CJEU - C‑755/21 P - Kočner v Europol

From GDPRhub
Revision as of 12:17, 19 October 2024 by ManTechnologist
CJEU - C‑755/21 P Kočner v Europol
Court: CJEU
Jurisdiction: European Union
Relevant Law: Article 82(4) GDPR
Article 82(5) GDPR
Article 340 TFEU
Article 50(1) Regulation 2016/794
Decided: 05.03.2024
Parties: Marián Kočner
Europol
Slovak Republic
Case Number/Name: C‑755/21 P Kočner v Europol
European Case Law Identifier: ECLI:EU:C:2024:202
Reference from:
Language: 24 EU Languages
Original Source: Judgement
Initial Contributor: im


The CJEU found that Europol and the Slovak Republic are jointly liable for an unauthorized disclosure of intimate conversations between the data subject and his girlfriend, which were leaked to the press. The data subject was granted €2,000 as compensation for the non-material damage suffered.

English Summary

Facts

Following the murder of a Slovak journalist and his fiancée, Mr Ján Kuciak and Ms Martina Kušnírová, in Slovakia on 21 February 2018, the Slovak authorities (Národná kriminálna agentúra (National Crime Agency, Slovakia; ‘NAKA’)) conducted an extensive investigation. At the request of those authorities, the European Union Agency for Law Enforcement Cooperation (‘Europol’) extracted the data stored on two mobile telephones allegedly belonging to Mr Marián Kočner, the data subject, who, following the investigation, was prosecuted as an accomplice to that murder for having ordered the killings.

Europol sent its scientific reports to those authorities and delivered to them a hard disk containing the encrypted data it had extracted. In one of its reports, Europol stated that Mr Kočner had been detained on suspicion of a financial offence since 2018 and that his name was, inter alia, directly linked to the ‘so-called mafia lists’ and the ‘Panama Papers’.

In May 2019, the Slovak press and an international network of investigative journalists published a large amount of information relating to Mr Kočner from his mobile telephones, including transcripts of intimate communications exchanged between him and his girlfriend. The conversation had been conducted by means of an encrypted messaging service.

For the reasons stated above, Mr Kočner sent a complaint to Europol seeking compensation in the amount of €100,000 as reparation for the non-material damage on the basis of Article 50(1) Regulation 2016/794. The compensation sought consisted of €50,000 for the unlawful disclosure of the data subject's intimate conversation with his girlfriend and €50,000 for the inclusion of his name on the 'mafia list'.

Europol and the Slovak Republic contended that the arguments were unfounded because, firstly, Regulation 2016/794 (setting out the rules for Europol) does not provide for such joint liability of Europol and the Member State. Secondly, Europol rejected any liability due to the absence of unlawful conduct on its part, given that the alleged harmful events occurred during storage of the national investigation file. As such, it argued, these circumstances do not constitute ‘unlawful data processing operations’ within the meaning of Article 50(1) Regulation 2016/794.

Lastly, Europol stated that even if joint liability were applicable, no liability could arise given the absence of any unlawful conduct on its part and of a causal link between such conduct and the damage suffered.

Holding

Firstly, the CJEU ruled that there is no need to additionally establish to which of the two entities, Europol or the Member State, the unlawful processing was attributable. In order for such joint and several liability to be incurred in the first stage, the individual concerned must show only that, in the course of cooperation between Europol and the Member State concerned, unlawful data processing that caused him or her to suffer damage has been carried out.

Secondly, concerning specifically the leak of the 'so-called mafia list', the CJEU found that the data subject had failed to establish that the ‘mafia lists’ on which his name had allegedly been included had been drawn up and kept by Europol. The data subject's claim contradicted the evidence, from which it was apparent that the leaked Europol report containing Mr Kočner’s name on the ‘mafia list’ was subsequent to and, thus, unrelated to Slovak press publications where he was represented as a ‘member of the mafia’.

Thirdly, the CJEU rejected Europol’s argument that it had met its obligations and implemented appropriate technical and organizational measures to protect personal data against any form of unauthorized access. The Court observed that the intimate nature of such data bears out the need for its protection to be strictly ensured in cooperation with Member States under Regulation 2016/794. As unauthorized access took place, it constituted a sufficiently serious breach of a rule of EU law intended to confer rights on individuals.

Fourthly, the Court held that the European Union can incur non-contractual liability in the present case, as a result of the publication of the data subject’s intimate conversations. The leak of this information adversely affected his honour and professional reputation, and violated his rights to privacy, family life and respect for his communications guaranteed by Article 7 of the Charter of Fundamental Rights of the European Union.

As a result, the CJEU held Europol and the Slovak Republic jointly and severally liable for the unlawful data processing which caused the data subject to suffer non-material damage. The Court stated that Europol has the possibility to refer the matter to its Management Board so that it can determine who has the ultimate responsibility for the compensation awarded to the data subject. However, this exclusively concerns the internal allocation of responsibilities between the two jointly liable controllers.

The compensation sought by the data subject for the inclusion of his name on the ‘mafia list’ by Europol was initially set at €50,000. As this claim was dismissed, the Court only examined the claim for €50,000 in compensation for the disclosure of the data subject’s conversation with his girlfriend. The Court decided that the alleged damage resulted solely from the disclosure of transcripts of the conversation and that no evidence established that any photographs had been disclosed.

As a result, the CJEU granted Mr Kočner compensation in the amount of €2,000 as reparation for that damage.

Comment

The case refers to the joint and several liability of two controllers under Regulation 2016/794. However, this concept is also relevant under Article 82(4) GDPR and Article 82(5) GDPR.
