Asylum Pact 2.0: the EU moves towards more stringent rules on ‘safe third countries’ and ‘safe countries of origin’

 

Steve Peers, Professor of Law, Royal Holloway University of London

Photo credit: Steve F, via Wikimedia Commons

 

Introduction

The EU’s asylum pact, agreed in 2024, is mostly not fully in force yet; it will largely apply from 12 June 2026. But even before that date, the EU is planning to make its rules more stringent – and even to apply some of them in advance. The prospect of these planned changes moved closer recently, as both the European Parliament and the EU Council, ie Member States’ ministers firmed up their negotiation positions on two separate proposals, and may negotiate an agreed final text of them both in the near future.

This blog post summarises the proposals in their context, and then examines the proposed amendments coming from the EP and the Council, concluding with an assessment of the main issues arising from the negotiations – including the prospect of a ‘Rwanda clause’ in EU law, mirroring the last UK government’s attempt to designate that country as ‘safe’ even for asylum-seekers who had not travelled through it, and the European Parliament’s suggestion to curtail judicial review in a way that would obviously breach the EU’s Charter of Fundamental Rights.

 

Background

The EU asylum pact includes a Regulation on asylum procedures (which I previously discussed here), replacing the current Directive on asylum procedures, dating from 2013, which sets out detailed rules on the processing of asylum applications. These include rules on both supposedly ‘safe countries of origin’ (countries which asylum-seekers originate from) and supposedly ‘safe third countries’ (countries other than the countries of origin, which asylum-seekers ‘should’ apply for asylum in instead).

Variations of these two concepts have existed in EU law for a long time, dating back initially to 1992 in the form of the London Resolutions of Member States’ ministers (see here and here). The concepts then appeared in the initial 2005 asylum procedures Directive, since replaced by the 2013 version of the rules. Although the asylum pact Regulation adopted in 2024 made these rules more restrictive for asylum-seekers, this was deemed insufficient, hence the move to change the rules in the pact already.

 

‘Safe countries of origin’

Current rules

The 2013 rules provide that a country can be considered a ‘safe country of origin’ for non-EU asylum seekers if it meets specified human rights standards, taking account of country of origin information from various sources such as the UNHCR and EU asylum agency. Use of this rule is currently an option for Member States. The rule can only apply if an asylum-seeker is a national of the country concerned, or is a stateless person formerly habitually resident there. Member States must lay down further rules in national law if they use the concept. They must also regularly review the list of countries concerned and inform the Commission of the list.

Unlike the 2005 rules, it is not possible to define a country as safe only in part, either geographically or for selected groups of people, as the Court of Justice has recently confirmed (see here and here). These judgments put a spanner in the works – at least temporarily – of the Italy/Albania arrangements, under which Italy planned to remove to Albania select groups of asylum-seekers who came from a ‘safe country of origin’, which was designated as ‘safe’ for only some groups of people; the asylum-seekers were to remain in Albania while Italy processed their application. In the latter judgment (Alace), the Court of Justice also said that: a Member State had a choice of routes to designate a ‘safe country of origin’ in national law, but its designation must be subject to judicial review; the sources of information used for the designation must be provided to the applicant and to courts; and courts must be able to examine other sources of information.

Defining a non-EU country of origin as ‘safe’ creates a presumption, which can be rebutted by the asylum-seeker if they can show ‘any serious grounds for considering the country not to be a safe country of origin in his or her particular circumstances and in terms of his or her qualification as a beneficiary of international protection’. It is also a ground for fast-tracking the consideration of asylum applications, although the current rule does not specify a time limit to this end (just that it should be ‘reasonable’, and can be exceeded if necessary to examine the application properly). In comparison, the time limit for ‘standard’ asylum applications in the current law is six months (although there are several grounds for extending that deadline).

The ‘safe country of origin’ rule is also one ground for applying a fast-track border procedure to asylum-seekers’ applications; again, such procedures are currently optional. Here there is a specific deadline, namely to conclude the process within four weeks, otherwise the asylum-seeker must be allowed on to the territory, and (as confirmed by Court of Justice case law) released from detention if that was the only ground for it. Finally, Member States may deny suspensive effect appeals in ‘safe country of origin’ cases, although asylum-seekers must have an opportunity to request a court to grant such suspensive effect.

2024 Regulation

Under the 2024 asylum pact Regulation, applicable (as things now stand) to asylum applications made after 12 June 2026, the ‘safe country of origin’ rules become mandatory for Member States. (Most, but not all, Member States were applying them already) The basic definitions of human rights standards in the country of origin remain, as do the rules on the sources of data to be considered. But under the new rules, it will be possible to designate a non-EU country of origin as ‘safe’ in part, either geographically (exceptions for ‘specific parts of its territory’) or for some groups of people (‘clearly identifiable categories’). Conversely, there is nothing to suggest that the other aspects of the Alace judgment (on effective judicial review of designations of ‘safe third countries’) cease to apply.

One new aspect of the rules is that it is possible for the EU to adopt its own common list of ‘safe countries of origin’, via the ordinary legislative procedure. This is accompanied by rules on dropping countries from the list in the event of ‘significant changes’ there, initially by means of a delegated act adopted by the Commission, then via legislation. Member States cannot put the country back on their national list of ‘safe countries of origin’ while a delegated act suspending it from the list applies; for two years after the country is dropped from the common EU list via legislation, Member States need the Commission’s approval to reinstate it on their national lists.

A similar new ground for accelerated procedures has been added: Member States must also fast-track cases where the most recent annual recognition rate for asylum claims for the asylum-seekers’ nationality is below 20% EU-wide at first instance (ie before appeals), ‘unless the determining authority assesses that a significant change has occurred in the third country concerned since the publication of the relevant Eurostat data or that the applicant belongs to a category of persons for whom the proportion of 20 % or lower cannot be considered to be representative for their protection needs, taking into account, inter alia, the significant differences between first instance and final decisions.’

There will now be a specific three-month deadline to decide on accelerated cases, although an authority can decide to consider the asylum application on the merits if the case is too complex. (The general deadline to decide on applications remains six months; the possibilities of extending that deadline have been partly curtailed).

‘Safe country of origin’ remains a ground (alongside now the ‘20% recognition rate’ rule) for considering applications in a border procedure, but that procedure has been overhauled: it is now mandatory for Member States for a certain number of asylum-seekers, provides for a longer period of application (12 weeks, now including appeals), and is subject to more exceptions. In particular, unaccompanied minors can no longer be subjected to it, except where they are ‘national security’ or ‘public order’ risks.

As for appeals in ‘safe country of origin’ cases, it is now the standard rule that they do not have suspensive effect (except for unaccompanied minors in the context of the border procedure), although as before it must be possible for asylum seekers to request suspensive effect from the courts. Some additional safeguards that currently apply to the lack of suspensive effect in border procedure cases have been dropped.

Commission proposal

The Commission’s proposal, dating from April 2025 (see my previous comments here), would first of all allow (as an option) the early application of the revised rules on ‘safe country of origin’, as well as the new ‘20% recognition rate’ rule, in order to provide for the earlier application of the Italy/Albania arrangements; other Member States might have a use for earlier application of the rules too. In fact it would also allow for early application of the partial designation of countries as ‘safe third countries’ too. It will also allow application of the 2024 version of these special rules in the current version of the border procedure (among other things, the 2024 exclusion of most unaccompanied minors from the border procedure will not apply).

Secondly, it would set out a common EU list of ‘safe countries of origin’, as from the entry into force of the Pact: seven named countries (Bangladesh, Colombia, Egypt, India, Kosovo, Morocco and Tunisia) plus candidates for EU accession (Serbia, Montenegro, Albania, North Macedonia, Bosnia-Herzegovina, Turkey, Ukraine, Moldova and Georgia). The accession candidates would be subject to special rules: their listing would switch off if they have been subjected to EU foreign policy sanctions ‘adopted in view of the country’s actions’, or if their recognition rate is above 20% at first instance, or if there is a ‘serious and individual threat to a civilian’s life or person by reason of indiscriminate violence’ in that country (which is one of the grounds for ‘subsidiary protection’ in EU law). It is not certain whether the usual rules on suspending a country from the list also apply to accession candidates, given that a special new category has been created for them. The proposal would list all these countries as a whole, ie not using any of the exceptions for parts of a country or groups of people which the Commission argued were so essential to provide for Member States.

Council position

The recently agreed Council position has taken over most of the Commission proposal. While the Council accepts the early application of parts of the Regulation and the common EU list of ‘safe countries of origin’, including the accession candidate countries (subject to a special rule), it would make a few amendments. (A statement by Hungary objects to having a special rule for accession candidates, preferring to list them automatically without any conditions – although listing them automatically is a special rule in itself)

First of all, the Council position would amend the proposal so that it would be possible to suspend a country partly from a common EU list of ‘safe third country’ or ‘safe country of origin’, on the same basis that Member States can designate a country only partly, ie geographically or as regards groups of people. If a country is partly removed from the common EU list by EU legislation, Member States would not need the Commission’s approval to reinstate that country partly to a national list.  

Secondly, the Council would alter the special conditions applicable to accession countries. The ‘subsidiary protection’ ground for disapplying the status would no longer refer to an ‘individual’ threat, presumably because an assessment is being made of a country as a whole in this context. Also, the foreign policy sanctions ground for disapplying the status would only apply to that country’s actions ‘affecting fundamental rights and freedoms that are relevant for the criteria of designation of a third country as a safe country of origin’ set out in the Regulation. The Council also sets out a procedure for applying these exceptions: the Commission must inform Member States and the Council of the change in status. However, as regards the (quasi-)‘subsidiary protection’ exception, the Commission needs the prior approval of the Council (presumably by qualified majority) before informing Member States of that change. According to the preamble, this is necessary in light ‘of the potential implications for the external relations of the Union and the Member States’ in this scenario.

European Parliament position

The European Parliament’s position (agreed by a committee, and to be reviewed in the full Parliament shortly) is similar to the Council’s. On the first point, the EP agrees that it would, in effect, be possible for countries on the common EU list to be suspended only partly, although it goes into less detail than the Council does.

On the second point, the EP retains the ‘individual’ threat aspect of removing an accession candidate from the common EU ‘safe third country’ list, but also adds that a candidate country should be automatically removed from the list on this ground if the EU’s temporary protection Directive has been applied to that country. This obviously refers solely to Ukraine at present (until March 2027, as things stand). The EP would amend the foreign policy sanctions ground for removal from the list in the same way as the Council.

As for the process, the EP wants the Commission to remove candidate countries from the list by means of a delegated act, rather than by informing the Council and getting the Council’s approval in some cases – although the Council has a role anyway in scrutiny of delegated acts (and in invoking and extending the application of the temporary protection Directive). Using a delegated act – which is, after all, already the usual process set out in the Regulation for suspending a country from the common list – would also give the EP a role in the suspension process.

The EP would also make some amendments to the preamble. One of them, indicating that assessments of the safety of non-EU countries should be ‘accessible’, reflects the Alace judgment. But another amendment to the preamble plainly conflicts with that judgment, purporting that:

…national judicial review should examine the detailed evidence regarding an applicant’s individual situation justifying, in his or her case, the inapplicability of the concept of safe country of origin and not the designation as such.

 

‘Safe third countries’

Current rules

The 2013 rules (again, an option for Member States) provide that a non-EU country can be considered a ‘safe third country’ (the position of EU countries and the associated countries of Switzerland, Norway, Iceland and Liechtenstein is a separate issue) if several criteria are satisfied: no threat to [life or liberty’ on any of the grounds set out in the Refugee Convention; ‘no risk of serious harm’ as defined in EU law as regards subsidiary protection; respect of the non-refoulement principle in the Refugee Convention (ie not sending the asylum seeker to an unsafe country); respect for ‘the prohibition of removal, in violation of the right to freedom from torture and cruel, inhuman or degrading treatment as laid down in international law’; and the possibility ‘to request refugee status and, if found to be a refugee, to receive protection in accordance with’ the Refugee Convention.  

The ‘safe third country’ principle must be ‘subject to rules laid down in national law, including’: rules requiring a ‘connection’ with the other country, ‘on the basis of which it would be reasonable’ for the asylum-seeker to go there; rules on ‘methodology’ concerning the application of the principle to particular countries or applicants; and rules permitting the asylum-seeker to challenge the alleged safety of the country concerned for them, as well as their supposed connection with it.

‘Safe third country’ applications may be considered inadmissible, ie not considered on the merits; but if the supposedly safe country does not permit the person concerned to enter its territory, the Member State must fully consider the merits of their claim. This rule has been confirmed by the Court of Justice, in a case where Greece was breaching it by ruling thousands of claims inadmissible because Turkey was ‘safe’, even though Turkey was no longer readmitting any of the asylum seekers concerned.

A special inadmissibility interview is held, rather than an interview focussed on the well-foundedness of the asylum claim as such. The Directive hints that Member States may have separate time limits for such cases.

As with ‘safe countries of origin’, the ‘safe third country’ rule is another ground to apply a special borders procedure (if Member States opt to do so). Conversely, the suspensive effect of an appeal cannot be denied in ‘safe third country’ cases.

2024 Regulation

The 2024 rules – which remain an option for Member States – are now subject to a definition of ‘effective protection’, in place of an opportunity to request and receive Refugee Convention refugee status: if a non-EU country ‘has ratified and respects’ the Convention, within the limits of any reservations and limitations, that country ‘shall be considered to ensure effective protection’; but if has not ratified the Convention, or applies a geographical limit to it (ie Turkey), that country ‘only’ offers effective protection for people where, ‘as a minimum’, that country allows people to remain, offers subsistence, health care and education, and ‘effective protection remains available until a durable solution can be found’. So even countries which have not ratified the Convention at all can be regarded as offering ‘effective protection’, if they meet these other conditions.

As with ‘safe countries of origin’, it is now possible to regard a country as a ‘safe third country’ only partly, ie ‘with exceptions for specific parts of its territory or clearly identifiable categories of persons’. A country can even be a ‘safe third country’ for an individual applicant. There is a special safeguard for unaccompanied minors:

A third country may only be considered to be a safe third country for an unaccompanied minor where it is not contrary to his or her best interests and where the authorities of Member States have first received from the authorities of the third country in question the assurance that the unaccompanied minor will be taken in charge by those authorities and that he or she will immediately have access to effective protection as defined in [the Regulation].

The law still rules out holding ‘safe third country’ applications to be inadmissible if the other country refuses to admit or readmit the person concerned on to its territory.

There will now be a two-month deadline for deciding ‘safe third country’ applications (and most other inadmissible applications), with a possible extension of up to two months in certain circumstances.

The revised border procedure in the Regulation (described above), also applies to ‘safe third country’ cases. There is also now a new prospect of a common EU list, which works the same way as the possible common list of ‘safe countries of origin’ (and removals from it) described above. Finally, appeals in ‘safe third country’ cases still have automatic suspensive effect.

Commission proposal

The Commission’s proposal, dating from May 2025 (see my previous comments here), would alter the rules as regards the asylum-seeker’s links to the country concerned, so that a ‘connection’ to that country would no longer be the only ground for applying the principle. It could also apply where either the asylum seeker had transited through that country, or a Rwanda-type deal existed with a country that the asylum had neither a connection with nor transited through: ‘there is an agreement or an arrangement with the third country concerned requiring the examination of the merits of the requests for effective protection made by applicants subject to that agreement or arrangement’. However, the latter new criterion would not apply to unaccompanied minors, and in any case there would be an obligation to consider the best interest of the child. Member States would have to inform the Commission and other Member States in advance of concluding such agreements or arrangements.

Secondly, the Commission proposal would alter the rules on appeals, so that there would no longer be automatic suspensive effect in ‘safe third country’ appeals, except for unaccompanied minors subject to the border procedure. Nevertheless, it would be possible to request a court to grant suspensive effect.

The ‘safe third country’ principle would remain optional for Member States, and the Commission does not propose to change the criteria defining the ‘safety’ of a country as such, the applicable deadlines, the related rules on the border procedure, the current safeguard for unaccompanied minors or the requirement that Member States must consider the merits if the third country concerned refuses to admit the asylum seeker. Nor does it propose to use the power to adopt a common EU list of ‘safe third countries’.

Council position

The Council’s position would take on board the Commission’s main points, clarifying that the transit in question must be ‘on the way to the Union’, and providing for the EU, not only Member States, to enter into negotiations with non-EU countries which the asylum seekers have no link at all to. New provisions would require the Commission, when negotiating such agreements or arrangements, to take Member States’ existing agreements or arrangements into account, including the potential impact of EU agreements or arrangements on cooperation of the non-EU countries with certain Member States. But an agreement or arrangements with the EU, once concluded, will take priority over agreements or arrangements with Member States, where they are incompatible.

Member States negotiating such agreements or arrangements must inform other Member States and the Commission of them prior to their entry into force or provisional application, and also inform other Member States and the Commission of any amendments or termination. A notification should come at an (unspecified) earlier point where the agreements or arrangements are with a non-EU country that borders on a Member State (ie Germany sending asylum seekers to Turkey may have a particular impact on Greece). As an option (according to the preamble), Member States could consult the Commission at an earlier stage, with a view to considering the compatibility of the draft agreement or arrangement with EU law. The Council version would also allow for different ways to inform a non-EU country that the applications of asylum-seekers being sent there have not been considered on the merits.

This negotiation position maintains the exclusion of unaccompanied minors from the ‘Rwanda clause’. On the other hand, it would drop the general reference to the rights of the child that the Commission wanted to insert in the main text, although the preamble would retain a reference to this principle, adding that ‘Member States should also take due account of the principle of family unity when applying the safe third country concept’. The safeguard already in the 2024 Regulation for unaccompanied minors, described above, would not be amended by either the Commission or the Council.

The Council’s version would also drop automatic suspensive effect in cases where the asylum seeker has international protection from another Member State. Greece objects to this. It should be noted that the Court of Justice case law provides for the possibility of applying for international protection in another Member State to avoid harsh conditions in the Member State which granted such protection, where the latter Member State treats the beneficiaries of international protection so badly that it amounts to a breach of the EU Charter of Fundamental Rights.

Finally, the Council version tries to clarify some elements of the ‘safe third country’ rule in the preamble. As regards the concept of a ‘connection’ (which will, of course, matter less than it does at present, given the two new categories of ‘safe third countries’):

While taking fully into consideration the parameters outlined in the case law of the Court of Justice of the European Union, Member States should be able to apply the safe third country concept on the basis of a connection as defined in conformity with national law or practice, in so far as specifically defined therein. The connection between the applicant and the third country could be considered established in particular where members of the applicant’s family are present in that country, where the applicant has settled or stayed in that country, or where the applicant has linguistic, cultural or other similar ties with that country.

Transit through a non-EU country is also clarified:

transit through a third country could include the situation where an applicant has passed through, or stayed on, the territory of a third country on the way to the Union, or where the applicant has been at the border or in a transit zone of a third country, where he or she has had the possibility to request effective protection with the authorities of that country

As for the Rwanda-style arrangements, they ‘could include a variety of case-processing modalities, such as simplified, group or prima facie procedures’. This wording seems to imply a potentially dismissive attitude to the non-EU country considering the merits of applications.

European Parliament position

The European Parliament’s position (again agreed by a committee, and to be reviewed in the full Parliament shortly) is similar to the Council’s. In fact, the EP would only make two changes to the main text of the Commission proposal. First, like the Council, the EP would also provide for the possibility of the EU, not only individual Member States, negotiating Rwanda arrangements, although it goes into less detail than the Council version about the mechanics of this. (Its proposed changes to the preamble would, however, require Member States to inform about bilateral talks at an earlier point, and inform the EP too; and the arrangements would have to be in writing).

Second, the EP version would subject unaccompanied minors to the Rwanda clause if there are ‘reasonable grounds’ to believe that they are a security or public order threat ‘under national law’. While the Court of Justice has usually interpreted security exceptions from asylum law narrowly, the reference to national law may be intended to give Member States more leeway. The EP would, however, retain the general reference to the ‘best interests of the child’ being added to the main text.

The EP also suggests changes to the preamble to the proposal, some of which align broadly with the Council’s. On the ‘connection’ with the ‘safe third country’, the EP states that:

The connection between the applicant and the safe third country could be considered established in particular where members of the applicant’s family are present in that country or where the applicant has settled or stayed in that country, or where the applicant has other links with that country, such as the same or similar language, or other economic, cultural, religious, or geographical links.

Unlike the Council’s version, there are, however, no broad references to national law in this context.

The EP version supports automatic suspensive effect being removed from most ‘safe third country’ appeals, although unlike the Council, it would not also remove automatic suspensive effect from appeals made by those who have international protection already from another Member State.

 

Assessment

First and foremost, one of the amendments proposed by the EP would be plainly unlawful, as an obvious breach of the EU Charter of Fundamental Rights. The Court of Justice’s Alace judgment refers several times to Article 47 of the Charter (the right to an effective remedy and a fair trial), when ruling that it must be possible to challenge the designation of countries as ‘safe countries of origin’ (underlining and bold text added):

…it should be noted that the obligation imposed on Member States by Article 46(1) of Directive 2013/32 to provide for a right to an effective judicial remedy for applicants for international protection, the scope of which is defined in Article 46(3) of that directive, corresponds to the right to an effective remedy guaranteed by Article 47 of the Charter… [para 53]

…although, in the absence of EU rules on the matter, it is for the national legal order, in accordance with the principle of procedural autonomy of Member States and subject to the observance of the principles of equivalence and effectiveness, to lay down the detailed procedural rules governing remedies for ensuring that individual rights derived from the EU legal order are safeguarded, Member States nevertheless have the responsibility to ensure observance in every case of the right to effective judicial protection of those rights as guaranteed by Article 47 of the Charter, the scope of that right being clarified, in the present case, by Article 46 of Directive 2013/32… [para 64]

…the choice, by a Member State, of the competent authority and the legal instrument effecting the designation, at national level, of safe countries of origin, in accordance with Articles 36 and 37 of Directive 2013/32, cannot affect its obligations under that directive. It is thus for each Member State, inter alia, to ensure respect for the right to an effective judicial remedy which Article 46(1) of that directive confers on applicants for international protection against decisions taken on their applications, the scope of which is defined by Article 46(3) of that directive. [para 65]

In that regard, the Court has held that, in accordance with Article 46(3) of Directive 2013/32, read in the light of Article 47 of the Charter, where an action is brought before a national court or tribunal against a decision taken on an application for international protection – examined in the context of the special scheme applicable to applications lodged by applicants from third countries designated, in accordance with Article 37 of that directive, as safe countries of origin – that court or tribunal must, as part of the full and ex nunc examination required by Article 46(3) of that directive, raise, on the basis of the information in the file and the information brought to its attention during the proceedings before it, a failure to have regard to the material conditions for such designation, set out in Annex I to that directive… [para 66]

Consequently, and having regard to the case-law referred to in paragraphs 62 and 63 above, the fact that a Member State has chosen to designate safe countries of origin by means of a legislative act cannot be such as to preclude the national court or tribunal seised in the circumstances set out in the preceding paragraph of the present judgment from reviewing, even if only indirectly, whether the designation of the third country in question as a safe country of origin complies with the material conditions for such a designation, set out in Annex I to Directive 2013/32. [para 67]

In the light of the foregoing, the answer to the first questions is that Articles 36 and 37 and Article 46(3) of Directive 2013/32, read in the light of Article 47 of the Charter, must be interpreted as not precluding a Member State from designating third countries as safe countries of origin by means of a legislative act, provided that that designation can be subject to judicial review as regards compliance with the material conditions for such a designation, set out in Annex I to that directive, by any national court or tribunal hearing an action brought against a decision taken on an application for international protection, which had been examined under the special scheme applicable to applications lodged by applicants who are from third countries designated as safe countries of origin. [para 68]

As the Charter has the same legal value as the Treaties (Article 6 TEU), any EU law adopted in breach of it would be invalid.

The EP majority has also not thought this amendment through. It is not reflected in the main text of the Regulation; and it is unclear if the amendment is somehow intended to prevent a review of the validity of a designation on the common EU list too. But Article 267 TFEU provides that a national court can ask the Court of Justice about the validity of EU legislation; if the EP amendment is intended as an attempt to preclude that, then it would be unlawful for a second reason.

Otherwise, as discussed already, there is not must difference between the EP and Council positions on either proposal. Traditionally the EP has taken a significantly more liberal view than the Council on asylum issues, but now the two are broadly in sync (and both in a more restrictive direction than in the past), with the EP even more restrictive than the Council on some points, although the Council is more restrictive than the EP on some points too.

On the ‘safe country of origin’ proposal, the EP’s position on the definitions and process regarding candidate countries is more convincing: it is logical that applying the temporary protection Directive should lead to an automatic exclusion from the common list of ‘safe countries of origin’, and it would make sense to follow the usual delegated acts process for suspending a country from the list, rather than an ad hoc intergovernmental process that only gives a role to the Council (there’s history here: the Court of Justice previously ruled against the Council’s botched attempt at an ad hoc intergovernmental process as regards the very same issue).

As regards the ‘safe third country’ proposal, the Council’s attempt to extend the removal of automatic suspensive effect is an unprincipled reach into another area of EU asylum law, and would in any event remove an essential feature of an effective remedy as regards potential breaches of Charter rights. But the removal of automatic suspensive effective from ‘safe third country’ cases is also problematic, especially in light of the extremely broad definition of the concept that would follow from the proposals.

The introduction of a ‘Rwanda clause’ in EU asylum law undercuts the traditional argument that asylum-seekers ‘should have’ applied in another country. Nevertheless, this rationale even appears in the Council’s press release:

The safe third country concept allows EU member states to reject an asylum application as inadmissible (i.e. without examining its substance) when asylum seekers could have sought and, if eligible, received international protection in a non-EU country that is considered safe for them.

Frankly, this is untruthful. It is not serious to suggest that an asylum-seeker who made their way from Syria, Eritrea or Afghanistan to the European Union ‘could have sought’ international protection in Rwanda, a country many hundreds of miles from any route they would have taken. ‘Could have sought’ is not a rule in the legal text either. Trump-style dishonesty about migration and asylum should not be appearing in the output of the press office of an EU institution.

A Rwanda-clause – unlike the introduction of the transit clause in the ‘safe third country’ definition – has nothing to do with the route the asylum-seeker took, and everything to do with the destination country’s desire to dump the asylum-seeker in any State that will take them. This will inevitably become a key issue as regards the application of the law.

Adding the possibility of the EU asking non-EU countries for Rwanda treaties – as both the EP and the Council would like – does not change the game much. Although the EU has levers at its disposal to use the new transit clause – because its readmission treaties provide that the other parties must take back not only their own citizens, but also non-citizens who transited through their countries, and the EU’s visa code, visa waiver suspension rules, and soon trade policy laws, all sanction countries that do not comply – there are no such levers as regards Rwanda treaties. It remains to be seen what threats and bribes the EU and its Member States are willing to develop, and how easily the Rwandas of the world can be coerced or tempted by them.

 

European Public Prosecutor’s Office: the tension between supranationalism, sovereignty and legitimacy

 

Jacob Öberg, Professor of EU law, University of Southern Denmark

Photo credit: EPPO

The aim of this blog post is to summarise the key argument of a recent article published by the author in 50(6) 2025 European Law Review titled “The European Public Prosecutor's Office - supranationalism, sovereignty and legitimacy”.

For readers not acquainted with the European Public Prosecutor’s Office (“EPPO”) it could be briefly stated that the EPPO is a centralised European public prosecutor tasked with prosecuting and investigating crimes against the EU’s financial interests (as defined in the PIF Directive) following its mandate in Art 86 TFEU. EPPO which commenced its operation in June 2021, is undoubtedly the pinnacle to date of supranational criminal law in the history of European integration. It represents a significant achievement in terms of its potential for a fundamental system change for EU criminal policy, departing markedly from the conventional Member State-centric view that intergovernmental cooperation should remain the dominating principle of governance in this field (Öberg, 2021).

It is well-known that the EPPO was established in October 2017 through the EPPO Regulation on the basis of the new Art 86 , which provides the Council with a competence to ‘establish a European Public Prosecutor’s Office’ which shall ‘be responsible for investigating, prosecuting, and bringing to judgment … the perpetrators of, and accomplices in, offences against the Union’s financial interests’ and ‘exercise the functions of prosecutor in the competent courts of the Member States in relation to such offences’. The final EPPO Regulation had been preceded by politically protracted negotiations over four years, involving the highest number of official negotiation documents in the Council on criminal law to date (Eurocrim database) and a Yellow Card from national parliaments (Commission Communication, 2013).  Because of far-reaching objections from Member States to the creation of the office, the EPPO Regulation ultimately had to be adopted by means of an enhanced cooperation procedure involving 20 Member States under Art 86(1) 2nd para, TFEU.

In light of this brief account of the genesis of the EPPO, this blog offers a critical analysis of the evolution, structure and functioning of the EPPO on the basis of three theoretical frameworks: the theory of supranationalism, the concept of sovereignty and the critical approach of legitimacy. The first part of the analysis accounts for the current design of the EPPO along the supranational-intergovernmental (Stone Sweet and Sandholtz, 1997) spectrum based on the general literature on EU law and integration (Cappeletti, Seccombe and Weiler, 1986, Pescatore, 1974).  Secondly, the analysis proceeds to examine the governance of the EPPO in attempting to ascertain the extent to which Member States have been capable of maintaining control of its operation. Finally, we consider the EPPO from the perspective of legitimacy, with a specific focus on judicial review of the EPPO’s activities.

First, we reflect on the institutional structure of the EPPO. The key argument here is that the establishment and operationalisation of the EPPO marks a significant transformation from a ‘cooperative’ philosophy in EU criminal justice towards an integrated ‘supranational’ criminal justice system based on formal powers exercised by the EPPO (Monar, 2013). The EPPO Regulation nonetheless captures an intricate compromise between a supranational and intergovernmental conception of the EPPO (Schmeer, 2023). The central feature for the supranational characterisation is the creation of a European prosecutor with binding decision-making powers in respect of criminal investigations and prosecutions in the area of crimes against the EU’s financial interest (Art 86(2) TFEU and Art 13(1) of the EPPO Regulation), with jurisdiction transcending the territorial borders of the EU Member States (Art 23 of the EPPO Regulation). However, the complicated rules in the EPPO Regulation on the exercise of competence (Arts 25-27 of the EPPO Regulation), the removal of exclusive competence and the inclusion of a ‘national link’ in the EPPO’s governance structure (Art 13 of the EPPO Regulation) present limits to the ‘supranationalisation’ of the EPPO. A review of the first years of the EPPO’s activities nonetheless suggests that the body operates de facto as a highly supranational body without being restrained by the legal framework surrounding its operations. The limited evidence available indicates that the EPPO in practice defines its mandate broadly (both in terms of the PIF offences and in respect of ‘ancillary offences’) and that national law enforcement agencies acting on behalf of the EPPO act seemingly in a spirit of loyalty towards the EPPO’s interests (see Recital 69 of the EPPO Regulation). This lends some support to the contention that the EPPO – based on its legal powers and operational practice – is the most ‘supranational’ EU body created to date within the context of EU integration (Öberg, 2021).

The establishment of the EPPO, in conjunction with the adoption of the new PIF Directive, makes a compelling argument for holding that the EU appears to have adopted a ‘federal vision’ of criminal law, at least when it comes to protecting its financial interests (Herlin Karnell and Gomez-Jara, 2013). This development asks more fundamental questions about legitimacy and state sovereignty and if the EPPO stand as a role model for the creation of a ‘European criminal justice system’. It is important to observe that the EPPO exerts significant powers with severe implications for the fundamental freedoms of individuals and that the exercise of those powers also markedly encroaches on ‘core state powers’. Whilst there is a strong normative justification for conferring these enforcement powers to the EPPO (Öberg, 2024, ch 5), these powers need to be accompanied with strong fundamental rights safeguards both at national and EU level.

This brings us to the final observation which relates to the key fundamental rights challenges for a European ‘supranational’ prosecutor. While the establishment of the EPPO is a welcome step towards a ‘federalisation’ of EU criminal justice in this area, the EPPO cannot function effectively without some degree of harmonisation of national criminal procedures and national criminal laws. The recent case law of the Court (G.K. and others, Case C-281/22) highlights the implications of this incomplete centralisation of national criminal procedures which makes it more cumbersome for the EPPO to fulfil its task of combatting crimes against the EU’s financial interests. The ‘output’ (legitimacy) perspective aside, another central tenet of legitimacy for the EPPO is that there should be structures and mechanisms established to hold that body responsible and accountable for its actions. Not only must the legality of the EPPO’s decisions be subject to review by the Court of Justice, as follows from Art 263 TFEU, but national courts must also have the comprehensive ability to request preliminary rulings as per Art 267 TFEU. Therefore, the EPPO Regulation needs to be reformulated to make clear that the Court of Justice’s Treaty-based jurisdiction cannot be restricted by reference to secondary law. Furthermore, stronger common EU measures for protecting the rights of the defendant, along with effective safeguards that form the basis for the exercise of the EPPO’s powers, should be a central feature of a potential future amendment of the EPPO Regulation.

As suggested in the analysis, the Court can have an important role to play in this regard. First, the Court should expand its jurisdiction, following Art 47 of the Charter, to ensure robust judicial review of the actions of the EPPO, and by developing common standards constituting the basis for the EPPO’s operation through the autonomous interpretation of key provisions in the EPPO Regulation. Secondly, the Court can contribute to the development of a system of EU judicial remedies against actions undertaken by the EPPO in its operational activities. As demonstrated by G.K. and Others (Parquet européen) and EPPO v I.R.O. & F.J.L.R. (Case C‑292/23), the CJEU has taken a nuanced approach to judicial remedies, carefully balancing the need for an effective supranational system of criminal enforcement with judicial safeguards for defendants. To conclude, a supranational prosecutor such as the EPPO does not only need to have institutional structures, tools and resources to fight effectively against the EU’s financial interests effectively (output). It also needs a robust legal framework surrounding the EPPO’s operational action, combined with strong legal safeguards for individual defendants, is imperative for ensuring the (throughput) legitimacy of this new unique supranational prosecutor.

 

Image Rights and False Claims, Data Protection and Intermediary Immunity: the case of Russmedia

 

 

Lorna Woods, Professor Emerita, University of Essex

 

Image credit: US Department of Defense

 

This Grand Chamber judgment of the Court of Justice in X v Russmedia Digital and Inform Media Press (Case C-492/23) handed down on 2 December 2025 concerns the scope of data protection rights and intermediary immunity in the context of the non-consensual use of someone’s image.  The judgment identifies:

- when someone has responsibilities under the GDPR,

- the relationship between those regulatory obligations and intermediary immunity, and

- the steps an data controller could take to satisfy those GDPR obligations.

 

It has been described as reshaping the obligations of online operators in the EU, while others have questioned how far the points in the judgments may be generalised to other situations.

 

Judgment

 

The Facts

 

Russmedia owns an online marketplace on which advertisements may be published. An unidentified user posted an advertisement falsely representing X as offering sexual services. The advert included X’s photographs (though there is no suggestion that these were intimate images) and phone number, all without her consent. Once notified, Russmedia removed the advert within an hour but the advertisement had been shared across several third party websites and remained accessible. X sued in the national courts in respect of her image rights, rights to reputation and data protection rights. The Romanian courts struggled with the question of whether Russmedia could claim the benefit of intermediary immunity (under the e-Commerce Directive (Directive 2000/31), provisions now replaced by the Digital Services Act (DSA)) and the extent of the obligations under the GDPR.

 

Is Russmedia subject to Obligations under the GDPR?

 

Obligations under GDPR arise when (1) personal data are (2) processed by (3) a data controller.

 

The CJEU commenced its analysis by noting the the information contained in the advert about X was personal data for the purposes of the GDPR and moreover that claims about a person’s sex life (implied in the advert) constituted “sensitive” personal data as protected by Article 9 GDPR, and that remained the case whether or not the claim was true.  Classification of the data as special category data means that there is a higher threshold to show lawful processing of those data. 

 

The Court further noted that “the operation of loading personal data on a webpage constitutes processing” for the purposes of the GDPR (para 54) and therefore covered the publication of the advert.

 

While this puts the advert within the scope of the GDPR, its obligations apply to data controllers and processors, so the question was whether, given Russmedia had no control over the content of the advert, was it a controller or joint controller? The Court reiterated previous jurisprudence to say (para 58) that:

 

any natural or legal person who exerts influence over the processing of such data, for his or her own purposes, and who participates, as a result, in the determination of the purposes and means of that processing, may be regarded as a controller in respect of such processing.

 

It noted also that there may be more than one entity which is a controller in respect of processing – this is the idea of joint controllers, although they may not have equal responsibility depending on the facts (para 63).  Joint decision making is not necessary for there to be joint controllers.

 

While the test for “controller” requires that the person processing the data does so for their own purposes, the Court added that this could include the situation “where the operator of an online marketplace publishes the personal data concerned for commercial or advertising purposes which go beyond the mere provision of a service which he or she provides to the user advertiser”  (para 66).  The Court in this case pointed to the fact that the terms of use give Russmedia “considerable freedom to exploit the information  published on that marketplace” including “the right to use published content, distribute it, transmit it, reproduce it, modify it, translate it, transfer it to partners and remove it at any time” (para 67). Russmedia is therefore not publishing solely on behalf of the user placing the advert. The Court also noted that Russmedia make the data in the advert accessible, allows the placing of anonymous adverts and sets the parameters for the dissemination of adverts (likely to contain personal data).

 

As a result of finding that the advert publishing platform was a joint controller the GDPR obligations bite in relation to the advert and must be able to demonstrate that the advert is published lawfully, which includes the requirement for consent for sensitive data (para 84 and 93) and the requirement for accuracy.  The CJEU notes that once published online and accessible to any Internet user, such data may be copied and reproduced on other websites, so that it may be difficult, if not impossible, for the data subject to obtain their effective deletion from the Internet.  The adds to the seriousness of the risks facing the data subject.

 

The GDPR also requires the implementation of technical and organisational measures – and this should be considered in the design of the service so that such data controllers can identify adverts containing sensitive data before they are published and to verify that such sensitive data is published in compliance with the principles of the GDPR (para 106).  Further, the controller must ensure that there are safety measures in place so that adverts containing sensitive data and not copied and unlawfully published elsewhere (para 122).

 

Are the GDPR Obligations Affected by Intermediary Immunity?

 

While the immunity provisions in the e-Commerce Directive are far-reaching, the e-Commerce Directive specified that it was not to apply to the Data Protection Directive (the legislation in  force at the time the e-Commerce Directive was drafted) and that included the immunities; the Court concluded that this meant the e-Commerce Directive could not interfere with the GDPR. It also specified that GDPR requirements here cannot be classified as general monitoring (which is prohibited by the e-Commerce Directive (and now the DSA)).

 

 

Conclusions, Implications and Questions

 

The ruling in this case does not match existing industry practice. It is not a bolt out of the blue, however, but builds on existing jurisprudence (eg Fashion ID (Case C-40/17)).  While the obligations required of Russmedia in this case may indicate, to some, a landmark shift in the Court’s approach, the judgment does rely on the specific facts in the case and, specifically, the point that “sensitive” data, which effectively requires explicit consent, is in issue. In principle, this could be relevant to other forms of sensitive content, notably non-consensual intimate images (NCII). Certainly, it re-emphasises data protection as a route for victims’ redress, if not preventing harm in the first place.

 

The ruling clarifies that a range of activities typically carried out by platforms - structuring, categorizing, and monetizing user content, can amount to determining “the purposes and means of processing personal data”, the test for responsibility as a controller under the GDPR (article 4 GDPR). In taking this approach, it differed from the Opinion of its Advocate-General (AG’s Opinion, para 120).  The Court noted that the definition of controller in the GDPR is broad – and this is to support the protection of individuals’ fundamental rights to privacy and data protection. Once a body is a controller, that body must be able to demonstrate compliance with the data protection principles, and take appropriate technical and organisational measures to ensure data processing is carried out in accordance with the GDPR. 

 

Here, some of the points that the Court relied on to determine that Russmedia was a joint controller could well be relevant to other services and not just online marketplaces. For example, many sites have broad terms of service similar to those the Court highlighted here; other services also allow anonymous posting and a key feature of many services is the making available of that content for advertising revenue purposes, as well as controlling how content is promoted. (Note the decision of the court in YouTube and Cyanado (Joined Cases C-682/18 and C-683/18), which suggested that automated content curation did not mean that a service is not neutral, is not directly relevant here as it relates to the conditions for maintaining intermediary immunity – and see Russmedia, AG’s Opinion, para 155)  It is unclear how many of these criteria need to be present for a service to constitute a controller in relation to the personal data in third party content it publishes (though the Court seems to list them as alternatives, suggesting any of them would suffice), or whether less far-reaching terms of service may be sufficient to stop a platform being a joint controller.  Where these conditions are satisfied, its impact need not be limited to advertising but to organic content containing third party personal data too.

 

The Court’s confirmation that the clear wording of the e-Commerce Directive, excluding the Data Protection Directive (the predecessor legislation to the GDPR) from its scope, meant that an intermediary cannot escape its own data protection responsibilities does not affect immunity from liability in respect of unlawful content.  Note that this decision was based on the wording of the e-Commerce Directive. This language has not been carried over to the DSA, which is expressed to operate without prejudice to, inter alia, the GDPR. It is not clear if or how this would change the Court’s interpretation. Immunity provisions from the e-Commerce Directive have been carried across to the DSA (albeit with a “carve out” in respect of consumer law in Article 6(3) DSA). While the EDPB has published guidance on the interplay of the GDPR and the DSA, it has looked at the question of the impact of the DSA requirements on data protection rather than the impact of data protection on the DSA.

 

The judgment suggests that services should design checks into their services to ensure compliance with the data protection obligations including pre-publication checks as to whether sensitive data is included and to check the identity of the person posting the material. Of course, while some sorts of posts (eg NCII) clearly constitute sensitive personal data, the outer edges of this category might not be clear cut. The Court here noted that the category should be interpreted broadly (para 52). It could be that some of the obligations could be passed on to the user uploading the advert through terms of service, though this might be capable of being abused by some users.  Further, the CJEU expects the site to prevent third party scraping so far as is possible – the judgment does not introduce strict liability in this regard.  What technical measures would be sufficient in practice remains uncertain.   This is very different from the reactive response required to maintain immunity under the e-Commerce Directive – and which has been the dominant framing until now. Assuming the position on immunity does not change, services may have to implement new systems, probably including automated tools and may ultimately affect choice of business model for some services.

 

There are questions about how this ruling impacts the DSA. How does a pre-check system differ from general monitoring. General monitoring is prohibited under Article 8 DSA (though specific monitoring is not)? The CJEU stated that systems to ensure GDPR compliance could not be classified as “general monitoring” (para 132) – but did not explain this statement any further. There is an argument to say that all content will need to be scanned to identify that which contains sensitive personal data – and by contrast to checking against a database of known CSAM images, for example, which might be considered specific monitoring, this is a more open ended obligation. It is unclear whether there are other routes to pre-check which do not involve content scanning.  The requirements to check whether the person posting the personal data is the person to which the data relates (or is otherwise lawfully processing) may make, for example, anonymity difficult to maintain and it is unclear what level of identity verification would be acceptable.  There are also questions about how this system of pre-checks affects the neutrality of the platform and consequently the possibility for the platform to claim immunity (in respect of other claims relating to the content) under Article 6 DSA.

 

The position in the UK may be slightly different, however. Section 6(1) European Union (Withdrawal) Act provides that decisions of the CJEU post-dating 31 December 2020 do not bind UK courts although they may have regard to such judgments. The provisions which would have had the effect of removing the status of binding precedent from decisions of the CJEU made on or before that date have now not been brought into force (but they remain on the statute book), as the Labour Government revoked the relevant commencement regulations.  Furthermore, old case law from the Northern Irish courts (pre-dating Brexit), CG v. Facebook, suggested the the e-Commerce Directive (the relevant law at the time) could apply to data protection claims.

The Digital Service’s Act Main Character: the EU Commission finally fines X

 

 

Steve Peers, Professor of Law, Royal Holloway University of London

Photo credit: Animated Heaven, via Wikimedia Commons

 

Introduction

The EU’s Digital Services Act (DSA) was conceived before Elon Musk bought Twitter (soon renaming it X); but they were literally born simultaneously, with the DSA being published in the EU’s Official Journal on the same day that Musk completed his takeover. Since then, Musk’s behaviour running X (see my review of a book on the takeover and the aftermath) has exemplified many of the reasons why the EU (and other jurisdictions) contemplated regulating social media in the first place: in particular arguments about the legality of its content and the fairness of its algorithms.

A Twitter user coined the phrase ‘today’s main character’ to describe a poster who becomes the centre of attention for a day – usually due to an absurd or obnoxious post that prompts many negative responses. For the DSA, X has been its main character since its creation, with much of the public debate about the potential use of the Act focussing on how it might apply to the controversial social network.

This debate has now come to a head. Last week, following its preliminary findings back in July 2024, the EU Commission adopted a final decision imposing a fine to enforce the DSA for the first time: €120 million for three breaches of the Act by X. This initial decision is likely to impact upon the broader debate over the Act’s implementation, and – due to Musk’s influence in the current Trump administration – also play a role in the fast-deteriorating relations between the EU and the US.

This blog post first provides an overview of the DSA, then examines the legal issues arising from this specific enforcement decision, and concludes with an assessment of the broader context of this decision: the enforcement of the DSA more generally, and the relations between the EU and the USA.

 

Background: overview of the Digital Services Act

Adoption of the DSA

Although the critics of the EU Commission fining X are quick to argue that the EU is undemocratic, EU legislation needs the support of elected Member State governments and elected Members of the European Parliament (MEPs) to be adopted. In fact, the Act received unanimous support from Member States and a large majority of MEPs.  

In any event, even without the Act, Member States would likely regulate social media – perhaps more quickly and more stringently than the EU has applied the Act in some cases. And even if the whole EU ceased to exist, as Elon Musk and Russian government mouthpieces demand, those countries would still be regulating Big Tech, with national equivalents of the Digital Markets Act and the GDPR, for instance. Indeed, despite leaving the EU, the UK has its own national versions of all three laws: the Online Safety Act, the Digital Markets, Competition and Consumers Act, and the UK GDPR, which sits alongside the Data (Use and Access) Act. While UK regulators may be famously timid about enforcing these laws, Australia – a long way from the EU – was not dissuaded from banning under-16 year olds from social media.

But until Musk and his sympathisers manage to destroy the EU, we have the DSA. It contains rules that govern online platforms generally, regardless of size, but its most prominent rules concern a special regulatory regime for the biggest platforms, defined as ‘very large online platforms’ (VLOPs) and ‘very large online search engines’ (VLOSEs), which subjects them to greater regulation. The Act gives the EU Commission power to designate such platforms and search engines (on the basis that 10% of the EU population visit them monthly) and to enforce the provisions of the DSA against them.

While some claim that the DSA was adopted only to punish US tech firms, the list of designated VLOPs and VLOSEs includes also Chinese companies (AliExpress, TikTok, Temu, Shein), EU companies (Booking.com, Zalando, and two porn sites), and a Canadian site, Pornhub. Overall, nearly half of the companies designated as operating VLOPs and VLOSEs are non-American (although some of the American companies operate more than one platform).

Content of the DSA

For VLOPs, enforcement of the DSA involves a number of measures, including requests for information, a start of an investigation into possible breach of the Act, a preliminary finding of a breach, and a final decision finding a breach – which can result in a fine (of up to 6% of worldwide annual turnover) and orders to change practices. A VLOP or VLOSE can also agree avoid a fine by agreeing binding commitments to change its practices with the Commission (in effect, a settlement) before it reaches a final decision. If a finding of breach is not complied with, the Commission can impose very high fines – up to 5% of worldwide annual turnover per day.

While many critics of X excitedly demand that the EU Commission ban it, the Act imposes a very high threshold before a ban can be imposed – essentially a refusal to remove illegal content, with additional safeguards including involvement of a court. The case law has not yet fleshed out the relationship between the DSA and Member States’ laws on overlapping issues, or clarified whether there can be private enforcement of the DSA (ie individuals challenging the VLOPs and VLOSEs in court for breach of the Act, rather than the Commission enforcing it) in parallel.

Substantively, the Act’s requirements on VLOPs and VLOSEs (in its Articles 33-43) start with risk assessment: they must ‘diligently identify, analyse and assess any systemic risks in the Union stemming from the design or functioning of their service and its related systems, including algorithmic systems, or from the use made of their services’. Systemic risks are further defined as including ‘dissemination of illegal content through their services’, ‘negative effects’ upon various human rights, ‘actual or foreseeable negative effects on civic discourse and electoral processes, and public security’, and ‘actual or foreseeable negative effects in relation to gender-based violence, the protection of public health and minors and serious negative consequences to the person’s physical and mental well-being’.  

Very large platforms and search engines are also obliged to (as further defined): mitigate these risks; comply with a decision requiring a response to a crisis; perform independent audits; offer a recommender system not based on profiling, at least as an option; make public a repository of advertising data; provide access to their data to researchers; explain their algorithms to regulators; establish independent compliance bodies; provide further public data on their operations; and pay an annual supervisory fee to the EU Commission.

The DSA in the EU courts

Even before the first fine was imposed to enforce the DSA last week, its application in practice has been frequently litigated. First of all, Amazon, Zalando and several porn sites have challenged their designation as VLOPs. Zalando lost its challenge in the EU General Court in September, but has appealed to the EU’s Court of Justice (appeal pending). More recently Amazon also lost its challenge in the EU General Court against designation as a VLOP, but it still has time to appeal that judgment to the Court of Justice (Amazon had won an interim measures ruling in this case – delaying its obligation to publish information about its advertisers – but that interim measure was overturned by the Court of Justice, following a successful appeal by the Commission).

The porn companies’ legal challenges to their designations as VLOPs are still pending (see the summary of the arguments made by Pornhub, XNXX and XVideos; a challenge by Stripchat is also still pending even though the Commission has dropped its designation as a VLOP); their applications for interim measures as regards publishing advertisers’ information have been dismissed (see the General Court orders re Pornhub and XVideos, and the failed appeals to the Court of Justice as regards Pornhub and XVideos).  

Of these cases, the recent Amazon judgment has broad implications for the DSA as a whole, considered further below.

Secondly, the Commission’s decisions on fees for regulation (for 2023) have also been challenged. These challenges were all successful in the EU General Court (see the judgments as regards Tiktok and Meta), although the Commission has appealed both the Tiktok and Meta judgments to the Court of Justice (appeals pending). In the meantime, Tiktok, Meta and Google have brought a further round of legal challenges (all still pending) to the regulation fees imposed for 2024.

We can also now expect X to challenge the enforcement decision against it. (If it also requests interim measures, at least that aspect of the case will be decided soon).

Other enforcement of the DSA

In addition to the new decision enforcing the DSA against X, other Commission enforcement actions under the DSA have been adopted or are pending against VLOPs. Leaving aside requests for information (such as the one recently sent to Shein as regards reports of sales of child-like sex dolls):

-          The Commission has accepted binding commitments from AliExpress on various issues, but at the same time also adopted a preliminary finding that its risk assessment as regards illegal products was insufficient;

-          It has opened proceedings against porn sites for inadequate protection of children;

-          It has adopted a preliminary finding that Meta (Facebook and Instagram) is in breach as regards researchers’ access to data, and as regards flagging illegal content and allowing for appeals against content moderation decisions; an investigation as regards deceptive advertising, political data, and misinformation on Meta is still underway; and

-          It has adopted a preliminary finding that Temu has breached the DSA as regards illegal products, and an investigation continues as regards other issues

Finally, the Commission has been particularly active as regards TikTok. It has accepted a commitment to suspend the ‘TikTok Lite’ programme, which was apparently designed to (further) encourage social media addiction by children, having used the threat of issuing an intention to impose interim measures under the DSA earlier on in this case. A new decision, following a preliminary finding, accepts further commitments regarding information on advertisers – also a great irritant to Amazon and the porn companies, as can be seen in the litigation summarised above, as well as an issue in the X case, discussed below. TikTok has deadlines to implement the various commitments it has made, and there are specific powers to monitor whether it is complying with them under the DSA. The Commission has also adopted a preliminary finding against TikTok as regards researchers’ access to data, and further investigations against Tiktok are still underway.

Overall, it can be seen that to date the majority of enforcement actions under the DSA have been initiated against companies that are not American. Also, to date all the offers of binding commitments that have been accepted, in place of fines and enforcement orders, have come from Chinese companies. The potential of negotiating binding commitments instead of an enforcement order is, however, open to a VLOP based anywhere.  

 

The non-compliance decision against X

What did the decision address?

First and foremost, the non-compliance decision against X only concerns certain issues, namely deceptive practices as regards X’s ‘blue ticks’,* researchers’ access to data, and the repository of advertisers. The Commission complaint about ‘blue ticks’ is that they are a ‘deceptive practice’ banned by the DSA (note that this rule applies to platforms generally, not just VLOPs), in that they purport to indicate that an account has been verified, when it has not been. Under Musk, X has earned revenue from the blue ticks by selling them to anyone willing to pay for them, although the sale of the ticks, and the monetisation programme (ie giving money to X users whose posts lead to large numbers of reactions) are apparently not the subject of the non-compliance decision as such. The preference given to blue ticks in the X algorithm is not the subject of the decision as such either.

(*Disclosure: I applied for and obtained a ‘blue tick’ from Twitter prior to Musk’s purchase, when a proper verification system applied. I did not pay for the tick under Musk, and it was initially removed as a result. However, it was reinstated involuntarily – not at my request, and without my paying for it, or monetising my posts – as part of a process of reducing the social opprobrium of having a blue tick under Musk, in which the ticks were reinstated for some accounts. I initially hid the reinstated tick, but the facility to do that was removed. It remains there today; I have not used X since August 2024, due to my objection to Musk encouraging violent racial conflict in the UK, except for a handful of posts encouraging others to leave the platform. I have retained my account there to reduce the risk of anyone impersonating me, which has happened several times.)

The Commission has not yet made a final decision – or even a preliminary finding – as regards other issues involved in its opening of proceedings against X, namely the dissemination of illegal content and the effectiveness of rules against disinformation.

How can the decision be enforced?

X now has 60 days to inform the Commission about measures it will take to enforce the non-compliance decision as regards blue ticks. It has 90 days to submit an action plan to address the other two issues, and the Commission must respond to the action plan two months after that. In the event of non-compliance with the decision, as noted above the DSA gives the Commission the power to impose much higher fines. The method of calculation of last week’s fine is not explained in the press release. (The non-compliance decision itself may explain the calculation, but like most DSA decisions of the Commission, it has unfortunately not been made public; Article 80 of the DSA requires the main content of this decision to be published though)

If X challenges the decision in the EU courts, it can request an interim measures ruling suspending all or part of the decision; the EU General Court will decide on that (subject to appeal to the Court of Justice), as it has done in several DSA cases already, as detailed above. The final judgment of the EU courts can annul the Commission’s non-compliance decision in whole or part, and the DSA (Article 81) gives the EU courts unlimited jurisdiction to cancel, increase or reduce the fine. As for the collection of the fine (and any further fines that might be imposed on X for continued breach of the DSA), Article 299 TFEU sets out the process of enforcing fines imposed by EU bodies; although if X removes all its assets from the EU to the US, it might try to prevent collection by using US law that blocks the enforcement of foreign judgments on ‘free speech’ grounds (perhaps the SPEECH Act, although that concerns defamation; other routes may be available, or fresh routes adopted in light of the Commission decision).

This brings us neatly to the question of whether the non-compliance decision is arguably invalid on ‘free speech’ (or other) grounds.

Is the decision legal?

What are the legal issues as regards last week’s non-compliance decision? As noted above, the recent judgment in the Amazon case addresses two of the issues in the non-compliance decision (advertising repositories and access to data), while also addressing broader criticisms of the Act, some of which may be relevant if X challenges the finding as regards ‘deceptive practices’, or takes this opportunity to challenge the legality of the Act more generally (as Amazon did when challenging the legality of its designation as a VLOP; on such challenges, see Article 277 TFEU).

Amazon’s legal challenge to its VLOP designation did not advance the obviously untenable argument that fewer than 10% of the EU population uses Amazon monthly (conversely, Zalando and the porn sites are arguing about the calculation of the numbers). Rather, Amazon argued that the entire system of special rules for VLOPs in the DSA was invalid, because it violated a number of human rights set out in the EU Charter of Fundamental Rights. All of these arguments were rejected by the EU General Court.

First of all, the Court rejected the argument that the VLOP regime breached the freedom to conduct a business (Article 16 of the Charter). In the Court’s view, although the regime interfered with the freedom to conduct a business, because it imposed significant costs on VLOPs and also had a considerable impact on their organisation or required complex technical solutions, that freedom was not absolute, and the interference with it was justified. According to Article 52(1) of the Charter, limitations on Charter rights have to be prescribed by law, have public interest objectives, respect the essence of the right and be proportionate. Here the limits were admittedly prescribed by law (being set out in the Act) and respected the essence of the right (as Amazon could still carry out its core business); Amazon instead argued mainly that the limits were disproportionate, as online shops did not present systemic risks, the objectives could be satisfied by less onerous means, and the costs were significant. However, the Court believed that there was a systemic risk of illegal content in online marketplaces; other means of designating VLOPs were not necessarily more proportionate; making advertising repositories open to the public was justified in the interests of consumer protection; and the arguments about economic impact made by Amazon as regards recommender systems, researchers’ access to data and advertiser repositories were unconvincing.

Secondly, Amazon’s argument that its right to property was infringed (Article 17 of the Charter) was dismissed at the outset, as it had not identified any of its property rights that were affected by the DSA: an administrative burden did not constitute interference with a property right. Thirdly, the Court rejected the argument that the VLOP regime breached the general right to equal treatment (Article 20 of the Charter), by treating larger companies differently from smaller ones, on the grounds that larger companies presented bigger risks.

Fourthly, Amazon’s arguments about freedom of expression (Article 11 of the Charter) were rejected too. This argument was only made as regards applying the DSA rules on recommender systems to Amazon. On this point, the Court reiterated that the Charter freedom of expression rules must be interpreted consistently with the freedom of expression set out in Article 10 of the European Convention on Human Rights (ECHR), referring also to the case law of the European Court of Human Rights (ECtHR). The Court did not see how the freedom of expression of third-party sellers might be affected by the DSA rules, but it accepted that Amazon’s freedom of expression was limited by having to offer a recommender system not based on profiling.

However, limitations of the right could be justified: the limitation here was prescribed by law; it did not affect the essence of the right (as Amazon could still offer a profiling-based recommender system as an option); it had an objective of general interest (consumer protection); and it was proportionate by only requiring the offer of one non-profiling based recommender system as an option – taking account of ECtHR case law that allows more interference with commercial expression than political expression.

Finally, Amazon complained about a breach of the right to privacy (Article 7 of the Charter). This was a remarkable thing for a company with a business model based on surveillance of its customers to argue about, but the Court considered its arguments seriously nonetheless. Again it followed the ECtHR case law on the corresponding rule (Article 8 ECHR), which states that businesses could invoke the right to privacy. Here the argument concerned the DSA rules on ad repositories and researchers’ access to data. Again the EU court agreed that the DSA interfered with the right, but ruled that it could be justified: it was prescribed by law, did not infringe the essence of the right, and complied with the principle of proportionality, particularly because of the limits built in to the obligations (for instance, no obligation to disclose the personal data of advertising recipients, or about the success of advertising; controls on which researchers can access the data).

How does this judgment (noting that Amazon could still appeal it to the Court of Justice) apply to a legal challenge that X might make to last week’s non-compliance decision? First of all, the judgment in principle disposes of many arguments that X might make about two aspects of the non-compliance decision, as regards ad repositories and researchers’ access to data – although X might try different arguments, or contend that the nuances of its case are different.

While the main US response to the EU Commission’s decision has been to claim that the EU is engaged in censorship, note that Amazon did not even argue that the DSA rules on ad repositories or researchers’ access to data infringed freedom of expression, and remember that X is only being investigated for the dissemination of illegal content and the effectiveness of rules against disinformation. Obviously a freedom of expression argument might be made in respect of those issues, but, as noted above, X has not been subjected to a final decision or even a preliminary finding in respect of them.

Furthermore, according to the Amazon judgment, a VLOP challenging a Commission decision under the DSA can only challenge the validity of those parts of the DSA that are the legal basis for the decision made against them: so X cannot, at this point, specifically attack the validity of the DSA rules on risk assessment or risk mitigation, since there is no decision that it has breached them yet.  X can attack the validity of the DSA system for VLOPs generally, which includes the rules on risk assessment and risk mitigation. Although Amazon has already tried this and failed, X might try to argue its case differently; but it looks like a long shot, given that a non-compliance decision is inherently more narrowly focussed than designation as a VLOP.

Another key point to remember in this debate is that, as the Amazon judgment confirms, the human rights standards applied by the EU courts are those of the EU Charter, interpreted (where relevant) in light of the corresponding ECHR rights, and the ECtHR case law on those rights. The ECHR approach to rights differs in some respects from that of the US courts, arguably providing greater protection for the right to privacy (although not enough for Amazon to win its arguments on this point), but lesser protection for the right to free speech (allowing more leeway for interference with the right). But that is the nature of doing business in another jurisdiction. US law may take the view that (hypothetical) X user ‘ZyklonB1488’, regularly posting ‘Next year in Auschwitz!’ at Jewish people, has the right to set out his stall in the marketplace of ideas. But other legal systems may legitimately take the view that he does not.

Applying this to the sole remaining issue in the Commission’s non-compliance decision – the deceptiveness of X’s blue tick system – this is not directly connected to the content of what blue tick holders (still less anyone else) may post on X. Any effect on freedom of expression of last week’s decision is therefore marginal – although again, free speech arguments would be stronger as regards future decisions the Commission might make in respect of X as regards other issues still under investigation (or Meta – subject to some broadly similar investigations, as summarised above), especially because ‘illegal content’ is the one breach of the DSA that might (subject to many conditions and safeguards) lead to a ban on the whole platform. And to the extent that the non-compliance decision on blue ticks does interfere with freedom of expression, there is a strong argument that the interference is justified both on the ground of consumer protection (cf the scams featuring impersonations of consumer advocate Martin Lewis) and (as Article 52 of the Charter also provides for) on the ground of ‘the need to protect the rights and freedoms of others’ (ie anyone being impersonated, including myself!).

 

Context: enforcing the DSA

Last week’s decision is a definitive sign that the Commission is willing to enforce the DSA, even to the extent of adopting non-compliance decisions. The world is full of ‘light-touch’ regulators – perhaps one of Britain’s more unappealing exports. Usually, the Commission is not seen as such; but its obvious stalling on taking a final decision regarding X, for 17 months since its provisional findings, may have given the impression that – on the DSA, at least – the lion had turned pussycat.

The non-compliance decision should be viewed alongside with the Amazon judgment, which it likely also takes account of. VLOPs now know not only that the Commission is willing to act to enforce the DSA, but also that the EU courts (subject to possible appeal) back up at least some key provisions of the Act. Also, the recent judgment may explain TikTok’s simultaneous willingness to agree on its compliance with the ad repository rules; and the Commission’s willingness (again) to accept commitments, combined with the recent judgment, shows VLOPs that it may be less hassle to negotiate commitments with the Commission, rather than embark upon court action that is unlikely to succeed.  The context also includes a dog that did not bark: the Commission did not propose any amendment to the DSA (or the Digital Markets Act) in its recent proposal for an ‘omnibus’ bonfire of some provisions of EU tech laws.

Having said that, it is striking that the Commission is moving forward on non-compliance decisions and preliminary findings other than on the issues relating more closely to content on social media networks (cf the ongoing investigations into Meta and X), which raise not only the more difficult legal issues (given their greater impact upon freedom of expression) but also have the greater political impact (given the subject-matter, and the closeness of both zillionaire owners to the US government). And this brings us nicely to the impact of the decision upon US/EU relations.  

 

Context: EU-USA relations

Coincidentally, the non-compliance decision was released the day after the US government published a foreign policy review that was intrinsically hostile to the EU, and hyperpartisan in its support of right wing populist parties in Member States. In that context, the decision against X is just a drop in the rapidly-widening Atlantic Ocean. Famously, US diplomat Dean Acheson was ‘present at the creation’ of the post-war alliance; the Trump administration’s goal seems to be to preside over its destruction.

Yet, as noted already, supporters of Trump are nevertheless enraged by the decision, despite its limited impact. Even though, as explained above, the DSA was approved by elected governments and MEPs, does not solely apply to US companies and is not solely enforced against US companies, and the recent decision has at best a marginal impact upon freedom of expression, the response is the same: “They’re eating our free speech!”

Of course, it’s hard to take concerns about free speech from the Trump administration seriously: these are folks who want to expel legal migrants for criticism of a foreign government, and whose leader, between naps, frequently insults and threatens journalists who are insufficiently North Korean in their adoration of him. If these people are genuine free speech defenders, then I’m Alexander Hamilton.

As hypocritical and inaccurate as the Trumpian reactions to the decision are, they were presumably anticipated by the Commission before it took its decision. Even if the EU courts rule in the Commission’s favour in the event of a legal challenge, its MAGA critics will likely remain just as irrational (“They’re eating the snails!”). Yet the Commission took the decision anyway.

The choice to go ahead with the decision regardless can be understood either as a calculated risk that the US will not punish the EU for it – at least no more than it was inclined to punish the EU anyway, for various other reasons – or that even if the US does punish the EU for the decision, it is worth exercising its regulatory powers anyway. Perhaps this is a response to the perception that the Commission had seemed unwilling to stand up to Trump to date. Or maybe the assumption is that Trump is unlikely to pay much attention to this matter for long, particularly if the EU can devise a way to distract him: something like a shiny gold award for ‘best European’, for ending the war between Narnia and Freedonia, may work.  

Whatever happens, the Commission’s decision was certainly a gamble, in the current context of fraught EU/US relations, with far broader trade and security issues at stake. Time will tell whether this assertion of regulatory strength is worth it in light of the reaction it may trigger.