Friday, 22 September 2023

Responsibility in Joint Returns after WS and Others v Frontex: Letting the Active By-Stander Off the Hook


Melanie Fink and Jorrit J Rijpma

Melanie Fink is APART-GSK Fellow of the Austrian Academy of Sciences, Central European University and Assistant Professor, Europa Institute, Leiden University

Jorrit Rijpma is Professor of EU law, Europa Institute, Leiden University

Photo credit: Влада на Република Северна Македонија, via Wikimedia Commons

See also analysis of the human rights aspects of the judgment, by Francesca Romana Partipilo 

On 6 September 2023 the General Court delivered its long-awaited ruling in WS and others v Frontex. In a short and matter-of-fact judgment, it dismissed an action for damages by a Syrian refugee family against the European Border and Coast Guard Agency (Frontex). The family, escaping Aleppo at the height of the Syrian war in 2016, was returned to Turkey just days after their arrival in violation of the principle of non-refoulement. Their return was carried out as a joint return operation between Greece and Frontex. With the action brought before the General Court, they sought compensation from Frontex for its role in the violation of the principle of non-refoulement, as well as their degrading treatment in the return process.

After the many reports of fundamental rights violations at the external borders, including pushbacks, this was the first case in which Frontex came under judicial scrutiny for its role in potential violations. Earlier, a damning OLAF-report, demonstrating that the Agency had turned a blind eye to pushbacks in the course of operations it coordinated, had led to the resignation of its Executive Director.

Since its establishment, successive legislative amendments have consistently increased Frontex’s powers, short of transferring command and control over border guards and return officers. Yet, Frontex has always maintained that it cannot be held responsible for violations of fundamental rights as it merely acts as coordinator and facilitator in joint (return) operations. Wrongdoings in the context of joint operations, so Frontex, would be exclusively on the Member State in charge.

In an unsatisfactory judgment that fails to do justice to the plight of a refugee family that turned to the European Union for protection, the General Court now seems to confirm that stance. Doing so, it failed to acknowledge the role and obligations of Frontex during joint operations. Adopting an unreasonably and unnecessarily high threshold for the establishment of the causal link requirement, it also excludes almost any prospect of Frontex being accountable for any breaches of its obligations. After a brief overview of the judgment, we will discuss each of these points in turn. We refer to Regulation 2016/1624, which governed the activities of Frontex at the time of the return, even though it has been replaced with Regulation 2019/1896 in the meantime. However, the relevant provisions have not substantially changed.


The judgment

On admissibility, the Court rejected two arguments advanced by Frontex. First, it did not consider that it was called upon to make general statements of principle by ruling on the applicants’ damages claim. Second, it did not accept the argument that the applicants were barred from bringing an action for damages, as they could have brough an action for annulment against the letter of the Agency’s fundamental rights officers dismissing their complaint under the individual complaints’ mechanism. The Court held that these two actions do not preclude each other as they pursue different objectives, but explicitly left the question whether the actions of the Agency’s Fundamental Rights Officer within the framework of that administrative procedure constitute challengeable acts under Article 263 TFEU, which if they are would subject this procedure to judicial review by the Court.

On substance, non-contractual liability arises when three cumulative conditions are met: a sufficiently serious breach of a rule of EU law conferring rights on individuals, damage, and a causal link between the unlawful conduct and the damage. Reversing the order in which it assessed the conditions, the General Court dismissed the action based solely on the absence of a sufficiently direct causal link between the conduct of the Agency and the damage that was invoked. At the outset it had already recalled that the unlawful conduct would need to be the determining cause of the damage. It considered that the applicants wrongly departed from the presumption that without the alleged conduct by Frontex they would not have been returned. Here the General Court repeats Frontex’s mantra that it only provides technical and financial support. Most importantly, it emphasizes Frontex’s lack of competence to adopt a return decision or decide applications for international protection, leaving any liability with the responsible Member State.

The General Court skipped the question whether the return of the applicants and their treatment during the return procedure constituted a violation of EU law altogether. Although this may be interpreted as a sign of judicial economy, it is also a way to avoid having to pronounce itself on the behaviour of the Member State in question. In addition, the Court may have otherwise been required it to address the limits of its own jurisdiction under Article 276 TFEU, which precludes it from assessing the validity or proportionality of Member States’ law enforcement authorities.


The Role, Obligations, and Responsibility of Frontex

By virtue of Article 28 Regulation 2016/1624, Frontex is prohibited from ‘entering into the merits of return decisions’ because these ‘remain the sole responsibility of the Member States’. The Court rightly held that Frontex cannot be responsible for any potential unlawfulness of the return decision itself. As with any other national administrative decision, it would be for the Member State authorities to ensure its lawfulness.

Aside from the question whether a return decision was even taken under the Return Directive, and whether this decision was then lawful, the applicants’ allegations in the case go well beyond the decision itself. Frontex’s alleged wrongdoing concerns the implementation of the decision, despite clear indications of a risk of refoulement, and the degrading treatment of the applicants as the expulsion was carried out. This phase of the return process, i.e. the implementation of return decisions in the form of joint return operations, is a core competence of Frontex, which by virtue of Article 28(1) Regulation 2016/1624 renders ‘the necessary assistance’ to return operations and ensures their ‘coordination or […] organisation’.

This coordinating role comes with obligations. Concretely, Article 28(3) Regulation 2016/1624 explicitly states that ‘Agency shall ensure that the respect for fundamental rights, the principle of non-refoulement, and the proportionate use of means of constraints are guaranteed during the entire return operation’ (see also generally Article 34 Regulation 2016/1624). In addition, as an EU body, Frontex is bound by the EU Charter of Fundamental Rights, including the absolute prohibitions of refoulement in Article 19 and of inhuman or degrading treatment in Article 4. These rights are widely understood under European human rights law to include positive obligations that require authorities to actively ensure the protection of a right, for example by taking practical steps to protect a person against interferences by others. Frontex has a whole toolbox of means available to meet these obligations, including reporting and communication duties. As a last resort, Article 25(4) Regulation 2016/1624 requires the agency to withdraw, should violations of fundamental rights or international protection obligations occur that are serious or likely to persist.

Frontex conducts joint return operations together with the Member States. However, if it violates its own obligations under EU law, it bears responsibility that may be invoked through an action for damages. This responsibility is independent from any possible responsibility of the Member State who in turn bears responsibility for its own failures in the process (see also here). Not separating the return decision from its implementation, the Court failed to acknowledge the role of Frontex in the latter. In addition, shielding the agency from responsibility for a violation of its obligations in joint return operations emasculates these provisions, which also negatively affects the credibility of the EU as a rule of law advocate.


Causation and Joint Liability

An important complicating factor in this case, is the interplay between the actions of Frontex and the host Member State. Situations where more than one actor is involved in causing harm are not uncommon, but incredibly complex when it comes to allocating legal responsibility (see also here).

First, it might be unclear who is considered the ‘author’ of a violation, in other words, to whom the unlawful conduct is attributable. As a national administrative decision, the return decision is clearly attributable to the host state. Things are more complicated at the implementation level, where the actions of the host state and Frontex are more intertwined. However, since the Court did not separate the return decision from its implementation, the question of attribution played no role in the case.

The second difficulty concerns causation, that is the link between the unlawful conduct and the damage. The Court denies the existence of a sufficiently direct causal link between Frontex’s conduct and the harm complained of because Frontex lacks the competence to interfere with the return decision or grant international protection. In other words, in the Court’s view, the return decision is the cause for the applicants’ harm, not Frontex’s conduct. Underlying this argument seems to be an assumption that ‘exclusive’ causation might be required for liability to arise. This is also the view the General Court defended in the recent case Kočner v EUROPOL, a case currently under appeal with Advocate General Rantos suggesting the Court of Justice take a less restrictive approach to the causation requirement.

In the past, there have been cases in which the Court seemed accepting of the idea that the existence of an additional determining causes for a damage does not necessarily bar a finding of liability. In light of the coordinating nature of Frontex’s tasks, allegations of wrongdoing will usually, if not always, go hand in hand with (potential) wrongdoing by one or more Member States. If Frontex is not accountable simply because a Member State may have acted unlawfully too, this appears to exclude any reasonable prospect of Frontex being held accountable for breaches of its obligations. In fact, it would seem to stand in the way of joint liability between the Union and a Member State altogether, which has been recognised by the Court as early as 1967 and is a necessary means to ensure accountability in the EU’s multi-level administration (for more detail see here).



The Court, in limiting itself to an assessment of causality, failed to acknowledge a clear violation of one of the core tenants of EU refugee law, the prohibition of refoulement, as well as a range of safeguards laid down in EU secondary legislation. Frontex was present during this violation, and rather than intervened, contributed to it. All of this would not in itself have resulted in Frontex being held liable, but the argument that it is excluded because of a lack of competence regarding the decisions on return and international protection is flawed and lays bare a misconception of the practical reality of joint law enforcement operations as well as the role and obligations of Frontex under EU law in that context.

This judgment begs the question what Frontex’s fundamental rights obligations are worth in the absence of a meaningful way to enforce them. Even if a Member State could, at least in theory, be held responsible before the national judge, and ultimately before the ECtHR, that should not mean that the exercise of public power by a Union body should be allowed to escape judicial review. In a system of shared administration, which the management of the shared external borders has become, joint responsibility carries a need for joint liability.

This case shows how the ‘complete system of remedies’ fails to provide effective judicial control of public power in the EU's area of freedom, security and justice, which is characterised by integration through operational cooperation rather than law. Enforcement powers remain the Member States’ exclusive prerogative in name, but in practice are increasingly exercised jointly by the Member States and the EU. This judgment could have provided a welcome correction to this constitutional oversight. If upheld on appeal, it will reinforce the need for the long overdue accession of the EU to the ECHR.


The EU General Court’s judgment in the case of WS and Others v Frontex: human rights violations at EU external borders going unpunished



Francesca Romana Partipilo, PhD candidate in International Law at Sant'Anna School of Advanced Studies (Pisa) 


Photo credit: Rock Cohen, via Wikimedia commons

(see also critique of the judgment, by Melanie Fink and Jorrit Rijpma) 


On the 6th of September, the EU General Court dismissed a claim filed by a Syrian family who alleged to have suffered material and non-material damages – consisting in feelings of anguish, fear and suffering – at the hands of Frontex on the occasion of a return operation jointly carried out by the EU agency and the Hellenic Republic on the 20th of October 2016.


The case was filed in 2021, five years after the Syrian family was deported by plane to Turkey from the Greek island of Kos, despite having filed a request for international protection. The applicants, arrived on the island of Milos (Greece) on 9 October 2016 and subsequently deported to Turkey, maintained that, if Frontex had not infringed its obligations relating to the protection of fundamental rights in the context of joint operations – in particular the principle of non-refoulement, the right to asylum, the prohibition of collective expulsion, the rights of the child, the prohibition of inhuman and degrading treatment, the right to good administration and to an effective remedy – they would not have been unlawfully returned to Turkey and they would have obtained the international protection to which they were entitled, given their Syrian nationality and the situation in Syria at the material time. However, the Luxembourg-based court decided that, since Frontex does not have the competence to assess the merits of return decisions or applications for international protection, the EU agency cannot be held liable for any damage related to the return of refugees to Turkey. As explained by the EU General Court, Member States alone are competent to assess the merits of return decisions and to examine applications for international protection (para. 65). The judges added that, as regards return operations, under Article 27(1)(a) and (b) and Article 28(1) of Regulation 2016/1624, Frontex’s task is only to provide technical and operational support to the Member States and not to enter into the merits of return decisions.


At first glance, the judgment reveals an argumentative short-circuit. Whilst the examination of asylum applications undeniably falls outside Frontex’s competence, being attributed by EU law to the Member States of the EU, the imperative to respect human rights is contained in Frontex Regulation and in several other documents referring to the agency’s activities, thus representing a legal obligation which is binding on the agency. The fact that Frontex lacks the competence to examine the merits of asylum applications or return decisions does not exempt the EU agency from the respect of migrants’ human rights. As noted by the General Court itself (para. 63), “Regulation 2016/1624, in particular Article 6(3) thereof, provides that [Frontex] shall contribute to the consistent and uniform application of Union law, including the Union acquis concerning fundamental rights, at all external borders”. In addition, the Court stressed that “Article 34(1) of that regulation states that the European Border and Coast Guard shall ensure the protection of fundamental rights in the performance of its tasks under this Regulation in accordance with relevant Union law, in particular the [Charter of Fundamental Rights], relevant international law – including the 1951 Convention Relating to the Status of Refugees and the 1967 Protocol thereto and obligations on access to international protection, in particular the principle of non-refoulement’.”


In addition to the legal instruments binding Frontex to the respect of fundamental rights in its operations, references to human rights have been incorporated into Frontex official documents or press releases since the first years of its operations. For instance, in the annual report for 2008, for the first time, Frontex specified that “[f]ull respect and promotion of fundamental rights […] is the most important corner stone of modern European border management”. Similarly, the 2009 annual report stated that “full and sincere respect of fundamental rights is a firm and strategic choice of Frontex”. More recently, the now disgraced former director of Frontex, Fabrice Leggeri, declared that Frontex was “determined to uphold the highest standards of border control within [its] operations [and] to further strengthen the respect of fundamental rights in all [its] activities”.


In the light of these observations, it needs to be noted that Frontex’s actions in the case of WS and Others v Frontex could have resulted in chain (or indirect) refoulement. Considering that Turkey adopts substantial geographical limitations to the definition of refugee contained in the Refugee Convention, the country may not be considered a “safe third country” where asylum claimants can effectively apply for international protection. In fact, at the time of the ratification of the Additional Protocol to the Refugee Convention, in 1968, Turkey opted for a geographical limitation pursuant to Article 1b of the Convention, limiting the scope of the Convention to “persons who have become refugees as a result of events occurring in Europe”. Consequently, only asylum-seekers fleeing “events occurring in Europe” can enjoy refugee status in Turkey. This is confirmed by the circumstance that Turkey does not grant the status of refugees to people fleeing the war in Syria, but only offers them a form of temporary protection, pursuant to the Turkish Law on Foreigners and International Protection.


It should be noted that Turkey is a signatory of the European Convention of Human Rights, and thus legally bound by Article 3, prohibiting torture and inhuman or degrading treatment or punishment. As well known, in Soering v The United Kingdom the ECtHR established that, pursuant to Article 3, expulsion to torture is never permitted, even in cases where the returnee is not an asylum-seeker or refugee. Accordingly, Article 3 ECHR could have represented a solid legal basis for the protection of the applicants in the case of WS and Others v Frontex, even in the absence of a formal refugee status. Nonetheless, it should also be recalled that, in July 2016, following a failed coup, Turkey had declared a state of emergency and submitted a formal notice of derogation from the ECHR, under Article 15 of the ECHR. Whilst Article 3 ECHR belongs to the list of non-derogable rights, Turkey exploited the state of emergency to introduce a series of amendments to the Law on Foreigners and International Protection, including substantial changes relating to deportation orders and the suspensive effect of appeals against such orders. As a result of the amendments introduced in 2016, a deportation order could be issued at any time to certain applicants/holders of temporary protection (e.g. people suspected of being supporters of a terrorist organization or people who posed a public security threat, in the eyes of the government). For these groups of people, the appeal procedure no longer had a suspensive effect, therefore increasing the risk of refoulement, as noted by Amnesty International. As a consequence, it appears evident that people forcibly expelled to Turkey in 2016 could have suffered chain (that is indirect) refoulement to their countries of origin. Interestingly, this danger was explicitly acknowledged by the EU General Court itself, in the paragraph of the judgment where the Court noted that applicants feared “being returned to Syria by the Turkish authorities” (para. 68). Finally, it has been repeatedly noted that “procedural safeguards that are in place within the EU are not applicable to Turkey, leading to instances where the guarantees to the right to life and prohibition against torture are denied in direct violation of the principle of non-refoulement in the human rights context”. On the basis of such observations, it is evident that Frontex’s return operation was, at the very least, problematic under both EU and international law.


Under a different perspective, the case of WS and Others v Frontex reveals that the responsibility for human rights violations at EU borders may arise as a result of joint actions of States and international organizations (or their agencies). In these instances, interesting questions arise regarding the rules of attribution of conduct, the content and implementation of international responsibility. In the case at hand, while Frontex was under the legal obligation to respect the human rights of asylum-seekers under its jurisdiction and the principle of non-refoulement, Greek authorities had the duty to examine their application for international protection. In fact, as recalled by the European Court of Human Rights in the case Sharifi v. Italy and Greece (appeal no. 16643/09), failure to access the asylum procedure or any other legal remedy within the port of disembarkation constitutes a violation of Article 4 of Protocol no.4 (enshrining the prohibition of collective rejections). In that judgement, the Court highlighted the link between the collective expulsions of the applicants and the fact that they had been prevented from applying for international protection.


It should be mentioned that Greece has not ratified Protocol no.4 of the ECHR and therefore cannot be held responsible of a violation of its Article 4. Nonetheless, although not formally bound by Protocol no.4, Greece could still be held responsible of a violation of the Asylum Procedures Directive as well as the Dublin Regulation III, requiring Member States to allow asylum-seekers effective access to an asylum procedure which hinges on exhaustive and comprehensive information, as stressed by the ECtHR in Sharifi and Others v. Italy and Greece (para. 169).


With regard to the issue of shared responsibility, it is interesting to note that, alongside the complaint against Frontex before the EU General Court, the Syrian family also filed a complaint against the Hellenic Republic before the European Court of Human Rights. In this submission, the family alleged the violation of Articles 5(1), (2), and (4) of the European Convention on Human Rights, Article 4, Article 3, and Article 13 taken together with Articles 3 and 5 of the Convention. This choice was probably motivated by the circumstance that – as stated above – Greece has not ratified Protocol No. 4 of the ECHR. Apparently, the submission resulted in a friendly settlement between the family of asylum-seekers and the Hellenic Republic, pursuant to Article 39 of the Convention.


In conclusion, whilst human rights activists hoped that the case of WS and Others v Frontex would set an important precedent, the judgment of the General Court is both worrying and discouraging. It appears that Frontex got away – once again – with human rights violations. Since its creation, in fact, Frontex has received a considerable amount of criticism. In particular, observers and legal scholars have raised questions about whether and how core fundamental rights, particularly the right to life, the respect of human dignity, the right to an effective remedy and the right not to be sent back to torture, persecution and inhumane treatment (the principle of non-refoulement), are safeguarded at Europe’s external borders. In June 2021, the ONG Sea Watch published a report where it maintained that “[a]erial reconnaissance enables Frontex to gather extensive knowledge about developments in the Central Mediterranean Sea and relay information about boats in distress to the “competent authorities” […] When spotting a boat in the Libyan search and rescue zone, Frontex […] often only informs the Libyan authorities […], despite NGOs or merchant vessels also being in the vicinity. By forwarding the information to the Libyan Joint Rescue Coordination Centre and sometimes even directly guiding the so-called Libyan Coast Guard to the position of a boat, Frontex coordinates and facilitates the interceptions and pullbacks of people in distress to Libya”. Regrettably, the case of WS and Others v Frontex will be remembered as just another episode in which the EU agency disregarded its obligations and violated asylum-seekers human rights at European external borders without incurring in legal consequences.

Thursday, 14 September 2023

The EU’s New Pact on Migration and Asylum: three key arguments



Lilian Tsourdi, Assistant Professor, University of Maastricht

 *Photo credit Délmagyarország/Schmidt Andrea


The New Pact on Migration and Asylum is the EU’s latest policy framework on asylum, migration, and border management policies, and the series of legislative proposals that accompany it. Its stated aim is to establish ‘seamless migration processes and stronger governance’. Negotiations on the Pact legislative instruments have been ongoing since September 2020.


The European Parliament (April 2023) and the Council of the European Union (June 2023) recently adopted negotiating positions on two key instruments: the Asylum Procedures Regulation (APR) that reforms rules on asylum determination and related rights, and the Asylum and Migration Management Regulation (AMMR) reforming the EU’s system on allocating responsibility for processing asylum claims and establishing a solidarity mechanism.


This commentary develops three key arguments: i) while not inherently negative, the Pact’s seamless migration processes are in fact geared to externalising protection obligations thus undermining fundamental rights; ii) the Pact instruments pay greater attention to the policies’ administrative design and carry potential to enhance implementation; iii) the Pact instruments contain a vision of flexible solidarity that remains linked with pressure and misses the mark of fair sharing. 



Externalization as the red thread


Creating seamless migration processes is not inherently negative. This approach acknowledges the intricate links between different policies at the operational level, especially at border areas. The UNHCR had voiced the need for swift identification at the external borders, differentiation between categories of persons making up mixed flows, and referral to an appropriate procedure, as early as 2007 through its so-called Ten Point Plan.


Nonetheless, the Pact’s seamless migration processes are in fact geared to externalising protection obligations thus undermining fundamental rights. First, the Pact instruments establish accelerated screening, asylum, and return procedures at the external borders with curtailed procedural guarantees. Combined with logistic constraints (e.g. facilities, access to counsel) they risk undermining migrants’ (procedural) rights. The instruments also blur the lines between deprivation of liberty and restrictions to the freedom of movement and could lead to the propagation of widespread de facto detention.


Next, the latest negotiating position of the Council on asylum procedures expands the use and scope of the safe third country concept. Where third counties have either not ratified the 1951 Refugee Convention or retain a geographical limitation to its scope (the latter is the case for Turkey for example) the APR introduces the notion of having access to effective protection instead as part of the third country safety assessment. The provisions contain minimal guarantees to ascertain what effective protection entails, which establish standards below those foreseen by the 1951 Refugee Convention.  


In parallel, migration management has been streamlined in the EU’s external relations affecting areas such as development and trade. One way the EU is establishing these linkages is through making access to funding for non-EU countries conditional to cooperation on migration management objectives. The ‘deal’ with Tunisia spearheaded by the EU, Italy, and the Netherlands is the most recent illustration.


A greater attention to the system’s governance


One of the main ills of the EU’s asylum policy is its lack of attention to the administrative dimension. The current administrative design allocates the vast majority of operationalisation obligations – including financial ones – to Member States with different levels of economic development and different conceptualisations of welfare.


The Pact instruments recognise, more adequately than previously, the policies’ implementation dimensions. The Council positions on the AMMR and the APR highlight the opportunities generated through EU funding and EU agencies to implement policy. Nonetheless, the Pact instruments fail to adequately regulate the implications of agency involvement in implementation, while the current design of the EU budget (Multi-Annual Framework 2021-2027) precludes the existence of truly structural forms of EU funding.


Next, the AMMR and APR provide a structured approach to define Member States’ relative capacities and to apportion responsibilities in some areas (e.g. implementing border procedures) on this basis. The triggering of solidarity measures is also linked with quantitative and qualitative indicators that, overall, seem to be well suited to provide a holistic picture and assess relative pressure.


Finally, the Council negotiating position on the AMMR foresees new permanent governance mechanisms, such as annual High Level EU Migration and Technical Level EU Migration fora that are meant to play pivotal roles in animating inter-state solidarity through pledges. Such permanent structures, mirroring UN level processes, seem more apt to establish effective and predictable inter-state cooperation compared to ad hoc bargaining and emergency-driven responses.   


An inadequate vision on solidarity


The AMMR largely keeps intact the basic premises of the current ‘Dublin system’, EU’s responsibility allocation system. In brief, Dublin allocates responsibility to the state primarily ‘responsible’ for the person’s presence in the EU. In practice, this should mean the state of first irregular entry to the EU territory is responsible. However, states have sought to evade their Dublin responsibility (by not registering asylum applications for example) and asylum seekers move clandestinely through the EU and evade Dublin procedures.


To counter this, the AMMR Council negotiating position aims for a more predictable operationalisation of inter-state solidarity through annual Member State pledges. Nonetheless, solidarity measures, gathered under the framework of a so-called Solidarity Pool, are still meant to be triggered in situations of pressure.


The Solidarity Pool will consist of i) relocations (i.e. organised intra-EU transfers) of asylum seekers or recently recognised beneficiaries of international protection or of migrants under a return obligation; ii) direct financial contributions provided by Member States aimed either at boosting Member State or third country capacities in the areas of asylum, migration, or border management; iii) alternative contributions such as capacity building, staff support, equipment etc. All these contributions are meant to be ‘considered of equal value’.


In breaking with the past, solidarity has a mandatory character in the sense that Member States are to annually contribute their fair share that will be calculated through a formula that takes to account their population size (50% weighting) and their total GDP (50% weighting). Nonetheless, to appease Member States that opposed relocation, the Pact instruments foresee that Member States retain full discretion in choosing between the types of solidarity measures they will contribute.


Overall, the Pact’s approach is likely to miss the mark on fair sharing. While creating permanent governance structures, the Pact continues to link the activation of solidarity with pressure. Thus, instead of establishing structural fair sharing, solidarity remains a palliative solution. Next, it is unlikely that capacity building activities in third states, or sharing of personnel and equipment, will be considered by the benefitting Member States as having equivalent impact on the ground as people sharing.


The Long and Winding Road Ahead


June 2023 saw one of the deadliest shipwrecks involving migrants seeking to reach the EU’s shores with more than 500 persons missing and presumed dead off the coast of Pylos in Greece. Unfortunately, such unnecessary loss of life is being normalized with IOM reporting over 27,500 missing migrants in the Mediterranean alone since 2014. Action to reform the EU’s migration policies is imperative.    


EU official cycles hailed the Council’s early June negotiating position as a breakthrough. The timing of the forthcoming European Parliament elections, scheduled for June 2024, generates additional impetus for the EU’s co-legislators to reach compromise positions in the next months. Nevertheless, political rifts remain intense with Poland and Hungary blocking a joint political statement of Heads of State on migration during the late June 2023 European Council meeting.


What promise do the Pact instruments carry? They pay greater attention to policy implementation, governance structures, and the operationalisation of solidarity. Nevertheless, by prioritizing externalization, and by seeking to appease a limited number of Member States that seem to oppose (inter-state solidarity in) migration, they are likely to undermine migrants’ fundamental rights, while missing the mark on fair-sharing. A reform that will fail to deliver results, risks enhancing polarization in migration matters.


Legislative developments in the EU echo the UK’s recently adopted Illegal Migration Act. They testify to Europe’s increasingly defensive policy stance in migration. It is to be hoped that future policy will eventually aim at mutually beneficial partnerships with third countries, migrant, and local populations that move beyond Eurocentric frames to meaningfully address the different components of migration processes and aim at co-development. 



Wednesday, 2 August 2023

The risk of circumvention of EU sanctions through the immediate family of leading businesspersons and the CJEU’s case law



Antje Kunst*

*Antje Kunst is an international lawyer and barrister of Pavocat Chambers, admitted to the bar of England and Wales and the Bar of Berlin advising and representing individuals in a wide range of matters related to the CFSP ranging from EU employment cases to EU and international sanctions against individuals.

***Comments of academic researcher of the University of Luxembourg, Ms. Francesca Finelli were gratefully received. All views contained in this article, however, remain those of the author alone.

Photo credit: W Bulach, via Wikimedia Commons


The inclusion of family members in the categories of persons covered by EU targeted sanctions against Russia has been justified, in the Council’s view, for maximising the effectiveness of those sanctions. The inclusion of family members of leading businesspersons aims to prevent the circumvention of EU targeted sanctions (in the forms of asset freeze) by the transfer of assets between targeted leading businesspersons and their immediate family.

Updating the EU sanctions regime against Russian businesspersons


The EU's targeted sanctions against Russia's economic elites introduced on 5 June 2023 a short but significant amendment to its current sanctions regime. It extended the scope of the sanctions regime through Council Decision (CFSP) 2023/1094 (‘Council decision of 5 June 2023’) to permit the designation of immediate family members of leading Russian businesspersons operating in Russia. There are in other words now EU legal acts in place which allow for the adoption of EU sanctions against the sons and daughters, spouses and parents of Russian oligarchs based on the autonomous designation criterion of immediate family members of leading Russian businesspersons operating in Russia. (In 2015 the Council introduced the ‘leading businessperson operating in Syria’ as an autonomous general listing criterion. See Council Decision (CFSP) 2022/329 and Council Regulation (EU) 2022/330 of 25 February 2022 on the criterion of ‘leading businesspersons’.) Family members of Russian leading businesspersons have been put on the lists since early 2022 but under different grounds.

The Council’s reason for the recent amendment, undoubtedly owing to the initial rulings on Russian sanctions from the General Court in recent months (Case T-743/22 R, Nikita Dmitrievich Mazepin v Council, Order of 1 March 2023 and Case T-212/22, Violetta Prigozhina v Council, ECLI:EU:T:2023:104), is that ‘leading Russian businesspersons have engaged in a systematic practice of distributing their funds and assets amongst their immediate family members and other persons, often in order to hide their assets, to circumvent the restrictive measures and to maintain control over the resources available to them’ (Recital 5 of Council Decision 2023/1094  of 5 June 2023).

The amendment was prompted, in particular by the successful annulment of the listing in Case T-212/22, Prigozhina, which was initiated by the mother of the head of the Wagner Group. In that case, the General Court emphasized that in a legal framework such as the Syrian sanctions regime (after 2015: see Council Decision (CFSP) 2015/1836 of 12 October 2015 and Council Regulation (EU) 2015/1828 of 12 October 2015), the family link with ‘certain families’ may be sufficient to include the name of the persons on the lists at issue. In Prigozhina however, so the General Court, the EU legal acts setting out the framework for EU sanctions as a result of the invasion of Ukraine by Russia, did not refer to the members of ‘certain families’. That is why the Council had not established the risk of circumvention (para. 105 of the judgment). Another main reason was that the Council could not prove a sufficient ‘association’ with the primary target beyond mere family ties.

The curious nature of words

With this most recent amendment of the framework in June 2023, the chosen wording is of particular note. It refers to the possibility of the inclusion of immediate family members of leading businesspersons operating in Russia, even if the question is what exactly immediate family members are. Also, the Council does not refer to members of ‘certain families’ as it previously did as regard sanctions taken against Syria. Rather, the Council’s wording vis-à-vis Russia it appears to imply a presumption of circumvention through immediate family members of leading businesspersons operating in Russia.

In the Syrian sanctions framework since 2015, the EU legal acts have explicitly provided for the freezing of funds of ‘leading businesspersons operating in Syria’ and ‘members of the Assad families or Makhlouf’, as well as persons ‘associated with them’ (Council Decision (CFSP) 2015/1836 and Regulation (EU) 2015/1828). In this context, presumptions are used (by the Council) and accepted by the CJEU (see for example C‑458/17 P, Rami Makhlouf v Council, ECLI:EU:C:2018:441, para. 91, Case T‑186/19, Zubedi v Council, ECLI:EU:T:2020:317 para. 72; Case T‑256/19, Bashar Assi v Council, ECLI:EU:T:2021:818 para. 166) that individuals falling under these categories benefit from the sanctioned regime in order inter alia ‘to avoid the risk of circumvention of restrictive measures through family members’ (Recital 7 of Council Decision (CFSP) 2015/1836). 

Testing the presumption of circumvention

The question, therefore, is whether the Court of Justice – on appeal from a raft of judgments that the General Court will continue to deliver in the immediate future, in the context of the Russian sanction regime – would accept a (new) rebuttable presumption of circumvention (see Case T-5/17 Sharif v Council, EU:T:2019:216, para. 86), i.e., that the Council can legitimately presume leading businesspersons operating in Russia will transfer assets within their immediate family to circumvent EU sanctions (see paras. 103–110 of that judgment).

There is no reference to ‘certain families’ in the EU sanctions legal framework as was the case in the Syrian sanctions regime. Thus, the Court of Justice might not so easily accept a presumption of circumvention based on a sole family link (taken in consideration the Court of Justice’s Tay Za reasoning, and the Advocate General’s Opinion). It is only if the Council could provide solid evidence that there is indeed a ‘systematic practice of distributing their and assets amongst their immediate family members’ (see Recital 5 of Council Decision of 5 June 2023), that the Court of Justice might accept the Council’s rationale, accounting for fundamental rights too.

This information of a ‘systematic practice’ of circumvention might be in the Council’s possession, but it might not be possible to disclose the evidence based on its classified nature. The alternative is disclosing classified evidence, which the Council may be reluctant to do. The Court of Justice’s closed evidence procedure (under Article 105 of the General Court’s Rules of Procedure), introduced as a possibility for use in restrictive measures cases, to date, remains inactive, and has never been utilised.


Immediate family members have been included in EU sanctions lists since early 2022 as ‘associated’ with leading Russian businesspersons in their individual statements of reasons. In Prigozhina, the Council was not able to establish ‘(economic) association’ of the mother of the chief of the Wagner Group at the time the measures were adopted, and sufficiently link her to her son, the primary target, and the Russian government. Thus, the General Court relied on its established case law of Tay Za regarding an ‘association’ which considers a mere family tie to the primary target, a business leader, associated with the government not sufficient. That said, the General Court in Prigozhina ruled that there is a ‘non-negligible risk’ that individuals providing support to the government, e.g., leading businesspersons, might exert pressure on individuals associated with them, e.g., their family members, in order to circumvent the effect of the measures to which they are subject (para. 105 of the Prigozhina judgment. See also Amer Foz v Council, Case T-296/20 ECLI:EU:T:2022:298, paras. 174 and 176, Sharif v CouncilT-540/19, not published, EU:T:2021:220, paragraph 159, and, by analogy, judgment of 4 September 2015, NIOC and Others v CouncilT-577/12, not published, EU:T:2015:596, para. 139).  

Businesspersons vs rulers

Generally speaking, the case law of the Court on the legality of family members’ designations is characterized by two main approaches. Regarding family members of leading businesspersons, their designation would be annulled if based on the sole ground that the family member also benefits from the economic policies of the government (Tay Za approach). Regarding the family members of rulers of a third country, their designation would be lawful by a presumed connection between the individual and the (targeted) regime (Al Assad approach). The case law has been though at times inconsistent. For a broader analysis on circumvention of EU restrictive measures, see Francesa Finelli, ‘Countering Circumvention of Restrictive Measures: The EU Response’.

In Al-Assad, another Syrian ‘immediate family member’ case (concerning the President’s sister), the Court of Justice found that the presumed risk of circumvention was ‘quite obvious’ between leaders of a state and their immediate family members. It also observed that, if the EU sanctions in question targeted only the leaders of the Syrian regime, the objectives pursued by the Council could have been frustrated as the leaders can ‘easily circumvent’ those measures by means of their relatives and associates.

The Al-Assad approach has generally not been followed by the CJEU in the case of immediate family members of leading business persons (see Tay Za) but only in cases of ‘immediate family members’ of rulers of a third country (see Butler, G 2023, 'Of Rulers, Relatives, and Businesspersons: The Imposition of EU Restrictive Measures through Sanctions on Family Members', Legal Issues of Economic Integration, vol. 50, no. 4). The rationale is explained by Advocate General Mengozzi in his Opinion in Tay Za with three circles of targeted individuals, which has been accepted by the CJEU. In the Syrian sanctions case of Foz, the CJEU  accepted the presumption of a real risk of circumvention, in a case of an immediate family member of a leading business person operating in Syria case.  The Court of Justice ruled in that case that it is reasonable to presume a ‘real risk of circumvention’ if a family member has close business and family ties with a designated individual, even when the designated person is a leading businessperson and not a political leader in Syria. Moreover, it found that family ties may pose a real risk of circumvention of EU restrictive measures, irrespective of the role of the designated individual in the targeted regime (see Finelli, ‘Countering Circumvention of Restrictive Measures: The EU Response’).

The relevance of presumptions

Generally, the CJEU has accepted indirect evidence such as rebuttable presumptions in view of the difficulties encountered by the Council to find direct evidence (see para 46 Anbouba v Council, C-605/13 P, ECLI:EU:C:2015:248) for the fact than an individual like an immediate family member of a primary target supports a regime or benefits from it. In Syrian sanctions cases, since 2015, the Council consistently relied on and the Court of Justice accepted rebuttable presumptions rather than evidence that they have engaged in prohibited conduct. Their designation presupposes the personal link between them and the already designated individuals, and ultimately the third country’s regime targeted.

Consistent case law of the Court of Justice provides that the use of presumptions is only permitted on the condition that (i) those presumptions have been provided for by the measures at issue, (ii) are consistent with the objective of the legislation at issue, (iii) proportionate to the aim pursued by the EU, (iv) rebuttable and (vi) safeguard rights of defence are safeguarded (see Case T‑714/20, Ovsyannikov v Council, ECLI:EU:T:2022:674).

The Council will need to establish that the inclusion of immediate family members of Russian business leaders is proportionate to the pursued aim of inter alia preventing circumvention of the sanctions imposed.

At the moment it is unclear whether the Court implied in the case of Prigozhina that the ‘real risk of circumvention’ through family members can only be invoked in the context of EU sanctions against Syria (see Finelli, ‘Countering Circumvention of Restrictive Measures: The EU Response’). The established case law of Tay-Za provides there can be no presumption that leading businesspersons with links and association to a governing regime are using their family members for circumventing EU sanctions (see Butler, 'Of Rulers, Relatives, and Businesspersons’).

The Court of Justice has accepted presumptions if they are rebuttable, but rebuttals for targeted individuals are immensely difficult and have not been successful in most Syrian sanctions cases before the Court of Justice since the presumptions were introduced (see the Zubedi and Bashar Assi judgments).

The family member would have to demonstrate to the Council that s/he has dissociated himself from a parent, child – the primary target – and that s/he does not pose a real risk of circumvention of the restrictive measures. Rebuttals may be possible based on evidence that immediate family members do not assist the primary target to have access or continue controlling the assets.  A difficult task.

The risk of circumventing EU sanctions

The risk of circumvention is considerable in the case of leading businesspersons operating in Russia and their immediate family and the Court of Justice might well opt in developing its case law further for the Russian sanctions context instead of simply continue applying its Tay-Za case law. Similarly, as in the RT France case, it might opt for an exceptional reasoning due to exceptional circumstances. It might even apply its case law on the immediate family of rulers, rather than on the immediate family of leading businesspersons, finding that in certain exceptional cases leading businesspersons are comparable to rulers in the Russian context.

A balance will have to be struck by the Court of Justice between the fundamental rights of the targeted immediate family members, who might pose no risk of circumvention whatsoever and the difficult task to rebut presumptions, on the one hand, and the importance of the effectiveness of targeted sanctions against Russia, accounting for the Council’s ability in certain cases to rely on presumptions on the other hand (for the reasons it set out in its case law (e.g., in Anbouba v Council, para. 46). A general blunt presumption of circumvention of sanctions in cases of immediate family members of leading businesspersons operating in Russia is unlikely to be accepted by the Court of Justice.

Friday, 14 July 2023

Is the UK data protection authority giving free pass to big tech giants?


Asress Adimi Gikay (PhD), Senior Lecture in AI, Disruptive Innovation and Law (Brunel University London)

Photo credit: 

In the online space, it is perhaps difficult to find a more empty promise than “we value your privacy.“ Businesses promise to preserve our data privacy rights, but in reality, they have neither the carrot, nor enough sticks, to make them respect data protection rules. This holds true even in the European Union (EU), where the most comprehensive data protection legislation—the General Data Protection Regulation (GDPR)— failed to satisfactorily deliver on its promise to protect the fundamental rights of citizens.  As businesses openly flout data privacy laws, regulators either struggle to adequately enforce the law or wilfully ignore infractions.

The UK’s data protection authority— the Information Commissioner's Office (ICO)— has succumbed the most to its ambition of promoting innovation and economic growth while simultaneously protecting data protection rights. Unfortunately, the drive to appeal to businesses has reduced data privacy rights to mere buzzwords, not just in the business world but also within the ICO itself.

As a result, the authority's enforcement record defies the primary objective of protecting the public's data privacy rights, displaying an unexplainable leniency towards corporations. I argue that this indefensible record of the ICO’s underscores the authority’s insistence on operating with failed enforcement policy.

The ICO’s enforcement track record—the numbers don’t lie

During the 2021-2022 fiscal year, the ICO reported receiving 35,558  data privacy violation complaints. The complaints were diverse including companies refusing to delete individuals’ personal data or processing their data without consent. Sometimes, organizations infringed the individual’s right to access their own personal data, contrary to what the data protection legislation requires.

Similarly, in the 2022-2023 financial year, a total of 27,130  complaints were filed with the ICO, excluding data from the most recent financial quarter, yet to be reported by the authority. Out of the 62,688 complaints filed over a span of two years, the authority levied only 59 monetary penalties. This means that only approximately 0.094% of the complaints led to real consequences— organizations being sanctioned for breaching data protection rules.

The ICO closed most of the complaints alleging insufficient information to proceed with the complaints or lack of evidence of infraction. It resolved numerous cases through discussions with infringing companies. In such cases, the authority recognises the presence of  infringement by the organization but does nothing concrete other than what it describes as “informal action taken.”

Due to the ICO’s practice of not disclosing comprehensive details about these cases, except for summaries that serve more statistical purposes, the public tends to perceive the authority as prioritizing business interests over safeguarding data privacy rights. Interestingly, this public perception aligns with the available evidence.

The broader context

The enforcement of the GDPR has been unsatisfactory across the EU, since the implementation of what has been described as a breakthrough law, that promised to empower people in the digital world, through giving them more control on their personal data. Even when applying a more forgiving standard, the ICO's enforcement record remains unsatisfactory. Between 2018 and 2022, it levied around 50 monetary penalties, while German and the Italian authorities imposed 606 and 228 penalties between 2018 and 2021.

The ICO is generally passive compared to its European counterparts. In a notable case, the French authority, Commission Nationale de l’Informatique et des Liberté  (CNIL) fined Meta and Google €60 million and €150 million respectively in 2021 for their illegal use of cookies. Despite engaging in similar unlawful data collection practices in the UK, the companies made changes to their cookie-based data collection practices in the UK only while complying with the French ruling. They faced no threat of sanction in the UK.

The ICO's consistently poor enforcement record clearly undermines public confidence in the authority. In its 2022 annual report, the authority itself acknowledged getting the lowest score in complaint resolution in a 2021 customer survey it backed. An independent review—Trustpilot— rates the authority at 1.1 out of 5. This is based on self-initiated reviews conducted by members of the public, some claiming that the ICO prioritizes business interests rather than protecting privacy rights.

Unfit enforcement policy— corporate free pass

The lack of adequate data protection law enforcement in the EU has been explained by resource constraints.  For example, a report by the Dutch ombudsman highlighted that the relevant authority in the country had 9,800 unresolved privacy complaints at the end of 2020. And according to the Irish Council for Civil Liberties, “almost all (98%) major GDPR cases referred to Ireland remain unresolved”— in part due to lack of budget and sufficient specialist staff.

However, the ICO is considered to be a relatively resourced authority. It also has the ability to impose substantial fines that could finance its operations. So, it is unlikely that resource constraints explain its inadequate enforcement record. The ICO’s enforcement policy is largely culpable. 

The authority’s risk-based approach prioritizes a softer approach to ensuring compliance, reserving enforcement actions to violations that are likely to possess the highest risk and harm to the public. Enforcement action includes requiring an offending organization to end violations and comply with relevant rules through enforcement notice and issuing penalty. The ICO considers several factors in determining whether imposing a penalty is appropriate, including the intentional or repeated nature of the breach, the degree of harm to the public, and the number of people impacted.

In practice however, the authority exercises discretion even in cases of intentional and repeat violations impacting millions of people. For example, numerous companies illegally collect consumers’ personal data using cookies.

By tracking a user's browsing behavior, third-party cookies, known as tracking cookies, usually gather information that is enough to identify the person behind a device. Besides visits to particular web pages, they can record a person’s search queries, goods or services purchased, IP address and location.

From this, it is possible to infer a person's name, nationality, language, religion, sexual orientation, health condition, and other intimate details – most of which are considered special categories of personal data. These types of data cannot be processed without the individual's explicit consent, unless limited exceptions apply. Whilst these data could be used, for example for marketing health products, insurance companies could also use them to assess premiums, in a manner unknown and detrimental to the interest of the individual.

To its credit, the ICO has fined Easylife Ltd £1.35m which has later been reduced to £250,000 for using personal data to profile medical conditions without consent, to target individuals with health-related products. But the authority does not seem to recognise that it takes a simple switch to transition from inferring personal data from browsing behavior using cookies to profiling health conditions.

Cookies-based unconsented data collection is illegal and potentially poses a serious harm to the public, as companies could process special categories of data in a detrimental manner. Unfortunately, companies openly violate cookies-related legislations in the UK with impunity.

The ICO also shows unwarranted leniency towards tech companies repeatedly violating data protection rules. In one fiscal year (2022/2023), the ICO found evidence of Google UK’s potential infringement or infringement of the law more than 25 times,  in separate complaints. But the authority claims to have taken informal actions, essentially advising the company to do better work to comply.

Google UK's infractions include refusal or delaying to delete personal data upon request by individuals exercising their right to be forgotten. Meta Platform(formerly Facebook Inc.) received 20 compliance suggestions, after evidence of its infringement or potential infringement has been found, while Microsoft and Twitter each received the same soft compliance advices 8 times, in the same year.

In all these cases, taxpayers go through the stressful process of demonstrating that their data protection rights were violated, providing evidence of infringement by big tech companies. Yet the ICO consistently chose to be lenient to companies that obviously do not mind being told repeatedly that their data protection practices are non-compliant. The authority has essentially transformed itself into a legal advisory office for tech companies, neglecting its role as an overseer.

Data protection law inherently creates hurdles for individuals seeking compensation for privacy rights violations. In 2021, the UK's highest court ruled that without evidence of material damage or distress, mere loss of control over personal data is not compensable under the GDPR. This effectively forces individuals to wait for a recognized harm to occur due to violation of their data privacy rather than preventing it. The ICO, which should deter privacy violation, is unfortunately impotent as well.

The need for policy change

The ICO's enforcement policy heavily relies on collaboration with regulated entities rather than utilizing effective sanctions to deter repeat violations. This approach aims to support the digital economy by avoiding excessive enforcement of data protection rights and fostering data innovation. In theory, it should attract businesses to the UK, create jobs, and stimulate economic growth. However, the policy is currently being misapplied to serve the interest of big tech companies.

The companies repeatedly violating data protection laws do not necessarily contribute to digital innovation exclusively in the UK, while most of them are not strategically positioned to provide job opportunities in the country. But the UK remains their crucial consumer market. As such, sanctioning them is unlikely to change their business decisions and behaviour.  In the event of firm and measured enforcement actions, these companies will be left with no choice but to adhere to the rule of law, considering the market they operate in is one they cannot afford to lose.

The ICO’s failure to effectively enforce data privacy laws risks eroding public trust. It could also discourage data innovation, as the public might refuse to provide data for research and innovation, which could in turn negatively affect the digital economy.