CURIA - Documents

Home > Search form > List of results > Documents

Start printing

Language of document : ECLI:EU:C:2023:481

OPINION OF ADVOCATE GENERAL

RANTOS

delivered on 15 June 2023 (1)

Case C‑755/21 P

Marián Kočner

European Union Agency for Law Enforcement Cooperation

(Appeal – Regulation (EU) 2016/794 – European Union Agency for Law Enforcement Cooperation (Europol) – Protection of personal data – Articles 49 and 50 – Liability of Europol for incorrect data processing – Recital 57 – Nature of liability – Criminal proceedings brought in Slovakia against the appellant – Expert’s report drawn up by Europol for the purposes of the investigation – Retrieval of data from mobile telephones and a USB device belonging to the appellant – Alleged unauthorised disclosure of those data by Europol – Non-material damage – Action for damages – Causal link)

I. Introduction

1. By his appeal, Mr Marián Kočner (‘the appellant’) asks the Court of Justice to set aside the judgment of the General Court of 29 September 2021, Kočner v Europol (T‑528/20, not published, ‘the judgment under appeal’, EU:T:2021:631), by which the General Court dismissed his action seeking compensation for the non-material damage which he claims to have suffered on account of the infringement of his right to respect for private and family life resulting, in essence, from data processing operations by the European Union Agency for Law Enforcement Cooperation (Europol) in the context of a criminal investigation initiated in respect of him by the Slovak authorities following the murder of a journalist and the journalist’s fiancée.

2. This appeal affords the Court its first opportunity to rule, among other things, on the nature of Europol’s non-contractual liability under Articles 49 and 50 of Regulation (EU) 2016/794, (2) interpreted in the light of recital 57 of that regulation, and, specifically, on the existence of the special system of joint and several liability between Europol and the Member State in which damage has occurred as a result of incorrect data processing by Europol or that Member State.

II. Legal framework

3. Recitals 56, 57 and 65 of the Europol Regulation state:

‘(56) Europol should be subject to the general rules on contractual and non-contractual liability applicable to Union institutions, agencies and bodies, save as regards the rules on liability for unlawful data processing.

(57) It may be unclear for the individual concerned whether damage suffered as a result of unlawful data processing is a consequence of action by Europol or by a Member State. Europol and the Member State in which the event that gave rise to the damage occurred should therefore be jointly and severally liable.

…

(65) Europol processes data that require particular protection as they include sensitive non-classified and EU classified information. Europol should therefore draw up rules on the confidentiality and processing of such information. The rules on the protection of EU classified information should be consistent with Council Decision 2013/488/EU. [(3)]’

4. Under Article 17(1) of the Europol Regulation, Europol is only to process information that has been provided to it, inter alia, by Member States in accordance with their national law and Article 7 of that regulation. Under Article 17(2), Europol may directly retrieve and process information, including personal data, from publicly available sources, including the internet and public data.

5. Article 32 of that regulation, entitled ‘Security of processing’, provides in paragraph 1:

‘Europol shall implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, accidental loss or unauthorised disclosure, alteration and access or any other unauthorised form of processing.’

6. Article 49 of the Europol Regulation, entitled ‘General provisions on liability and the right to compensation’, provides in paragraph 3:

‘Without prejudice to Article 49, ^[(4)^] in the case of non-contractual liability, Europol shall, in accordance with the general principles common to the laws of the Member States, make good any damage caused by its departments or by its staff in the performance of their duties.’

7. Article 50 of that regulation, entitled ‘Liability for incorrect personal data processing and the right to compensation’, provides:

‘1. Any individual who has suffered damage as a result of an unlawful data processing operation shall have the right to receive compensation for damage suffered, either from Europol in accordance with Article 340 TFEU or from the Member State in which the event that gave rise to the damage occurred, in accordance with its national law. The individual shall bring an action against Europol before the Court of Justice of the European Union, or against the Member State before a competent national court of that Member State.

2. Any dispute between Europol and Member States over the ultimate responsibility for compensation awarded to an individual in accordance with paragraph 1 shall be referred to the Management Board, which shall decide by a majority of two-thirds of its members, without prejudice to the right to challenge that decision in accordance with Article 263 TFEU.’

III. Background to the dispute

8. In the course of an investigation conducted by the Slovak criminal authorities following the murder in Slovakia, on 21 February 2018, of a journalist and his fiancée, Europol, at the request of the Národná kriminálna agentúra (National Crime Agency, Slovakia; ‘NAKA’), took possession, on 10 October 2018, of two mobile telephones allegedly belonging to the appellant and, on 17 October 2018, of a USB storage device.

9. With regard to the mobile telephones, on 21 June 2019, Europol forwarded to NAKA the final scientific reports on the operations carried out on those telephones. According to Europol, the forwarding of those reports was preceded, first, by the delivery to NAKA of a hard drive containing the encrypted data retrieved from the telephones, certified by an official record of 23 October 2018 (‘the official record of 23 October 2018’), and, second, by the return of the telephones in question to NAKA, certified by a receipt/delivery of evidence form of 13 February 2019. (5)

10. Information concerning the appellant originating from those mobile telephones, including transcripts of private conversations, were made available to the public as a result of a number of articles published in the press and one item published on a website in May 2019.

11. With regard to the USB storage device, in its report of 13 January 2019 sent to NAKA on 14 February 2019, Europol stated that the appellant had been in custody since 20 June 2018 for suspected financial crime and that his name was, inter alia, directly linked to the ‘so-called mafia lists’ and the ‘Panama Papers’. (6)

12. By letter of 4 May 2020, the appellant claimed compensation from Europol, under Article 50(1) of the Europol Regulation, in the amount of EUR 100 000 for the non-material damage which he claims to have suffered as a result of, first, the publication in the press and on the internet of personal data and, in particular, the publication of transcripts of conversations of a private and sexual nature, and, second, the inclusion of his name on the ‘mafia lists’, which was reported by the press after a series of leaks involving the case file in the national criminal proceedings for the murder mentioned in point 8 of this Opinion.

13. Following the investigation carried out by the Slovak criminal authorities, referred to in point 8 of this Opinion, the appellant, who was prosecuted for complicity in murder for having ordered the killings, was acquitted at first instance by a judgment that was subsequently quashed by the Najvyšší súd Slovenskej republiky (Supreme Court of the Slovak Republic), which referred the case back to the first-instance court.

IV. Procedure before the General Court and the judgment under appeal

14. By document lodged at the Court Registry on 18 August 2020, the appellant brought an action under Articles 268 and 340 TFEU and Article 50(1) of the Europol Regulation seeking compensation for the non-material damage which he claims to have suffered as a result of Europol’s conduct. He claimed compensation in the amount of EUR 50 000 for the non-material damage allegedly suffered on account of the disclosure of personal data (first head of claim) and compensation in the same amount for the non-material damage allegedly suffered on account of being included on the ‘mafia lists’ (second head of claim).

15. The General Court dismissed that action. It found, as regards the first head of claim, that the appellant had not proven that there was a causal link between the alleged damage and Europol’s conduct (7) and, as regards the second head of claim, that he had not adduced any evidence capable of establishing that the ‘mafia lists’ had been drawn up and held by an EU institution and in particular by Europol. (8) It also stated, concerning the two heads of claim, that those findings were not called into question by recital 57 or by Articles 49 or 50 of the Europol Regulation. (9)

V. Procedure before the Court of Justice and forms of order sought

16. On 8 December 2021, the appellant brought an appeal against the judgment under appeal. He claims that the Court of Justice should set aside the judgment under appeal, refer the case back to the General Court and issue a decision on costs.

17. Europol, supported by the Slovak Republic as intervener, contends that the Court of Justice should dismiss the appeal and order the appellant to pay the costs.

VI. Analysis

A. Consideration of the appeal

18. In support of his appeal, the appellant relies on six grounds of appeal. The first to fourth grounds concern the non-material damage suffered as a result of the disclosure to the public of personal data (first head of claim at first instance) and the fifth and sixth grounds concern the non-material damage suffered as a result of the inclusion of his name on the ‘mafia lists’ (second head of claim at first instance). (10)

19. Europol contends at the outset that the first and fifth grounds are inadmissible, which should be examined first of all.

1. Admissibility of the first and fifth grounds of appeal, alleging errors concerning the nature of Europol’s liability

20. Europol contends, in essence, that the first and fifth grounds of appeal, alleging that the General Court erred in law in ruling out the joint and several liability of Europol and the Member State concerned for damage suffered as a result of unlawful data processing as a consequence of action by Europol or that Member State, were raised for the first time in the reply at first instance. They are therefore new grounds raised in the course of the proceedings and, thus, are inadmissible. (11)

21. The appellant counters by saying that he raised those arguments in his application at first instance, when he mentioned recital 57 and Article 50(1) and (2) of the Europol Regulation.

22. In that regard, I note that, in his application, the appellant claimed that Europol was responsible under Article 49(3) and Article 50 of the Europol Regulation and by reference to recital 57 of that regulation, which he cited in full. In his reply, the appellant subsequently substantiated that argument by stating that, even if it were not established that Europol was responsible for the conduct at issue, it would be jointly and severally liable for the damage caused together with the Member State concerned.

23. In those circumstances, I consider that the appellant raised a plea relating, in essence, to Europol’s joint and several liability in his application at first instance and that, therefore, the first and fifth grounds of appeal are admissible.

2. Grounds of appeal concerning the non-material damage suffered as a result of the disclosure to the public of personal data (first head of claim at first instance)

(a) First ground of appeal, alleging error of law in the categorisation of Europol’s liability for incorrect data processing

24. By his first ground of appeal, the appellant takes issue with the General Court, in essence, for having ruled out that Europol and the Member State concerned were jointly and severally liable for damage deriving from unlawful data processing, by disregarding the binding nature of recital 57 of the Europol Regulation.

25. While acknowledging that the wording of Article 50(1) and (2) of the Europol Regulation does not expressly provide for the joint and several liability of Europol and the Member State concerned, the appellant submits that such liability nevertheless follows from that provision, interpreted in the light of recital 57 of that regulation.

26. According to the appellant, first, Article 50(2) of the Europol Regulation, where it provides for the settlement of disputes between Europol and the Member State concerned through the Management Board of Europol, cannot be interpreted in any other way, short of depriving that provision of all meaning.

27. Second, the existence of joint and several liability on the part of Europol in the present case is also supported by the objective of the rules in question, which derives in particular from recital 57 of the Europol Regulation and which consists in providing enhanced protection for injured parties. (12)

28. Third, the general principles of EU law make it possible, in any event, for joint and several liability to be inferred even in the absence of express provision, having regard to Article 340 TFEU.

29. Europol, supported by the Slovak Republic, states, as a preliminary point, that the joint and several liability of the European Union and the Member State concerned, where they act together, is not recognised, in principle, under the second paragraph of Article 340 TFEU, but requires an express reference to that effect by the EU legislature.

30. In the first place, Article 50 of the Europol Regulation is not applicable to the data processing at issue in the present case, since it applies exclusively to data processing carried out in the course of Europol’s operations and tasks.

31. In the second place, that provision applies only to damage caused jointly by the European Union and a Member State and cannot be applied in the absence of any unlawful conduct on the part of Europol and without proof of a causal link.

32. In the third place, first of all, although recital 57 of the Europol Regulation refers to joint and several liability, that recital is not binding and does not apply in the present case. Next, the concept of joint and several liability is based on the premiss that more than one entity is liable for the same damage, not that an entity whose liability has not been proven must pay compensation. Lastly, the appellant has not even brought an action for damages against the Member State concerned. (13)

33. I would point out that, in the judgment under appeal, the General Court held that Articles 49(3) and 50(1) of the Europol Regulation merely state that Europol must make good any damage caused by its departments or by its staff in the performance of their duties, in accordance with the conditions laid down in Article 340 TFEU, and that the condition relating to the existence of a causal link was not satisfied. (14) In that regard, although recital 57 of that regulation envisages a solidarity mechanism, there is no concrete expression of or basis for it in the provisions of the regulation. (15)

34. Concerning the non-contractual liability of the European Union, it should be noted that the second paragraph of Article 340 TFEU provides that ‘in the case of non-contractual liability, the Union shall, in accordance with the general principles common to the laws of the Member States, make good any damage caused by its institutions or by its servants in the performance of their duties’. (16) The Court has consistently held that the non-contractual liability of the European Union under that provision depends on the fulfilment of a number of conditions as regards the unlawfulness of the acts alleged against the institution, the fact of damage and the existence of a causal link between the wrongful act and the damaged complained of. (17) The cumulative nature of those conditions means that, where one of them is not satisfied, the non-contractual liability of the European Union cannot be incurred. (18)

35. As regards, more specifically, the possible joint and several liability of Europol under Article 50 of the Europol Regulation, I note that, in principle, non-contractual joint and several liability means that, if the harmful act is attributable to several persons, they are jointly and severally liable to pay compensation for the damage. (19)

36. In accordance with equally settled case-law of the Court, the interpretation of a provision of EU law requires account to be taken not only of its wording, but also of the context in which it occurs, as well as the objectives and purpose pursued by the act of which it forms part. Furthermore, the legislative history of a provision of EU law may also reveal elements that are relevant to its interpretation. (20)

37. In the first place, concerning the wording of Article 50(1) of the Europol Regulation, that provision states, in essence, that any individual who has suffered damage as a result of an unlawful data processing operation is to have the right to receive compensation for the damage suffered, either from Europol, in accordance with Article 340 TFEU (before the EU Courts), or from the Member State in which the event that gave rise to the damage occurred, in accordance with its national law (before the national court with jurisdiction).

38. It seems to me that Article 50(1) of the Europol Regulation is not, on its wording alone, amenable to an unambiguous interpretation as to the nature of the liability in question.

39. The use of the expression ‘either … or’ is not conclusive in that regard. (21) That expression could just as easily indicate that Europol’s liability is an alternative to the liability of the Member State concerned or that the injured party may make a claim against either the institution concerned or the Member State concerned for the entire damage.

40. Furthermore, the reference in that provision to Article 340 TFEU is not conclusive either and, in the light of the reference in the latter provision to the ‘general principles common to the laws of the Member States’, calls for a comparative interpretation, which I will carry out below in the context of the teleological interpretation of the provision in question. (22)

41. In the second place, concerning the context of which Article 50(1) of the Europol Regulation forms part, I note, first, that recital 56 of the Europol Regulation states that Europol is to be subject to the general rules on contractual and non-contractual liability applicable to Union institutions, agencies and bodies, ‘save as regards the rules on liability for unlawful data processing’. As regards such unlawful data processing, recital 57 of that regulation could not be more explicit where it states that ‘Europol and the Member State in which the event that gave rise to the damage occurred should … be jointly and severally liable’, on the ground that ‘it may be unclear for the individual concerned whether damage suffered as a result of unlawful data processing is a consequence of action by Europol or by a Member State’.

42. It is indeed true, as Europol points out, that the preamble to an EU act has no binding legal force and cannot be relied on either as a ground for derogating from the actual provisions of the act in question or for interpreting those provisions in a manner clearly contrary to their wording. (23) Nevertheless, beyond those limits, the recitals constitute important elements for the purposes of interpretation, which may clarify the intentions of the author of that act. (24)

43. Therefore, since the EU legislature’s intention, clearly expressed in recital 57 of the Europol Regulation, to favour injured parties by making Europol and the Member State concerned jointly and severally liable does not conflict with the wording of Article 50 of that regulation, I conclude that that article may (and must) be interpreted in the light of that recital.

44. That conclusion is confirmed by Article 50(2) of the Europol Regulation, under which any dispute between Europol and Member States over the ultimate responsibility for compensation awarded to an individual in accordance with Article 50(1) is to be referred to the Management Board.

45. As regards, second, Europol’s argument that, in essence, its activities of taking possession of and decrypting the appellant’s mobile telephones are not covered by the concept of ‘personal data processing’ within the meaning of Article 50 of the Europol Regulation, I do not see why – and Europol offers no explanation in that regard – the decryption activities carried out by Europol in the present case do not fall within the definition set out in Article 88(2)(a) TFEU, under which Europol’s tasks may include ‘the collection, storage, processing, analysis and exchange of information, in particular that forwarded by the authorities of the Member States or third countries or bodies’. (25)

46. In the third place, it seems clear to me that one of the objectives of the Europol Regulation, as is apparent from recital 57 thereof, is to make it easier, by means of the joint and several liability of Europol and the Member State concerned, for persons who have suffered damage as a result of incorrect data processing to bring an action for damages. That view is borne out by the legislative history of the provision in question and by a comparative interpretation of that provision in the light of the general principles common to the laws of the Member States.

47. In that regard, concerning, first, the legislative history of Article 50 of the Europol Regulation, I note that the wording of that article and of recital 57 was taken directly from the Commission’s initial proposal, (26) which supports the view that that article transposes the EU legislature’s intention, as expressed in that recital, to introduce a form of joint and several liability between Europol and the Member State concerned. (27)

48. Furthermore, contrary to Europol’s submissions, the application of that provision cannot be limited to the situation of damage caused jointly by the European Union and a Member State since, in such a situation, it would, in my view, be for the court having jurisdiction to rule on the respective liability of the entities or persons who caused the damage. (28)

49. Concerning, second, the comparative interpretation of Article 50(1) of the Europol Regulation, I would point out that, under that provision, the injured party may sue Europol ‘in accordance with Article 340 TFEU’, the second paragraph of which refers to the general principles common to the laws of the Member States. (29)

50. In that connection, it seems to me that Member States’ legal systems overlap somewhat as regards the existence of joint and several liability in situations in which the same damage is attributable to several persons. (30) Moreover, the Principles of European Tort Law point in the same direction. (31)

51. I also note that the joint and several liability mechanism is not alien to EU law on data processing since, in particular, Article 82(4) of Regulation 2016/679 introduces such liability where more than one controller is involved in the same processing. (32)

52. That conclusion is not called into question by the case-law principle that, in situations of concurrent liability of the European Union and a Member State, individuals who have allegedly suffered damage must first bring legal proceedings before the national courts. (33) While that principle applies to situations of joint liability, its application to situations of joint and several liability would deprive it of all practical effect.

53. To conclude, I consider that the General Court erred in law in ruling out that Article 50(1) of the Europol Regulation, interpreted in the light of recital 57 thereof, introduced a system of joint and several liability between Europol and the Member State concerned for damage suffered as a result of unlawful data processing as a consequence of action by Europol or that Member State.

54. I therefore propose that the first ground of appeal be upheld.

55. Accordingly, the judgment under appeal should be set aside in so far as it ruled out any causal link between the damage alleged by the appellant and possible conduct on the part of Europol solely because, for a certain period of time, both Europol and the Slovak authorities had been in possession of the data contained in the mobile telephones in question.

56. That said, I note that if Europol is to be held jointly and severally liable for the alleged damage, it will still be necessary to establish, among other things, the existence of a causal link between the alleged conduct and that damage. (34) Indeed, in order for joint and several liability to exist, the various events giving rise to damage must be capable of causing the alleged damage, irrespective of which infringement was the immediate and decisive cause of the event. (35)

57. It is true that the existence of that causal link in the present case is the common thread running through the arguments put forward in the second to fourth and sixth grounds of appeal.

58. However, given that, in the judgment under appeal, the General Court essentially confined itself to ruling on the absence of an ‘exclusive’ causal link between Europol’s conduct and the alleged damage, and since that analysis does not make it possible to assess whether a causal link exists as is required in a situation of joint and several liability, I consider that, if the Court of Justice endorses my proposal to uphold the first ground of appeal, the judgment under appeal should be set aside and the case referred back to the General Court, as regards the first head of claim at first instance, so that the General Court can rule on the question of the causal link in the context of joint and several liability and, where appropriate, on the other conditions to which the non-contractual liability of the European Union and its institutions or bodies is subject. (36)

59. However, if the Court does not agree with my suggested approach, the other grounds of appeal are examined below. (37)

(b) Second ground of appeal, alleging misinterpretation of the national legislation governing the content of investigation files

60. By his second ground of appeal, the appellant claims that, contrary to the national rules specifying what investigation files should contain, (38) the official record of 23 October 2018 was not part of the investigation file concerning him, which therefore affects its reliability.

61. In the judgment under appeal, the General Court took account of the official record of 23 October 2018 in order to find that, from that date onwards, Europol was not the only entity in possession of the data contained in the mobile telephones in question, since the Slovak authorities held those data too. (39)

62. In response to the appellant’s assertion that the official record was not authentic, the Court held that any failure to include that document in the criminal proceedings file could not, in itself, affect its authenticity and that the appellant had in no way claimed that that record had been altered. (40)

63. In that regard, it seems to me that the appellant’s argument concerning the possible infringement of the national rules governing the content of the file – which, moreover, do not concern the authenticity of the documents on the file – is ineffective, in that it is not sufficient to demonstrate that the General Court erred in its assessment of the validity of the official record of 23 October 2018 and far less that it distorted that item of evidence by failing to take account of the national legislation relied on by the appellant at first instance. A distinction should be drawn between, on the one hand, the possible non-conformity of that record with the national rules governing the content of the file, which might affect the record’s validity as a part of that file, (41) and, on the other hand, the existence (and therefore the authenticity) of the official record itself and its potential probative value in the present case.

64. Similarly, in the light of the patently irrelevant nature of the national legislation relied on by the appellant in order to undermine the probative value of the official record at issue, the argument alleging failure to state reasons in the judgment under appeal, also raised by the appellant, cannot succeed.

65. I therefore propose that the second ground of appeal be rejected.

(c) Third ground of appeal, alleging errors of fact in the assessment of the causal link as regards the first head of claim at first instance

66. By his third ground of appeal the appellant claims, in the first place, that the official record of 23 October 2018 (the authenticity of which is, moreover, disputed) demonstrates only that ‘preliminary results’ were forwarded in the form of data acquisitions and retrievals, which does not prove that the ‘communications’ at issue in the present proceedings were also provided. (42)

67. In that regard, I note that, in paragraph 68 of the judgment under appeal, the General Court found that, on the date of the abovementioned official record, Europol was no longer the only entity in possession of the data at issue, which were accessible to the Slovak authorities from that date. (43)

68. It seems to me that the doubts raised by the appellant concerning the precise content of the data forwarded by Europol to the Slovak authorities and his disagreement with the General Court’s interpretation of the term ‘preliminary results’ contained in the official record of 23 October 2018 are not sufficient to establish the existence of errors of fact or of assessment leading to a distortion of the evidence by the General Court.

69. In the second place, the appellant submits that the General Court failed to establish that Europol never had access to the communications at issue in decrypted form, (44) that even a leak in encrypted form could have caused the alleged damage, after being decrypted by an unauthorised third party, (45) and that, in the present case, decryption would have been particularly easy given that Europol had already retrieved the files with their associated passwords.

70. Although it cannot be ruled out, as the appellant claims, that the data at issue could have been leaked even in encrypted form, the appellant has not submitted any information or evidence to suggest that such a leak occurred when Europol had access to the mobile telephones in question, (46) and far less to suggest that the General Court’s finding that the leak of the communications at issue did not originate from the encrypted data is vitiated by a distortion of the evidence. (47)

71. In the third place, the appellant restates his claim that the official record of 23 October 2018 was backdated – a claim rejected by the General Court as being entirely unsupported by evidence (48) – without providing additional information from which it could be inferred that the General Court distorted the facts. (49)

72. In the fourth place, the appellant adds that the mobile telephones in question had been handed over for the purposes of acquisition and retrieval without the prior consent of a court or an independent administrative body, which demonstrates the existence of a causal link.

73. In that regard, I find it difficult to see how a possible infringement of the rules on acquisition and retrieval of the data at issue could, in itself, prove the existence of a link between that acquisition or that retrieval and the leak of those data to the public. (50)

74. The fact that the data at issue were forwarded by Europol to the Slovak authorities is sufficient, in my view, to break the ‘exclusive’ causal link between the leak of those data and Europol’s conduct, irrespective of whether Europol was also in possession of the data in encrypted or decrypted form and the level of possible decryption. (51)

75. I therefore propose that the third ground of appeal be rejected.

(d) Fourth ground of appeal, alleging failure to state reasons and errors of law as regards the handling of evidence, distortion of the evidence and infringement of the rights of the defence

76. By the first part of his fourth ground of appeal, the appellant takes issue with the General Court for having failed to state the reasons for its finding that Article 50(1) and (2) of the Europol Regulation cannot be regarded as establishing joint and several liability and for having infringed the rules on the burden of proof.

77. It is clear from the analysis carried out in points 24 to 53 of this Opinion that the General Court’s reasoning enabled the appellant to understand the reasons for its view that Article 50 of the Europol Regulation did not establish joint and several liability and enabled him to formulate his arguments against those reasons. I believe it also enables the Court of Justice to carry out its judicial review.

78. By the second part of his fourth ground of appeal, the appellant claims, in essence, that the General Court reversed the burden of proof by requiring him to demonstrate at first instance that the information leak had originated from Europol.

79. In the judgment under appeal, the General Court found that the appellant had not adduced evidence of a causal link between the alleged damage and any conduct by Europol and that that was sufficient to exclude any liability on its part under Article 340 TFEU.

80. In my view, the General Court’s assessment was, in principle, correctly carried out, in the light of settled case-law under which it is for the party seeking to establish the European Union’s non-contractual liability to adduce conclusive proof of the existence of a sufficiently direct causal nexus between the conduct of the institution in question and the damage alleged. (52)

81. By the third part of his fourth ground of appeal, the appellant complains that the General Court failed to consider as evidence the national criminal investigation file concerning him and the decree of the Slovak Ministry of Justice, (53) which specifies what that file is to contain. In essence, the appellant restates the argument put forward in the second ground of appeal, namely that the official record of 23 October 2018 should be included in the criminal investigation file concerning him, in accordance with the requirements laid down by that decree.

82. In that regard, suffice it to note that, as I have pointed out in my analysis of the second ground of appeal, the appellant’s argument concerning the alleged infringement of the national rules governing the content of the file is irrelevant, since the possible non-conformity of that record with those national rules would not affect the probative value of the record in the present case. (54)

83. As regards the argument to the effect that the fact that Europol submitted only a photograph of the official record of 23 October 2018 demonstrates that Europol was not in possession of that record and obtained it from the Slovak authorities in the context of the judicial proceedings, it must be stated that, as the appellant makes clear, this is his lawyer’s ‘belief’, which is not supported by any evidence or information. (55)

84. By the fourth part of his fourth ground of appeal, the appellant complains that the General Court infringed his rights of the defence because he was unable to make known his views, at the hearing on 30 June 2021, on the backdating of the official record of 23 October 2018. Without expressly saying so, he is ostensibly claiming failure to observe the principle that the parties should be heard.

85. However, the appellant does not indicate what arguments and evidence he could have relied on had his rights of the defence been respected, nor does he claim that, in the absence of the alleged failure to observe the principle that the parties should be heard, his arguments could have altered the outcome of the dispute. (56)

86. Furthermore, in paragraphs 74 to 78 of the judgment under appeal, the General Court ruled on the appellant’s arguments concerning the alleged backdating, noting in particular that they were entirely unsupported by evidence and that the appellant had not claimed, in the reply, that the official record of 23 October 2018 or the copy thereof had been altered.

87. The appellant merely states that, to date, the whereabouts of the original copy of the official record of 23 October 2018 are unknown, that it is not in the court file on the case from which it supposedly originates and that the documents from another criminal case show that there are at least two separate copies of that record.

88. In that regard, it should be noted that, under the principle of the unfettered evaluation of evidence, enshrined in the case-law of the Court of Justice, the determination of the probative value of the evidence is left to the discretion of the General Court, (57) save where the evidence is distorted, which, as the Court of Justice has consistently held, must be obvious from the documents in the case file without there being any need to carry out a new assessment of the facts and the evidence. (58) That does not seem to me to be the case here.

89. I therefore propose that the fourth ground of appeal be rejected.

3. Grounds of appeal concerning the non-material damage suffered as a result of the inclusion of the appellant’s name on the ‘mafia lists’ (second head of claim at first instance)

(a) Fifth ground of appeal, alleging error of law in the categorisation of Europol’s liability for incorrect data processing

90. By his fifth ground of appeal, which refers entirely to the first ground, the appellant essentially takes issue with the General Court for having ruled out that Europol and the Member State concerned were jointly and severally liable for damage deriving from unlawful data processing, by disregarding the binding nature of recital 57 of the Europol Regulation.

91. As is apparent from my analysis of the first ground of appeal, (59) the General Court erred in law in holding that Article 50(1) of the Europol Regulation, interpreted in the light of recital 57 thereof, did not introduce a system of joint and several liability between Europol and the Member State concerned for damage suffered as a result of unlawful data processing by Europol or that Member State.

92. That said, I note that, as regards the second head of claim, the General Court found, in paragraph 102 of the judgment under appeal, that the appellant had not adduced any evidence capable of establishing that the ‘mafia lists’ on which he had been included had been drawn up and held by an EU institution and, in particular, by Europol.

93. In my view, the error of law committed by the General Court is not such as to challenge that finding, in so far as it is not called into question by the arguments put forward in the sixth ground of appeal, as I will examine below.

94. In those circumstances, I propose that the fifth ground of appeal be rejected as ineffective.

(b) Sixth ground of appeal, alleging errors of fact in the assessment of the causal link as regards the second head of claim at first instance

95. By his sixth ground of appeal, the appellant claims, in essence, that there was no basis for Europol establishing a link between him and the ‘mafia lists’.

96. However, as the General Court pointed out, Europol, in its report of 13 January 2019, (60) merely stated that the appellant’s name was, inter alia, ‘directly linked to the so-called mafia lists and the Panama Papers’, without including him on any list, and had observed that articles published in the press prior to that report had already referred to the appellant’s possible mafia links. (61)

97. That conclusion is not called into question by the appellant’s arguments, which are essentially confined to claiming that Europol did not explain why it had established a link between the appellant and the ‘mafia lists’ and that, by that conduct, it had infringed the principle of proportionality, since the ‘right to keep mafia lists’ has no basis in national or EU law.

98. By those arguments, the appellant starts from the unproven premiss that Europol actually included him on the ‘mafia lists’, without calling into question the General Court’s finding in paragraph 102 of the judgment under appeal that he had not adduced any evidence capable of establishing that the ‘mafia lists’ on which he had been included had been drawn up and held by an EU institution and, in particular, by Europol.

99. I therefore propose that the sixth ground of appeal be rejected and, consequently, that the appeal be dismissed as regards the grounds relating to the second head of claim at first instance.

B. Consideration of the action at first instance

100. As is apparent from the foregoing analysis, I propose that the judgment under appeal be set aside as regards the first head of claim at first instance and that the appeal be dismissed as regards the second head of claim at first instance.

101. Under Article 61 of the Statute of the Court of Justice of the European Union, the Court of Justice may, where it sets aside the decision of the General Court, itself give final judgment in the matter, where the state of the proceedings so permits.

102. I do not believe that to be the case here.

103. I consider that the error of law committed by the General Court in declining to acknowledge the existence of joint and several liability between Europol and the Member State concerned for damage suffered as a result of unlawful data processing as a consequence of action by Europol or that Member State, means that a new factual assessment is to be carried out by the General Court concerning whether a causal link exists between Europol’s conduct and the damage alleged by the appellant (62) and, where appropriate, concerning the other conditions to which the non-contractual liability of the European Union and its institutions or bodies is subject. (63)

C. Costs

104. Given that I propose that the case be referred back to the General Court, the decision on the costs of the parties relating to the appeal proceedings should be reserved, in accordance with Article 137 of the Rules of Procedure of the Court of Justice, applicable to appeal proceedings by virtue of Article 184(1) of those rules.

VII. Conclusion

105. In the light of the foregoing, I propose that the Court should:

– set aside the judgment of the General Court of the European Union of 29 September 2021, Kočner v Europol (T‑528/20, not published, EU:T:2021:631), as regards the first head of claim;

– refer the case back to the General Court for a decision on the merits of the first head of claim;

– dismiss the appeal as to the remainder;

– reserve the decision as to costs.

1 Original language: French.

2 Regulation of the European Parliament and of the Council of 11 May 2016 on the European Union Agency for Law Enforcement Cooperation (Europol) and replacing and repealing Council Decisions 2009/371/JHA, 2009/934/JHA, 2009/935/JHA, 2009/936/JHA and 2009/968/JHA (OJ 2016 L 135, p. 53, ‘the Europol Regulation’).

3 Council Decision of 23 September 2013 on the security rules for protecting EU classified information (OJ 2013 L 274, p. 1).

4 I note that the reference to that article is probably incorrect and should be construed as a reference to Article 50 of the Europol Regulation, as is apparent from the European Commission’s initial proposal (COM(2013) 173 final of 27 March 2013), in which Article 51 (which corresponds to Article 49 of the Europol Regulation) referred to Article 52 (which corresponds to Article 50 of that regulation).

5 In addition, on 1 April 2019, the Slovak authorities used the information contained in the mobile telephones in question in criminal proceedings against the appellant and, as is apparent from a report from the Slovak police service of 18 June 2019, those authorities analysed the data contained in the telephones.

6 Judgment under appeal, paragraph 10.

7 Judgment under appeal, paragraph 91. The General Court found, first, that Europol was not the only entity in possession of the data contained in the mobile telephones in question, since the Slovak authorities held those data too (judgment under appeal, paragraphs 68 and 84), second, that at no point did Europol have access to the communications at issue in a decrypted and intelligible form (judgment under appeal, paragraph 86) and, third, that it was clear from a press article that information from the national investigation file had been leaked (judgment under appeal, paragraph 90).

8 Judgment under appeal, paragraph 102.

9 Judgment under appeal, paragraphs 92 to 95 and 105.

10 More specifically, the first and fifth grounds concern the possible existence of joint and several liability between Europol and the Member State concerned for damage suffered as a result of unlawful data processing, in accordance with recital 57 of the Europol Regulation, while the second to fourth and sixth grounds essentially concern the assessment of the causal link between the damage allegedly suffered by the appellant and Europol’s conduct.

11 The inadmissibility of those grounds was neither raised by Europol in its rejoinder at first instance nor examined by the General Court of its own motion in the judgment under appeal. That said, the lack of any discussion on that issue at first instance does not prevent the Court of Justice, if appropriate, from finding that the General Court erred in law by not raising that possible inadmissibility as an absolute bar to proceeding.

12 The appellant states, moreover, that the principle that every legislature acts rationally prevents that provision from being assigned a meaning other than that which emerges from recital 57. He maintains that that conclusion is also borne out by the fact that, under the rules in force prior to the Europol Regulation, the Member State concerned was liable even in situations where liability also lay with Europol (in accordance with Article 52(1) of Council Decision 2009/371/JHA of 6 April 2009 establishing the European Police Office (Europol) (OJ 2009 L 121, p. 37)). It would be inconsistent, in his view, to presume that the EU legislature would have swapped that system of simplified liability for a system that was less favourable towards injured parties, who would henceforth have to identify at the outset the entity responsible for the damage before being able to bring legal proceedings, which would run counter to the objective pursued by those rules.

13 Furthermore, the fact – to which the appellant refers – that the EU legislature replaced the previous system of liability, under which the State concerned was the only liable party even where liability also lay with Europol, does not, in Europol’s view, support the appellant’s argument that the current system cannot be less favourable towards injured parties (see footnote 11 of this Opinion). According to Europol, that legislative shift can easily be explained by the fact that, following the amendments introduced by the Treaty of Lisbon, Europol ultimately falls under the jurisdiction of the Court.

14 Judgment under appeal, paragraph 93.

15 Judgment under appeal, paragraph 94.

16 In almost identical wording, Article 41(3) of the Charter of Fundamental Rights of the European Union states that ‘every person has the right to have the Union make good any damage caused by its institutions or by its servants in the performance of their duties, in accordance with the general principles common to the laws of the Member States’.

17 See judgment of 10 September 2019, HTTS v Council (C‑123/18 P, EU:C:2019:694, paragraph 32 and the case-law cited).

18 Judgment of 9 September 1999, Lucaccioni v Commission (C‑257/98 P, EU:C:1999:402, paragraph 63), and order of 12 March 2020, EMB Consulting and Others v ECB (C‑571/19 P, not published, EU:C:2020:208, paragraph 29).

19 See, in particular, Article 9:101 of the Principles of European Tort Law by the European Group on Tort Law (EGTL) (an initiative to codify the principles of European tort law on the basis of a comparative examination of national systems), available at http://www.egtl.org. As regards the definition of joint and several liability applied by the Court (in contractual matters), see judgment of 18 May 2017, Latvijas Dzelzceļš (C‑154/16, EU:C:2017:392, paragraph 85), in which the Court made clear that it follows from the very nature of joint and several liability that each debtor is liable for the total amount of the debt and the creditor remains, in principle, free to request the payment of that debt by one or several debtors as he or she chooses.

20 Judgment of 16 March 2023, Towercast (C‑449/21, EU:C:2023:207, paragraph 31 and the case-law cited).

21 The same is true of other language versions of that provision. In addition to the French-language version, namely the original language of this Opinion (‘soit d’Europol …, soit de l’État membre’), see, in particular, the language versions in Greek (‘είτε εκ μέρους της Ευρωπόλ …, είτε εκ μέρους του κράτους μέλους’), English (‘either from Europol … or from the Member State’) and Italian (‘da Europol … o dallo Stato membro’).

22 As the two methods are closely linked (see, in legal literature, Lenaerts, K. and Gutiérrez-Fons, J.A., Les méthodes d’interprétation de la Cour de justice de l’Union européenne, Bruylant, Brussels, 2020, p. 104).

23 See, inter alia, judgment of 19 June 2014, Karen Millen Fashions (C‑345/13, EU:C:2014:2013, paragraph 31 and the case-law cited).

24 See judgment of 19 May 2022, Spetsializirana prokuratura (Trial of an absconded accused person) (C‑569/20, EU:C:2022:401, paragraph 32 and the case-law cited). See also, for information, the Joint Practical Guide of the European Parliament, the Council and the Commission for persons involved in the drafting of European Union legislation, Publications Office of the European Union, Luxembourg, 2015. According to the introductory wording to guideline 10 of that document, the purpose of the recitals is, inter alia, ‘to set out concise reasons for the chief provisions of the enacting terms’.

25 Moreover, the processing of personal data carried out by Europol in the present case could also fall within the definitions of ‘personal data’, ‘operational personal data’ and ‘processing’ laid down in Article 3(1), (2) and (3) of Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ 2018 L 295, p. 39). While it is true that Article 2(3) of Regulation 2018/1725 provides that that regulation is not to apply, inter alia, to the processing of operational personal data by Europol until the Europol Regulation has been adapted in accordance with Article 98 of the former regulation, it seems to me that, in the absence of specific definitions in the Europol Regulation, the definitions in question may be used in the present case as parameters for interpretation. In addition, the definitions of ‘personal data’ and ‘processing’ match those set out in Article 4(1) and (2) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1, and corrigendum OJ 2018 L 127, p. 2), which, however, under Article 2(2)(d) thereof, does not apply, inter alia, to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences.

26 Recital 57 and Article 50 of the Europol Regulation correspond, in essence, to recital 47 and Article 52 of the Commission’s initial proposal (COM(2013) 173 final of 27 March 2013).

27 However, I do not agree with the appellant’s argument, which also draws inspiration from the legislative history of the Europol Regulation, that that regulation could not simply provide the injured party with less protection than the protection guaranteed under the previous rules (see footnote 11 of this Opinion). I am more persuaded by Europol’s position that the provision made in the previous rules for the exclusive liability of the Member State concerned for any damage resulting from the storage or processing of data, including in relation to action by Europol, was motivated by the fact that, when those rules applied (that is to say, before the entry into force of the Treaty of Lisbon), action by Europol fell outside the jurisdiction of the EU Courts.

28 Of course, as Europol points out, according to the case-law, the EU Courts must, before giving judgment, wait until the national court has taken a decision at first instance (see judgment of 14 July 1967, Kampffmeyer and Others v Commission, 5/66, 7/66, 13/66 to 16/66 and 18/66 to 24/66, not published, EU:C:1967:31, p. 266). I will explain that point in more detail in footnote 33 of this Opinion.

29 Using very similar wording, Article 49 of the Europol Regulation states that Europol is to make good any damage caused by its departments or staff in the performance of their duties ‘in accordance with the general principles common to the laws of the Member States’.

30 I refer, by way of example, to Paragraph 840 of the Bürgerliches Gesetzbuch (German Civil Code), Article 926 Αστικού Κώδικα (Greek Civil Code) and Article 2055 of the codice civile (Italian Civil Code). Common law systems also seem to take that possibility into account (see Van Dam, C., ‘Causation’, European Tort Law, Oxford, 2013, p. 331). See also, to that effect, Article 1265 of the draft reform of civil liability in the French legal system, in which, on any view, a joint and several liability obligation known as an ‘in solidum’ obligation, established by case-law, appears already to exist (see, in legal literature, Ligüerre, C.G., ‘Responsabilité solidaire et canalisation de la responsabilité’, Revue des contrats, No 4, 2019, p. 252).

31 Provision is made for such a principle in particular in Article 9:101 of the Principles of European Tort Law (see European Group on Tort Law, Principles of European Tort Law. Text and Commentary, SpringerWienNewYork, 2005, p. 206).

32 Under that provision, where more than one controller or processor, or both a controller and a processor, are involved in the same processing and where they are responsible for any damage caused by processing, each controller or processor is to be held liable for the entire damage in order to ensure effective compensation of the data subject. The person who has made good the damage in full may, under Article 82(5) of that regulation, claim back from the other controllers or processors that part of the compensation corresponding to their part of responsibility for the damage. The application of that provision is precluded in the present case by Article 2(2)(d) of that regulation.

33 More specifically, in case-law dating back to the 1960s, the EU Courts held that, where the same damage is the subject of two actions for compensation, one against a Member State before a national court and the other against the European Union before the EU Courts, it may prove necessary, before deciding on the amount of the damage for which the European Union will be held liable, to wait until the national court has given judgment on any liability on the part of the Member State, in order to avoid the applicant’s being insufficiently or excessively compensated because of the different assessment of two different courts (see judgments of 14 July 1967, Kampffmeyer and Others v Commission, 5/66, 7/66, 13/66 to 16/66 and 18/66 to 24/66, not published, EU:C:1967:31; of 30 November 1967, Becher v Commission, 30/66, EU:C:1967:44; and of 13 December 2006, É.R and Others v Council and Commission, T‑138/03, EU:T:2006:390, paragraph 42). In legal literature, see Lenaerts, K., et al., EU Procedural Law, Oxford University Press, 2014, pp. 506 and 507.

34 Even though EU law does not have its own definition of ‘causal link’ (see Van Dam, C., European Tort Law, Oxford, 2013, p. 321; Gutman, K., ‘The non-contractual liability of the European Union: principle, practice and promise’, Research Handbook on EU Tort Law, 2017, pp. 26 to 60, particularly p. 57), it seems to me that Member States’ national legal systems require that element in case of joint and several liability (see, in particular, Infantino, M., and Zervogianni, Ε., ‘Causation in European Tort Law’, The American Journal of Comparative Law, Cambridge, 2017, pp. 652 and 653).

35 In that regard, it must be stated that neither the second paragraph of Article 340 TFEU nor the principles relating to joint and several liability stemming from the general principles common to the laws of the Member States allow for the liability of an EU institution or body to be established without a causal link between that institution or body’s conduct and the alleged damage.

36 See point 34 of this Opinion.

37 That being said, if the Court of Justice follows my proposal to uphold the first ground of appeal, the second, third and fourth grounds of appeal will be ineffective, since the General Court would be required, in any event, to review its assessment as to whether there is a causal link.

38 Rules laid down in Decree No 618/2005 of the Slovak Ministry of Justice.

39 See judgment under appeal, paragraphs 68 and 84. The General Court assessed the probative value of that document on the basis of the principle of the unfettered evaluation of evidence and having regard to the elements referred to in its case-law (namely, judgment of 13 December 2018, Iran Insurance v Council, T‑558/15, EU:T:2018:945, paragraphs 153 and 154 and the case-law cited) (see judgment under appeal, paragraph 80). It found that the official record at issue accurately identified the items and data delivered by the staff member of Europol to the staff member of NAKA, the file to which the items and data belonged, how they were delivered, the capacity in which the staff members in question were acting and the date and time of delivery (see judgment under appeal, paragraphs 79 to 81).

40 See judgment under appeal, paragraphs 71 and 77. Furthermore, the General Court pointed out that the record was drawn up on paper bearing the official letterhead of NAKA, that it referred to a specific file and that it had been dated and signed by a named member of staff of NAKA, who stated that he had received the hard drive concerned from a staff member of Europol, also identified by name (paragraph 76 of the judgment under appeal). Those circumstances are not disputed by the appellant.

41 I note, moreover, that the Slovak Republic, in its statement in intervention, disputes the appellant’s argument that the official record at issue should have formed part of the investigation file under national legislation, stating that, in accordance with that legislation, some procedural documents are not included in the original investigation file but are stored in a separate copy of that file.

42 The appellant adds that the return of the mobile telephones, mentioned in paragraph 67 of the judgment under appeal, is also not relevant in that regard, since it is not the telephones but the data they contain which must be taken into account. Furthermore, the fact that the Slovak Public Prosecutor’s Office was in possession of the communications at issue as early as 1 April 2019 does not mean that the disclosure of those data would have originated from those communications.

43 That was allegedly confirmed by the fact, recalled by the appellant, that the Slovak criminal authorities had made use of the data at issue on 1 April 2019.

44 In that regard, the appellant disputes the General Court’s finding, based on the testimony of a staff member of Europol before a Slovak criminal court (see judgment under appeal, paragraph 82), according to which Europol simply ‘acquired and retrieved’ data from the mobile telephones in encrypted form, which the Slovak authorities decrypted (see judgment under appeal, paragraph 87). According to the appellant, those acquisition and retrieval operations by Europol involved the downloading of files and the associated passwords, which would have made it easy for anyone to decrypt the data at issue.

45 In that regard, the appellant also raises a ground of appeal alleging failure to state reasons, claiming that the General Court failed to explain why data which might have been leaked in encrypted form could not have been decrypted by a third party. It seems to me, however, that in the present case, the General Court explained to the requisite legal standard that it considered Europol not to be responsible in so far as Europol had not been in possession of the communications at issue in decrypted form, with the question whether that assertion is well founded being related to the question whether the reasoning is well founded.

46 The appellant’s argument is therefore confined to the realm of speculation. Moreover, the appellant himself acknowledges that it is difficult to determine whether liability for the damage lies with Europol or the Member State concerned and, for that reason, argues that those two entities are jointly and severally liable (see the first and fifth grounds of appeal).

47 It should be pointed out that, if it were established that Europol never had access to the communications at issue in decrypted form, that would strongly suggest that there was no ‘non-exclusive’ causal link between Europol’s conduct and the alleged damage, which could lead to the existence of that causal link also being ruled out in the context of Europol’s joint and several liability. However, in my view, that is a factual assessment which should be carried out first of all by the General Court.

48 Judgment under appeal, paragraphs 74 and 75.

49 The appellant does not explain how the retrieval of data from the two mobile telephones in question was carried out subsequent to the official record of 23 October 2018, nor does he state that he challenged that alleged alteration before a criminal court. Similarly, the fact that the respondent submitted only a photograph of the official record of 23 October 2018 is not sufficient to establish that the record was backdated or, a fortiori, to demonstrate that, by failing find that it was, the General Court distorted that evidence.

50 See also point 63 of this Opinion.

51 Based on the sharing of the data at issue between Europol and the Slovak authorities, it cannot be established that only Europol was in possession of the mobile telephones in question and the transcripts they contained, as the General Court found in paragraphs 64 and 65 of the judgment under appeal.

52 See, inter alia, judgment of 30 May 2017, Safa Nicu Sepahan v Council (C‑45/15 P, EU:C:2017:402, paragraph 62 and the case-law cited). That conclusion, which concerns a general assessment of the burden of proving the causal link as applied at all instances of an action for damages, is without prejudice to the assessment of the nature of Europol’s liability, carried out in the context of the first and fifth grounds of appeal. If the Court concludes, as I propose in points 24 to 54 of this Opinion, that Europol is, in the present case, jointly and severally liable with the Member State concerned, it follows that the General Court, while applying an incorrect standard of proof (requiring proof of an ‘exclusive’ causal link between Europol’s processing of the data and the alleged damage), was right to place the burden of proving the causal link on the appellant at first instance.

53 Although the appellant does not specifically say so, he is probably referring to Decree No 618/2005, cited in connection with the second ground of appeal.

54 See point 63 of this Opinion.

55 The same is true of the appellant’s claim that the content of the official record in question was altered, which is not borne out by any supporting evidence (see footnote 49 of this Opinion).

56 See, to that effect, order of 29 October 2004, Ripa di Meana v Parliament (C‑360/02 P, EU:C:2004:690, paragraph 36).

57 See, to that effect, judgment of 22 October 2020, EKETA v Commission (C‑273/19 P, not published, EU:C:2020:852, paragraph 69).

58 See judgment of 6 November 2018, Scuola Elementare Maria Montessori v Commission, Commission v Scuola Elementare Maria Montessori and Commission v Ferracci (C‑622/16 P to C‑624/16 P, EU:C:2018:873, paragraph 86 and the case-law cited).

59 See points 33 to 53 of this Opinion.

60 See point 11 of this Opinion.

61 Judgment under appeal, paragraph 107.

62 As I have stated in points 56 to 58 of this Opinion, the existence of joint and several liability does not require the existence of an ‘exclusive’ causal link between the conduct of one of the persons responsible and the alleged damage in accordance with the common rules (as examined by the General Court in the present case), but requires that the various events giving rise to damage must be capable of causing the alleged damage.

63 See point 34 of this Opinion.