Provisional text
JUDGMENT OF THE COURT (Grand Chamber)
5 March 2024 (*)
(Appeal – Law enforcement cooperation – Regulation (EU) 2016/794 – Article 49(3) and Article 50 – Protection of personal data – Unlawful data processing – Criminal proceedings brought in Slovakia against the appellant – Expert’s report drawn up by the European Union Agency for Law Enforcement Cooperation (Europol) for the purposes of the investigation – Retrieval of data from a mobile phone and a USB storage device belonging to the appellant – Disclosure of those data – Non-material damage – Actions for damages – Nature of non-contractual liability)
In Case C‑755/21 P,
APPEAL under Article 56 of the Statute of the Court of Justice of the European Union, brought on 8 December 2021,
Marián Kočner, residing in Bratislava (Slovakia), represented by M. Mandzák and M. Para, advokáti,
appellant,
the other party to the proceedings being:
European Union Agency for Law Enforcement Cooperation (Europol), represented by A. Nunzi, acting as Agent, and by M. Kottmann and G. Ziegenhorn, Rechtsanwälte,
defendant at first instance,
supported by:
Slovak Republic, represented initially by S. Ondrášiková and subsequently by E.V. Drugda and S. Ondrášiková, acting as Agents,
intervener in the appeal,
Kingdom of Spain,
intervener at first instance,
THE COURT (Grand Chamber),
composed of K. Lenaerts, President, L. Bay Larsen, Vice‑President, A. Arabadjiev, A. Prechal, E. Regan, F. Biltgen, N. Piçarra and O. Spineanu‑Matei (Rapporteur), Presidents of Chambers, S. Rodin, P.G. Xuereb, L.S. Rossi, N. Wahl, I. Ziemele, J. Passer and D. Gratsias, Judges,
Advocate General: A. Rantos,
Registrar: A. Calot Escobar,
having regard to the written procedure,
after hearing the Opinion of the Advocate General at the sitting on 15 June 2023,
gives the following
Judgment
1 By his appeal, Mr Marián Kočner seeks to have set aside the judgment of the General Court of the European Union of 29 September 2021, Kočner v Europol (T‑528/20, EU:T:2021:631; ‘the judgment under appeal’), by which the General Court dismissed his application under Article 268 TFEU seeking compensation for the damage he allegedly suffered as a result of the disclosure by the European Union Agency for Law Enforcement Cooperation (Europol) of personal data and the inclusion by Europol of his name on the ‘mafia lists’.
Legal context
2 Recitals 23, 45, 56, 57 and 65 of Regulation (EU) 2016/794 of the European Parliament and of the Council of 11 May 2016 on the European Union Agency for Law Enforcement Cooperation (Europol) and replacing and repealing Council Decisions 2009/371/JHA, 2009/934/JHA, 2009/935/JHA, 2009/936/JHA and 2009/968/JHA (OJ 2016 L 135, p. 53) are worded as follows:
‘(23) For the purposes of preventing and combating crime falling within the scope of its objectives, it is necessary for Europol to have the fullest and most up-to-date information possible. Therefore, Europol should be able to process data provided to it by Member States, …
…
(45) To guarantee the security of personal data, Europol and Member States should implement necessary technical and organisational measures.
…
(56) Europol should be subject to the general rules on contractual and non-contractual liability applicable to [EU] institutions, agencies and bodies, save as regards the rules on liability for unlawful data processing.
(57) It may be unclear for the individual concerned whether damage suffered as a result of unlawful data processing is a consequence of action by Europol or by a Member State. Europol and the Member State in which the event that gave rise to the damage occurred should therefore be jointly and severally liable.
…
(65) Europol processes data that require particular protection as they include sensitive non-classified and EU classified information. Europol should therefore draw up rules on the confidentiality and processing of such information. The rules on the protection of EU classified information should be consistent with Council Decision 2013/488/EU [of 23 September 2013 on the security rules for protecting EU classified information (OJ 2013 L 274, p. 1)].’
3 Article 2 of that regulation, headed ‘Definitions’, provides:
‘For the purposes of this Regulation:
…
(h) “personal data” means any information relating to a data subject;
(i) “data subject” means an identified or identifiable natural person, an identifiable person being a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person;
…
(k) “processing” means any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
…’
4 Article 3 of that regulation, headed ‘Objectives’, states, in paragraph 1:
‘Europol shall support and strengthen action by the competent authorities of the Member States and their mutual cooperation in preventing and combating serious crime affecting two or more Member States, terrorism and forms of crime which affect a common interest covered by a Union policy …’
5 Article 17 of that regulation, headed ‘Sources of information’, provides in paragraph 1:
‘Europol shall only process information that has been provided to it:
(a) by Member States in accordance with their national law and Article 7;
…’
6 Article 18 of Regulation 2016/794, headed ‘Purposes of information processing activities’, provides, in paragraph 1:
‘In so far as is necessary for the achievement of its objectives as laid down in Article 3, Europol may process information, including personal data.’
7 Article 28 of that regulation, headed ‘General data protection principles’, provides, in paragraph 1:
‘Personal data shall be:
(a) processed fairly and lawfully;
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes. …
…
(f) processed in a manner that ensures appropriate security of personal data.’
8 Article 32 of that regulation, headed ‘Security of processing’, provides, in paragraph 1:
‘Europol shall implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, accidental loss or unauthorised disclosure, alteration and access or any other unauthorised form of processing.’
9 Article 38 of that regulation, headed ‘Responsibility in data protection matters’, states in paragraphs 4, 5 and 7:
‘…
4. Europol shall be responsible for compliance with the principles referred to in points (a), (b) … and (f) of Article 28(1).
5. The responsibility for the legality of a data transfer shall lie with:
(a) the Member State which provided the personal data to Europol;
(b) Europol in the case of personal data provided by it to Member States …
…
7. Europol shall be responsible for all data processing operations carried out by it, …’
10 Article 49 of Regulation 2016/794, headed ‘General provisions on liability and the right to compensation’, provides, in paragraph 3:
‘Without prejudice to Article 49, in the case of non-contractual liability, Europol shall, in accordance with the general principles common to the laws of the Member States, make good any damage caused by its departments or by its staff in the performance of their duties.’
11 Article 50 of that regulation, headed ‘Liability for incorrect personal data processing and the right to compensation’, provides:
‘1. Any individual who has suffered damage as a result of an unlawful data processing operation shall have the right to receive compensation for damage suffered, either from Europol in accordance with Article 340 TFEU or from the Member State in which the event that gave rise to the damage occurred, in accordance with its national law. The individual shall bring an action against Europol before the Court of Justice of the European Union, or against the Member State before a competent national court of that Member State.
2. Any dispute between Europol and Member States over the ultimate responsibility for compensation awarded to an individual in accordance with paragraph 1 shall be referred to the Management Board, which shall decide by a majority of two-thirds of its members, without prejudice to the right to challenge that decision in accordance with Article 263 TFEU.’
Background to the dispute
12 The background to the dispute, as set out in paragraphs 1 to 16 of the judgment under appeal, may, for the purposes of the present proceedings, be summarised as follows.
13 In the course of an investigation conducted by the Slovak authorities following the murder of a journalist and his fiancée in Slovakia in February 2018, Europol, at the request of the Národná kriminálna agentúra (National Crime Agency, Slovakia; ‘NAKA’), supported those authorities by retrieving the data stored (i) on two mobile telephones which were allegedly owned by the appellant (‘the mobile telephones at issue’) and were delivered to it on 10 October 2018 by NAKA, and (ii) on a USB storage device.
14 On 21 June 2019, Europol forwarded to NAKA the final scientific reports on the operations carried out on the mobile telephones at issue.
15 According to Europol, before those reports were forwarded, Europol had delivered to NAKA on 23 October 2018 a hard drive containing encrypted data extracted from, inter alia, the mobile telephones at issue and had returned those mobile telephones to NAKA on 13 February 2019.
16 By way of proof that they had been returned, Europol provided a copy of an official record on NAKA’s letterhead, dated 23 October 2018, bearing the reference PPZ-203/NKA-PZ-ZA-2018 and signed by the head of the investigation team, A, and a copy of a receipt/delivery of evidence form, dated 13 February 2019, bearing the same reference, listing, inter alia, the mobile telephones at issue and signed by both the person delivering them and by the addressee of the evidence.
17 That official record of 23 October 2018 was worded in the following terms:
‘Today, 23 October 2018, at 1.30, a black external HDD disc containing the provisional results of the Europol investigation, recovered by Decision[s] of 8 October 2018 and 10 October 2018, was delivered to me. That external disc was delivered personally by Europol employee B, from Europol’s headquarters in The Hague [Netherlands].
The disc in question contains provisional results in the form of memory acquisitions and retrievals for evidence 1Z (SIM card only), 2Z, 3Z, 4Z (SIM card only), 5Z, 6Z, 7Z, 8Z, 1K, 2K.
The content of that HDD disc is protected by a password which has been communicated to me.’
18 On 17 October 2018, NAKA requested Europol’s assistance in order, inter alia, to examine the data contained on the USB storage device.
19 The Europol report of 13 January 2019 (‘the Europol report’), sent to NAKA on 14 February 2019, states, under the heading ‘Context (historical)’, that ‘[the appellant] has been detained on suspicion of a financial offence since 20 June 2018. His name is, inter alia, directly linked to the “so-called mafia lists” and to the “Panama Papers”’.
20 On 1 April 2019, the Slovak criminal authorities allegedly made use of the information contained in the mobile telephones at issue in a criminal prosecution brought against the appellant. Similarly, it is apparent from an official report of the Slovak police services of 18 June 2019 that those authorities carried out a full analysis of the data contained on those telephones.
21 In addition, various press articles and websites, including that of an international network of investigative journalists, referred to a very large amount of information relating to the appellant from, inter alia, the mobile telephones at issue and made that information available to the public. In particular, on 20 and 29 May 2019, several press articles referred to the data from those telephones. Similarly, on 19 May 2020, a website published a selection of documents relating to the appellant and, in particular, transcripts of intimate communications stored on those telephones, which had been exchanged between him and his girlfriend by means of an encrypted messaging service. That selection of documents was used by the Slovak press on 21 May 2020.
22 By letter of 4 May 2020, the appellant sent a complaint to Europol seeking, on the basis of Article 50(1) of Regulation 2016/794, compensation in the amount of EUR 100 000 as reparation for the non-material damage which he claims to have suffered, on two grounds, as a result of the failure to observe his right to respect for his private and family life. He claims that that damage was caused, first, by the publication in the press and on the internet of personal data, in particular by the publication of transcripts of his intimate and sexual communications. He claims that the second cause of that damage was the inclusion of his name on the ‘mafia lists’, allegedly on the basis of the Europol report, since the press reproduced those lists following leaks concerning the file on the national criminal prosecution relating to the murder of the journalist and his fiancée referred to in paragraph 13 of the present judgment, whereas that file included that report.
23 Following the investigation carried out by the Slovak authorities, referred to in paragraph 13 of the present judgment, the appellant was prosecuted as an accomplice to that murder for having ordered the killings.
24 On 3 September 2020, at first instance, the Slovak court with jurisdiction acquitted the appellant. On 15 June 2021, the Najvyšší súd Slovenskej republiky (Supreme Court of the Slovak Republic) set aside the judgment at first instance and referred the case back to the first-instance court.
The procedure before the General Court and the judgment under appeal
25 By application lodged at the Registry of the General Court on 18 August 2020, the appellant brought an action under Articles 268 and 340 TFEU and Article 50(1) of Regulation 2016/794 seeking compensation for the non-material damage which he claims to have suffered as a result of Europol’s actions. Under the first head of claim, he sought compensation in the amount of EUR 50 000 as reparation for the damage which he claims to have suffered as a result of the disclosure of personal data from the mobile telephones at issue, data which, subsequently, were published on the internet and reproduced by the Slovak press. That disclosure of personal data adversely affected his honour and professional reputation and infringed his right to respect for his private and family life and his right to respect for his communications, which are enshrined by Article 7 of the Charter of Fundamental Rights of the European Union (‘the Charter’). Under the second head of claim, the appellant sought compensation in the same amount as reparation for the damage which he claims to have suffered as a result of Europol’s inclusion of his name on the ‘mafia lists’.
26 By the judgment under appeal, first, the General Court, after examining the pleas of inadmissibility raised by Europol concerning the appellant’s first head of claim, held that that head of claim was admissible only in so far as, by that head of claim, the appellant claimed non-material damage arising from the alleged disclosure by Europol of the transcripts of the conversations of an intimate and sexual nature between him and his girlfriend, taken from the mobile telephones at issue. In that regard, the General Court found that, as regards the scope of the alleged damage, although the appellant claimed that Europol had disclosed a large volume of personal data from those telephones, only the disclosure of those transcripts was supported by documentary evidence, unlike the alleged disclosure of photographs ‘of a highly confidential nature’, some of which showed that girlfriend in a state of undress.
27 Next, as to the substance, the General Court rejected that first head of claim as circumscribed above. In the first place, it held, in paragraphs 58 to 91 of the judgment under appeal, that the appellant had not adduced ‘evidence of a causal link established to a sufficient degree’ between the damage alleged and any conduct on the part of Europol. In particular, the appellant has not shown that the disclosure of the data in the mobile telephones at issue or the transcripts of the conversations between the appellant and his girlfriend was attributable to Europol.
28 In the second place, in paragraphs 92 to 95 of that judgment, the General Court held that the conclusion that the disclosure of the data in question could not be attributed to Europol was not undermined by recital 57, Article 49(3) or Article 50 of Regulation 2016/794, on which the appellant relied.
29 In that regard, first, the General Court held, in paragraphs 93 to 95 of the judgment under appeal, that Article 49(3) and Article 50(1) of Regulation 2016/794 merely stated that, as regards non-contractual liability and, in particular, liability arising from unlawful data processing operations, Europol had to make good any damage caused by its services or by its staff in the performance of their duties, subject to the conditions under Article 340 TFEU. According to the General Court, those conditions were not satisfied in the present case. Second, the General Court recalled that, although it is true that recital 57 of Regulation 2016/794 states, in essence, that Europol and the Member State in which the damage arising from unlawful data processing carried out by that agency or by that Member State occurred are jointly and severally liable for that damage, it must nevertheless be held that that joint and several liability mechanism is neither expressed by or based on the provisions of that regulation. In addition, it pointed out that, according to the case-law of the Court, the preamble to an EU act has no binding legal force and cannot be relied on as a ground for derogating from the actual provisions of the act in question. Thus, the General Court held that ‘recital 57 of Regulation 2016/794 cannot create joint and several liability incumbent on Europol in the present case’.
30 Consequently, the General Court rejected the first head of claim as unfounded, holding that it was not necessary to examine whether the other conditions for the European Union to incur non-contractual liability were satisfied.
31 As regards the second head of claim, relating to compensation for the damage allegedly suffered as a result of Europol’s inclusion of the appellant’s name on the ‘mafia lists’, the General Court found, in paragraphs 102 and 105 of the judgment under appeal, that it had not been established that those lists had been drawn up and kept by an EU institution, within the meaning of the second paragraph of Article 340 TFEU, in particular by Europol, and that that conclusion was not called into question either by recital 57, Article 49(3) or Article 50 of Regulation 2016/794, for the same reasons as those set out in paragraphs 92 to 95 of the judgment under appeal and summarised in paragraph 29 above.
32 The General Court also stated, in paragraphs 106 to 109 of the judgment under appeal, that, assuming that the second head of claim ‘had to be understood as alleging that Europol was at the origin of the changes in the descriptions used by the Slovak press with regard to the appellant, in that he was no longer presented as a “controversial entrepreneur” but, now, as “a member of the mafia” or as “a person on the mafia lists”’, that head of claim also proved to be unfounded. In that regard, the General Court found, inter alia, that the appellant had not provided any evidence capable of establishing that the information published in the Slovak press originated in the Europol report, or to establish to the requisite legal standard a causal link between the leak of that report and the fact that the Slovak press had altered, from the beginning of 2019, the way in which it described the appellant. The alleged coincidence in time is contradicted by the evidence provided both by the appellant and by Europol, from which it followed that, well before the beginning of 2019, the Slovak press occasionally represented the appellant as a ‘a member of the mafia’, which means that they did not describe him as such as a result of the leak of the national criminal file pertaining to the appellant that contained that report.
33 Consequently, the General Court rejected as unfounded the second head of claim and dismissed the action in its entirety.
Procedure before the Court of Justice and forms of order sought
34 By a document lodged at the Registry of the Court of Justice on 8 December 2021, the appellant brought an appeal against the judgment under appeal.
35 By its appeal, the appellant claims that the Court of Justice should:
– annul the judgment under appeal;
– refer the case back to the General Court; and
– order that the decision as to costs be given in the main proceedings.
36 Europol contends that the Court of Justice should:
– dismiss the appeal; and
– order the appellant to pay the costs.
37 By decision of the President of the Court of Justice of 1 April 2022, the Slovak Republic was granted leave to intervene in support of the form of order sought by Europol.
The appeal
38 The appellant puts forward six grounds in support of its appeal. The first to fourth grounds concern the rejection of the first head of claim, in which the appellant seeks compensation for the non-material damage which he claims to have suffered as a result of the disclosure to the public of personal data from the mobile telephones at issue. The fifth and sixth grounds concern the rejection of the second head of claim, in which the appellant seeks compensation for the non-material damage which he claims to have suffered as a result of his name being included on the ‘mafia lists’.
Admissibility of the first and fifth grounds of appeal
Arguments of the parties
39 Europol claims that the first and fifth grounds, alleging that the General Court erred in law by holding that Europol and the Member State concerned were not jointly and severally liable for the damage suffered as a result of unlawful data processing, are inadmissible in so far as they relate to a plea submitted belatedly by the appellant before the General Court, namely at the stage of the reply. The General Court should have raised the inadmissibility of that plea of its own motion.
40 The appellant contends that the plea of inadmissibility should be rejected.
Findings of the Court
41 It follows from Article 84(1) and (2) of the Rules of Procedure of the General Court that pleas put forward for the first time in the reply and which are not based on matters of law or of fact which came to light in the course of the procedure must be declared inadmissible. However, the Court of Justice has already held in that regard that a plea or argument which may be regarded as amplifying a plea put forward previously in the application must be regarded as admissible (see, to that effect, judgment of 26 April 2007, Alcon v OHIM, C‑412/05 P, EU:C:2007:252, paragraphs 38 to 40 and the case-law cited). Accordingly, such a plea cannot be declared inadmissible on the ground that it was raised with undue delay.
42 In the present case, in paragraph 58 of his application before the General Court, the appellant argued that, on the basis of the joint and several liability provided for in Article 49(3) and Article 50 of Regulation 2016/794, and in the light of recital 57 of that regulation, Europol had to be held liable for the damage he suffered even if the acts that caused that damage were committed together with the Slovak authorities. In paragraph 24 of the reply, the appellant developed that line of argument, claiming that, under those provisions and, in particular, in the light of that recital, Europol was in any event jointly and severally liable with the Member State concerned for the damage caused as a result of unlawful data processing.
43 In so doing, the appellant expressly relied, in his application, on the existence of a mechanism for the joint and several liability of Europol based on Articles 49 and 50 of Regulation 2016/794, read in the light of recital 57 of that regulation, which means that the General Court was fully entitled to take the view that, by that application, the appellant had raised before it the issue of that joint and several liability in the context of the present case. Paragraph 24 of the reply must therefore be regarded as an amplification of the line of argument set out in the application in that regard.
44 In those circumstances, the General Court was correct to analyse the provisions and the recital relied on by the appellant in the context of that line of argument.
45 Consequently, the plea of inadmissibility raised by the Europol must be rejected.
The first ground of appeal
Arguments of the parties
46 By his first ground of appeal, the appellant complains that the General Court erred in law by deciding, in paragraphs 94 and 95 of the judgment under appeal, not to take account of recital 57 of Regulation 2016/794 for the purposes of determining Europol’s liability under Article 50(1) of that regulation, on the ground that the preamble to a regulation has no binding legal force. It follows that the General Court erred in so far as it rejected the first head of claim by holding that that recital cannot give rise to joint and several liability on the part of Europol for the unlawful processing of data by that agency or by the Member State concerned.
47 In that regard, the appellant claims, in essence, that the General Court held that the damage had to be borne by the person to whom such damage is attributable, namely either Europol or the Member State concerned, whereas it follows from Article 49(3) and Article 50 of Regulation 2016/794, read in the light of recital 57 thereof and the objectives pursued by that regulation, that that regulation establishes joint and several liability on the part of Europol and the Member State in which the damage resulting from unlawful data processing carried out by that agency or that Member State occurred.
48 Europol, supported by the Slovak Republic, contends that the first ground is unfounded.
49 That agency claims that, in order for the European Union to incur liability under Article 340 TFEU, a number of conditions must be satisfied, including the unlawfulness of the conduct alleged against the EU institution concerned. It also submits that, in the absence of unlawful conduct on the part of one of its institutions, the European Union cannot incur liability and that damage caused by the Member States cannot give rise to such liability. Furthermore, in situations in which the authorities of the European Union and those of the Member States interact, the Court has stated, inter alia, that, where damage is caused jointly by the European Union and by a Member State, the EU Courts may rule on the damage only after the national court has taken a decision in that regard. The joint and several liability of the European Union and the Member State concerned, where they act together, is not acknowledged, in principle, under the second paragraph of Article 340 TFEU, but requires an express reference to that effect by the EU legislature.
50 Furthermore, Europol claims that Article 50 of Regulation 2016/794 is not applicable to the data processing at issue in the present case, since it applies exclusively to data processing carried out in the course of Europol’s operations and tasks. Given that the alleged harmful events occurred during storage of the national investigation file, they do not constitute ‘unlawful data processing operations’, within the meaning of that article, that come within the scope of that regulation.
51 Moreover, Article 50(1) of Regulation 2016/794 does not expressly provide for the joint and several liability of Europol and the Member State concerned. Under that provision, Europol is liable solely ‘in accordance with Article 340 TFEU’, which means that that liability can be incurred only where the three conditions arising from that provision are satisfied. Consequently, even if Article 50(1) were applicable in the present case, Europol could not incur liability in the absence of any unlawful conduct on its part and of a causal link between such conduct and the damage suffered. Moreover, the European Union cannot be required to make good damage resulting from an action of a Member State under Article 50(1), which applies only to damage caused jointly by the European Union and a Member State, as is confirmed by the wording of Article 50(2) of that regulation.
52 According to Europol, it cannot be inferred from recital 57 of Regulation 2016/794 that that is not the case. The concept of ‘joint and several liability’ referred to in that recital presupposes that more than one entity is liable for the same damage, and not that Europol could, in the absence of any unlawful conduct on its part, be held liable for the action of a Member State. The interpretation of that recital by the appellant runs counter to the scope of that regulation and the wording of Article 50 of that regulation. Since the preamble of an EU act does not have binding legal force, it cannot be relied on in order to deviate from the clear wording of a provision.
Findings of the Court
53 It is appropriate to start by considering whether Article 50(1) of Regulation 2016/794 establishes rules on the joint and several liability of Europol and the Member State concerned in the event of the unlawful processing of data. If such rules do exist, it will then be necessary to determine the conditions under which that liability may be incurred.
– Nature of the rules on liability under Article 50(1) of Regulation 2016/794
54 For the purposes of interpreting Article 50(1) of Regulation 2016/794, in particular in order to determine the nature of the rules on liability laid down therein, it is necessary, according to the Court’s settled case-law, to consider not only their wording but also their context and the objectives pursued by the rules of which they are part (see, to that effect, judgment of 3 June 2021, TEAM POWER EUROPE, C‑784/19, EU:C:2021:427, paragraph 43 and the case-law cited).
55 As regards the wording of Article 50(1) of Regulation 2016/794, that provision states that the person who has suffered damage as a result of an unlawful data processing operation is to have the right to receive compensation for the damage suffered ‘either from Europol … or from the Member State in which the event that gave rise to the damage occurred …’. As the Advocate General observed in point 38 of his Opinion, that wording is not unambiguous as regards the nature of the liability in question. It could indicate that the individual who has suffered damage must turn either to Europol where the latter is entirely or in part responsible for that damage, or to the Member State concerned where the latter is entirely or in part responsible for that damage. However, since it could also follow from that wording that the individual who has suffered damage may turn indiscriminately to each of the entities – therefore either to Europol or to the Member State concerned – for compensation in respect of all of the damage suffered as a result of the unlawful data processing that has occurred in the context of cooperation between Europol and that Member State, that same wording does not preclude that provision from establishing joint and several liability on the part of those entities.
56 It is therefore necessary to examine whether, in the light of the objective pursued by Article 50(1) of Regulation 2016/794 and its context, that provision lays down rules under which Europol and the Member State concerned are jointly and severally liable for damage suffered as a result of unlawful data processing that has occurred in the context of cooperation between Europol and that Member State under that regulation.
57 According to recital 57 of Regulation 2016/794, which expresses that objective, ‘it may be unclear for the individual concerned whether damage suffered as a result of unlawful data processing is a consequence of action by Europol or by a Member State[, and] Europol and the Member State in which the event that gave rise to the damage occurred should therefore be jointly and severally liable’.
58 It follows from the above that, taking into consideration the situation in which an individual who has suffered damage as a result of unlawful data processing is unable to determine whether the damage is attributable to the action of Europol or to that of a Member State with which it has cooperated, the EU legislature has established rules on the joint and several liability of Europol and the Member State in which the event that gave rise to the damage occurred in order to ensure the complete protection of that individual if he or she were to be in such a situation.
59 In that regard, the Court recalls that, whilst having no binding legal force, a recital of an EU act has important interpretative value, in that it is capable of explaining the content of a provision of the act in question and of clarifying the intention of the author of that act (see, to that effect, judgment of 13 July 2023, Commission v CK Telecoms UK Investments, C‑376/20 P, EU:C:2023:561, paragraphs 104 and 105 and the case-law cited).
60 It is true that the recital of an EU act cannot be relied on as a ground for derogating from the actual provisions of the act in question or for interpreting those provisions in a manner that is clearly contrary to their wording (see, to that effect, judgments of 19 June 2014, Karen Millen Fashions, C‑345/13, EU:C:2014:2013, paragraph 31 and the case-law cited, and of 16 February 2022, Hungary v Parliament and Council, C‑156/21, EU:C:2022:97, paragraph 191).
61 However, in the present case, recital 57 of Regulation 2016/794 in no way contradicts the wording of Article 50(1) of that regulation. As has been pointed out in paragraph 55 of this judgment, that wording supports, inter alia, an interpretation according to which that provision establishes rules under which Europol and the Member State concerned are jointly and severally liable for damage suffered by an individual as a result of the unlawful processing of data in the context of cooperation between them.
62 It follows from those factors that Article 50(1) of Regulation 2016/794, read in the light of recital 57 of that regulation, creates, in accordance with the intention of the EU legislature to favour an individual who has suffered damage, a set of rules under which Europol and the Member State concerned are jointly and severally liable for the damage suffered as a result of such processing.
63 That interpretation is supported by the context of that provision, in particular by Article 49 and Article 50(2) of Regulation 2016/794.
64 First, Article 49 of Regulation 2016/794 lays down, according to its heading, general provisions on liability and the right to compensation. By contrast, it is apparent from the heading of Article 50 of that regulation that that article specifically concerns liability for incorrect data processing and the resulting right to compensation. The fact that Article 50 derogates from the general principles regarding the non-contractual liability of the European Union is emphasised, in particular, by Article 49(3) of that regulation, read in the light of recital 56 thereof.
65 Under Article 49(3), which relates to non-contractual liability, Europol, in accordance with the general principles common to the laws of the Member States, is to make good any damage caused by its departments or by its staff in the performance of their duties. That rule is, however, set out ‘without prejudice to Article 49’ of Regulation 2016/794.
66 In that regard, it must be observed that the reference to ‘Article 49’, set out in the wording of Article 49(3) of that regulation, is an obvious drafting error. That reference would be meaningless if it referred to the article of which it forms part. Therefore, and given that Article 50 of that regulation establishes rules which derogate from the general rules regarding the non-contractual liability of the European Union referred to in Article 49(3), the latter provision must be read, as regards its initial part comprising the words ‘without prejudice to’, as referring to Article 50.
67 Recital 56 of Regulation 2016/794 supports the interpretation set out in the preceding paragraph by stating that ‘Europol should be subject to the general rules on contractual and non-contractual liability applicable to Union institutions, agencies and bodies, save as regards the rules on liability for unlawful data processing’.
68 It follows that Article 50 of Regulation 2016/794 seeks to establish special rules regarding non-contractual liability concerning unlawful data processing operations, which derogate from the general liability rules laid down by that regulation.
69 Second, it is apparent from Article 50(2) of Regulation 2016/794 that the putting in issue, before the Court of Justice of the European Union or before the competent national court, of the liability of Europol or the Member State concerned for the unlawful processing of data in the context of cooperation between them is only the first of the two stages of the liability mechanism provided for in Article 50 of that regulation. According to Article 50(2) of that regulation, the second stage of that mechanism consists in determining the ‘ultimate responsibility’ of Europol and/or the Member State concerned for the compensation awarded to an individual in accordance with Article 50(1) of that regulation, since any dispute between Europol and the Member States may be referred to the Management Board of Europol in that regard, without prejudice to the right to challenge that decision before the Court of Justice of the European Union under Article 263 TFEU.
70 The possibility provided for in Article 50(2) of Regulation 2016/794 of having Europol’s Management Board determine, in the context of that second stage, the ‘ultimate responsibility’ of the entity to which the unlawful conduct giving rise to the damage is attributable, or even the share of liability incumbent on each of the entities in the event of concurrent unlawful conduct, would have no logical basis if those entities were not jointly and severally liable.
71 In the light of the foregoing, the Court holds that Article 50 of Regulation 2016/794, read in the light of Article 49(3) and recitals 56 and 57 of that regulation, lays down rules rendering Europol and the Member State in which the damage resulting from unlawful data processing occurred jointly and severally liable in the context of cooperation between them under that regulation.
72 As the Advocate General observed in point 51 of his Opinion, those rules on joint and several liability are not alien to EU law on data processing. Thus, Article 82(4) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1) provides for such liability where there are several data controllers.
– Conditions for incurring liability under Article 50(1) of Regulation 2016/794
73 In accordance with the conditions laid down in Article 340 TFEU, to which Article 50(1) of Regulation 2016/794 refers, where the individual who has suffered damage brings an action against Europol, the European Union may incur non-contractual liability under Article 340 only if a number of conditions are satisfied, namely the conduct alleged against the EU institution, body, office or agency concerned must be unlawful, actual damage must have been suffered and there must be a causal link between that conduct and the damage complained of (see, to that effect, judgment of 16 December 2020, Council v K. Chrysostomides & Co. and Others, C‑597/18 P, C‑598/18 P, C‑603/18 P and C‑604/18 P, EU:C:2020:1028, paragraphs 79 and 80 and the case-law cited).
74 In the specific context of Regulation 2016/794, it is apparent from the wording of Article 50(1) of that regulation that an individual who intends to assert his or her right to compensation, on the basis of that provision, against either Europol or the Member State implicated must establish an ‘unlawful data processing operation’, ‘damage’ and a causal link between that operation and that damage. Thus, with regard to the first of the conditions referred to in the preceding paragraph, that individual need establish only that unlawful data processing took place in the context of cooperation involving Europol and a Member State under that regulation.
75 As has been pointed out in paragraphs 57 and 58 of the present judgment, according to recital 57 of that regulation, the objective pursued by Article 50(1) of Regulation 2016/794 is to address the difficulties which the individual concerned may experience in determining whether the damage suffered as a result of unlawful data processing which has occurred in the context of such cooperation is a consequence of an action by Europol or the Member State concerned.
76 In order not to deprive Article 50(1), read in the light of recital 57, of its effectiveness, that individual cannot be required to establish to whom, out of Europol or the Member State concerned, that damage is attributable or to bring proceedings against both of those entities in order to obtain full compensation for the damage suffered.
77 With regard to the foregoing, the Court notes that Article 50(1) of Regulation 2016/794 does not provide that the individual concerned may bring proceedings against both of the entities potentially liable for the unlawful data processing before the same court, since that provision requires that individual to bring an action against Europol before the Court of Justice of the European Union or against the Member State before a court of that Member State that has jurisdiction.
78 Therefore, first of all, although the Member State concerned and Europol may intervene before the General Court or before a court of that Member State respectively, it cannot be ruled out that that person may be compelled to pursue his or her action in the absence of one of those entities. Next, in any event, if the two entities are parties to the proceedings before the court ruling on the action, it follows from the preceding paragraph that only the liability of one of them may be examined in the context of ongoing proceedings, which may prejudice the establishment of the facts. Lastly, actions brought by the individual concerned against, respectively, Europol before the General Court and the Member State concerned before the courts of that Member State could lead to the same finding being reached by those two courts that each of those defendant entities was not liable, since that individual has failed to establish to the requisite legal standard that the alleged damage is attributable to them.
79 It is precisely in order to take account of those evidential difficulties that the EU legislature made provision, in Article 50 of Regulation 2016/794, for compensation for damage caused by an unlawful data processing operation, a two-stage liability mechanism which, first, relieves the individual concerned of the burden of establishing the identity of the entity whose conduct gave rise to the alleged damage and, second, provides that, after that individual has been compensated, the ‘ultimate responsibility’ for that damage must, where appropriate, be definitively settled in proceedings involving only Europol and the Member State concerned before the Management Board of Europol.
80 It follows that Article 50(1) of Regulation 2016/794, read in the light of recital 57 of that regulation, must be interpreted as not requiring the individual concerned who has established that unlawful data processing has occurred in the context of cooperation between Europol and a Member State under that regulation to identify which of the entities involved in that cooperation undertook the conduct constituting that unlawful processing.
81 It is sufficient, in order for Europol or the Member State concerned to incur joint and several liability and for the purposes of enabling the individual concerned to obtain full compensation for the damage he or she has suffered either before the EU Courts or before the national courts, under Article 50(1) of Regulation 2016/794, that that individual show that, in the course of cooperation between Europol and the Member State concerned under that regulation, unlawful data processing which caused him or her to suffer damage has been carried out, without there being any need for him or her to establish additionally to which of those two entities that unlawful processing is attributable.
82 That being said, it remains open to the defendant entity to establish by any legal means that the alleged damage did not arise in connection with an alleged unlawful processing of data occurring in the context of such cooperation. That would be the case, for example, if that entity established that that damage originated from events prior to the cooperation undertaken under Regulation 2016/794.
83 It follows from all the foregoing that, by rejecting, in paragraph 91 of the judgment under appeal, the appellant’s first head of claim on the ground that he had not established that the disclosure of his personal data was attributable to Europol and had not, therefore, ‘adduced evidence of a sufficiently established causal link between the damage alleged in the context of [that head of claim] and any conduct on the part of Europol’, and by finding, in paragraphs 92 to 95 of the judgment under appeal, that that rejection was not called into question by recital 57, Article 49(3) and Article 50 of Regulation 2016/794, the General Court erred in law in that it incorrectly held that Article 50(1) of that regulation, read in the light of recital 57 thereof, did not relieve the individual concerned of the obligation to establish to whom the unlawful data processing is attributable.
84 It follows that the first ground is well founded.
85 That error of law vitiates the entirety of the General Court’s rejection of the first head of claim, as circumscribed in paragraph 49 of the judgment under appeal, whereas that circumscription was not challenged in the appeal.
86 Consequently, the first ground of appeal must be upheld and the judgment under appeal set aside in so far as the General Court rejected that first head of claim, as circumscribed above, as unfounded.
The second, third and fourth grounds of appeal
87 Much like the first ground, the second, third and fourth grounds concern the rejection of the first head of claim, which seeks compensation for the non-material damage which the appellant claims to have suffered as a result of the disclosure to the public of personal data from the mobile telephones at issue.
88 Since examining the second, third and fourth grounds of appeal cannot lead to the judgment under appeal being set aside to a greater extent than that resulting from the first ground of appeal being upheld, there is no need to examine them.
The sixth ground of appeal
Arguments of the parties
89 The sixth ground, which it is appropriate to examine before the fifth, comprises two parts and relates to paragraphs 102 and 106 to 111 of the judgment under appeal.
90 By the first part of the sixth ground, the appellant complains that the General Court erred in concluding, in those paragraphs of the judgment under appeal, that there was no causal link between the unlawful conduct alleged in the second head of claim, namely the inclusion by Europol of his name on the ‘mafia lists’ or the establishment by Europol of a link between him and those lists, and the damage that he claims to have suffered as a result of that inclusion or the establishment of that link.
91 In support of that first part, the appellant submits that Europol did not state the reasons for establishing such a link between him and the ‘mafia lists’ and that, by establishing that link, that agency infringed the principle of proportionality by going beyond its task which consisted solely of analysing the USB storage device in question.
92 Furthermore, he submits that, since the Europol report was part of the national criminal file concerning the appellant and information contained in that file was leaked, it must be concluded that there is a causal link between Europol’s unlawful conduct and the damage suffered by the appellant. The fact that none of the press articles in question mentions that report, as the General Court states in paragraph 107 of the judgment under appeal, does not call into question the existence of that causal link.
93 The appellant submits, moreover, that it is only Europol that has established, in that report, that link between him and the ‘mafia lists’, whereas neither national law nor EU law provides for the possibility of drawing up and keeping such lists. In that regard, it is not possible to take into account the Slovak media, according to which the ‘mafia lists’ were kept by the Slovak police. Furthermore, by relying on publicly available sources in order to establish that link, Europol failed to meet its obligations under Article 29(6) of Regulation 2016/794. According to the appellant, it should be inferred (i) from the fact that Europol’s report does not state that Europol found the information relating to the link between the appellant and the ‘mafia lists’ in the media and (ii) from the fact that that information appears expressly in that report that it was Europol that established the link, that link not being apparent from the ‘tabloid press’.
94 The second part of that ground alleges that the clear sense of the evidence was distorted. The appellant submits that the General Court’s finding in paragraphs 108 and 109 of the judgment under appeal to the effect that it follows from the press articles produced in the proceedings before it that the appellant was described as a ‘member of the mafia’ even before the Europol report was drawn up is incorrect. The title of the press article that appeared on 28 February 2012 which presents the appellant as ‘the mafia man who does not exist’ is evidence that he had no link to the ‘mafia lists’.
95 Europol and the Slovak Republic contend that the sixth ground should be rejected.
Findings of the Court
96 As regards the second part of the sixth ground, which it is appropriate to examine first, it must be borne in mind that, according to settled case-law, there is distortion of the evidence where the General Court has manifestly exceeded the limits of a reasonable assessment of that evidence. That distortion must be obvious from the file, without there being any need to carry out a new assessment of the facts and the evidence. In that regard, it is not sufficient to show that a document could be interpreted differently from the interpretation adopted by the General Court (see, to that effect, judgment of 16 February 2023, Commission v Italy and Spain, C‑635/20 P, EU:C:2023:98, paragraph 127 and the case-law cited).
97 In the present case, in paragraph 108 of the judgment under appeal, the General Court found that ‘the coincidence in time alleged by the [appellant] is contradicted by the evidence provided by the [appellant] himself and by Europol’. In that regard, it noted, in the same paragraph, that ‘the [appellant] referr[ed], in the application, to a press article published on 28 February 2012, with the headline “Marián Kočner. The mafia man who does not exist” according to which “the entrepreneur Marián Kočner – who is on the so-called ‘mafia lists’ that were leaked from the police in 2005 – appeared under the heading ‘motorised vehicles of interest’”’ and that ‘Europol was referring to press articles published on 21 June 2005 and 9 July 2017, which also referred to the [appellant’s] possible mafia involvement’.
98 Thus, it appears that the General Court based its conclusion that the appellant had been described as a ‘member of the mafia’ even before the Europol report was drawn up on a series of press articles relating to the appellant, and not solely on the article from 2012 provided by the appellant which, according to the General Court, dissociated him from the ‘mafia lists’. In so doing, contrary to what the appellant claims, the General Court did not exceed the limits of a reasonable assessment of that evidence, taken as a whole, or distort the press article relied on by the appellant by interpreting it in a manner irreconcilable with its wording.
99 Accordingly, the second part of the sixth ground must be rejected as unfounded.
100 As regards the first part of that ground, the Court notes that, so far as the non-contractual liability of the European Union is concerned, the question as to whether there is a causal link between the wrongful act and the damage, a condition for that liability to be incurred, is a question of law which, as a consequence, is subject to review by the Court of Justice (judgment of 16 July 2009, Commission v Schneider Electric, C‑440/07 P, EU:C:2009:459, paragraph 192, and order of 3 September 2019, FV v Council, C‑188/19 P, EU:C:2019:690, paragraph 36). That review cannot, however, consist, for the Court of Justice, of calling into question the findings and assessments of facts made by the General Court (see, to that effect, judgment of 16 July 2009, Commission v Schneider Electric, C‑440/07 P, EU:C:2009:459, paragraph 193).
101 Clearly, by that first part, the appellant seeks, in reality, to call into question certain assessments of fact made by the General Court in the light of the evidence produced before it. These are, first, the finding in paragraph 102 of the judgment under appeal that the appellant had not provided any evidence capable of establishing that the ‘mafia lists’ on which his name was allegedly included were drawn up and maintained by Europol. Second, the appellant also challenges the General Court’s finding that there is no causal link between Europol’s allegedly unlawful conduct and the alleged damage, in so far as the General Court found, first, in paragraph 107 of the judgment under appeal, that the appellant had not provided any evidence that the information published in that regard originated in the Europol report and, second, in paragraphs 108 and 109 of that judgment, that, well before the beginning of 2019, the Slovak press already represented the appellant as a member of the mafia. Since, by that part of the present ground, the appellant does not allege a distortion of the evidence, those assessments are not subject to review by the Court of Justice.
102 Consequently, the first part of the sixth ground is inadmissible.
103 It follows that that ground must be dismissed as inadmissible in part and unfounded in part.
The fifth ground of appeal
104 By his fifth ground, based on the same line of argument as the one put forward in support of the first ground, the appellant complains that the General Court erred in law in deciding, in paragraph 105 of the judgment under appeal, not to take account of recital 57 of Regulation 2016/794 when determining Europol’s liability, on the ground that the preamble to a regulation has no binding legal force. He alleges that, accordingly, the General Court erred when it rejected the second head of claim, seeking compensation for the damage which the appellant claims to have suffered as a result of Europol’s alleged inclusion of his name on the ‘mafia lists’, by holding that the provisions of that regulation neither express nor form the basis for a mechanism for joint and several liability in the event of unlawful data processing by Europol or the Member State concerned.
105 Europol, supported by the Slovak Republic, contends that the fifth ground should be rejected, relying on the same arguments as those referred to in paragraphs 49 to 52 of this judgment, in response to the line of argument put forward by the appellant in the context of the first ground.
106 In that regard, the Court of Justice notes that, when it rejected the second head of claim, seeking compensation for the damage which the appellant claims to have suffered as a result of Europol’s inclusion of his name on the ‘mafia lists’, the General Court – which has sole jurisdiction to find and assess the facts and to examine the evidence which it admits in support of those facts – has relied on a number of factors. Thus, it found, first, in paragraph 102 of the judgment under appeal, which is referred to in the sixth ground in the appeal, which was rejected, that the appellant had failed to establish that the ‘mafia lists’ on which his name had allegedly been included had been drawn up and kept by Europol. Second, in paragraphs 108 and 109 of that judgment, which are also referred to in the sixth ground in the appeal, which was rejected, the General Court held that the coincidence in time alleged by the appellant between the Europol report and the changes in how the appellant was referred to in the Slovak press – which, after the leak of the national criminal file concerning him, represented him as a ‘member of the mafia’ or as ‘a person on the mafia list’ – was contradicted by the evidence provided both by the appellant and by Europol, by reference to press articles published in 2005, 2012 and 2017. In that regard, the General Court also found, in paragraph 109 of the judgment under appeal, that ‘well before the beginning of 2019, the Slovak press already represented the [appellant] as a “member of the mafia”, and not only as a “controversial entrepreneur”’, and, on the basis of that evidence, ruled out that ‘that representation of the [appellant] could originate from the leak of the [national] criminal file [concerning him], [which contained] the Europol report’.
107 Thus, it is apparent, in particular, from the findings made in paragraphs 108 and 109 of the judgment under appeal that, since the Europol report was subsequent to and, for that reason alone, unrelated to the event that gave rise to the damage alleged by the appellant in the context of the second head of claim, it cannot be accepted that the damage on which the appellant relies may be linked to any unlawful data processing in the context of cooperation between Europol and the Slovak authorities. As was held in paragraphs 96 to 102 of the present judgment, the appellant failed to show, in the context of the sixth ground, that the General Court distorted the evidence or made an error in law in the context of those findings.
108 Consequently, the requirement, set out in paragraph 81 of the present judgment, in order for Europol to incur joint and several liability on the basis of Article 50(1) of Regulation 2016/794 has, in the present case, not been met, with the result that such liability cannot, in any event, be incurred for the purpose of the second head of claim.
109 It follows that, notwithstanding the error of law made by the General Court in rejecting, in paragraph 105 of the judgment under appeal and for the reasons set out in paragraphs 92 to 95 thereof, the principle itself of the joint and several liability of Europol in the context of that regulation, the fifth ground must be rejected as ineffective.
110 Since the fifth and sixth grounds have been rejected, it follows that the appeal must be dismissed in so far as it concerns the second head of claim.
The action before the General Court
111 In accordance with the second sentence of the first paragraph of Article 61 of the Statute of the Court of Justice of the European Union, if the decision of the General Court is set aside, the Court of Justice may itself give final judgment in the matter, where the state of the proceedings so permits.
112 In the present case, in view of, in particular, the fact that the appellant’s action before the General Court is based on pleas that were the subject of an exchange of arguments before that Court and whose examination does not require any further measure of organisation of procedure or inquiry to be taken in the case, the Court of Justice considers that the state of the proceedings is such that it may give final judgment in the matter and that it should do so, within the limits of the matter before it (see, by analogy, judgment of 4 March 2021, Commission v Fútbol Club Barcelona, C‑362/19 P, EU:C:2021:169, paragraph 108 and the case-law cited).
113 In the light of the fact that the judgment under appeal has been set aside in part, it is necessary to rule solely on the first head of claim put forward before the General Court, as defined in paragraph 49 of that judgment.
114 The appellant claims, on the basis of Articles 268 and 340 TFEU and Article 50(1) of Regulation 2016/794, payment of a sum of EUR 50 000 as compensation for the damage which he claims to have suffered as a result of the disclosure to the public of personal data from the mobile telephones at issue, which were made available to the public on the internet and reproduced in the Slovak press. That disclosure of personal data, through their publication, allegedly adversely affected his honour and professional reputation and infringed his right to respect for his private and family life and his right to respect for his communications, which are guaranteed in Article 7 of the Charter.
115 In that regard, the appellant, relying on recital 57 of Regulation 2016/794, claims that Europol can be held jointly and severally liable on the basis of Article 50(1) of that regulation if the damage which he claims to have suffered as a result of unlawful data processing is the result of the action of Europol or of a Member State.
116 Europol contends that it has not been established that it processed data unlawfully, since it has not been shown that the leak of the appellant’s data originated from it. In any event, any leak of information, even if it were established, would not automatically give rise to non-contractual liability. Europol submits that, according to the case-law of the Court of Justice, the non-contractual liability of EU bodies can be incurred only where, inter alia, there has been a sufficiently serious breach of a rule of law intended to confer rights on individuals. Article 32(1) of Regulation 2016/794 does not lay down an absolute obligation as to the result to be achieved, but merely requires Europol to implement appropriate technical and organisational measures to protect personal data against any form of unauthorised processing, which it did. Furthermore, Europol never processed the data extracted from the mobile telephones at issue in a decrypted and intelligible format.
117 According to the Court’s case-law, the European Union may incur non-contractual liability under the second paragraph of Article 340 TFEU only if a number of conditions are fulfilled, namely the existence of a sufficiently serious breach of a rule of law intended to confer rights on individuals, the fact of damage and the existence of a causal link between the breach of the obligation resting on the author of the act and the damage sustained by the injured parties (judgment of 10 September 2019, HTTS v Council, C‑123/18 P, EU:C:2019:694, paragraph 32 and the case-law cited).
118 It follows from that case-law that the first condition for such liability, which concerns the unlawfulness of the conduct alleged against the EU institution, body, office or agency concerned, within the meaning of the case-law referred to in paragraph 73 of the present judgment, comprises two parts, namely that it is necessary (i) that a breach of a rule of EU law intended to confer rights on individuals has occurred and (ii) that that breach is sufficiently serious (see, to that effect, judgment of 10 September 2019, HTTS v Council, C‑123/18 P, EU:C:2019:694, paragraph 36).
119 As regards the first part of that condition, according to well-established case-law, the rights of individuals arise not only where they are expressly granted by provisions of EU law, but also by reason of positive or negative obligations which those provisions impose in a clearly defined manner, whether on individuals, on the Member States or on the EU institutions, bodies and agencies (see, to that effect, judgment of 22 December 2022, Ministre de la Transition écologique and Premier ministre (Liability of the State for air pollution), C‑61/21, EU:C:2022:1015, paragraph 46). That rule also applies to obligations imposed by EU law in the context of cooperation between an agency of the European Union, such as Europol, and the Member States.
120 The failure to meet such obligations is liable to affect adversely the rights implicitly conferred on individuals under the provisions of EU law in question. The full effectiveness of those rules of EU law and the protection of the rights which they are intended to confer require that individuals have the possibility of obtaining redress (see, to that effect, judgment of 22 December 2022, Ministre de la Transition écologique and Premier ministre (Liability of the State for air pollution), C‑61/21, EU:C:2022:1015, paragraph 47).
121 In the present case, the Court notes that Regulation 2016/794 imposes on Europol and the competent authorities of the Member States called upon to cooperate with that EU agency for the purposes of criminal prosecution an obligation to protect individuals against the unlawful processing of their personal data, which follows, in particular, from a combined reading of Article 2(h), (i) and (k), Article 28(1)(a) and (f), Article 38(4) and Article 50(1) of that regulation.
122 Article 2(k) of Regulation 2016/794 defines ‘processing’ as any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automated means, such as disclosure by transmission, dissemination or otherwise making available. Article 2(h) and (i) of that regulation defines ‘personal data’ as any information relating to a ‘data subject’, the latter concept referring to an identified or identifiable natural person. Furthermore, Article 28(1)(a) and (f) of that regulation requires personal data to be processed ‘fairly and lawfully’ and in a manner that ensures appropriate security of personal data. Under Article 38(4) of that regulation, Europol is to be responsible for compliance with the principles referred to in Article 28(1)(a) and (f). Lastly, Article 50(1) of Regulation 2016/794, in so far as it requires the entities involved in the cooperation provided for in that regulation to provide compensation for the damage suffered by an individual as a result of unlawful data processing, entails an implicit obligation on those entities to protect any individual against the personal data concerning him or her being made available unlawfully.
123 It follows from a combined reading of the provisions referred to in the two preceding paragraphs that any disclosure of personal data processed in the context of cooperation between Europol and the national competent authorities under Regulation 2016/794 to persons who are not authorised to receive them constitutes an infringement of a rule of EU law intended to confer rights on individuals.
124 In the present case, it follows from the findings made by the General Court in paragraphs 1, 2, 44, 84, 85 and 90 of the judgment under appeal, which the Court of Justice endorses, that personal data relating to the appellant – consisting of intimate conversations between him and his girlfriend which were stored on the mobile telephones at issue, which were delivered by the Slovak authorities to Europol in the context of cooperation under Regulation 2016/794 – were extracted from those telephones and that those data, which were in the possession, first of all, of Europol and, from 23 October 2018, of Europol and those authorities, were disclosed to persons not authorised to have knowledge of them, which led to their publication in the Slovak press on 20 May 2019. Such circumstances are indicative of an infringement such as the one referred to in the preceding paragraph.
125 In that regard, it is appropriate to reject Europol’s argument that it met its obligations under Regulation 2016/794 by implementing appropriate technical and organisational measures to protect personal data against any form of unauthorised processing. As has been pointed out in paragraph 80 of the present judgment, Article 50(1) of that regulation establishes rules on joint and several liability under which a person who considers himself or herself a victim of unlawful data processing is not required to establish to which of the entities involved in cooperation under that regulation such processing is attributable, without prejudice to the possibility open to Europol of referring the matter, where appropriate, to its Management Board subsequently, on the basis of Article 50(2) of that regulation, so that it can determine who has the ultimate responsibility for the compensation awarded to that person.
126 As regards the second part of the first condition for establishing the non-contractual liability of the European Union, relating to the requirement of a sufficiently serious breach of a rule of EU law intended to confer rights on individuals, the decisive criterion in that regard for finding that a breach of EU law is sufficiently serious is that there must have been a manifest and grave disregard for the limits of the discretion laid down by the rule infringed (see, to that effect, judgments of 4 July 2000, Bergaderm and Goupil v Commission, C‑352/98 P, EU:C:2000:361, paragraph 43 and the case-law cited, and of 4 April 2017, Ombudsman v Staelen, C‑337/15 P, EU:C:2017:256, paragraph 31 and the case-law cited). Where the authority concerned has only considerably reduced, or even no, discretion, the mere infringement of EU law may be sufficient to establish the existence of a sufficiently serious breach of that law (judgment of 10 July 2003, Commission v Fresh Marine, C‑472/00 P, EU:C:2003:399, paragraph 26 and the case-law cited). In particular, inexcusable mistakes, grave negligence in the exercise of a duty or an obvious lack of care constitute such an infringement (see, to that effect, judgment of 30 January 1992, Finsider and Others v Commission, C‑363/88 and C‑364/88, EU:C:1992:44, paragraph 22 and the case-law cited).
127 The assessment to be carried out requires account to be taken of the field, the circumstances and context in which the obligation in question falls on the authority concerned (see, to that effect, judgment of 4 April 2017, Ombudsman v Staelen, C‑337/15 P, EU:C:2017:256, paragraph 40 and the case-law cited).
128 In addition, account must be taken, in particular, of the degree of clarity and precision of the rule infringed and of the measure of discretion left by that rule to the authority concerned (see, to that effect, judgment of 30 May 2017, Safa Nicu Sepahan v Council, C‑45/15 P, EU:C:2017:402, paragraph 30 and the case-law cited), the complexity of the situation to be regulated and difficulties in the application or interpretation of the legislation (judgment of 19 April 2007, Holcim (Deutschland) v Commission, C‑282/05 P, EU:C:2007:226, paragraph 50 and the case-law cited).
129 In the present case, the Court finds, first, that the provisions referred to in paragraphs 122 and 123 of the present judgment do not leave the entities involved in cooperation under Regulation 2016/794 any discretion as regards their obligation to protect any individual against any unlawful form of making personal data concerning him or her available by implementing appropriate technical and organisational measures for that purpose. Second, that obligation forms part of the sensitive context of cooperation between Europol and the Member States for the purposes of criminal prosecution, in which such data are processed without any intervention by the data subjects, most often without their knowledge, and therefore without them being able to intervene in any way in order to prevent any unlawful processing of their data.
130 The intimate nature of the data that may be contained in devices such as those at issue in the present case bears out the need for the protection of those data concerning the appellant to be strictly ensured, especially since those data had no connection with the facts in respect of which the appellant was being prosecuted criminally.
131 In those circumstances, the Court holds, in the light of the findings of the General Court recalled in paragraph 124 of the present judgment, that the unlawful processing of those data in the context of cooperation between Europol and the Slovak authorities under Regulation 2016/794 constituted a sufficiently serious breach of a rule of EU law intended to confer rights on individuals.
132 It should be added that Europol’s argument that it never had the data extracted from the mobile telephones at issue in a decrypted and intelligible format is not such as to call into question the existence itself of such an infringement on account of the unlawful processing of data which occurred in the context of that cooperation. As is apparent from paragraph 80 of the present judgment, Article 50(1) of Regulation 2016/794 establishes rules on joint and several liability under which the victim of such processing is not required to establish to which of the entities involved in such cooperation that processing is attributable. It follows that that argument cannot, in any event, succeed in the context of the present case, without prejudice to the possibility open to Europol to rely on it, where appropriate, in the context of any referral to its Management Board under Article 50(2) of that regulation.
133 As regards the second and third conditions for the European Union to incur non-contractual liability under the second paragraph of Article 340 TFEU, relating to evidence of the damage suffered and the causal link between that damage and the sufficiently serious breach of a rule of EU law, which the processing of unlawful data constitutes in the present case, the appellant submits that the disclosure of his personal data contained in the mobile telephones at issue, as a result of the publication of those data, not only infringed his right to respect for his private life, but also his right to respect for his family life. That disclosure allegedly had a negative impact on the relationship between the appellant and his daughters, who were profoundly affected by the publication of those data, which indicate, inter alia, their father’s intimate relationship with his girlfriend, which was publicly exposed, and set out their intimate conversations. This resulted in a feeling of frustration and injustice and damage to the appellant’s honour and professional reputation. That disclosure also undermined his right to respect for his communications guaranteed by Article 7 of the Charter.
134 Europol has not put forward any specific argument concerning whether the non-material damage alleged by the appellant genuinely occurred and whether there was a causal link between the unlawful processing of data and that damage. It merely maintained that, in the absence of evidence of either an event that gave rise to the damage or evidence of whether it was attributable to Europol, the first head of claim had to be rejected.
135 As regards the conditions relating to whether the damage actually occurred and whether there was a causal link, the European Union can incur non-contractual liability only if the applicant has genuinely suffered actual and certain damage and the damage must flow sufficiently directly from the alleged breach of a rule of EU law. It is for the applicant to adduce evidence before the EU Courts to establish the existence and extent of the damage it alleges and the existence of a sufficiently direct causal nexus between that infringement and the alleged damage (see, to that effect, judgment of 30 May 2017, Safa Nicu Sepahan v Council, C‑45/15 P, EU:C:2017:402, paragraphs 61 and 62 and the case-law cited).
136 In the present case, as has been pointed out in paragraph 124 of the present judgment, the unlawful processing of data constituted by the disclosure to unauthorised persons of data relating to intimate conversations between the appellant and his girlfriend led to those data being made accessible to the public, as evidenced by their publication in the Slovak press. Having regard to the content of those conversations, it must be held that that unlawful processing of data infringed the appellant’s right to respect for his private and family life and his communications, as guaranteed by Article 7 of the Charter, and adversely affected his honour and reputation, which caused him non-material damage.
137 By way of compensation for the damage alleged in the first head of claim, the appellant seeks payment of a sum in the amount of EUR 50 000.
138 However, the General Court took the view that the examination of the first head of claim had to be limited to the alleged damage resulting solely from the disclosure of the transcripts of the conversations of an intimate and sexual nature between the appellant and his girlfriend, since the appellant had not adduced any evidence capable of establishing, directly or indirectly, that the photographs referred to in paragraph 26 of the present judgment had actually been disclosed.
139 Since that rejection in part of the first head of claim has not been challenged in the appeal, the Court need not award any compensation to the appellant in respect of that part of the alleged damage.
140 In those circumstances, the Court holds that the non-material damage suffered by the appellant as a result of the disclosure of the transcripts of the conversations of an intimate nature with his girlfriend will be adequately compensated for by the payment to him of compensation set, on an equitable basis, at EUR 2 000.
Costs
141 Under Article 184(2) of the Rules of Procedure of the Court of Justice, where the appeal is unfounded or where the appeal is well founded and the Court itself gives final judgment in the case, the Court is to make a decision as to the costs.
142 Under Article 138(1) thereof, applicable to appeal proceedings by virtue of Article 184(1), the unsuccessful party is to be ordered to pay the costs if they have been applied for in the successful party’s pleadings. Under the first sentence of Article 138(3) of those rules, where each party succeeds on some and fails on other heads, the parties are to bear their own costs.
143 In the present case, the appellant seeks a decision as to the costs ‘in the main proceedings’. In that regard, it should be noted that although, in the form of order sought at first instance, it requested that Europol be ordered to pay the costs, in its appeal it did not apply for the costs relating to the appeal proceedings.
144 Europol claimed that the appellant should be ordered to pay the costs of both the proceedings at first instance and the appeal proceedings.
145 In those circumstances, since the parties have each been unsuccessful in part at the appeal stage and have each been unsuccessful in part at first instance, each of them must bear its own costs both at first instance and on appeal.
146 In accordance with Article 140(1) of the Rules of Procedure, which applies to appeal proceedings by virtue of Article 184(1) thereof, Member States and institutions which have intervened in the proceedings are to bear their own costs. The Slovak Republic, intervener before the Court, must therefore bear its own costs.
On those grounds, the Court (Grand Chamber) hereby:
1. Sets aside the judgment of the General Court of the European Union of 29 September 2021, Kočner v Europol (T‑528/20, EU:T:2021:631), in so far as it rejects the first head of claim as circumscribed in that judgment;
2. Dismisses the appeal as to the remainder;
3. Orders the European Union Agency for Law Enforcement Cooperation (Europol) to pay compensation in the amount of EUR 2 000 to Mr Marián Kočner;
4. Dismisses the action as to the remainder;
5. Orders Mr Marián Kočner and Europol each to pay their own costs relating to both the proceedings at first instance and the appeal proceedings;
6. Orders the Slovak Republic to bear its own costs.
[Signatures]