Why the European Parliament should reject (or substantially amend) the Commission’s proposal on EU Information Security (“INFOSEC”): (1) The issue of “classified information”

 

 

 

Emilio De Capitani, Former EP Official (1985-2011) Secretary of the LIBE parliamentary Committee (1998-2011). Affiliated to the Scuola superiore S.Anna (Pisa).  

Court Cases on Transparency so far: T-540/15 v. European Parliament (Trilogues), T-163/21 v Council (transparency of Council Working Parties), T-590/23 v. Council (EU legislative transparency - to be decided on October 29th). 

Pending cases: T-146/25 v Commission (EC internal rules "clarifying" access to documents), T-621/25 v. Commission (access to national plans implementing the EU Pact on Asylum), T-661/25 v EUAA (mandatory nature of deadlines of Confirmatory Applications)

Photo credit: openclipart, via Wikimedia commons

1.Setting the scene: the EU legal framework on access to documents and to confidential information before the Lisbon Treaty

To better understand why the Commission “INFOSEC” draft legislative proposal (2022/0084(COD) on information security shall be substantially amended, let’s recall what was before the Lisbon Treaty and of the Charter, the EU legal framework on access to documents, and notably of EU classified information. With the entry into force of the Amsterdam Treaty on May 1999 the EP and the Council have been under the obligation (art.255 TCE) of adopting in two years’ time new EU rules framing the individual  right of access to documents by establishing at the same time “the general principles and limits of public interests” which may limit such right of access. (emphasis added).

Notwithstanding a rather prudent Commission’s legislative proposal the EP strongly advocated a stronger legal framework for access to documents, for legislative transparency and even for the treatment at EU level of information which, because of their content, should be treated confidentially (so called “sensitive” or “classified information”). 

Needless to say  “Sensitive” or “classified information” at Member States level, are deemed to protect “essential interests”  of the State and, by law, are subject to a special parliamentary and judicial oversight regime.[1] As a consequence, at EU level, even after Lisbon, national classified information are considered an essential aspect of national security which “.. remains the sole responsibility of each Member State” (art. 4.2 TEU) and “..no Member State shall be obliged to supply information the disclosure of which it considers contrary to the essential interests of its security” (art 346.1(a)TFEU).

However, if national classified information is shared at EU level as it is the case for EU internal or external security policies it shall be treated as for any other EU policy by complying with EU rules. The point is on what legal basis these rules should be founded. This issue came to the fore already in 2000 when the newly appointed Council Secretary General Xavier SOLANA negotiated with NATO a first interim agreement on the exchange of classified information. The agreement which mirrored at EU level the NATO Classification standards (“Confidential”, “Secret” and “Top Secret”) was founded  on the Council internal organizational power  but this “administrative” approach was immediately challenged before the Court of Justice by the a Member State (NL) [2] and by the European Parliament itself [3] which considered that the correct legal basis should had been the new legislation on access to documents foreseen by art 255 of TEC which was at the time under negotiation.  The Council, at last, acknowledged that art.255 TEC on access to documents was right legal basis and a specific article (art.9[4]) was inserted in in Regulation 1049/01 implementing art.255 TEC and the EP and NL withdrew their applications before the CJEU[5].

Point is that Art.9 of Regulation 1049/01 still covers only the possible access by EU citizens and such access may be vetoed by the “originator” of the classified information. Unlike national legislation on classified information art.9 didn’t solve, unfortunately, for the lack of time, the issue of the democratic and judicial control by the European Parliament and by the Court of Justice to the EUCI. Art.9(7) of Regulation 1049/01 makes only a generic reference to the fact that “The Commission and the Council shall inform the European Parliament regarding sensitive documents in accordance with arrangements agreed between the institutions.” A transitional and partial solution has then been founded by negotiating Interinstitutional Agreements between the Council and the EP in 2002 [6]and in 2014 [7]and between the European Commission[8] in 2010.

Point is that interinstitutional agreements even if they may be binding (art.295 TFEU) they can only “facilitate” the implementation of EU law which, as described above,  in the case of democratic and judicial control of classified information still does not exists. Not surprisingly, both the Council and the Commission Interinstitutional agreements consider that the “originator” principle should also be binding for the other EU institutions such as the European Parliament  and the Court of Justice.

This situation is clearly unacceptable in an EU deemed to be democratic and bound by the rule of law as it create zones where not only the EU Citizens but also their Representatives may have no access because of “originator’s” veto. As result, in these situations the EU is no more governed by the rule of law but only by the “goodwill” of the former.

To make things even worse, the Council’s established practice is to negotiate with third Countries and international organizations agreements [9]covering the exchange of confidential information by declaring that the other EU Institutions (such as the EP and the Court of Justice) should be considered “third parties” subject then to the “originator” principle.

Such situation has become kafkaesque with the entry into force of the Lisbon treaty which recognizes now at primary law level the EP right to be “fully and timely” informed also on classified information exchanged during the negotiation of an international agreement[10]. Inexplicably, fourteen years since the entry into force of the Treaty the European Parliament has not yet challenged before the Court of Justice these clearly unlawful agreements.

That Institutional problem kept apart, fact remains that until the presentation of the draft INFOSEC proposal none challenged the idea that in the EU the correct legal basis supporting the treatment also of classified information should be the same of access to documents which after the entry into force of the Lisbon treaty is now art.15.3 of the TFEU[11].

2 Why the Commission choice of art 298 TFEU as the legal basis for the INFOSEC proposal is highly questionable [12]

After the entry into force of the Lisbon Treaty and of the Charter the relation between the fundamental right of access to documents and the corresponding obligation of the EU administration of granting administrative transparency and disclose or not its information/documents has now been strengthened also because of art. 52 of the EU Charter.

In an EU bound by the rule of law and by democratic principles, openness and the fundamental right of access should be the general rule and  “limits” to such rights should be an exception  framed only “by law”. As described above the correct legal basis for such “law” is art.15 of the TFEU which, as the former art.255 TEC, states that  “General principles and limits on grounds of public or private interest..” may limit the right of access and the obligation of disclosing EU internal information / documents. Also from a systemic point of view  “limits” to disclosure and to access are now covered by the same Treaty article which frames (in much stronger words than art 255 before Lisbon) the principles of “good governance”(par 1), of legislative transparency  (par 2) and of administrative transparency (par 3).

Such general “Transparency” rule is worded as following: “1. In order to promote good governance and ensure the participation of civil society, the Union institutions, bodies, offices and agencies shall conduct their work as openly as possible.(..) Each institution, body, office or agency shall ensure that its proceedings are transparent and shall elaborate in its own Rules of Procedure specific provisions regarding access to its documents, in accordance with the regulations referred to in the second subparagraph.”

Bizarrely, the European Commission has chosen for the INFOSEC regulation art.298 TFEU on an open, independent and efficient EU administration by simply ignoring art.15 TFEU and by making an ambiguous reference to the fact that INFOSEC should be implemented “without prejudice” of the pre-Lisbon Regulation 1049/01 dealing with access to documents and administrative transparency.  How a “prejudice” may not exist when both Regulations are overlapping and INFOSEC Regulation is upgrading the Council Internal Security rules at legislative level is a challenging question.

It is indeed  self evident that both the INFOSEC Regulation and Regulation 1049/01 deal with the authorized/unauthorised “disclosure” of EU internal information/documents.

Such overlapping of the two Regulations is even more striking for the treatment  EU Classified information (EUCI) as these information are covered both by art. 9 of Regulation 1049/01 and now  by articles 18 to 58 and annexes II to VI of the INFOSEC Regulation.

As described above, Art 255 TCE has since Lisbon been replaced and strengthened by art 15 TFEU so that the Commission proposal of replacing it with art.298 TFEU looks like a “detournement de procedure” which may be challenged before the Court for almost the same reasons already raised in 2000 by the EP and by NL.  It would then been sensible to relaunch the negotiations on the revision of Regulation 1049 in the new post-Lisbon perspective but the Commission has decided this year to withdraw the relevant legislative procedure. Submitting a legislative proposal such INFOSEC promoting overall confidentiality and withdrawing at the same time a legislative proposal promoting transparency seems a rather strong message to the public from the Commission.

3 Does the INFOSEC proposal grant true security for EU internal information?

European Union administrative transparency is now a fundamental right of the individual enshrined in the Charter (Article 42). The protection of administrative data is one of the aspects of the “duty” of good administration enshrined in Article 41 of the Charter, which stipulates that every person has the right of access to their file, “with due regard for the legitimate interests of confidentiality and professional and business secrecy.”  

However Art.298 TFEU is not the legal basis framing professional secrecy. It is only a provision on the functioning of the institutions and bodies which, “in carrying out their tasks … [must be based] on an “open” European administration”[13] and is not an article intended to ensure the protection of administrative documents.

This objective is better served by other legal bases in the Treaties.

First of all, protecting the archives of EU institutions and bodies from outside interference is, even before being a legitimate interest, an imperative condition laid down by the Treaties and the related 1965 Protocol on the Privileges and Immunities of the Union adopted on the basis of the current Article 343 TFEU. Articles 1 and 2 of that Protocol stipulate that the premises and buildings of the Union, as well as its archives, “shall be inviolable.”

Furthermore, in order to ensure that, in the performance of their duties, officials are obliged to protect the documents of their institutions, Article 17 of the Staff Regulations stipulates that

1. Officials shall refrain from any unauthorized disclosure of information coming to their knowledge in the course of their duties, unless such information has already been made public or is accessible to the public.

Again, (as for Regulation 1049/01), the INFOSEC regulation  reinstate that it should be applied “without prejudice” of the Staff Regulation by so mirroring the second paragraph of art.298 TFEU which states that itself states that it should be implemented  “in accordance with the Staff Regulations and the rules adopted on the basis of Article 336.” So, also from this second perspective, the correct legal basis for INFOSEC could be Articles 339 (on professional secrecy) and 336 TFEU, with the consequent amendment of the Staff Regulations by means of a legislative regulation of the Parliament and the Council.

By proposing a legislative regulation on the basis of Article 298, the Commission therefore circumvents both the obligation imposed by Article  336, art 339 (on professional secrecy)  and, more importantly  of Article 15(3) TFEU, according to which each institution or body “..shall ensure (i.e., must ensure) the transparency of its proceedings [and therefore also their protection from external interference] and shall lay down in its rules of procedure specific provisions concerning access to its documents [and therefore also concerning their protection], in accordance with the regulations referred to in the second subparagraph.”(NDR currently Regulation 1049/01)

The objectives set out in Article 298 cannot therefore override the requirements of protecting the fundamental right of access to documents, nor those of Article 15 TFEU which could be considered the “center of gravity” when several legal bases are competing [14].

The same applies to compliance with the regulation establishing the Statute and, in particular, compliance with Article 17 thereof, cited above.

Ultimately, the provisions on the legislative procedure for Union legislative acts are not at the disposal of the Commission, given that administrative transparency is a fundamental right and the protection of documents is a corollary thereof and not a means of functioning of the institutions. Administrative transparency is a fundamental right of every person; the protection of administrative data is a legitimate interest of every administration.

A ”public” interest that can certainly limit the right of access, but only under the conditions established by the legislator of art 15 TFEU and only by the latter.

4. Conclusions

If a recommendation may be made now to the co-legislators is to avoid illusionary shortcuts such as the current Commission proposal whose real impact on the EU administrative “bubble” is far to be clear[15]. The EU Legislator, since the entry into force of the Lisbon Treaty more than fourteen years ago is faced with much more pressing problems.

What is mostly needed is not inventing several layers of illusionary “protection” of the EU information but framing the administrative procedures by law as suggested several times by the European Parliament and by the multiannual endeavour of brilliant scholars focusing on EU Administrative law[16].

What matters is that the management and the access to EU information should be framed by law and not depend upon the goodwill of the administrative author or the receiver as proposed by the INFOSEC Regulation. Nor is information security strengthened transforming each one of the 64 EU “entities” covered by the INFOSEC Regulation [17] in sand-boxes where the information is shared only with the people who, according to the “originator” has a “need to know” and not a “right to know”.

Moreover the EU should limit and not generalize the power for each one of the 64 EU entities of create “classified” information (EUCI). In this perspective art.9 of Regulation 1049/01 needs indeed a true revision but in view of the new EU Constitutional framework and of the new institutional balance arising from the Lisbon treaty and of the Charter.

Fourteen years after Lisbon the democratic oversight of the European Parliament and the judicial control of the Court of Justice on classified documents, shall be granted by EU law as it is the case in most of the EU Countries and not by interinstitutional agreements which maintain the “Originator” against these institutions in violation of the rule of law principle as well as of the EU institutional balance.

Is it still acceptable fourteen years after the entry into force of the Lisbon Treaty that the European Parliament and the Court of Justice are not taken in account in the dozens of international agreements by which the Council frames the exchange of EUCI with third countries and international organizations?

Instead of dealing with these fundamental issues, the European Commission in its 67 page proposal makes no reference to 24 years of experience in the treatment of classified information and prefers dragging the co-legislators in Kafkaesque debates dealing with “sensitive but not classified information”  or on the strange idea by which documents should marked “public” by purpose and not by their nature (by so crossing the line separating public transparency from public propaganda).

But all that been said, it is not the Commission which will be responsible before the Citizens (and the European Court) for badly drafted legislation. It will be the European Parliament and the Council which shall now take their responsibility. They can’t hide behind the Commission unwillingness to deal with substantive issues (as well as with other aspects of legislative and administrative transparency) ; if the Council also prefer maintain the things as they were before Lisbon it is up to the European Parliament to take the lead and establish a frank discussion with the other co-legislator and verify if there is the will of fixing the real growing shortcomings in the EU administrative “Bubble”.

Continuing with the negotiations on the current version of the INFOSEC proposal notably on the complex issue of classified information paves the way to even bigger problems which (better soon than later) risk to  be brought as in 2000 on the CJEU table.

---

[1] According to the Venice Commission “.. at International and national level access to classified documents is restricted by law to a particular group of persons. A formal security clearance is required to handle classified documents or access classified data. Such restrictions on the fundamental right of access to information are permissible only when disclosure will result in substantial harm to a protected interest and the resulting harm is greater than the public interest in disclosure.  Danger is that if authorities engage in human rights violations and declare those activities state secrets and thus avoid any judicial oversight and accountability. Giving bureaucrats new powers to classify even more information will have a chilling effect on freedom of information – the touchstone freedom for all other rights and democracy – and it may also hinder the strive towards transparent and democratic governance as foreseen since Lisbon by art.15.1 of TFEU (emphasis added) The basic fear is that secrecy bills will be abused by authorities and that they lead to wide classification of information which ought to be publicly accessible for the sake of democratic accountability.  Unreasonable secrecy is thus seen as acting against national security as “it shields incompetence and inaction, at a time that competence and action are both badly needed”. (…) Authorities must provide reasons for any refusal to provide access to information.  The ways the laws are crafted and applied must be in a manner that conforms to the strict requirements provided for in the restriction clauses of the freedom of information provisions in the ECHR and the ICCPR.” 

[2] Action brought on 9 October 2000 by the Kingdom of the Netherlands against the Council of the European Union (Case C-369/00) (2000/C 316/37)

[3] Action brought on 23 October 2000 by the European Parliament against the Council of the European Union (Case C-387/00)

[4] Regulation 1049/01 Article 9 ”Treatment of sensitive documents

1. Sensitive documents are documents originating from the institutions or the agencies established by them, from Member States, third countries or International Organisations, classified as “TRÈS SECRET/TOP SECRET”, “SECRET” or “CONFIDENTIEL” in accordance with the rules of the institution concerned, which protect essential interests of the European Union or of one or more of its Member States in the areas covered by Article 4(1)(a), notably public security, defence and military matters.

2. Applications for access to sensitive documents under the procedures laid down in Articles 7 and 8 shall be handled only by those persons who have a right to acquaint themselves with those documents. These persons shall also, without prejudice to Article 11(2), assess which references to sensitive documents could be made in the public register.

3. Sensitive documents shall be recorded in the register or released only with the consent of the originator.

4. An institution which decides to refuse access to a sensitive document shall give the reasons for its decision in a manner which does not harm the interests protected in Article 4.

5. Member States shall take appropriate measures to ensure that when handling applications for sensitive documents the principles in this Article and Article 4 are respected.

6. The rules of the institutions concerning sensitive documents shall be made public.

7. The Commission and the Council shall inform the European Parliament regarding sensitive documents in accordance with arrangements agreed between the institutions.

[5] Notice for the OJ. Removal from the register of Case C-387/00. By order of 22 March 2002 the President of the Court of Justice of the European Communities ordered the removal from the register of Case C-387/00: European Parliament v Council of the European Union. OJ C 355 of 09.12.2000.

[6] Interinstitutional Agreement of 20 November 2002 between the European Parliament and the Council concerning access by the European Parliament to sensitive information of the Council in the field of security and defence policy (OJ C 298, 30.11.2002, p. 1).

[7] According to the Interinstitutional Agreement of 12 March 2014 between the European Parliament and the Council concerning the forwarding to and handling by the European Parliament of classified information held by the Council on matters other than those in the area of the common foreign and security policy (OJ C 95, 1.4.2014, pp. 1–7) “4.   The Council may grant the European Parliament access to classified information which originates in other Union institutions, bodies, offices or agencies, or in Member States, third States or international organisations only with the prior written consent of the originator.”

[8] According to annex III point 5 of the Framework Agreement on relations between the European Parliament and the European Commission (OJ L 304, 20.11.2010, pp. 47–62) In the case of international agreements the conclusion of which requires Parliament’s consent, the Commission shall provide to Parliament during the negotiation process all relevant information that it also provides to the Council (or to the special committee appointed by the Council). This shall include draft amendments to adopted negotiating directives, draft negotiating texts, agreed articles, the agreed date for initialling the agreement and the text of the agreement to be initialled. The Commission shall also transmit to Parliament, as it does to the Council (or to the special committee appointed by the Council), any relevant documents received from third parties, subject to the originator’s consent. The Commission shall keep the responsible parliamentary committee informed about developments in the negotiations and, in particular, explain how Parliament’s views have been taken into account.”

[9] SEE : Agreements on the security of classified information

[10] Article 218.10 TFUE states clearly that “The European Parliament shall be immediately and fully informed at all stages of the procedure” when the EU is negotiating international agreements even when the agreements “relates exclusively or principally to the common foreign and security policy,” (art.218.3 TFUE).

[11] Interestingly reference to art.15 of the TFEU is also made in the EP-Council 2014 Interinstitutional Agreement on access to classified information (not dealing with External Defence) See point 15 :  This Agreement is without prejudice to existing and future rules on access to documents adopted in accordance with Article 15(3) TFEU; rules on the protection of personal data adopted in accordance with Article 16(2) TFEU; rules on the European Parliament’s right of inquiry adopted in accordance with third paragraph of Article 226 TFEU; and relevant provisions relating to the European Anti-Fraud Office (OLAF)

[12] However this legal basis was fit for another legislative proposal, of a more technical nature, which  has now become EU Regulation 2023/2841 layng  down measures for a high common level of cybersecurity for the institutions, bodies, offices and agencies of the Union. This Regulation applies at EU administrative level the principles established for the EU Member States by Directive (EU) 2022/2555 (2)  improving the cyber resilience and incident response capacities of public and private entities. It created an Interinstitutional Cybersecurity Board ( IICB) and a Computer Emergency Response Team (CERT) which operationalizes the standards defined by the IICB and interact with the other EU Agencies (such as the EU Agency dealing with informatic security, Enisa), the corresponding structures in the EU Member States and even the NATO structures. It may be too early to evaluate if the Regulation is fit for its purpose ([12]) but the general impression is that its new common and cooperative system of alert and mutual support between the EU Institutions, Agencies and bodies may comply with the letter and spirit of art.298 of the TFEU.

[13] Quite bizarrely this “open” attribute is not cited in the INFOSEC proposal and, even more strangely, none of the EU institutions has until now consulted the EU Ombudsman and/or the Fundamental Rights Agency.

[14] See Case C-338/01 Commission of the European Communities v Council of the European Union(Directive 2001/44/EC – Choice of legal basis)“The choice of the legal basis for a Community measure must rest on objective factors amenable to judicial review, which include in particular the aim and the content of the measure. If examination of a Community measure reveals that it pursues a twofold purpose or that it has a twofold component and if one of these is identifiable as the main or predominant purpose or component whereas the other is merely incidental, the act must be based on a single legal basis, namely that required by the main or predominant purpose or component. By way of exception, if it is established that the measure simultaneously pursues several objectives which are inseparably linked without one being secondary and indirect in relation to the other, the measure must be founded on the corresponding legal bases…”

[15]  Suffice to cite the following legal disclaimer :”This Regulation is without prejudice to Regulation (Euratom) No 3/1958 17 , Regulation No 31 (EEC), 11 (EAEC), laying down the Staff Regulations of Officials and the Conditions of Employment of other servants of the European Economic Community and the European Atomic Energy Community 18 , Regulation (EC) 1049/2001 of the European Parliament and of the Council 19 , Regulation (EU) 2018/1725 of the European Parliament and of the Council 20 , Council Regulation (EEC, EURATOM) No 354/83 21 , Regulation (EU, Euratom) 2018/1046 of the European Parliament and of the Council 22 , Regulation (EU) 2021/697 of the European Parliament and of the Council 23 , Regulation (EU) [2023/2841] of the European Parliament and of the Council 24 laying down measures for a high common level of cybersecurity at the institutions, bodies, offices and agencies of the Union.

[16]  See ReNEUAL Model Rules on EU Administrative Procedure. ReNEUAL working groups have developed a set of model rules designed as a draft proposal for  binding legislation identifying – on the basis of comparative research – best practices in different specific policies of the EU, in order to reinforce general principles of EU law

[17] The Council has listed not less than 64 EU entities (EU Institutions Agencies and Bodies – EUIBAs) in document WK8535/2023

 

European Union Product Liability Law and its (Uncertain) Future – Some Thoughts on LF v. Sanofi Pasteur case

Magdalena Tulibacka, Director of the Center of International and Comparative Law, Visiting Assistant Professor of Practice, Emory Law School 

Photo credit: Pexels, via Wikimedia commons

 

It is difficult to overstate the importance of the forthcoming judgment of the European Court of Justice (ECJ) in LF v. Sanofi Pasteur.¹ The judgment, if it follows the recent opinion of ECJ’s Advocate General (AG) Medina,² is likely to create a major shift in the system of liability established by the EU’s Product Liability Directive (PLD).³

Three questions referred to the ECJ by the Court of Appeal of Rouen arose in a case involving a vaccine produced by Sanofi Pasteur. The case concerns a type of a health injury referred to by the French court as a progressive condition.⁴ The claimant started experiencing pain and other health complaints after being vaccinated. Her condition kept getting progressively worse. Even accounting for the continued worsening of LF’s health, however, it is somewhat puzzling how long it took for the case to reach the courts.⁵ It appears that LF waited 11 years from the time of appearance of first symptoms and 7 years from the diagnosis of her condition to commence proceedings before a compensation scheme, which rejected the claim because of lack of causal link,⁶ and 3 further years to bring a lawsuit against Sanofi.⁷ As held by two French courts considering this case, following Article 1245-15 and 1245-16 of Code Civil (implementing the provisions of the PLD on limitation periods), LF’s actions were thus time-barred.⁸

The Cour de Cassation, however, decided to refer the case back to a Court of Appeal of Rouen to test some of the recent arguments that appeared in its own jurisprudence and in judgments of other courts against the application of limitation periods in other domestic regimes when progressive conditions are concerned.⁹

In order to enable LF’s case against Sanofi to proceed, the Court of Appeal asked first of all whether a potential victim of a defective product could bring a case against its manufacturers based on fault in lack of vigilance and lack of information about the risks of using the products. This is very difficult to reconcile with the PLD - a system that does not allow any other general product liability system functioning on the same basis to exist. The primary reason that this question arose in the case seems to be that French law has more generous time limits for general tort liability claims, and thus LF could still arguably bring her claim against Sanofi.

The two remaining questions relate to the system of liability established by PLD and implemented into French law, and specifically its limitation periods and their application in cases of progressive diseases. The questions can be summarized as follows:

Does the PLD’s 10-year long stop period comply with the right to an effective remedy as provided in Article 47 of the EU’s Charter of Fundamental Rights,¹⁰ when it applies to cases of progressive conditions?

Does the Directive allow for the 3-year limitation period to start, in cases of progressive injuries, when the injury or condition has stabilized, not when the claimant knew or should have known about it, as indicated in PLD?

These questions push the boundaries of what the system of the Directive established. With its strict liability for property damage, personal injury and death caused by defective products, the PLD introduced one of the world’s most influential and comprehensive product liability systems. The Directive aims to be a complete system of liability rules, carefully balancing the variety of interests involved: the interests of victims of defective products, the industry, and even society as a whole. Recently, the PLD experienced a major overhaul, and a new Directive was enacted, bringing the European product liability law into the digitalized, increasingly complex market reality.¹¹ The new rules are not yet in force and do not apply in the case at hand, but they do reflect the current consensus on the whole system. The changes related to limitation periods will be described below.

The Directive continues to rely on national laws of EU Member States for interpretation and application of major elements of liability, such as defect, damage, and causal link. It also co-exists with other national contractual and non-contractual liability systems as well as compensation schemes for redress of damage caused by defective products. It is at this juncture – the interaction with the national systems of laws and remedies – that many questions arise, this case being a good example.

In response to the French court’s questions, the AG suggests that the ECJ ought to conclude as follows:

-          Victims of defective products can bring actions against the producers of these products using national tort-based, fault-based liability, as long as the alleged fault consists of factors not exclusively related to defectiveness of the product (like failures in vigilance).¹²

-          The ten-year long stop introduced in the Directive is invalid in the light of Article 47 of the EU’s Charter of Fundamental Rights, ‘in so far as its application has the effect of extinguishing the right to claim compensation of injured persons suffering from a progressive disease who, according to medical evidence, due to the progressive nature of their medical condition, cannot fully evaluate the damage caused to them and have therefore been unable to initiate proceedings against the producer within that period, thereby depriving those persons of their right of access to a court’.¹³

‘In the situation of a progressive disease, the three-year limitation period established in that provision starts to run on the date of stabilisation of the damage, defined as the moment from which, according to medical evidence, the condition of the injured person is no longer evolving.’¹⁴

For some context: the French system continues to challenge the maximum harmonization the PLD was meant to ensure. As regards the implementation of the PLD, France was reprimanded by the ECJ for late and then improper implementation and needed to amend its law.¹⁵

Further, the French tort liability system, and to some extent even its contractual liability, historically presented a more attractive option for victims of defective products.16 The French product liability law was developed by courts in the overall consumer-friendly climate, where the key role of liability rules was for victims of defective products to be compensated, as mostly strict liability of manufacturers and suppliers.¹⁷ French courts were open to abandoning the requirement of proving fault, as well as to adopting presumptions of causation and defect in product liability cases – the approach that is not common among other EU Member States.¹⁸ As mentioned above, the general tort liability system in France provides more generous limitation periods as well. It is thus not difficult to understand why some victims may wish to resort to this general liability system instead of the one established by the implementation of the PLD.

 

Reflecting on question 1.

In reference to the interaction between the PLD and the national liability systems, the AG’s opinion reflects a unique conundrum. While the Directive was not meant to be the only system of liability where victims of defective products could recover compensation, it is the only system of objective (‘defect-based’)¹⁹ liability for such products. Within the scope of liability as set out by the Directive, its rules constitute the threshold and the ceiling. Article 13 PLD provides that the Directive does not affect any rights an injured person may have according to the rules of contractual and non-contractual liability or a special liability system. This provision was further elucidated in ECJ’s jurisprudence. In Gonzalez Sanchez the Court highlighted that liability systems based on other grounds: such as fault or a warranty in respect of hidden defects, could remain it operation.²⁰ In Commission v France, a general product liability system different from that provided by the Directive was held not permissible.²¹ According to Gonzalez Sanchez, as confirmed by the AG in the current case, the Directive is the exclusive source for cases where the liability follows a defective product (as defined by PLD) causing damage or injury a person.²² Fault is not relevant in this system. The notion of defect as provided by the Directive focuses on lack of safety.²³

The AG’s argument that resorting to general tort liability rules should be possible if it could be established that the defendant was at fault by failing in its vigilance duties, however, is not very convincing. If the essence of the defendant’s fault is lack of vigilance over the product and the alleged lack of reaction (perhaps by pulling the vaccine off the market), is not the lack of safety in the product the condition si ne qua non here? Safety and vigilance seem to be very closely tied in European law. Within the context of product liability, courts cannot deem that there was a failure in vigilance without also assessing whether there was a defect (lack of safety). The AG suggests that fault in this case consists of factors not exclusively related to defectiveness of the product.²⁴

But surely, monitoring of the product’s safety once it enters the market is a requirement that features heavily in European Union laws on product safety. Pharmaceutical products carry a uniquely stringent set of requirements as regards monitoring. Further, in the context of product liability, failure to warn of potential risks, rather than being some additional criterion or requirement, is a feature of defect. Even though the PLD does not recognize the US-style ‘boxing’ of types of defects (into manufacturing, failure to warn and design defects), those three types are widely recognized in literature and jurisprudence across the EU and beyond.

In my opinion, the AG’s recommendations in this matter do not comply with the text of the Directive and the nature and spirit of product liability law as established by it.

 

Reflecting on Questions 2 and 3:

Let us now move to the question of limitation periods under the Directive. Generally, legal systems distinguish two types of limitation periods:

-          What we can call ‘ordinary’ limitation periods - procedural in nature and often, in product liability cases, dependent on subjective discovery of the injury/damage and the person responsible or liable to redress it. This moment of subjective discovery is also when the cause of action accrues.

-          Long-stops (also referred to as preclusion, prescription, long-stop, or repose) - more substantive in nature (in some systems, such as the PLD, a long stop is referred to as a period after which the claimant’s rights are extinguished), and dependent on objective criteria, not on the subjective position/situation of the claimant.

Factors at play in the determination of these periods can be broadly classified into the following categories:

-          Substantive, constitutional and fundamental rights arguments: legal certainty and rule of law, finality, fair trial, access to justice and effective remedy,

-          Procedural and evidential arguments: effect of the passing of time on availability of evidence, and

-          Economic arguments – ‘closing the books’, calculation of risk and liability exposure, obtaining affordable insurance coverage.

In summary: determination of limitation and expiry periods is always a product of compromise between the plaintiff and the defendant interests, but also wider social interests in justice being done on the one hand and in encouraging progress and development of new products on the other hand. Such a compromise has been established in the PLD. It has remained in place till today and survived the comprehensive reform of the Directive in 2024, with some changes.

In the old PLD, claimants can bring product liability suits within 3 years from when they became aware, or should reasonably have become aware, of the damage, the defect and the identity of the producer. Further, the rights under the Directive expire 10 years from when the product was placed into circulation.²⁵ In the new PLD, the 3-year limitation period has been retained virtually unchanged. The 10-year long-stop is now called ‘expiry period’. It has also been retained largely unchanged (with the modification of the start of the period for substantially modified products). However, an exception was introduced where an injured person is not able to initiate proceedings within 10 years due to the latency of her injury. The period in such cases is extended to 25 years.

The French Court’s questions address both the limitation period and what is now called the expiry period. With regard to the latter, the question is whether its very existence is contrary to Article 47 of the EU Charter of Fundamental Rights as regards progressive conditions. The Charter, as part of the Treaties and thus primary EU law, can be the basis for a constitutional review by the ECJ of any legally binding EU measure. Any secondary EU law, including the PLD, which does not comply with its requirement that everyone whose rights guaranteed by EU law were violated should have access to an effective remedy (Article 47), can be declared at least partially void.

The opinion of the AG recommending exactly such an outcome should be looked at in the context of the views of the ECtHR. In its 2020 judgment in Sanofi v. France and in an earlier judgment in Howard Moor v Switzerland the ECtHR held that the long-stop violated the right to access to justice of victims who suffered from latent diseases.²⁶

The recent amendment of the PLD extending the expiry period to 25 years for latent conditions addresses these concerns, albeit unfortunately the new PLD does not provide a definition of latency leaving its determination to national law. It is possible that even this longer period may not always be sufficient, as certain products may well cause injuries and diseases with a much longer latency period than 25 years. Perhaps the period will need to be extended in the future for some latent conditions, but we are not ready to abandon it entirely. We are also not ready to leave the decision whether or not it applies to courts if the conditions are already present but, according to the claimant’s doctors, may not have stabilized. The long-stop (expiry period) constitutes one of the fundamental elements of the balance of consumer-business interests set out by the PLD. Any amendments to it will no doubt cause a push-back from the industry side and calls for rebalancing the whole system. Especially amendments that have their roots in undefined legal and medical concepts.

What is particularly concerning in the case at hand is that the AG is willing to allow the unique approach adopted by some French judiciary for progressive conditions to be used in cases based on the Product Liability Directive, potentially extending its effect across other EU Member States. The question of progressive injuries is itself problematic. Further, this approach focuses on an (as yet undefined) concept of ‘stabilization’.

I will now address both these concepts and their application to limitation periods.

Progressive conditions mean that the injury is known for some time, albeit not in its entirety. The French argument is that the claimant will not be able to assess the full extent of the damage while her condition keeps developing, and thus, no limitation period should be running until the claimant’s condition ‘stabilizes’.²⁷ The notion of a progressive condition or disease is not defined in the Directive. It is also unlikely that the ECJ would provide such a definition, as it is rather a medical and a case-specific term. Thus, the exact meaning would be determined by doctors within each EU state – and that’s what the AG seeks to avoid.

If one were to agree with the opinion of the AG addressing questions 2 and 3, it would mean that for progressive diseases the only limitation period is three years from the moment when the claimant’s doctors conclude that her condition has stabilized (as the ten-year period would be disapplied). The AG’s argument that an EU-level approach is needed in such cases and the response cannot be left to Member States, should be commended but what she suggests is, in my view, the wrong way to approach this.

It seems from the submissions by the German government in the case that the problems with the progressive diseases and the resulting limitations in access to remedy may well be a problem with the French system. While it is a fact that provisional damages are normally not available in civil law systems, such systems have other ways in which victims can bring suits before their injuries present themselves in their entirety (such as bringing declaratory actions). Suits can be brought while the claimant’s condition is developing, and courts can assess potential future damages as part of the compensation award. Additional suits can potentially be brought as follow-on actions when new conditions develop, or the existing condition worsens beyond what was initially predicted. The text of the AG’s opinion contains statements to the effect that French law, in contrast to other legal systems in the EU, does not allow claims for compensation of future damages or provisional damages. It seems to also indicate that the claimant may not be able to bring follow-on claims. If that is indeed the case, there is a significant systemic problem in French rules of damages. But a more likely answer is that, in France, there are options for assessing of future damages and taking them into account in the final determination of compensation amounts due to the claimant, and there are also possibilities for bringing follow-on claims.

The application and enforcement of substantive rights granted by EU law has always been dependent on national remedial and procedural rules, subject to the requirements of effectiveness and equivalence. Here this principle is applied backwards – the AG is allowing the perceived deficiencies in these national systems to cause the whole, carefully constructed compromise of PLD to be shaken. Would it not be a better idea for the ECJ to request that only French law is clarified in this respect, thus maintaining the coherence of the whole PLD system across the EU?

The French requirement that the limitation period does not start running until the claimant’s disease has ‘stabilized’, was already subject to a judgment by the ECtHR, where Sanofi challenged France alleging that Article 6.1 of the European Convention of Human Rights (right to fair trial) was violated. The ECtHR concluded that France was within the limits of the discretion (margin of appreciation) granted by the Convention when it allowed the limitation period to be approached in this way by its courts.²⁸ This judgment was issued in a different legal context – specifically one where the ECHR is known for granting the states-parties a certain margin of appreciation. Here, in the context of the EU PLD, the discretion is severely limited.

Keeping the start of the limitation period flexible and subject to the decision of the doctor and the court in each case to the extent suggested by the AG can potentially create uncertainty. It is problematic from the perspective of access to evidence, the question of who has the power to determine ‘stabilization’, and the rights of the defendants.²⁹ It can also lead to potentially undesirable consequences of depriving the victim of a defective product of access to a remedy. The way the start of the ordinary limitation periods is usually understood is that it means the cause of action accrued. If the cause of action does not accrue until the person’s condition ‘stabilizes’, could it not be argued that patients who do not wish to wait for this moment do not have a claim? Would this not deprive many victims of access to remedy for a potentially long time, and often for the rest of their life?

Another point worth noting is that if we allow victims of defective products to wait with bringing cases until their condition has stabilized, which can mean after their death, we may be leaving the defendants in a position where they are to expect lurking lawsuits, usually by families of people who died. Thus, if the ECJ were to adopt the AG’s suggestion in this respect, perhaps it would be advisable to introduce a notification requirement into the PLD for such situations, such as the one in the Payment Services Directive, recently interpreted by the ECJ.30 If we take the need for an effective remedy into account, it may be a more effective, and more proportionate, response to require the claimant to notify the defendant of their injury, even if the latter is still progressing. Such a step would provide the defendant with the knowledge of the claim and some level of clarity, as well as provide the claimant with the certainty that their claim will not be time barred. Further, the notification could provide an encouragement for the parties to settle.

 

Conclusions:

In spite of the recent comprehensive reform of the PLD, some very important parts of the European Union product liability system are by no means settled, thus creating uncertainty for potential plaintiffs and defendants. This comment cautions against following the AG’s opinion because, while it may assist the claimant (LF) in her case, it could create a destabilizing effect on the EU-wide product liability system. The AG’s recommendations in this case are a concern. In a reality where European legal systems - through their legislators and courts – continue to face difficult cases of injuries, they are bound to experiment, introduce new systems, new rules, and new ways of interpretation and application of the existing rules. Perhaps it is not realistic to expect that PLD will fully achieve its objective of harmonization, and PLD is playing ‘catch up’ with national systems – the latest reform is an example. But the system should remain stable, and such national experimentation can threaten this stability.

The arguments raised in this comment are particularly notable after the new EU Directive on Representative Actions came into force. Product liability cases can now be brought using a pan-EU representative procedure. With some major private international law issues still unresolved, there will be scope for forum shopping. If we allow national peculiarities to remain part of the product liability system to the extent suggested by the AG in LF v. Sanofi Pasteur, we increase the risk of forum shopping.

 

¹ Case C-338/24, LF v. Sanofi Pasteur SA, Request for a preliminary ruling from the Cour d’appel de Rouen (France) lodged on 7 Mary 2024, https://eur-lex.europa.eu/eli/C/2024/4716/oj/eng.

₂ Opinion of AG Medina delivered on 19 June 2025.

³ Council Directive 85/374/EEC on the approximation of the laws, regulations and administrative provisions of the Member States concerning liability for defective products, OJ L 210, 7.8.1985, pp. 29-33, recently replaced by Directive (EU) 2024/2854 of the European Parliament and of the Council of 23 October 2024 on liability for defective products and repealing Council Directive 85/374/EEC, OJ L 2024/2853, 18.11.2024; in the text of this comment: ‘PLD’ or ‘the Directive’ and ‘new PLD’ or ‘new Directive’.

⁴ No precise definition of such a progressive disease is provided, except for it being a condition that develops over a long period (para. 53 of the AG Opinion, see note 2).

⁵ LF received the Revaxis vaccine manufactured by Sanofi Pasteur in 2003. One explanation advanced in the case indicates that a residual amount of aluminum hydroxide (detected in LF’s body), used in certain vaccines, could have caused her condition.

⁶ The Board for Conciliation and Compensation for Medical Accidents is a French no-fault compensation scheme: Commission de Conciliation et d’Indemnisation des Accidents Medicaux (CCI). Her claim was rejected by CCI following an assessment by the expert appointed in the case who did not find a causal link.

⁷ LF’s condition was deemed stabilized 8 years after her diagnosis. In 2020 LF brought a lawsuit against Sanofi Pasteur, based on tort liability (fault liability - Article 1240 Code Civil), and strict product liability (Article 1245 Code Civil). The lawsuit was dismissed by the Court of Alençon and then by the Court of Appeal of Caen because LF’s claims were time-barred. Under the Code Civil, in the provisions implementing the PLD (Articles 1245-15 and 1245-16, implementing Articles 10 and 11 PLD) a claimant in a product liability case must bring a claim within three years from the date on which she was aware or ought to have been aware of the defect, the damage and the identity of the defendant. Further, in actions based on strict product liability there is a strict ten-year time limit (starting on the date when the product was placed on the market). The Cour de Cassation overturned the Court of Appeal’s decision and referred the case to the Court of Appeal of Rouen.  

⁸ As per Articles 10 and 11 of the current PLD, see below for analysis.

⁹ As per some previous judgments: Cass 1ère civ. 1 June 1999, B. 178; Cass. 2ème civ., 4 May 2000, no. 97-21.731; Cass 2ème civ. 11 July 2002, no. 01-02.182). The Cour de Cassation’s held that, in the event of an action for damages seeking compensation for bodily injury, the limitation period could only start running on the date when the damage has ‘stabilized’. Only then, according to the Court, the claimant would be able to assess the complete scope of her damage or injury.

¹⁰ Article 47 of the Charter provides for the right to an effective remedy: ‘Everyone whose rights and freedoms guaranteed by the Law of the Union are violated has the right to an effective remedy before a tribunal …’.

¹¹ See n. 3.

¹² C-338/24, AG Opinion, para. 43.

¹³ C-338/24, AG Opinion, para. 105.

¹⁴ C-338/24, AG Opinion, para. 124.

¹⁵ For instance, in Case C-52/00 Commission v. France, Judgment of 25 April 2002.

¹⁶ J.S. Borghetti, The development of product liability in France, in S. Whittaker (ed.) The development of product liability, Volume 1, Cambridge University Press, 2010, pp. 87-113., at p. 98.

¹⁷ Ibid. J.S. Borghetti, The development of product liability in France.

¹⁸ This approach was accepted by the ECJ as in line with the PLD in C-621/15 NW, LW, CW v. Sanofi Pasteur MSD SNC, judgment of 21 June 2017. Presumptions of defect and causation were also introduced in the new PLD: see Article 10.

¹⁹ H. Taschner, ‘Product liability: Basic problems in a comparative law perspective’, in Fairgrieve, D. (ed.), Product Liability in Comparative Perspective, Cambridge University Press, Cambridge, 2005, pp. 155 to 166, at p. 161.

²⁰ Case C-183/00 Gonzalez Sanchez v. Medicina Asturiana SA, Judgment of 25 April 2002, para. 31.

²¹ Case C-52/00 Commission v. France, Judgment of 25 April 2002.

²² AG Opinion, para. 36. See note 2.

²³ As defined in Article 6 of the old PLD.

²⁴ C-338/24, AG Opinion, (para. 48).

²⁵ Articles 10 and 11 old PLD, Articles 16 and 17 new PLD.

²⁶ ECtHR in Sanofi Pasteur v France, 2020. In Howard Moor, the court held that, ‘where it is scientifically proven that a person is unable to know that they are suffering from a certain illness, such circumstances should be taken into account when calculating the limitation period or statute of limitations.’ Elimination of a long-stop is not merely a European idea: for instance some U.S. states’ supreme courts struck down as unconstitutional the periods of repose in all product liability cases or only in cases of personal injuries. See: “50-State Survey of Statutes of Limitations and Repose in Prescription Product Liability Cases”, JD Supra, 2020.

²⁷ LF – the claimant in the French case – has indeed, according to her doctors, stabilized.

²⁸ This case involved the general tort liability system.

²⁹ For instance – it would be more difficult to assess liability risks for the purpose of obtaining insurance.

³⁰ Case C-665/23 IL v. Veracash SAS, Judgment of 1 August 2025.

 

 

 

The General Court of the European Union upholds the Data Privacy Framework

 

 

Dr Samira Allioui, Research fellow, Centre d'études internationales et européennes, Université de Strasbourg

Photo credit: Ibrahim Rustanov, via Wikimedia Commons

French Member of Parliament Philippe Latombe, who also sits on the board of the French data protection authority, the Commission Nationale de l’Informatique et des Libertés, brought an action, in his personal capacity, in the General Court of the European Union calling for the annulment of the Data Privacy Framework. On Wednesday, September 3, the General Court of the European Union dismissed MP Philippe Latombe's appeal against the Data Privacy Framework adequacy decision, the agreement governing data transfers between the EU and the United States, at the heart of a long legal saga. Since Latombe's case was brought as an action for annulment and not as a preliminary question by a national court, he not only had to prove that the deal was substantively wrong, but also that he was directly affected in order to be entitled to bring an action at all.

The DPF is the successor to the EU-U.S. Privacy Shield (the Privacy Shield), after the adequacy decision on the EU side adopted in light of the Privacy Shield was declared invalid in 2020 by the CJEU following litigation by privacy advocate Maximilian Schrems, acting through not-for-profit NOYB (none of your business), in the landmark case of Schrems II. The Privacy Shield was the successor to the EU-U.S. Safe Harbor Framework, which was declared invalid in 2015 in Schrems I. In response, the United States established the Data Protection Review Court (DPRC). The European Commission approved the DPF in July 2023.

Personal data transferred from the European Union to third countries is no longer subject to the GDPR in those countries. This requires compliance with certain safeguards prior to transfer, with the aim of ensuring adequate data protection in the destination country. An adequacy decision is one of the mechanisms for ensuring this protection, and the GDPR provides for a Commission decision recognizing, after a thorough examination, that the law of a third country offers guarantees deemed adequate.

It is clear that even though American law has since evolved towards greater oversight of intelligence services, one particular issue has long been a problem in US-EU relations: access to effective remedies in the United States, allowing Europeans affected by transatlantic transfers to challenge the processing of their data. This issue was already the subject of progress in 2022 with Executive Order 14086, which paved the way for a challenge mechanism. This allowed the European Commission to adopt a new adequacy decision in 2023, the very one that is being challenged in the Latombe case.

The new ruling

This new ruling is therefore part of a series of developments relating to transatlantic transfers. The fundamental issue is the adequacy of the safeguards provided abroad, and therefore the degree of requirement that the European Union must have vis-à-vis the states to which data are transferred. However, on this point, the reasoning followed by the General Court of the European Union contrasts sharply with the rulings handed down by the Court of Justice of the European Union in the Schrems I and II cases. In the Schrems II ruling, the Court insisted that "the third country must offer guarantees to ensure an adequate level of protection essentially equivalent to that guaranteed in the European Union," while also using the terms "essential equivalence" and "substantial equivalence" interchangeably. Only the latter expression—"substantial equivalent"—is adopted by the General Court, although it gives it a scope that appears to be weakened.

In its assessment of the adequacy of American law, the Court appears to be less demanding than the Court of Justice. In recent years, the latter has initiated a particularly demanding jurisprudential movement in matters of personal data protection, giving rise to numerous tensions with Member States, which themselves struggle to comply with the requirements of the Court of Justice. While the Schrems I and II judgments were perfectly in line with this trend, the Court's judgment seems to propose another direction, perhaps more favorable to national security issues.

In any case, in its analysis of the conditions to be met to conclude that foreign law is adequate, the Court draws its inspiration primarily from the ECtHR case of Big Brother Watch v. United Kingdom. On the contrary, the major decisions of the CJEU – we are thinking in particular of the La Quadrature du Net I case – dealing with the activities of intelligence services are not considered relevant by the Court. The latter were particularly demanding, where the ECtHR recognizes certain margins of appreciation for States, in particular due to the very sensitive nature of intelligence and national security issues.

The next developments?

Since this is a General Court ruling, it is likely that there will be an appeal to the CJEU. Let us assume, however, that the Court upholds the existing adequacy decision. Another fundamental question would inevitably arise. The General Court is not taking into account recent developments in US law, particularly since the return of President Donald Trump. However, some of the guarantees applicable in US law, highlighted by the General Court, already appear to be weakened. Let us give an example: the Privacy and Civil Liberties Oversight Board (PCLOB) which role is fundamental, particularly because it is involved in the appointment of members of the Data Protection Review Court, whose independence and impartiality are discussed at length in the General Court's ruling. However, President Donald Trump has terminated the terms of several PCLOB members, preventing it from functioning. The impact this could have on transatlantic data transfers has already been the subject of debate in the European Parliament and the United States. The saga surrounding transatlantic data transfers could thus, despite the Court's ruling, be the subject of new twists and turns.

Today, more than 2,800 US companies are DPF-certified, allowing them to continue relying on the adequacy decision (Article 45 of the GDPR) as the legal basis for their transatlantic transfers Data Privacy Framework. However, while this prevents massive disruptions to data flows, the stability of the framework is not guaranteed. It must be actively monitored, given regulatory or judicial events that may disrupt it.

Plus, if Mr. Latombe can still appeal the General Court's decision to the CJEU, it is uncertain whether the CJEU would follow the General Court's reasoning. It should be recalled here that the CJEU has in the past held that adequacy decisions must be assessed on the basis of the legal and factual situation at the time of the appeal, while in Latombe, the General Court departed from this standard and stated that decisions must be assessed on the basis of the situation at the time of their adoption (i.e., under the previous administration). Finally, the European Commission could, in theory, decide to suspend or repeal the DPF if it considers in the future that US law no longer provides sufficient protection for European Economic Area personal data.