key mechanism of accountability.” Nowhere in the code or any other legislation is it stated that surveillance by consent entitles individuals to consent to or withdraw consent to specific operations on individual level. Despite quoting the SCC including the relevant reference to policing by consent in their recent book, Peter Fussey and Daragh Murry don’t engage with the notion of policing by consent when they discuss consent in the context of overt surveillance, instead engaging with data protection law notion of consent. If consent of everyone who could be captured by LFR camera or even a normal CCTV came is to be secured, most public facing CCTV cameras would have to be removed.  

 

It is therefore legally and conceptually unfounded to claim that overt LFR surveillance requires the consent of everyone who walks by the LFR camera. Neither can this be realistically achieved in practice.

 

Surveillance harms, but context matters 

 

Opponents often alert that surveillance in public space, can deter people from speaking freely, attending protests, or joining public events, a phenomenon called the ‘chilling effect.’

 

In the context of LFR, Daragh Murray asserted that it might discourage attendance at the 2025 Notting Hill Carnival, citing uncertainty about how the technology is used and historical allegations of institutional racism against the Metropolitan Police.

 

The 2024 Carnival experienced two murders, multiple assaults, and stabbings, and yet an estimated two million people attended the Carnival this year, undeterred by the potential violence. Suggesting that surveillance would deter participation in such a cultural event is clearly implausible.  At the very least, there is no evidence to back this claim.

 

The chilling effect of surveillance is a concern in the context of political protests, where authorities may target opposition groups and threaten civil liberties. It can also be argued that excessive policing of minority communities may create a chilling effect to some extent, though this is highly context dependent. For example, the 2025 Carnival had 7,000 police officers with supporting technologies, and their presence was requested by the organisers and generally welcomed by the public. To suggest that adding LFR to this setting would have altered the behaviour of potential attendees is hardly credible. The blanket claim that surveillance suppresses civil rights  and alters behaviours in all contexts is not supported by evidence.

 

The bottom-line

 

Facial recognition will inevitably become routine policing tool. Rather than pushing unrealistic proposals of bans or moratoriums, regulatory debate should properly weigh the trade-offs between human rights and public safety in ensuring the proportionate use of the technology.   Questions about when LFR should be used and considered proportionate and other issues such as oversight should be debated carefully. However, the UK police’s use LFR, and the ongoing debate highlights that policy and regulatory proposals could be based on shaky interpretation of data and understanding of essential legal concepts.

 

Nissan Iberia (C-21/24): The Court of Justice Defers Limitation Periods for National Competition Authorities’ Decisions

 

Marwan Ben Moussa, law clerk, Cour de Cassation

Photo credit: CMNC building, by Luis Garcia, via Wikimedia Commons

On 4 September 2025, the Court of Justice of the European Union (CJEU), sitting as the Grand Chamber, delivered its judgment in CP v Nissan Iberia (C-21/24). The case, referred by the Commercial Court n.º 1 of Zaragoza, raises a deceptively technical but decisive question: when does the limitation period begin to run for follow-on damages claims based on infringement decisions of national competition authorities (NCAs)?

In line with Advocate General Medina’s Opinion of 3 April 2025, the Court held that the dies a quo does not start upon publication of an NCA decision (in this case the Spanish competition authority, the CNMC) but only when that decision becomes final following judicial review and has been published in an official, public, and dated manner. This holding, which departs from the rule applicable to Commission decisions, recalibrates private enforcement of Articles 101 and 102 TFEU.

This post unpacks the background, the AG’s opinion, the Court’s reasoning, and the implications for European litigation at large

Background to the Preliminary Reference

The case arises from the CNMC’s decision of 23 July 2015 in Expediente S/0482/13 – Fabricantes de Automóviles, sanctioning major car manufacturers, including Nissan, for information exchanges concerning distribution networks and after-sales marketing. The CNMC issued a press release on 28 July 2015 and published the full decision on its website on 15 September 2015.

Several manufacturers appealed. Between April and December 2021, the Spanish Supreme Court dismissed all fourteen cassation appeals, thereby making the CNMC’s decision final (see, inter alia, STS 1420/2021, 1 December 2021).

In March 2023, CP, a purchaser of a Nissan vehicle, brought a follow-on action for damages before the Commercial Court in Zaragoza. Nissan argued that the action was time-barred: under Article 1968 CC, the one-year limitation period began in September 2015 when the decision was published. The claimant countered that the dies a quo could not be triggered until the CNMC’s decision became final.

Spanish courts had been divided on this issue. Some Audiencias Provinciales pegged the dies a quo at publication; others deferred it until finality. Faced with this conflict, the referring court asked whether EU law requires limitation to begin only once an NCA decision is final and, crucially, whether publication on an NCA’s website is equivalent to the Commission’s publication of summaries in the Official Journal.

 

AG Medina’s Opinion

Advocate General Medina’s Opinion framed the problem squarely under the principle of effectiveness, given that the Damages Directive (2014/104/EU) was not yet applicable ratione temporis to infringements that had ceased in 2013.

Heureka as the starting point

In Heureka (C-605/21,paras 62–65), the Court had held that limitation for follow-on actions based on Commission decisions begins upon publication of the summary in the Official Journal. That publication provides claimants with the requisite knowledge: the fact of infringement, its legal qualification, the identity of infringers, its duration, and the products concerned.

Distinguishing Commission and NCA decisions

AG Medina reasoned that this logic cannot simply be transposed to NCA decisions under appeal. Commission decisions, even if not yet final, are binding on national courts by virtue of Article 16(1) of Regulation 1/2003: “When national courts rule on agreements, decisions or practices under Article 81 or Article 82 of the Treaty which are already the subject of a Commission decision, they cannot take decisions running counter to the decision adopted by the Commission.”

By contrast, NCA decisions lack such binding effect while under judicial review. Their probative value is provisional until finality is achieved. It would therefore undermine legal certainty to require claimants to sue within a limitation period triggered by a decision that might yet be annulled or modified (Opinion, paras 65–67).

Policy considerations

AG Medina stressed two considerations in her Opinion:

a)     Effectiveness: Claimants must not be forced to act while the legal basis of their claim is unsettled. To do so would make exercising their EU rights excessively difficult. (Opinion, para 63)

b)    Fairness to defendants: If damages actions are brought while public enforcement is still under appeal, defendants would face parallel proceedings, raising issues of prejudice to their rights of defence. (Opinion, para 63)

Accordingly, she concluded that the dies a quo for follow-on actions based on NCA decisions begins only when those decisions become final.

 

The Judgment of the Court

The Grand Chamber largely endorsed AG Medina’s approach.

a)    General principles

The Court recalled that the right to compensation for infringements of Articles 101 and 102 TFEU is guaranteed under Courage v Crehan (C-453/99, EU:C:2001:465, para. 26) and Manfredi (C-295/04, EU:C:2006:461, para. 59). Member States retain procedural autonomy in setting limitation rules, but these must respect equivalence and effectiveness (Cogeco, C-637/17, EU:C:2019:263, para. 42).

Two conditions must be met before limitation starts: the infringement must have ceased and the claimant must know, or be reasonably expected to know, the facts necessary to bring an action (Volvo and DAF Trucks, para.56.; Heureka, para. 64).

b)    Application to NCA decisions

The Court held that claimants cannot be deemed to have the requisite knowledge until an NCA decision is final. While publication of the decision online may provide factual information, its legal effects remain unsettled during appeals. National courts are not bound by non-final decisions, unlike Commission decisions under Article 16(1). To start the clock before finality would make exercising the right to compensation excessively difficult (Judgment, paras 64–67).

c)     Rejection of alternative safeguards

The Court rejected arguments that suspension or interruption of limitation, or the possibility of staying civil proceedings, sufficed to protect claimants. These mechanisms were contingent, discretionary, or incomplete, and thus inadequate to satisfy the principle of effectiveness (Judgement paras 69–73).

d)    Publication requirement

The Court added that final judgments upholding NCA decisions must be published in an official, public, and accessible manner, with a clear date of publication. Otherwise, claimants cannot be presumed to have knowledge (Judgement para. 74).

e)     Directive 2014/104

The Court held that Article 10 of the Damages Directive applied ratione temporis because, by the transposition deadline (27 December 2016), the limitation period had not yet begun: the CNMC decision was not final until 2021. The Directive therefore governed the limitation period in this case (Judgment paras 79–80).

Commentary

The judgment represents a significant step in reinforcing private enforcement of EU competition law. By tying the start of limitation periods to the finality of a decision, the Court reduces the risk that victims are forced to bring actions on unstable legal ground, only to see their claims undermined if the decision is later annulled or altered.

One line of criticism concerns the treatment of Spanish procedural law. Limitation periods in Spain can be interrupted with relative ease, often through simple extrajudicial steps such as a formal letter or email. This mechanism already provides claimants with a practical safeguard against premature expiry. In addition, CNMC decisions are immediately enforceable, save for the payment of fines which may be suspended on appeal, and they benefit from a presumption of validity. Against this background, treating such decisions as devoid of legal effect until the conclusion of judicial review does not sit comfortably with the way Spanish administrative law operates.

A second concern is the introduction of a sharp distinction between stand-alone and follow-on actions. In practice, the right to damages under Article 101 TFEU is a single right, and the rules governing limitation should not vary according to whether the claimant relies on a prior decision or constructs the case independently. Tying the dies a quo to finality in follow-on cases risks extending liability considerably, exposing defendants to actions many years after the initial publication of the decision.

The Court’s focus on knowledge linked to the binding force of a decision also represents a conceptual shift. Knowledge is no longer understood primarily in terms of factual awareness i.e when the claimant can reasonably be said to know about the infringement and its effects, but rather in terms of whether the decision carries legal certainty and binding probative value. This approach prioritises institutional status over the actual informational content available to potential claimants.

On the other hand, the judgment could be welcomed for strengthening the effectiveness of competition law. Victims cannot realistically be expected to rely on decisions that remain under appeal and may be annulled or altered. By deferring the start of the limitation period until finality, the Court provides clarity and fairness, ensuring that claimants base their actions on stable legal ground.

Doctrinal Position in Case Law

Nissan Iberia extends the line of Courage, Manfredi, Cogeco, Volvo/DAF Trucks, and Heureka. It entrenches the dual requirements of cessation and knowledge, but redefines knowledge for NCA cases in institutional terms: it arises only when a decision is final and binding.

This creates a structural asymmetry. For Commission decisions, limitation begins at publication in the Official Journal (Heureka, para. 78). For NCA decisions, limitation begins only upon finality. The Court justified this on the basis of Article 16 of Regulation 1/2003, but we can wonder whether the difference is truly justified, given that both Commission and NCA decisions are immediately enforceable and presumed valid.

Implications for European Litigation

For claimants, the judgment provides a significant procedural safeguard. The limitation period no longer runs while appeals are pending, giving injured parties the assurance that they will not be time-barred before the underlying infringement decision becomes final. This is especially relevant in Spain, where CNMC proceedings often take several years to clear all levels of judicial review.

For defendants, the consequence is prolonged exposure. Companies may face damages claims long after the initial publication of an infringement decision. This extended horizon complicates accounting practices, increases the cost of legal uncertainty, and alters the incentives for settlement.

For national legal systems, the Court has introduced an additional layer of responsibility. Final judgments upholding NCA decisions must be published in an official, public, and clearly dated manner. Failure to ensure transparent publication could have the unintended effect of leaving limitation periods open-ended, undermining predictability for all parties involved.

For EU law as a whole, the judgment continues the Court’s emphasis on effectiveness as the guiding principle of private enforcement. By privileging the position of claimants, it ensures that rights under Articles 101 and 102 TFEU are enforceable in practice. At the same time, the asymmetry created between Commission and NCA decisions raises concerns of doctrinal coherence. Whether this differentiation proves sustainable, or whether it prompts further clarification from the Court, remains an open question.

Conclusion

The Nissan Iberia judgment represents a decisive step in the construction of a claimant-friendly regime for antitrust damages. By requiring finality before limitation begins, the Court secures effectiveness but at the cost of legal certainty and symmetry.

For Spain, it resolves conflicting case law and ensures that claimants in the “car cartel” litigation remain within time. For the Union, it marks another expansion of private enforcement under the banner of effectiveness, extending the bridges built by Courage, Manfredi, and Heureka.

The Court has drawn a bright line: for NCA decisions, the limitation clock starts ticking only when the decision is final. Whether this asymmetry will endure or be recalibrated in future remains to be seen. For now, defendants must live with a longer tail of liability, and claimants with a clearer pathway to redress.