Dr Joyce de Coninck, University of Ghent
Photo credit: Oseveno
Introduction
The Europol Regulation introduces a shared responsibility framework for the EU concerning unlawful data processing that violates Articles 7 and 8 of the Charter of Fundamental Rights. This developing system of liability is at the center of the Marián Kočner v Europol case, highlighting the need for clarity regarding joint responsibility for human rights violations when EU agencies and Member States collaborate. Similar concerns were raised in the recent WS and others v Frontex case.
The need for clarity arises from the growing collaboration between EU operational agencies and Member States in pursuit of shared objectives. While Frontex’s authority in the EU’s Integrated Border Management is expanding, Europol’s powers in data processing, security-related investment screening, and data acquisition from private companies are also increasing. This growth leads to more public and private actors working together, blurring the lines of responsibility compared to when Member States solely handled such tasks.
This “crowding of the operational field,” or the “many hands” problem, exposes a disconnect between the EU’s liability framework and its practical application in situations where joint actions result in human rights violations. The existing framework wasn’t designed to address joint responsibility for human rights harms arising from collaboration between EU institutions and Member States.
This inadequacy exists on two levels, both stemming from the design of the legal framework itself.
Firstly, the historical development of fundamental rights within the EU, particularly the Charter of Fundamental Rights, was primarily driven by concerns from domestic courts about protecting EU fundamental rights. This reactive approach meant the drafters of the Charter didn’t fully consider scenarios where EU entities and Member States might engage in joint operational conduct. As a result, the Charter lacks clarity on how to translate its state-centric rights into enforceable obligations for the EU, particularly when acting jointly with Member States.
Secondly, the EU’s liability regime wasn’t designed to handle responsibility allocation in cases of unlawful joint conduct leading to human rights violations. The Court of Justice of the European Union (CJEU) has exclusive jurisdiction over EU actions for damages, and existing case law predominantly addresses damages caused by Member States’ implementation of EU law, not joint responsibility scenarios.
The increase in inseparable cooperation between EU entities and Member States leading to human rights concerns necessitates a new approach to liability, one not anticipated by the Charter or the current framework. This issue of joint liability is central to the Marián Kočner v Europol case, which will be examined further alongside Advocate General Rantos’s opinion.
The Case
In 2018, Slovakian authorities investigated Marián Kočner for murder, seizing his mobile phones and a USB drive that were later sent to Europol at their request. Months later, Europol returned the items with reports, including a hard drive containing encrypted data. Leaked content from the devices, including personal conversations and “mafia lists,” became public, allegedly violating Kočner’s right to privacy.
Kočner sued Europol for non-material damages based on unlawful data processing. The General Court dismissed his claim, stating no causal link existed between Europol’s actions and the leaked data, and no evidence proved Europol created the “mafia lists.”
Kočner’s appeal contests the General Court’s ruling on six points, with a key argument concerning the nature of EU liability. He claims the General Court disregarded Europol’s liability under the concept of “joint and several liability” outlined in Recital 57 of the Europol Regulation. This argument contrasts “joint and several liability” with the broader notion of joint responsibility, suggesting different outcomes depending on the approach taken. Kočner argues that disregarding “joint and several liability” renders Recital 57 meaningless.
This case presents the CJEU with its first opportunity to interpret the scope and implications of joint and several liability for Europol. This interpretation could significantly clarify joint responsibility and its allocation between the EU and Member States, especially given the limited case law on this topic.
The Opinion
Advocate General Rantos, after dismissing Europol’s admissibility objection, identifies six grounds for appeal, with four focusing on whether Europol engaged in unlawful data processing. The remaining two concern the nature of Europol’s liability, specifically “joint and several liability.”
The debate on Europol’s responsibility centers around Recital 57 and Article 50 of the Europol Regulation. Recital 57 introduces joint and several liability when “…it may … be unclear for the individual concerned whether damage suffered as a result of unlawful data processing is a consequence of action by Europol or by a Member State.” This applies only to unclear data processing attribution, while Recital 56 reaffirms that general EU liability rules (as established in the CJEU’s Bergaderm ruling) apply to other non-contractual liability issues.
Chapter 7 of the Europol Regulation focuses on remedies and liability, with Article 50 specifically addressing liability for unlawful data processing. Article 50(1) states that anyone suffering damage from unlawful data processing is entitled to compensation from either Europol, following Article 340 TFEU, or the Member State where the processing occurred, following domestic law. Article 50(2) stipulates that if responsibility for compensation is disputed, Europol’s Management Board decides by a two-thirds majority. In essence, the recitals seem to address responsibility allocation between Europol and involved Member States, while Article 50 focuses on the obligation to provide compensation once responsibility is determined.
AG Rantos highlights that while the recitals introduce a solidarity-based responsibility mechanism, Article 50 lacks explicit mention of joint and several liability. This absence led the General Court to conclude that liability, under Article 340 TFEU, couldn’t be established.
After reviewing conditions for establishing EU liability (paras 34-35), AG Rantos analyzes Europol’s liability by considering the wording of relevant provisions, their drafting context, and their objective and purpose, potentially discerned from legislative history and comparative interpretation.
Unlike Europol, AG Rantos acknowledges ambiguity in the recitals (suggesting new joint responsibility modalities) and Article 50 (focusing on compensation without mentioning joint and several liability). He notes that Recital 57 suggests concurrent liability for Europol and Member States, while Article 50 implies either the Member State or Europol bears responsibility. Similarly, the general reference to non-contractual EU liability in Article 340 TFEU, interpreted according to principles common to Member States, allows for interpretation.
Regarding context, AG Rantos notes that while not legally binding, recitals indicate legislative intent. Here, the intent was to prioritize the aggrieved party and eliminate attribution issues. He finds no conflict with Article 50, advocating for interpreting it in light of Recital 57 and joint and several liability.
Finally, analyzing Recital 57’s objectives through legislative history and comparative interpretation reveals that “joint and several liability,” present from the initial Commission proposal, aimed to minimize difficulties for aggrieved parties in attributing unlawful processing. Comparative analysis shows Member States utilize this liability model when attributing unlawful conduct proves challenging. AG Rantos concludes that suspending EU proceedings while domestic proceedings against a Member State are ongoing would render Article 50, interpreted through Recital 57, meaningless, thereby enabling concurrent proceedings.
Analysis
This case involves “many hands” cooperation between a Member State and Europol, raising questions of unlawful data processing potentially violating Articles 7 and 8 of the Charter. Kočner argues for Europol’s responsibility under joint and several liability, while Europol favors assessment under standard joint responsibility rules from the Bergaderm ruling. Essentially, the question is whether to apply the general rule (lex generalis) or a specific rule (lex specialis). AG Rantos recommends re-examining the case under underdeveloped joint and several liability rules, agreeing with Kočner that attributing conduct is unclear.
Francovich and Brasserie du Pêcheur judgments outline conditions for Member State liability under EU law, while Bergaderm outlines conditions for non-contractual liability of EU institutions. These require a sufficiently serious breach of EU law that directly causes damage. Sometimes, the CJEU may also require attributing conduct to the EU actor.
These rules apply to general responsibility and joint responsibility between the EU and Member States but don’t preclude more specific or tailored rules. Data processing under EU law presents an alternative, bifurcated approach. Specific data processing liability rules exist for Member States under the GDPR and for EU institutions under the Data Protection Law Enforcement Directive and Data Processing by the EU Institutions and Bodies Regulation. These apply unless superseded by even more specific rules, as is the case with Europol’s operational data processing (Article 2(3), Data Processing by the EU Institutions and Bodies Regulation).
Therefore, with clear attribution of unlawful data processing (Member State or Europol), standard liability rules apply, either domestic law for Member States or action for damages against Europol (Article 50(1), Europol Regulation). However, with unclear attribution, joint and several liability applies (Recital 57 in conjunction with Article 50(2), Europol Regulation), leaving responsibility for compensation to the Management Board’s decision (Article 50(2), Europol Regulation).
Juxtaposing Joint Liability and Joint and Several Liability
This approach offers procedural advantages for applicants and seemingly relaxes conditions for EU responsibility under the Bergaderm ruling.
Choosing the Judicial Forum
Joint and several liability aim to safeguard applicant rights. Unlike joint EU-Member State responsibility, domestic courts aren’t automatically the primary venue for establishing responsibility and reparations. The aggrieved party can pursue claims through either domestic or EU legal avenues. Upon concluding legal procedures and awarding damages, involved actors can settle any reparation disputes through Europol’s Management Board, whose decision is subject to legal scrutiny. This mechanism offers applicants flexibility in choosing judicial venues and ensures reparation (if responsibility is established) as the default outcome.
Attribution and Causation Revisited
Joint and several liability imply that when both Europol and a Member State are implicated, and conduct attribution is unclear, the attribution requirement becomes moot, with both considered fully responsible. Interestingly, this relaxation of attribution seemingly impacts the causation requirement. Causation, under general EU liability, necessitates an unbroken link between an actor’s unlawful conduct and the resulting damage. Without attributing conduct to either the Member State or the EU, unlawful data processing is considered attributable to both. This raises questions about how causation, requiring an uninterrupted link between damage and an actor’s unlawful conduct, functions in such a scenario.
Lingering Questions for the EU Courts
Despite AG Rantos’s opinion, several questions regarding EU joint responsibility remain unaddressed.
Attribution
A seemingly minor but important question is when Article 50, interpreted through Recital 57 of the Europol Regulation, applies. The assumption is that distinguishing scenarios with definitive attribution from those with unclear attribution is straightforward. However, general EU liability lacks a clear standard for attribution. In practice, attribution rules vary significantly across EU institutions, international relations, and policy areas. This is further complicated by the absence of a common legal forum to address responsibility concerning unlawful data processing involving both the EU and Member States. Attribution rules under domestic regimes might differ from those under EU liability, and it remains unclear which should prevail and how this impacts the application of Europol’s joint and several liability mechanism. This lack of a cohesive and clear approach to attribution might make it easier for applicants to trigger joint and several liability under the Europol Regulation. However, this depends on the burden, standard, and method of proof required to demonstrate unclear attribution.
Joint and Several Liability Beyond Data Processing
Human rights liability for violations by EU operational agencies is a growing concern. Pending actions against Frontex raise the question of whether a CJEU-clarified system of joint and several liability could be a solution. Those familiar with Frontex are likely aware of their typical response to human rights responsibility queries: “Frontex is not responsible; we merely coordinate Member State actions.” While debatable, this highlights that the current liability allocation framework enables blame-shifting at the expense of individual rights. Conversely, the joint and several liability system within the Europol Regulation might offer a way to circumvent blame-shifting, safeguard individual rights, and ensure that one actor doesn’t evade responsibility for reparations. A well-defined system of joint and several liability could have both remedial and deterrent functions, protecting applicants’ rights and disincentivizing EU institutions and agencies from utilizing “many hands” approaches to avoid responsibility. While acknowledging that these institutions might resist clearer responsibility rules, such clarification could encourage them to establish their own internal frameworks for allocating responsibility, especially concerning human rights. While the joint and several liability mechanism in this case is a positive development, whether this approach expands to the broader EU responsibility framework remains to be seen. The CJEU’s interpretation of this matter is eagerly anticipated.