CJEU - C‑755/21 P - Kočner v Europol

From GDPRhub
Revision as of 15:39, 8 March 2024 by Im (talk | contribs) (Created page with "{{CJEUdecisionBOX |Case_Number_Name=C‑755/21 P Kočner v Europol |ECLI=ECLI:EU:C:2024:202 |Opinion_Link=https://curia.europa.eu/juris/document/document.jsf;jsessionid=DEC3D1757D86F30F7B24F85E4AF74FF9?text=&docid=274650&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=21748532 |Judgement_Link=https://curia.europa.eu/juris/document/document.jsf;jsessionid=E7B0DB74BBB1714B85B2E41B7A9584AC?text=&docid=283444&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
CJEU - C‑755/21 P Kočner v Europol
Cjeulogo.png
Court: CJEU
Jurisdiction: European Union
Relevant Law: Article 82(4) GDPR
Article 82(5) GDPR
Article 340 TFEU
Article 50(1) Regulation 2016/794
Decided: 05.03.2024
Parties: Marián Kočner
Europol
Slovak Republic
Case Number/Name: C‑755/21 P Kočner v Europol
European Case Law Identifier: ECLI:EU:C:2024:202
Reference from:
Language: 24 EU Languages
Original Source: AG Opinion
Judgement
Initial Contributor: im

Europol and Slovak Republic are held jointly liable for an unauthorized disclosure of intimate conversations of data subject with his girlfriend which were leaked to press. The data subject was grated €2000 as a compensation for the non-material damage suffered.

English Summary

Facts

Following the murder of a Slovak journalist and his fiancée, Mr Ján Kuciak and Ms Martina Kušnírová, in Slovakia on 21 February 2018, the Slovak authorities (Národná kriminálna agentúra (National Crime Agency, Slovakia; ‘NAKA’)) conducted an extensive investigation. At the request of those authorities, the European Union Agency for Law Enforcement Cooperation (‘Europol’) extracted the data stored on two mobile telephones allegedly belonging to Mr Marian Kočner, the data subject who was prosecuted as an accomplice to that murder for having ordered the killings, following the investigation. Europol sent its scientific reports to those authorities and delivered to them a hard disk containing the encrypted data it had extracted. In one of its reports, Europol stated that Mr Kočner had been detained on suspicion of a financial offence since 2018 and that his name was, inter alia, directly linked to the ‘so-called mafia lists’ and the ‘Panama Papers’. In May 2019, the Slovak press and international network of investigative journalists published a large amount of information relating to Mr Kočner from his mobile telephones, including transcripts of intimate communications exchanged between him and his girlfriend. The conversation was carried by means of encrypted messaging service. For the reasons stated above, Mr Kočner sent a complaint to Europol seeking compensation in the amount of €100 000 as a reparation for the non-material damage on the bases of Article 50(1) GDPR. Europol and Slovak Republic contend that the arguments are unfounded as, firstly, Regulation 2016/794 (setting up the rules for the Europol) does not provide for such joint liability of European and the Member State. Secondly, Europol rejects any liability due to the absence of unlawful conduct on its part given that alleged harmful events occurred during storage of the national investigation file. As such, these circumstances do not constitute ‘unlawful data processing operations’ within the meaning of Article 50(1) Regulation 2016/794. Additionally, Europol stated that even if the Article were applicable, the absence of any unlawful conduct on its part and of a causal link between such conduct and the damage suffered does not give rise to a liability.

Holding

Firstly, the CJEU ruled that there is no need to establish additionally to which of these two entities - Europol or the Member State, that unlawful processing is attributable. In order for such joint and several liability to be incurred in the first stage, the individual concerned must show only that, in the course of cooperation between Europol and the Member State concerned, unlawful data processing that caused him or her to suffer damage has been carried out. Secondly, the CJEU found data subject had failed to establish that the ‘mafia lists’ on which his name had allegedly been included had been drawn up and kept by Europol. The claim contradicts the evidence whereby it is apparent that leaked Europol report containing Mr Kočner’s name on the ‘mafia list’ was subsequent to and, thus, unrelated to Slovak press publications where he was represented at as ‘member of mafia’. Thirdly, the CJEU rejected the Europol’s argument that it met its obligations and implemented appropriate technical and organization measures to protect personal data against any form of unauthorized access. The Court observed that the data of such intimate nature bears out the need for its protection to be strictly ensured in cooperation under Regulation 2016/794. As an unauthorized access took place it constituted a sufficiently serious breach of a rule of EU law intended to confer rights on individuals. Fourthly, the Court held that European Union can incur non-contractual liability in the present case, as the result of publication of data subject’s intimate conversations adversely affected his honour and professional reputation, and violated his rights to privacy, family life and respect for his communications guaranteed by Article 7 of the Charter of Fundamental Rights of the European Union. As a result, the CJEU held Europol and Slovak Republic jointly and severally liable for the unlawful data processing which caused the data subject to suffer non-material damage. The Court stated the possibility open to Europol to refer them matter to its Management Board so that it can determine who has the ultimate responsibility for the compensation awarded to the data subject. The compensation attributed to the data subject for the inclusion of his name on the ‘mafia list’ by Europol was firstly set at €50,000. This claim was dismissed by the Court, therefore it only examined the damage alleged in the first head of claim regarding the compensation of €50,000 for disclosure of the data subject’s conversation with his girlfriend. However, the Court decided that the alleged damage resulted solely from the disclosure of transcripts of the conversation and no evidence established that any photographs have been disclosed. As a result, the CJEU granted Mr Kočner compensation in the amount of €2 000 as reparation for that damage.

Comment

The case refers to the joint and several liability of two controllers which stems from the Article 82(4) GDPR and Article 82(5) GDPR.

Further Resources

Share blogs or news articles here!

Retrieved from "https://gdprhub.eu/index.php?title=CJEU_-_C‑755/21_P_-_Kočner_v_Europol&oldid=40286"
Creative Commons Attribution-NonCommercial-ShareAlike
Powered by MediaWiki