T-1180/23
WyrokTSUE2026-02-25CELEX: 62023TJ1180ECLI:EU:T:2026:149
Analiza orzeczenia
Sekcja wygenerowana przez AI na podstawie treści orzeczenia — nie stanowi cytatu.
Zagadnienie prawne
Czy przetwarzanie i przekazywanie danych osobowych uzyskanych z usługi Sky ECC przez Europol, Eurojust oraz państwa członkowskie, w tym przekazanie danych do państwa trzeciego, było zgodne z prawem Unii Europejskiej, w szczególności z przepisami o ochronie danych osobowych i prawami podstawowymi, oraz czy agencje te ponoszą odpowiedzialność odszkodowawczą za ewentualne naruszenia, a także czy zaskarżone akty były zaskarżalne na podstawie art. 263 TFUE?Ratio decidendi
Sąd Generalny uznał, że nie ma jurysdykcji do orzekania o legalności działań władz krajowych (przechwytywanie danych, postępowania karne) ani samej umowy JIT, ponieważ nie są to akty instytucji UE. Większość działań Europolu i Eurojust (udział w spotkaniach, odbiór i przetwarzanie danych) uznano za akty przygotowawcze, niezaskarżalne na podstawie art. 263 TFUE, gdyż nie wywoływały wiążących skutków prawnych. Wyjątkiem było przekazanie danych przez Eurojust do Serbii, które uznano za akt zaskarżalny ze względu na brak skutecznego środka prawnego w prawie UE dla skarżącego w państwie trzecim. Jednakże, to przekazanie uznano za zgodne z prawem, ponieważ było zgodne z zadaniami Eurojust, proporcjonalne i bezpieczne. W zakresie odpowiedzialności odszkodowawczej, Sąd stwierdził, że skarżący nie wykazał wystarczająco poważnego naruszenia prawa przez Europol (w tym w ramach odpowiedzialności solidarnej za przetwarzanie danych przez państwa członkowskie, z wyłączeniem operacji policyjnych) ani przez Eurojust. Podkreślono, że walka z poważną przestępczością uzasadnia ograniczenia praw podstawowych, a Europol i Eurojust nie naruszyły obowiązków w zakresie koordynacji postępowań karnych ani bezpieczeństwa danych.Stan faktyczny
Skarżący BW, obywatel Serbii, jest ścigany w Niderlandach i Serbii za import kokainy i handel narkotykami. Postępowania te wynikają z dochodzeń prowadzonych przez władze belgijskie, niderlandzkie i francuskie w sprawie usługi szyfrowanej komunikacji „Sky ECC”, podejrzanej o ułatwianie przestępstw. Władze francuskie przechwyciły dane komunikacyjne (w tym dane skarżącego) z serwerów Sky ECC. W 2019 r. Belgia, Francja i Niderlandy utworzyły wspólny zespół dochodzeniowo-śledczy (JIT). Europol przechowywał, analizował i udostępniał przechwycone dane, a Eurojust wspierał współpracę sądową i koordynował spotkania między państwami członkowskimi oraz między Niderlandami, Francją a Serbią.Rozstrzygnięcie
1. Skarga zostaje oddalona.
2. BW pokrywa własne koszty oraz koszty poniesione przez Agencję Unii Europejskiej ds. Współpracy Organów Ścigania (Europol) i Agencję Unii Europejskiej ds. Współpracy Wymiarów Sprawiedliwości w Sprawach Karnych (Eurojust).
3. Królestwo Belgii, Królestwo Hiszpanii i Królestwo Niderlandów pokrywają własne koszty.Pełny tekst orzeczenia
Provisional text
JUDGMENT OF THE GENERAL COURT (Fifth Chamber)
25 February 2026 (*)
( Cooperation between police authorities and other law enforcement agencies of Member States – Sky ECC encrypted communications service – Alleged unlawful processing of personal data – Action for annulment – Act not subject to review – Preparatory act – Admissibility – Processing of personal data by Member States and transfer of such data to Europol – Transfer of personal data by Europol to a Member State – Transfer of personal data from Eurojust to a third country – Non-contractual liability – Article 50 of Regulation (EU) 2016/794 – Joint and several liability of Europol and the Member States for unlawful processing of data – Sufficiently serious breach of a rule of law conferring rights on individuals – Actual damage – Regulation (EU) 2018/1727 – Insufficient coordination by Eurojust of criminal proceedings between a Member State and a third country – Articles 71, 72, 89, 91 and 92 of Regulation (EU) 2018/1725)
In Case T‑1180/23,
BW, represented by J. Reisinger, lawyer,
applicant,
v
European Union Agency for Law Enforcement Cooperation (Europol), represented by A. Nunzi, acting as Agent, and by G. Ziegenhorn, M. Kottmann, T. Shulman and S. Steinbarth, lawyers,
and
European Union Agency for Criminal Justice Cooperation (Eurojust), represented by J. Carmona-Bermejo and M. Castro Granja, acting as Agents, and by Kottmann, Ziegenhorn, Shulman and Steinbarth,
defendants,
supported by
Kingdom of Belgium, represented by M. Jacobs, M. Van Regemorter and C. Jacob, acting as Agents,
by
Kingdom of Spain, represented by A. Gavela Llopis, acting as Agent,
and by
Kingdom of the Netherlands, represented by J. Langer and M. Bulterman, acting as Agents,
interveners,
THE GENERAL COURT (Fifth Chamber),
composed, at the time of the deliberations, of J. Svenningsen (Rapporteur), President, J. Martín y Pérez de Nanclares and M. Stancu, Judges,
Registrar: L. Ramette, Administrator,
having regard to the written part of the procedure,
further to the hearing on 9 September 2025,
gives the following
Judgment
1 By his application, the applicant, BW, seeks, in essence, first, on the basis of Article 263 TFEU, the annulment of the agreement establishing a joint investigation team (‘JIT’) relating to the Sky ECC encrypted communications service (‘the JIT agreement’) and of the processing, analysis and sharing of data by the European Union Agency for Law Enforcement Cooperation (Europol), the European Union Agency for Criminal Justice Cooperation (Eurojust) and the Member States involved in the investigation of that service, of data relating to him obtained from that service and, secondly, on the basis of Article 268 TFEU, compensation for the material and non-material damage he suffered as a result of the acts and conduct of Europol, Eurojust and the Member States concerned.
I. Background to the dispute
2 The applicant is a Serbian national who has been prosecuted and imprisoned in the Netherlands since 8 May 2023 for importing 743 kilograms of cocaine into that Member State, which was intercepted on 4 August 2020 in Rotterdam (Netherlands). He has also been prosecuted in Serbia since autumn 2023 for, inter alia, drug trafficking.
3 The criminal proceedings brought by the Netherlands and Serbian authorities stem from investigations launched in the late 2010s by the Belgian, Netherlands and French authorities into the ‘Sky ECC organisation’, ECC meaning Elliptic Curve Cryptography, suspected of marketing encrypted communications products and services specifically designed to facilitate the commission of criminal offences.
4 Following those national investigative measures, at the end of 2018, the Kingdom of Belgium and the Kingdom of the Netherlands issued joint investigation decisions requesting the French Republic to create an image of the servers used by the Sky ECC service and located in Roubaix (France). That Member State complied with that request by using a ‘man-in-the-middle attack’ technique to intercept, record and transcribe encrypted communications entering and leaving those servers, including data concerning the applicant.
5 On 13 December 2019, the Belgian, French and Netherlands authorities concluded a JIT agreement on the basis of Article 13 of the Convention established by the Council in accordance with Article 34 TEU on Mutual Assistance in Criminal Matters between Member States of the European Union (OJ 2000 C 197, p. 3) and the Council Framework Decision of 13 June 2002 on joint investigation teams (OJ 2002 L 162, p. 1), thereby establishing the JIT.
6 The JIT agreement provides as follows:
‘The creation of the JIT is aimed at facilitating ongoing investigations in Belgium, France and the Netherlands into the provider(s) and users of the Sky ECC communication service and at sharing technical know-how and resources … The objective of the JIT is the joint preparation, development and implementation of the technique necessary for decrypting past communications and to dismantle the server; the identification and locating of users moving within and between the three countries; the setting up and coordination of a joint action day or days undertaken with the aim of arresting and bringing to justice Sky ECC’s facilitators and users.’
7 The JIT led to the sharing between Europol and the three Member States concerned of the raw intercepted data, which were then to be analysed, as well as the results of that analysis.
8 In the context of that cooperation, which was still ongoing at the time of the hearing in the present case, Europol stored the data in its computer system, carried out cross-checks, produced intelligence reports, generated data visualisation graphics and interpreted multilingual data sets.
9 For its part, Eurojust provided support and advice on the possibilities for judicial cooperation and organised several coordination meetings between the Belgian, French and Netherlands authorities and Europol, and facilitated judicial cooperation between the Republic of Serbia on the one hand and the Kingdom of the Netherlands and the French Republic on the other.
II. Forms of order sought
10 The applicant claims, in essence, that the Court should:
– annul the JIT agreement, the acts of Europol and Eurojust adopted on the basis thereof, and the acts of processing, analysing and sharing by them and the Member States concerned of the data on the Sky ECC server concerning him;
– order Europol and Eurojust to pay him compensation of at least EUR 71 000 for non-material and material damage resulting, first, from ‘his (provisional) detention, his public notoriety, his deficient defence position and the data that are [or] may have fallen into the wrong hands’ and, secondly, ‘legal costs and loss of income’;
– order Eurojust and Europol to pay the costs.
11 Eurojust and Europol contend that the Court should:
– dismiss the action as inadmissible and, in any event, as unfounded;
– order the applicant to pay the costs.
12 The Kingdom of Spain contends that the Court should dismiss the action as inadmissible or, in the alternative, as unfounded, and order the applicant to pay the costs.
13 The Kingdom of the Netherlands contends that the Court should dismiss the action and order the applicant to pay the costs.
III. Law
14 In support of his claims against both Europol and Eurojust, the applicant relies on the same four pleas in law.
15 The first plea in law alleges, in essence, the unlawful and disproportionate nature of the collection and processing of personal data from the Sky ECC service by the Member States concerned and by ‘Europol and/or Eurojust’, from their initial interception in 2019 until the last sharing of the results with other countries.
16 In response to a question from the Court during the hearing, the applicant stated that he was not relying on any act or conduct subsequent to 24 June 2022, the date on which the French authorities sent the Serbian authorities, via Eurojust, a link to a secure download site providing that third country with information concerning certain conversations from the Sky ECC service linked to specifically identified login details, including the applicant’s discussions.
17 The second plea in law alleges, in essence, the infringement by Europol and Eurojust, respectively, of Article 28 of Regulation (EU) 2016/794 of the European Parliament and of the Council of 11 May 2016 on Europol and replacing and repealing Council Decisions 2009/371/JHA, 2009/934/JHA, 2009/935/JHA, 2009/936/JHA and 2009/968/JHA (OJ 2016 L 135, p. 53), and Article 71 of Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ 2018 L 295, p. 39), and Articles 47 and 48 of the Charter of Fundamental Rights of the European Union (‘the Charter’) and Articles 14 and 15 of the International Covenant on Civil and Political Rights, adopted by the United Nations General Assembly on 16 December 1966 and which entered into force on 23 March 1976 (‘the Covenant’), due to the incomplete nature of the Sky ECC data collected, analysed and transferred, which allegedly impaired the applicant’s ability to defend himself before the Netherlands and Serbian courts.
18 The third plea in law alleges, in essence, a breach by Europol and Eurojust of the JIT agreement, in that they failed in their obligation to coordinate in order to prevent the applicant from being prosecuted twice for the same offences in the Netherlands and in Serbia.
19 The fourth plea in law alleges, in essence, infringement by Europol and Eurojust, respectively, of Article 32 of Regulation 2016/794 and Articles 89 and 92 of Regulation 2018/1725, in that they failed adequately to protect the applicant’s personal data.
A. The facts and acts alleged, and the jurisdiction of the General Court to hear the case
1. Preliminary observations
20 By his heads of claim, the applicant indiscriminately criticises Europol and Eurojust for several unlawful acts or forms of conduct relating to the collection and processing of his personal data in the context of criminal investigations conducted by the Kingdom of Belgium, the French Republic and the Kingdom of the Netherlands in connection with the Sky ECC service, in which Europol and Eurojust participated.
21 In so far as the applicant criticises not only conduct attributable to Europol and Eurojust, but also conduct attributable to the Member States that took part in the JIT and to the Republic of Serbia, it is important to make the following preliminary observations.
22 In the first place, with regard to the head of claim based on Article 263 TFEU, it is clear from that provision that an action for annulment may only be brought against acts adopted by an institution, body, office or agency of the European Union.
23 Thus, in the context of an action brought on the basis of Article 263 TFEU, the EU judicature does not have jurisdiction to rule on the lawfulness of a measure adopted by a national authority (judgment of 3 December 1992, Oleificio Borelli v Commission, C‑97/91, EU:C:1992:491, paragraph 9), and that finding cannot be overturned by the fact that the act in question forms part of an EU decision-making process (judgment of 29 January 2020, GAEC Jeanningros, C‑785/18, EU:C:2020:46, paragraph 27).
24 Similarly, the Court has had occasion to rule that the review, in the context of an action for annulment, of the lawfulness of the transmission to an EU institution, by a national prosecutor or by the authorities, of information gathered under national criminal law is in principle a question covered by the national law governing the conduct of investigations by those national authorities and also, in the case of court proceedings, by the jurisdiction of the national courts (see, to that effect, judgment of 8 July 2004, Dalmine v Commission, T‑50/00, EU:T:2004:220, paragraph 86).
25 It follows that, in so far as the applicant seeks the annulment of the interception operations carried out by the French authorities – with the authorisation of a French judge – the annulment of the ‘conduct of those operations’, the annulment of the transmission to Europol by the French authorities of the documents and information obtained in the course of those operations, the annulment of the transmission to Eurojust and to the Serbian authorities by the French authorities of the documents and information requested by the Serbian authorities in the context of its requests for mutual legal assistance, and the annulment of the criminal proceedings before the Serbian courts, the EU judicature has no jurisdiction to hear the case.
26 The EU judicature also lacks jurisdiction to rule, directly on the basis of Article 263 TFEU, on the legality of the JIT agreement, since that agreement is not a Union act.
27 The JIT agreement was signed and therefore concluded by only three Member States, namely the Kingdom of Belgium, the French Republic and the Kingdom of the Netherlands.
28 That conclusion cannot be called into question by the fact that the JIT agreement is based on a convention concluded by those Member States pursuant to Article 34 TEU and on a framework decision of the Council of the European Union (see, to that effect, judgment of 17 September 2014, Liivimaa Lihaveis, C‑562/12, EU:C:2014:2229, paragraphs 45 to 51).
29 Nor can that conclusion be called into question by the fact that Europol or Eurojust may have been behind the creation of the JIT in question or by the fact that, under point 7 of the JIT Agreement, the Kingdom of Belgium, the French Republic and the Kingdom of the Netherlands agreed to involve Europol and Eurojust as ‘participants’ in the JIT, as permitted by Article 13(12) of the Convention established by the Council in accordance with Article 34 TEU on mutual assistance in criminal matters between Member States of the European Union, read in conjunction with recital 9 of the Council Framework Decision of 13 June 2002 on joint investigation teams, as well as, with regard to Europol, Article 5 of Regulation 2016/794 and, with regard to Eurojust, Article 8(1)(d) of Regulation (EU) 2018/1727 of the European Parliament and of the Council of 14 November 2018 on Eurojust and replacing and repealing Council Decision 2002/187/JHA (OJ 2018 L 295, p. 138).
30 The power conferred on Europol or Eurojust by Article 5 of Regulation 2016/794 and Article 8(1)(d) of Regulation 2018/1727 to propose or assist in the establishment of a JIT, just as the right of their officers to take part in a JIT, does not confer on those agencies the status of ‘party’ to the agreement by which the Kingdom of Belgium, the French Republic and the Kingdom of the Netherlands established the JIT concerned.
31 In view of the foregoing, the Court has no jurisdiction to rule, on the basis of Article 263 TFEU, on the authorisation by the French court of the interception operations carried out by the French authorities, the conduct of those operations, the transmission to Europol by the French authorities of the documents and information obtained in the course of those operations, the transmission to Eurojust and the Serbian authorities by the French authorities of the documents and information requested by the Serbian authorities in the context of its requests for mutual legal assistance, the regularity of the criminal proceedings before the Serbian courts and the JIT agreement.
32 In the second place, with regard to the head of claim based on Articles 268 and 340 TFEU, it should be noted that the EU judicature has jurisdiction to hear an action for damages based on those provisions only if the alleged illegality on which the claim for damages is based does indeed originate from an institution, body or agency of the European Union and cannot be regarded as attributable to a national authority (see, to that effect, judgment of 16 December 2020, Council v K. Chrysostomides & Co. and Others, C‑597/18 P, C‑598/18 P, C‑603/18 P and C‑604/18 P, EU:C:2020:1028, paragraphs 80, 106 and 107).
33 Furthermore, where the European Union is liable on account of an act or conduct of one of its institutions or one of its organs or bodies, it is represented before the Court by the institution, organ or body against which the matter giving rise to liability is alleged (judgment of 13 November 1973, Werhahn Hansamühle and Others v Council and Commission, 63/72 to 69/72, EU:C:1973:121, paragraph 7).
34 Thus, the European Union cannot be held liable on the basis of Articles 268 and 340 TFEU by an EU institution, body, office or agency other than that against which the matter giving rise to liability is alleged, unless the EU legislature has expressly provided for a derogating regime of joint and several liability either between one of those EU institutions, bodies, offices or agencies and one or more Member States, or even one or more third countries, or between several EU institutions, bodies, offices or agencies (see, by analogy, judgment of 5 March 2024, Kočner v Europol, C‑755/21 P, EU:C:2024:202, paragraphs 62 and 63).
35 In the present case, it must be noted that neither Regulation 2018/1727 nor any other act invoked by the applicant provides for a derogation from joint and several liability between Eurojust and the Member States or between Eurojust and the Republic of Serbia.
36 Similarly, in response to a question from the Court during the hearing, the applicant stated that the head of claim was not based on any joint and several liability of Europol on account of Eurojust or of Eurojust on account of Europol, but solely on the joint and several liability of Europol on account of the Member States.
37 As the Court of Justice has ruled, a derogatory regime of joint and several liability of Europol on account of the Member States must be inferred from a combined reading of recital 57 and Article 49(3) and (4) and Article 50 of Regulation 2016/794 (see, to that effect, judgment of 5 March 2024, Kočner v Europol, C‑755/21 P, EU:C:2024:202, paragraphs 62 and 63).
38 Under that system, a natural person may seek, before the EU judicature, to hold Europol liable for any unlawful processing of data that occurred in the context of cooperation under Regulation 2016/794 between that person and a Member State and which caused that person harm (see, to that effect, judgment of 5 March 2024, Kočner v Europol, C‑755/21 P, EU:C:2024:202, paragraphs 62 and 63).
39 In the present case, it should be noted that cooperation on the Sky ECC service began in May 2019 and, as Europol indicated in response to a question from the Court during the hearing, was still ongoing at the time of the hearing.
40 Furthermore, the applicant relies on the fact, confirmed by Europol in response to a question from the Court at the hearing, that personal data relating to him obtained from the Sky ECC service were, first, exchanged in the context of that cooperation between Europol and the Belgian, French and Netherlands authorities and, secondly, remain in Europol’s possession.
41 In view of the foregoing, the Court has no jurisdiction to hear the second head of claim in so far as it seeks to establish the liability of Eurojust on the basis of the actions of the Kingdom of Belgium, the French Republic, the Kingdom of the Netherlands or the Republic of Serbia, or even on the basis of the actions of Europol.
42 By contrast, the Court has jurisdiction to hear the second head of claim in so far as it seeks to establish the liability of Eurojust for its own conduct and the liability of Europol for conduct attributable both to itself and to the Member States that took part in the cooperation relating to the Sky ECC service.
43 With regard to Europol’s joint and several liability for the conduct attributable to the Belgian, French or Netherlands authorities, on the one hand, it should be noted that, given the date of the last act alleged by the applicant against Europol and Eurojust – namely the exchange of his personal data on 24 June 2022 – only the joint and several liability regime provided for in Regulation 2016/794 in its initial version, in force until 27 June 2022, is applicable to the present dispute (see, to that effect, judgment of 10 September 2019, HTTS v Council, C‑123/18 P, EU:C:2019:694, paragraph 39).
44 Secondly, it follows from Article 276 TFEU that, in exercising its powers in relation to the provisions of Chapters 4 and 5 of Title V of Part Three of the TFEU, relating to the area of freedom, security and justice, the EU judicature does not have jurisdiction to review the validity or proportionality of operations carried out by the police or other law enforcement agencies in a Member State.
45 Thus, despite the joint and several liability regime provided for in Article 50(1) of Regulation 2016/794, Europol cannot be held jointly and severally liable for any damage resulting from the unlawful processing of personal data of a natural person in the course of operations carried out by the police or other law enforcement authorities of a Member State, even if such processing took place in the context of cooperation based on that regulation (see, by analogy, judgment of 10 September 2024, KS and Others v Council and Others, C‑29/22 P and C‑44/22 P, EU:C:2024:725, paragraph 91).
46 Despite its jurisdiction to hear the second head of claim concerning Europol’s joint and several liability for conduct attributable to the French authorities in particular, the Court therefore lacks jurisdiction to hear the applicant’s allegations of damage allegedly caused to him by the interception of his personal data in the course of police operations carried out by the French authorities.
47 In those circumstances, and before examining the objections of inadmissibility raised by Europol and Eurojust and the merits of the applicant’s claims, it is necessary to identify the conduct and acts alleged by the applicant which the EU judicature is competent to hear and to determine whether they are attributable to Europol or Eurojust and, if so, the conduct or acts which are not attributable to Europol but which could nevertheless give rise to its liability on the basis of the derogatory regime of joint and several liability provided for in Article 50(1) of Regulation 2016/794.
2. The acts or conduct attributable to Europol or Eurojust
48 The applicant contends that the collection, processing and transmission of his personal data in the context of criminal investigations relating to the Sky ECC service, in which the Belgian, French and Netherlands authorities, as well as Europol and Eurojust, were involved and which led to the criminal proceedings referred to in paragraph 2 above, are contrary to EU law.
49 More specifically, and in the light of the sole information he was able to obtain when consulting the files relating to the criminal proceedings brought against him, the applicant criticises ‘Europol and/or Eurojust’ for processing his personal data ‘since they were first intercepted in 2019’ until 24 June 2022, the date on which Eurojust forwarded to the Serbian authorities an email from the French authorities containing a link to a secure download site containing, in particular, some of his conversations from the Sky ECC service (paragraph 16 above).
50 In that regard, the applicant contends that Europol ‘has provided support for the exercise of investigative powers on the territory of numerous countries, both within and outside the European Union.’ Furthermore, Europol allegedly organised a meeting with the Belgian, French and Netherlands authorities on 27 May 2019, during which metadata from more than 9 000 messages sent to or from users of the Sky ECC service were shared. In June 2019, data obtained by the French authorities during interception operations were reportedly shared with the Belgian and Netherlands authorities via Europol using its secure information exchange system known as the ‘Secure Information Exchange Network Application’ (SIENA).
51 In addition, Europol and Eurojust were allegedly involved, from December 2020 onwards, in an operation to collect the decryption keys for messages obtained since mid-2019, in the storage, decryption and transfer of those messages and, in March 2021, in an ‘operation during which Sky ECC was “taken down”’. The applicant also claims that Europol and Eurojust participated, on 23 and 24 July 2020, in a JIT technical working group in which new encrypted messages were discovered, as well as in meetings held on 28 August 2019, 7 September 2020 and 11 February 2021.
52 With particular regard to the proceedings against him in Serbia, the applicant claims that Eurojust received a request for cooperation from the Serbian authorities on 6 June 2022, which led to the French authorities forwarding, to the Serbian authorities on 24 June via Eurojust, data concerning him from the Sky ECC service (‘the transmission of 24 June 2022’). Furthermore, in June 2022, Europol allegedly informed the Serbian authorities that its analyses had identified the applicant behind a specific ‘Sky ECC identifier’. Finally, other contacts allegedly took place between the Serbian authorities and Europol concerning the criminal group to which the applicant is alleged to belong.
53 Europol and Eurojust deny having taken part in any of the acts referred to by the applicant.
(a) The acts and conduct attributable to Europol
54 In its submissions, Europol states that the JIT led to the sharing between it and the three Member States concerned of data intercepted by the French authorities for analysis purposes, as well as the sharing of the results of those analyses.
55 In that regard, Europol acknowledges that it received metadata relating to more than 9 000 messages exchanged during the meeting of 27 May 2019, referred to by the applicant in paragraph 50 above.
56 Europol also states that, as of 18 March 2021, it had effectively received data from the Sky ECC service transmitted by the French authorities and analysed it, then forwarded the results of its analyses to the Belgian, French and Netherlands authorities, in particular in the form of certain country-specific analyses.
57 Furthermore, Europol does not dispute that it participated in a meeting on 28 August 2019 at which the consequences of a possible dismantling of the Sky ECC service infrastructure were discussed, or in a technical working group of the JIT organised on 23 and 24 July 2020, at which new encrypted messages were discovered.
58 As they are not disputed or even confirmed by Europol, the facts referred to in paragraphs 54 to 57 above must therefore be considered established and attributable to it.
59 By contrast, first, the applicant does not provide any evidence, or at least any prima facie evidence, to establish that Europol participated in or contributed to the interception of data entering and leaving the Sky ECC service’s servers located in France.
60 In addition to Europol’s denial of those facts, the applicant’s assertion is not corroborated either by the fact that Europol may have participated in or initiated the meeting of 27 May 2019, or by the letter rogatory sent by the Serbian authorities to their French counterparts, produced in Annex A.17 and aimed at ‘analysing the data obtained by Europol from the Sky ECC application’. On the contrary, Annex A.6 aims to show that the interception operations were carried out solely by the French authorities, which is also confirmed by Annex A.14.
61 Secondly, although Europol does not dispute that it participated in the meetings of 7 September 2020 and 11 February 2021, it must nevertheless be noted that the document from the rechtbank van eerste aanleg te Antwerpen (Court of First Instance, Antwerp, Belgium), annexed to the application in support of the applicant’s allegation, does indeed mention a forthcoming meeting on 7 September 2020, but specifies only that the French and Netherlands authorities, and not Europol, were to participate in it. Similarly, the request for technical assistance from the cour d’appel de Paris (Court of Appeal, Paris, France), annexed to the application in support of the applicant’s allegation, does not mention any meeting held on 11 February 2021, nor does it mention Europol.
62 Thirdly, the applicant does not provide any evidence, or even a prima facie case, to establish that Europol participated in the ‘“action day” in March 2021 during which Sky ECC was “taken down”’. The transcript of the Belgian Public Prosecutor’s press conference, referred to in the application, does refer to that ‘action day’, but does not mention Europol. Similarly, the exchange of emails annexed to the application merely refers to transfers of data from the Sky ECC service via Europol, without demonstrating that it was involved in that ‘action day’.
63 Fourthly, the applicant does not provide any evidence, or at least prima facie evidence, to establish that Europol passed on to the Serbian authorities the information that he was the person behind the Sky ECC service identifier ‘DFKNBQ’.
64 Annex A.17, on which the applicant relies and which effectively links his name to the Sky ECC service identifier ‘DFKNBQ’ and the username ‘CHE GUEVARA’, is a request submitted by the Public Prosecutor’s Office for Organised Crime of the Republic of Serbia seeking to obtain from the French authorities the disclosure of voice messages, text messages, videos and photographs relating in particular to the applicant and contained on the Sky ECC service’s servers seized by those authorities, without any mention of Europol in any capacity whatsoever.
65 Furthermore, the Serbian Public Prosecutor’s Office states that, ‘through [its] actions and subsequent work by the Ministry of the Interior of the Republic of Serbia, [they] were informed that, during the analysis of data obtained by Europol from the Sky ECC application, [the user of] the PIN DFKNBQ [and] the username CHE GUEVARA [was BW]’, which aims to establish that that information was not provided by Europol.
66 Fifthly, the applicant does not provide any evidence, or at least prima facie evidence, to establish that Europol was involved in the French authorities’ disclosure to the Serbian authorities on 24 June 2022 of documents and information concerning him obtained from the Sky ECC service.
67 As shown in Annex A.15, those documents and that information were sent by Eurojust to the Serbian authorities in response to a request for mutual legal assistance from the latter, by means of an email sent by the French authorities to Eurojust containing links to a secure download site.
68 Consequently, the applicant cannot, in the context of the present action, rely on the unproven facts referred to in paragraphs 59 to 67 above against Europol.
69 In view of the foregoing and taking into account the applicant’s statement recorded in the minutes of the hearing that the last act alleged against Europol and Eurojust took place on 24 June 2022, it must be concluded that only the facts referred to in paragraphs 55 to 57 above and prior to that date – namely the receipt, processing and sharing, from 27 May 2019 onwards, of data from the Sky ECC service intercepted by the French authorities, as well as the participation in the meeting of 28 August 2019 and the working group of 23 and 24 July 2020 – are established and can support the applicant’s claims against Europol.
(b) The acts and conduct attributable to Eurojust
70 In its submissions, Eurojust states that it was involved in two ways in the events referred to by the applicant.
71 First, Eurojust states that, in the context of the JIT relating to the Sky ECC service, it provided support and advice on the possibilities for judicial cooperation and organised several coordination meetings between the Belgian, French and Netherlands authorities and Europol. Those meetings, which took place on 25 April 2019, 7 September 2020 and 11 February 2021, led the authorities of those Member States to present updated information on the progress of their investigations concerning the Sky ECC service and to discuss the best way to move forward with those investigations.
72 Secondly, in relation to requests for assistance submitted by the Serbian authorities in connection with criminal investigations opened in Serbia against a criminal organisation – of which the applicant is allegedly a member – involved in drug trafficking, particularly via Rotterdam, Eurojust states that it has, on the one hand, coordinated Netherlands and Serbian investigations and, on the other hand, facilitated the transmission and execution of requests for mutual legal assistance sent by the Serbian authorities to the French authorities.
73 Regarding cooperation between the Netherlands and Serbian authorities, Eurojust confirms that three coordination meetings were held with the participation of those authorities on 23 May, 16 November and 8 December 2022, during which they exchanged information on the scope and progress of their respective investigations and their respective needs in terms of judicial cooperation, namely to reach agreement on how to continue their cooperation in the exchange of information and evidence and to coordinate their prosecution strategies with a view to preventing conflicts of jurisdiction and parallel prosecutions of the same suspects for the same offences.
74 Eurojust also states that it facilitated the transfer of certain requests for mutual legal assistance between the Republic of Serbia and the Kingdom of the Netherlands, in particular that of 7 October 2022, and that it was informed, first, of the organisation by the Netherlands authorities of a meeting with the Serbian authorities on 3 May 2023 to inform the latter of the planned arrest of the applicant and, secondly, that during that meeting, those authorities had reached a provisional agreement on a coordinated strategy for the applicant's prosecution in relation to the seizure of 4 August 2020, with a view to preventing him from being prosecuted in both States for the same offences.
75 With regard to cooperation between the French and Serbian authorities, Eurojust states that, in response to four requests for mutual legal assistance, it sent the Serbian liaison magistrate, by email, a hyperlink, valid for a limited period, to a secure password-protected download site provided by the French authorities, through which the latter made available exclusively to the Serbian authorities information concerning certain discussions originating from the Sky ECC service and linked to specifically identified login details, including those of the applicant.
76 Moreover, it is apparent from the evidence provided by the applicant that the transmission of 24 June 2022 referred to in paragraph 75 above is recognised by Eurojust.
77 By contrast, first, the applicant does not provide any evidence or, at the very least, any prima facie evidence to establish that Eurojust was invited to or attended the meeting of 27 May 2019, referred to in paragraph 55 above, and that, in that context, it was the recipient of the metadata relating to the 9 000 messages exchanged on that occasion.
78 None of the five annexes mentioned by the applicant in support of his allegation refers to Eurojust, except in a very general manner and without any direct connection to the meeting of 27 May 2019.
79 Secondly, the applicant does not provide any evidence, or at least any prima facie evidence, to establish that Eurojust attended the technical working group of 23 and 24 July 2020 referred to in paragraph 51 above.
80 In addition to the fact that the applicant himself admits that he ‘does not know whether Eurojust staff were present’ at that working group, he maintains that it did not participate in it, and the document on which the applicant relies does not give rise to any doubt in that regard.
81 Thirdly, the applicant does not provide any evidence, or at least any prima facie evidence, to establish that Eurojust participated in the exchange of all data from the Sky ECC service or in national intelligence packages from that service via SIENA, as Eurojust is not mentioned in the document on which the applicant relies.
82 With regard, more specifically, to Eurojust’s alleged participation in an exchange of metadata during February 2022, the fact that, in the email attached by the applicant to the application, a national expert seconded to Eurojust informed a public prosecutor in the Land Hessen (Land of Hesse, Germany) that ‘the geodata from the Netherlands provider will be transmitted by the Netherlands authorities to Europol at the end of February 2022 with a general authorisation for use’ does not allow it to be inferred that that metadata were also communicated to Eurojust.
83 Fourthly, for the same reasons as those given in relation to Europol in paragraphs 64 and 65 above, the applicant has not provided any evidence or, at the very least, any prima facie evidence to establish that Eurojust had transmitted to the Serbian authorities the information that he was the person behind the identifier ‘DFKNBQ’ of the Sky ECC service.
84 Consequently, the applicant cannot, in the context of the present action, rely on the unproven facts referred to in paragraphs 77 to 83 above against Eurojust.
85 In view of the foregoing and taking into account the applicant’s statement recorded in the minutes of the hearing that the last act alleged against Eurojust and Europol took place on 24 June 2022, it must be concluded that only the facts referred to in paragraphs 71 to 76 above and prior to that date – namely Eurojust’s participation in the coordination meetings of the Belgian, French and Netherlands authorities and Europol on 25 April 2019, 7 September 2020 and 11 February 2021, its participation in the coordination meeting of the Netherlands and Serbian investigations on 23 May 2022, the transmission by Eurojust to the Serbian authorities on 24 June 2022 of the email from the French authorities containing a link to a download site of the applicant’s personal data – are established and may support the applicant’s conclusions against Eurojust.
3. The acts or conduct not attributable to Europol, but for which it may nevertheless be held responsible
86 In view of paragraphs 55 to 57 and 71 to 76 above, it must be held that the applicant has established the following facts.
87 First, on 27 May 2019, the Belgian, French and Netherlands authorities participated in a meeting at which metadata from more than 9 000 messages from the Sky ECC service were exchanged between those Member States and Europol.
88 Secondly, from June 2019 onwards, the French Republic transmitted data from the Sky ECC service to Europol, which then processed that data and subsequently transmitted the results to the Belgian, French and Netherlands authorities.
89 Thirdly, the Belgian, French and Netherlands authorities participated in a meeting on 28 August 2019, during which the consequences of a possible dismantling of the Sky ECC service infrastructure were discussed, as well as in a JIT technical working group on 23 and 24 July 2020, at which new encrypted messages were discovered.
90 Fourthly, on 25 April 2019, 7 September 2020 and 11 February 2021, the Belgian, French and Netherlands authorities participated in coordination meetings, during which they presented updated information on the progress of their investigations into the Sky ECC service and discussed the best way to move forward with those investigations.
91 Fifthly, at the meeting on 23 May 2022, the Netherlands authorities provided the Serbian authorities, through Eurojust, with information on the scope and progress of their respective investigations and on their needs in terms of judicial cooperation.
92 Sixthly, on 24 June 2022, the French authorities sent the Serbian authorities, via Eurojust, a link to a secure download site providing that third country with information concerning certain conversations from the Sky ECC service linked to specifically identified login details, including those of the applicant.
93 However, the applicant’s ability to rely on such facts, attributable to Member States, in the context of claims for compensation against Europol on the basis of Article 50(1) of Regulation 2016/794 presupposes that those facts occurred in the context of cooperation under Regulation 2016/794 (see, to that effect, judgment of 5 March 2024, Kočner v Europol, C‑755/21 P, EU:C:2024:202, paragraphs 62 and 63) and concern his personal data.
94 As noted in paragraph 39 above, cooperation on the Sky ECC service began in May 2019, and the information provided by Eurojust and Europol does not allow it to be inferred that the facts or conduct attributable to the Belgian, French or Netherlands authorities referred to in paragraphs 87 to 92 above were not related to that cooperation.
95 On the contrary, the applicant does not provide any evidence or prima facie evidence to establish that the exchange of metadata from more than 9 000 messages on 27 May 2019, the meetings on 25 April and 28 August 2019, 7 September 2020, 11 February 2021 and 23 May 2022, or the JIT technical working group of 23 and 24 July 2020, gave rise to the exchange by the Belgian, French or Netherlands authorities of personal data concerning him within the meaning of Article 50(1) of Regulation 2016/794.
96 Consequently, the Court does not have jurisdiction to hear, in relation to the claim for damages against Europol based on Article 50(1) of Regulation 2016/794, the allegations based on the facts or acts of the Belgian, French or Netherlands authorities referred to in paragraph 95 above.
97 By contrast, the evidence or prima facie evidence provided by the applicant establishes that, during the period from 27 May 2019 to 24 June 2022, personal data concerning him and originating from the Sky ECC service were processed, first, by the French authorities in the context of the transmission to Europol of data intercepted on the Sky ECC service’s servers, secondly, by the Belgian, French and Netherlands authorities in the context of the receipt of that data from Europol before or after processing, and, thirdly, when it was transmitted by the French authorities to the Serbian authorities, via Eurojust, on 24 June 2022.
98 Consequently, only the facts and conduct referred to in paragraph 97 above will be examined in the context of the part of the head of claim against Europol based on Article 50(1) of Regulation 2016/794.
B. The various heads of claim
99 In view of the forms of order sought by the applicant, set out in paragraphs 14 to 19 above, and notwithstanding the fact that the applicant has put forward the same four heads of claim in support of its two forms of order and has relied on the same facts in support thereof, it is necessary to examine in turn the head of claim based on Article 263 TFEU and alleging the unlawfulness of certain acts or conduct of Europol and Eurojust in the context of ‘Operation Sky ECC’, and then the claim for damages in which he seeks an award of damages on the basis of Articles 268 and 340 TFEU, Article 50 of Regulation 2016/794 and Article 46 of Regulation 2018/1727.
100 It should be noted at the outset that Europol and Eurojust raise, jointly or separately, several pleas for inadmissibility, based, first, on the inadmissibility of the action as a whole on the grounds of an abuse of process, second, on the late filing of the action in relation to the claims for annulment, third, on the fact that the processing of data from the Sky ECC service relating to the applicant does not constitute an actionable act, and fourth, the inadmissibility of the claims for compensation on the grounds that the applicant had not sufficiently proved the alleged damage and had circumvented the legal process.
101 In that regard, it should be noted that the EU judicature is entitled to assess, according to the circumstances of each case, whether the proper administration of justice justifies the dismissal of the action on the merits without first ruling on its admissibility (see, to that effect, judgment of 26 February 2002, Council v Boehringer, C‑23/00 P, EU:C:2002:118, paragraphs 51 and 52).
102 In the present case, the Court considers that, in the interests of procedural economy, it is appropriate to examine only the objection of inadmissibility based on the fact that the processing of data from the Sky ECC service relating to the applicant does not constitute an actionable act, without ruling in advance on the other objections of inadmissibility, since the action is, in any event and for the reasons set out below, unfounded.
1. The claims for annulment
103 In support of the first head of claim based on Article 263 TFEU, the applicant alleges, inter alia, that certain acts or conduct of Europol and Eurojust in the context of ‘Operation Sky ECC’ were unlawful on the basis of Article 277 TFEU.
104 Article 263 TFEU allows the legality of acts adopted, in particular by Union agencies, to be challenged, subject to certain conditions of admissibility.
(a) The admissibility of the claims for annulment
105 Europol and Eurojust argue that the processing of data from the Sky ECC service relating to the applicant does not constitute an actionable act, as it does not affect his legal situation.
106 As stated in paragraph 58 above, the applicant criticises Europol for receiving, processing and sharing, as of 27 May 2019, data concerning him from the Sky ECC service intercepted by the French authorities, as well as for its participation in the meeting of 28 August 2019 and in the working group of 23 and 24 July 2020.
107 As is apparent from paragraph 85 above, the applicant criticises Eurojust for its participation in the coordination meetings between the Belgian, French and Netherlands authorities and Europol on 25 April 2019, 7 September 2020 and 11 February 2021, its participation in the coordination meeting between the Netherlands and Serbian investigations on 23 May 2022, and the transmission of 24 June 2022.
108 With the exception of the transmission of 24 June 2022, all of the acts or conduct referred to in paragraphs 106 and 107 above constitute preparatory acts or conduct which are not capable of producing binding legal effects such as to affect the applicant’s interests by significantly altering its legal situation, within the meaning of the Court of Justice’s settled case-law (see, to that effect, judgments of 11 November 1981, IBM v Commission, 60/81, EU:C:1981:264, paragraph 9, and of 30 November 2023, Sistem ecologica v Commission, C‑787/22 P, not published, EU:C:2023:940, paragraph 51).
109 With regard to the participation of Europol and Eurojust in the meetings or working groups concerned, assuming that those meetings and groups gave rise to the processing of the applicant’s personal data, it must be noted that they constitute only stages in ongoing criminal investigations and are limited to creating the conditions for the subsequent conduct of those investigations, without altering the applicant’s rights or acting in breach of any of his procedural rights.
110 Thus, participation in those meetings or working groups does not constitute the final stage of a special procedure separate from that which must enable the criminal courts of the Member States concerned to rule, where appropriate, on the applicant’s criminal liability (see, to that effect, judgment of 11 November 1981, IBM v Commission, 60/81, EU:C:1981:264, paragraph 11, and order of 9 September 2020, IMG v Commission, T‑645/19, not published, EU:T:2020:388, paragraph 48 and the case-law cited).
111 With regard to Europol’s transmission of the applicant’s personal data obtained from the Sky ECC service to the authorities of the Member States, namely the Kingdom of Belgium, the French Republic and the Kingdom of the Netherlands, they are no different from the transmissions by the European Anti-Fraud Office (OLAF) of its final reports and information to Member States, which, according to settled case-law, are not acts that can be challenged (see, to that effect, judgments of 30 November 2023, Sistem ecologica v Commission, C‑787/22 P, not published, EU:C:2023:940, paragraphs 55, 56, 60, 66 and 67; of 12 September 2007, Nikolaou v Commission, T‑259/03, not published, EU:T:2007:254, paragraphs 244 and 245 and the case-law cited, and of 20 May 2010, Commission v Violetti and Others, T‑261/09 P, EU:T:2010:215, paragraph 47 and the case-law cited).
112 Therefore, without it being necessary to determine whether, in the absence of formalisation of the various conduct alleged by the applicant against Europol and Eurojust, the participation of the latter in the meetings or working group referred to in paragraphs 106 and 107 above, as well as the transmission by Europol of the applicant’s personal data from the Sky ECC service to the Belgian, French and Netherlands authorities, can be classified as ‘acts’ within the meaning of Article 263 TFEU, they are not, in any event, open to challenge.
113 By contrast, with regard to the transmission of 24 June 2022, it must be recognised as a challengeable act.
114 It is clear from the case-law referred to in paragraph 111 above that the transmission by OLAF of final reports and information to the Member States does not constitute a challengeable act.
115 However, both the Court of Justice and the General Court had the opportunity to take into consideration, in order to reject the challengeable nature of OLAF’s transmissions, the fact that the applicant had other means at its disposal to ensure the legality of those transmission decisions (see judgment of 20 May 2010, Commission v Violetti and Others, T‑261/09 P, EU:T:2010:215, paragraph 48 and the case-law cited), including the preliminary ruling procedure (see, to that effect, order of 19 April 2005, Tillack v Commission, C‑521/04 P(R), EU:C:2005:240, paragraph 39).
116 The transmission of 24 June 2022 took place between an EU agency and the authorities not of a Member State, but of a third country, in the present case the Republic of Serbia.
117 Thus, since it cannot be challenged in the context of the present action, the legality of the transfer of 24 June 2022 under EU law can no longer be challenged and the personal data it contains can be considered to have been lawfully transferred to the Serbian authorities, without the applicant subsequently being able to obtain from the courts of that third country either an assessment of the validity of that transfer under EU law or a reference to the Court of Justice for a preliminary ruling on the validity of that transfer under EU law. the applicant can obtain from the courts of that third country either an assessment of the validity of that transfer under EU law or a referral to the Court for a preliminary ruling on its validity.
118 In that sense, the transmission of 24 June 2022 constitutes the final stage of a special procedure whereby Eurojust transmits personal data relating to an identified person to the authorities of a third country at their request.
119 Furthermore, only by recognising that the transmission of 24 June 2022 is open to challenge can effective control by a judicial authority or other independent body be guaranteed over the transfer of intercepted personal data and their use for purposes other than those of the criminal proceedings for which they were initially collected (see, to that effect, ECtHR, 1 April 2025, Ships Waste Oil Collector B. V. and Others v. the Netherlands, CE:ECHR:2025:0401JUD000279916, §§ 160 and 183 and the case-law cited).
120 In that regard, the fact, mentioned by Eurojust, that the applicant could bring an action before the French courts or that he could bring a case before the European Court of Human Rights (ECtHR) following a possible conviction by the Serbian criminal courts is irrelevant.
121 First, French courts cannot hear actions for annulment against acts of an EU agency.
122 Secondly, in the absence of the European Union’s accession to the Convention for the Protection of Human Rights and Fundamental Freedoms, signed in Rome on 4 November 1950 (ECHR), the ECtHR cannot find that the European Union has violated that convention, particularly in the context of an application brought against a third country.
123 In view of the foregoing, the objection of inadmissibility raised by Europol and Eurojust should be upheld and the acts or conduct criticised by the applicant should be found to be unchallengeable, except for the transmission of 24 June 2022.
(b) The merits of the head of claim for annulment in so far as it concerns the transmission of 24 June 2022
124 It must be noted that the applicant does not establish the reasons why the transmission of 24 June 2022 would have given rise to unlawful processing of his personal data.
125 In the first place, Article 45(2)(b) of Regulation 2018/1727 provides that responsibility for the accuracy of operational personal data lies with the Member State that supplied the data to Eurojust, where, as in the present case, the data transmitted have not been modified during the processing carried out by Eurojust, which is not disputed by the applicant.
126 In the second place, it must be noted that, with regard to the French authorities’ disclosure of the applicant’s conversations to the Serbian authorities via Eurojust, on the one hand, there is no evidence to suggest that that processing of personal data was not fair, lawful and carried out for specified, explicit and legitimate purposes within the meaning of Article 71(1)(a) and (b) of Regulation 2018/1725.
127 First, that processing was carried out in the context of the performance of Eurojust’s tasks and was necessary for the performance of those tasks. Secondly, there is nothing in the file to suggest that the applicant's personal data were processed for purposes other than those tasks. Thirdly, that processing was carried out at the request of the French authorities and in response to prior requests for mutual legal assistance. Fourthly, the transfer of the applicant’s personal data to the Serbian authorities was based on Article 56(2)(b) of Regulation 2018/1727 and on the cooperation agreement allowing the exchange of operational personal data concluded between Eurojust and the Republic of Serbia on 12 November 2019.
128 On the other hand, the provision of the applicant’s conversations to the Serbian authorities by the French authorities through Eurojust was also proportionate and sufficiently secure within the meaning of Article 71(1)(c), (d) and (e) of Regulation 2018/1725. That was done by providing a link to a download site secured by a password supplied by the French authorities, and there is no reason to question Eurojust’s assertion that it refrained from accessing the data in question and did not download, store or copy it onto its own computer systems.
129 Furthermore, with regard to the applicant’s allegation of an infringement of Articles 47 and 48 of the Charter, Article 6 ECHR and Articles 14 and 15 of the Covenant, the applicant does not explain how the transmission of 24 June 2022 constituted, on the date of that transmission, infringement of those provisions, particularly in the absence of a judgment by the Netherlands or Serbian courts finding him guilty on that date on the basis of the data transmitted.
130 Consequently, the claims for annulment of the transmission of 24 June 2022 must be rejected as unfounded.
(c) The plea of illegality
131 Pursuant to Article 277 TFEU, notwithstanding the expiry of the period laid down in the sixth paragraph of Article 263 TFEU, any party may, in a dispute concerning an act of general application adopted by an institution, body, office or agency of the Union, rely on the grounds set out in the second paragraph of Article 263 TFEU to invoke the inapplicability of that act before the EU judicature.
132 None of the acts or conduct alleged by the applicant against Europol or Eurojust has the characteristics of an act of general application.
133 Consequently, the plea in law based on Article 277 TFEU must be rejected.
2. The heads of claim for damages
134 The European Union may incur non-contractual liability under the second paragraph of Article 340 TFEU only if a number of conditions are fulfilled, namely the existence of a sufficiently serious breach of a rule of law intended to confer rights on individuals, the fact of damage and the existence of a causal link between the breach of the obligation resting on the author of the act and the damage sustained by the injured parties (judgment of 5 March 2024, Kočner v Europol, C‑755/21 P, EU:C:2024:202, paragraph 117 and the case-law cited).
135 If any one of those conditions is not satisfied, the action must be dismissed in its entirety and it is unnecessary to consider the other conditions for non-contractual liability on the part of the European Union. Moreover, the EU judicature is not required to examine those conditions in any particular order (see judgment of 13 December 2018, European Union v Kendrion, C‑150/17 P, EU:C:2018:1014, paragraph 118 and the case-law cited).
136 However, where the EU legislature has provided for a derogation from the rule of joint and several liability between an EU agency and one or more Member States, the Court of Justice has held that, within the scope of that derogation, the liability of that agency did not require proof that the damage for which compensation was sought was attributable to that agency, provided that it was attributable to at least one or more of those Member States (see, to that effect, judgment of 5 March 2024, Kočner v Europol, C‑755/21 P, EU:C:2024:202, paragraphs 125 and 132).
137 In those circumstances, it is necessary to examine separately the acts or conduct for which, respectively, Europol – which alone is subject to such a derogatory regime of joint and several liability with the Member States – and Eurojust may be held liable.
(a) The acts and conduct for which Europol may be held responsible
138 By his first head of damage, presented in the context of his first plea in law, the applicant criticises Europol and the Member States concerned for having processed data from the Sky ECC service – including his own data – unlawfully and unfairly and, as a result, for having infringed, in particular, Article 28(1)(a) of Regulation 2016/794.
139 Due to its undifferentiated nature, the initial processing of data from the Sky ECC service would have been neither necessary, within the meaning of Article 18(1) of Regulation 2016/794, nor proportionate, within the meaning of Article 28(1)(c) thereof, in the absence of sufficient grounds for presuming that all users of the Sky ECC service were involved in criminal offences.
140 Furthermore, the subsequent processing of data from the Sky ECC service would have infringed Article 28(1)(b) of Regulation 2016/794 in that it would have concerned data that were not exclusively related to criminal offences and that had been collected indiscriminately and without specific, explicit and legitimate purposes.
141 In view of that argument, the first head of damage must be interpreted as referring to allegations of incorrect processing of data by Europol and by the Kingdom of Belgium, the French Republic and the Kingdom of the Netherlands, the latter being subject to the derogation regime of joint and several liability referred to in Article 50(1) of Regulation 2016/794.
142 Thus, for the purpose of examining that first head of damage, it is necessary to take into consideration not only the acts or conduct of Europol, under the liability regime arising from Article 49 of Regulation 2016/794, but also those of the three Member States concerned, under the derogatory regime of joint and several liability referred to in Article 50(1) of that regulation.
143 By his second head of damage, presented in the context of his second plea in law, despite the reference in paragraph 68 of the application to Article 28 of Regulation 2016/794, the applicant relies, in essence, solely on a breach of the right to a fair trial due to the impossibility of verifying the ‘usability’ of the data obtained from the Sky ECC service in the national criminal proceedings that followed the investigations in which Europol participated.
144 Thus, in the context of his second plea in law, the applicant does not contest the lawfulness of the processing of his personal data within the meaning of Article 28 of Regulation 2016/794 – the only argument capable of bringing a challenge within the scope of the derogation regime of joint and several liability under Article 50(1) of that regulation.
145 In those circumstances, for the purpose of examining that second head of damage, only Europol’s acts or conduct under the liability regime arising from Article 49 of Regulation 2016/794 should be taken into consideration.
146 By his third head of damage, presented in the context of his third plea in law, the applicant complains of double jeopardy for the same acts, brought against him by the Netherlands and Serbian criminal authorities.
147 The applicant claims, in essence, that Europol failed to comply with the requirement of optimal coordination under the JIT agreement, thereby depriving him of the opportunity properly to defend himself, infringing Articles 47 and 48 of the Charter, Article 6 ECHR and Articles 14 and 15 of the Covenant.
148 While it is true that, in the present case, information held and processed by Europol was made available by it to the Netherlands authorities and was transmitted by the French authorities to the Serbian authorities, the fact remains that, in his third head of damage, the applicant accuses Europol not of a possible ‘incorrect processing of data’ within the meaning of Article 50(1) of Regulation 2016/794, but only of a breach of its obligations under the JIT agreement.
149 Consequently, for the purpose of examining that third head of damage, only the acts or conduct of Europol should be taken into consideration, under the liability regime arising from Article 49 of Regulation 2016/794.
150 By his fourth head of damage, presented in the context of his fourth plea in law, the applicant alleges that Europol and Eurojust did not process his data from the Sky ECC service in a sufficiently secure and compliant manner, as he confirmed in response to a question from the Court at the hearing.
151 His allegations are based on Article 32 of Regulation 2016/794 and Articles 89, 91 and 92 of Regulation 2018/1725.
152 For the facts relied on by the applicant – namely facts prior to 24 June 2022 – only Article 32 of Regulation 2016/794 was applicable ratione temporis to Europol, pursuant to Article 2 of Regulation 2018/1725.
153 In those circumstances, for the purpose of examining that fourth head of damage, only the acts or conduct of Europol should be taken into consideration, and that solely in the light of Article 32 of Regulation 2016/794.
(1) The alleged damage resulting from the acts or conduct of Europol, the Kingdom of Belgium, the French Republic or the Kingdom of the Netherlands, in respect of which compensation is sought from Europol on the basis of the derogatory regime of joint and several liability provided for in Article 50(1) of Regulation 2016/794
154 As noted in paragraphs 138 to 142 above, in relation to his first head of damage, the applicant alleges damage resulting from the incorrect processing of his data from the Sky ECC service by Europol, the Kingdom of Belgium, the French Republic and the Kingdom of the Netherlands.
155 According to the applicant, the data from the Sky ECC service – including his own – were processed indiscriminately, contrary to Articles 17, 18, 28 and 38 of Regulation 2016/794, Articles 7, 8, 10 to 12, 51 and 52 of the Charter, Article 8 ECHR and Article 17 of the Covenant.
156 That data were initially processed by the Member States concerned in breach of the principles of necessity and proportionality, in the absence of a well-founded presumption that all users of the Sky ECC service were involved in any criminal activity. In doing so, that collection violates the case-law of the ECtHR, which only allows the indiscriminate collection of data in exceptional circumstances. Similarly, the collection and processing of metadata could only be carried out with judicial authorisation and in the field of national security or the fight against serious crime, which would not be the case here.
157 In accordance with Article 17(1)(a) of Regulation 2016/794, Europol could only process data processed by Member States in accordance with their national law, which would not have been the case here.
158 Subsequently, that data were processed by Europol without legitimate purpose, in so far as some of the discussions stored were unrelated to any criminal offence. The data were also allegedly processed in an unfair and unlawful manner.
159 In that regard, Europol infringed point 32(h)(i) p) and (q) of the European Parliament’s recommendation of 15 June 2023 to the Council and the Commission following the investigation into allegations of infringement and maladministration in the application of EU law in the use of Pegasus and equivalent surveillance spyware [2023/2500(RSP)], in that it allegedly failed to delete irrelevant data, retained the data in question beyond a specific period and failed to notify the targeted and non-targeted persons.
160 Those infringements are confirmed by the recent decision of Europol by the European Data Protection Supervisor (EDPS) in relation to the storage and deletion of datasets that are not subject to categorisation (EDPS Decision on the retention by Europol of datasets lacking Data Subject Categorisation, Cases 2019-0370 & 2021-0699, 21 December 2021).
161 Europol argues that that head of damage is unfounded.
162 It should be noted at the outset that Europol is wrong to argue that it cannot be held responsible for the acts or conduct of Member States and that the Court cannot assess their legality.
163 While it is true that, under Article 276 TFEU, the EU judicature does not have jurisdiction to review the validity or proportionality of operations carried out by the police or other law enforcement agencies in a Member State, including in the context of actions brought under Articles 268 and 340 TFEU (see paragraphs 44 to 46 above), the fact remains that, outside the scope of those specific operations, the derogatory regime of joint and several liability provided for in Article 50(1) of Regulation 2016/794 necessarily implies that Europol may be held liable for acts or conduct of Member States.
164 It follows equally that, in the context of actions for damages based on Article 50(1) of Regulation 2016/794, the General Court is empowered to assess the legality of acts or conduct of Member States other than those by which their police or other law enforcement services collected the data concerned, whether on the basis of EU law and, in particular, Regulation 2016/794 (see, to that effect, judgment of 5 March 2024, Kočner v Europol, C‑755/21 P, EU:C:2024:202, paragraph 121) or on the basis of the national law of the State concerned.
165 First, with regard to the processing of data collected by the French authorities, the applicant merely states that certain data were processed even though they had no connection with any offence and that, as a result, their processing infringes Article 30(1) of Regulation 2016/794 on the processing of personal data relating to victims of criminal offences, witnesses or other persons who may provide information on criminal offences, or relating to persons under the age of 18.
166 However, it must be noted that the applicant is an adult who, under the national law of the Member State concerned, was suspected of having committed or participated in an offence falling within Europol’s competence, namely drug trafficking, as referred to in Article 3(1) of Regulation 2016/794.
167 Consequently, the applicant cannot validly rely on Article 30(1) of Regulation 2016/794.
168 Furthermore, the applicant does not provide any evidence to cast doubt on the fact that the processing of data from the Sky ECC service, in particular by the national authorities concerned, prior to their transmission to Europol, was carried out for the legitimate purposes for which they were collected, namely the preparation of strategic or thematic analyses and operational analyses, within the meaning of Article 18(2)(b) and (c) of Regulation 2016/794, in the context of the implementation of the joint investigation decisions referred to in paragraph 4 above and the JIT.
169 Secondly, the applicant does not provide any evidence to establish that the transmission of data collected by the French authorities to Europol was carried out in breach of the principles set out in Article 28(1) of Regulation 2016/794.
170 Thirdly, as regards Europol’s activity in relation to the applicant’s data, there is no indication that the receipt, processing and subsequent transmission of the results of the analysis of that data to the Member States concerned were carried out in breach of the principles set out in Article 28(1) of Regulation 2016/794.
171 In the first place, all of those operations were carried out within a defined framework pursuing specific, explicit and legitimate purposes, namely a specific operation relating to the Sky ECC service, aimed in particular at identifying its users for the purposes of prosecution, using a JIT with the same objective, created by means of a specific agreement expressly identifying its objectives by the Kingdom of Belgium, the French Republic and the Kingdom of the Netherlands, and in which Europol was involved (see paragraphs 3 to 6 above).
172 In the second place, there is no indication that Europol’s processing of the applicant’s data was inadequate, irrelevant or excessive in relation to the objective of identifying users of the Sky ECC service, in particular with a view to prosecuting them.
173 In that regard, the fact that Europol may have been the recipient of the EDPS decision referred to in paragraph 160 above is irrelevant. The applicant neither claims nor, a fortiori, demonstrates that his data fell within the scope of that decision, namely data held by Europol and not subject to categorisation.
174 By contrast, it is clear from the information before the Court that the applicant’s data had been linked to a specific investigation relating to the Sky ECC service, aimed in particular at identifying its users (see paragraphs 4 to 6 above), that Europol had linked the applicant’s name to his Sky ECC service ID and username and was thus able to identify his conversations (see paragraphs 64 and 65 above) and had also compiled national packages (see paragraph 81 above).
175 In the third place, it does not appear from the file that the data concerning the applicant and processed by Europol were inaccurate or did not benefit from appropriate security, given that that data were only transmitted to the States or agencies directly or indirectly involved in the JIT and were used solely for the purposes of the criminal proceedings brought by the Kingdom of the Netherlands and the Republic of Serbia against the applicant.
176 In the fourth place, there is no indication that the data belonging to the applicant, whose criminal proceedings were still ongoing on the date that action was lodged, were retained for longer than was necessary, in particular for the proper conduct of those proceedings.
177 In the fifth place, the applicant cannot validly rely on the fact that he was unable to access his data, since, in accordance with recital 41 of Regulation 2016/794 – which must be recognised as having significant interpretative value (see, to that effect, judgment of 5 March 2024, Kočner v Europol, C‑755/21 P, EU:C:2024:202, paragraph 59), Europol may refuse access to a person’s personal data in order to perform properly its tasks, to protect security and public order, to prevent crime or to ensure that a national investigation is not compromised.
178 Fourthly, there is nothing in the evidence before the Court to suggest that Europol acted in breach of the principles relating to the processing of personal data at the meetings of 27 May and 28 August 2019 or at the working group meeting of 23 and 24 July 2020, at which new messages were discovered (see paragraphs 55 and 57 above).
179 Those meetings clearly fell within the scope of Europol’s tasks as set out in Article 4(1)(c) of Regulation 2016/794, particularly in the present case where Europol was participating in a JIT, as provided for in Article 4(1)(d) of that regulation.
180 Fifthly, there is no evidence to suggest that the Kingdom of Belgium, the French Republic or the Kingdom of the Netherlands committed any irregularities in receiving the data transmitted to them by Europol.
181 Sixthly, there is no evidence that the information transmitted by the Netherlands authorities to the Serbian authorities was ever in Europol’s possession, which excludes any joint liability on its part.
182 Seventhly, with regard to the transmission of 24 June 2022, there is no indication that it contravenes Article 28 of Regulation 2016/794.
183 Furthermore, and for reasons similar to those set out in paragraphs 171 to 182 above, no infringement of Articles 7, 8, 10 to 12, 51 and 52 of the Charter, Article 8 ECHR and Article 17 of the Covenant can be attributed to Europol, the Kingdom of Belgium, the French Republic or the Kingdom of the Netherlands.
184 In that regard, it should also be noted that Article 52(1) of the Charter provides for the possibility of limitations on the rights guaranteed by the latter – including the right to respect for private and family life, the protection of personal data, the freedom of thought, conscience and religion, the freedom of expression and information, the freedom of assembly and association – on condition that those limitations are provided for by law, they respect the essence of the rights and freedoms at issue and, in compliance with the principle of proportionality, they are necessary and genuinely meet objectives of general interest recognised by the European Union or the need to protect the rights and freedoms of others (see judgment of 4 October 2024, Bezirkshauptmannschaft Landeck (Attempt to access personal data stored on a mobile telephone), C‑548/21, EU:C:2024:830, paragraph 119 and the case-law cited).
185 Furthermore, the fight against serious crime – which includes the fight against drug trafficking – is such as to justify serious interference with the fundamental rights enshrined, in particular, in Articles 7 and 8 of the Charter, such as that involved in the retention of traffic and location data (see, to that effect, judgment of 7 September 2023, Lietuvos Respublikos generalinė prokuratūra, C‑162/22, EU:C:2023:631, paragraph 37).
186 Finally, as regards the applicant’s reliance on the Parliament’s recommendation referred to in paragraph 159 above, it suffices to note that such a document has no binding legal effect.
187 In view of the foregoing, the applicant has not established any sufficiently serious breach of a rule of law intended to confer rights upon him.
188 Since that condition for Europol to be held liable on the basis of Article 50(1) of Regulation 2016/794 is not met, there is no need to examine the other conditions for Europol to be held liable in that regard (see, to that effect, judgment of 13 December 2018, European Union v Kendrion, C‑150/17 P, EU:C:2018:1014, paragraph 118).
189 Consequently, the head of damage raised by the applicant against Europol and based on Article 50(1) of Regulation 2016/794 must be rejected as unfounded.
(2) The alleged damage resulting solely from the acts or conduct of Europol, for which compensation is sought on the basis of its liability for its own acts under Article 49(3) of Regulation 2016/794
(i) The head of damage arising from the breach of the right to a fair criminal trial
190 The applicant claims that he suffered harm as a result of the breach of his right to a fair criminal trial, guaranteed by Articles 47 and 48 of the Charter and Articles 14 and 15 of the Covenant, arising from the impossibility of verifying the truthfulness, authenticity, reliability and legality of the data processed and transferred in the context of cooperation relating to the Sky ECC service or, at the very least, the absence of formal and material safeguards.
191 The ‘more or less absolute principle of inter-state trust’ and ‘secret (State) investigation methods’ would make it impossible to verify formally and materially data from the Sky ECC service as evidence in national criminal proceedings, even though such data would be incomplete and would therefore have been collected and processed in an unfair, unlawful, inadequate manner and contrary to the purpose of the use of evidence in criminal matters.
192 Europol argues that that head of damage is unfounded.
193 First of all, in so far as the applicant claims, in essence, that neither the Netherlands nor the Serbian criminal proceedings allow him to challenge the admissibility or probative value of the data obtained from the Sky ECC service and used in those proceedings, that argument must be rejected, in the absence of joint and several liability on the part of Europol on account of a Member State for acts or conduct other than incorrect processing of data and in the absence of joint and several liability on the part of Europol on account of a third country.
194 Next, if, under that head of damage, the applicant claims that the processing of his data was unlawful, that argument has already been rejected in paragraph 187 above.
195 Consequently, the applicant’s head of damage alleging Europol’s breach of Articles 47 and 48 of the Charter and Articles 14 and 15 of the Covenant must be rejected.
(ii) The head of damage arising from the lack of coordination between the Netherlands and Serbian authorities for the purposes of the criminal proceedings brought against the applicant
196 By his third plea in law, the applicant claims that Europol caused him harm by failing to comply with its obligation to coordinate criminal proceedings, as provided for in the JIT agreement, even though it was involved in sharing its data for the purposes of the proceedings against him.
197 That failure led the applicant to have to defend himself in the Netherlands and Serbia while being imprisoned in the Netherlands, which would have affected his defence in Serbia and infringed Articles 47 and 48 of the Charter, Article 6 ECHR and Articles 14 and 15 of the Covenant.
198 Europol argues that that head of damage is unfounded.
199 In that regard, it suffices to note that the applicant’s argument is based on an erroneous interpretation of the passage of the JIT agreement on which he relies.
200 Under the heading ‘9.1 Agreements on the use of digital data obtained from server monitoring – Exchange of information with countries that are not members of the JIT’, the JIT agreement provides that ‘where … users from different JIT countries or countries not party to the JIT are likely to be involved in similar or related incidents, the JIT parties concerned shall consult without delay, where appropriate also with countries not party to the JIT and Europol’.
201 Thus, in addition to the fact that consultation with Europol on the use of digital data obtained from server monitoring is only optional, it must be noted that, given the title under which the passage mentioned by the applicant is placed, that consultation concerns the use of such data and not the criminal proceedings that could be brought on the basis of such data by Member States that are parties to the JIT agreement, or even by countries that are not parties to it.
202 In addition, no obligation to coordinate prosecutions at national level can be imposed on Europol, since Regulation 2016/794 – and in particular Article 4(1) thereof – does not empower it in any way to decide to prosecute an identified individual in a given country or to coordinate prosecutions in several such countries.
203 Consequently, Europol cannot be held liable for infringements of Articles 47 and 48 of the Charter, Article 6 ECHR and Articles 14 and 15 of the Covenant, which, at the time that action was brought, were entirely hypothetical, since the criminal proceedings against the applicant were still pending.
204 Consequently, the applicant’s head of damage alleging Europol’s infringement of the JIT agreement and Articles 47 and 48 of the Charter, Article 6 ECHR and Articles 14 and 15 of the Covenant must be rejected.
(iii) The head of damage arising from the infringement of Article 32 of Regulation 2016/794
205 By his fourth plea in law, the applicant claims that, even if the collection and processing of his personal data were lawful and fair, Europol caused him harm by failing to fulfil its obligation to ensure an appropriate level of security for his data, infringing Article 32 of Regulation 2016/794.
206 Europol argues that that head of damage is unfounded.
207 It must be noted that the applicant’s allegations concerning Europol’s failure to fulfil its obligation to adopt appropriate technical and organisational measures to ensure a level of security appropriate to the risk are not supported by any evidence or prima facie evidence.
208 The applicant does not establish that, as a result of such a breach, his personal data were subject, in particular, to unauthorised disclosure, alteration or access, or any other form of unauthorised processing.
209 In that regard, it should be noted that the applicant’s allegation that his name was disclosed in the press as a result of Europol’s actions is not supported by any evidence.
210 The applicant’s unsubstantiated fear that a breach of his personal data may have occurred is not sufficient to establish that Europol failed to fulfil its obligations under Article 32 of Regulation 2016/794.
211 Consequently, the applicant’s head of damage alleging Europol’s infringement of Article 32 of Regulation 2016/794 and, accordingly, the claims for compensation against Europol must be rejected.
(b) The acts and conduct for which Eurojust may be held responsible
(1) The head of damage arising from the unlawful processing of the applicant’s personal data
212 By his first plea in law, the applicant claims that he has suffered damage as a result of the processing of his personal data, infringing Articles 71 and 72 of Regulation 2018/1725, Articles ‘(9 and) 26, and 27 of Regulation 2018/1727’, Articles 7, 8 and 10 to 12 of the Charter, in conjunction with Articles 51 and 52 thereof, Article 8 ECHR and Article 17 of the Covenant.
213 In support of his argument, the applicant refers mutatis mutandis to the criticisms levelled at Europol and referred to in paragraphs 154 to 160 above. He adds that Eurojust also acted in breach of the professional secrecy of lawyers.
214 Eurojust argues that that head of damage is unfounded.
215 As a preliminary point, the applicant’s arguments which could be understood as criticising, on the basis of the breach of his personal data, acts or conduct by Eurojust relating to data other than his personal data must be rejected.
216 In order for the European Union to be held liable, the applicant must demonstrate that the damage for which he or she is seeking compensation affects him or her personally (order of 3 September 2021, Löning v Commission, C‑176/21 P, not published, EU:C:2021:697, paragraph 19).
217 The applicant’s criticisms concerning the provision of support and advice on judicial cooperation to the Kingdom of Belgium, the French Republic, the Kingdom of the Netherlands and Europol at three meetings held on 25 April 2019, 7 September 2020 and 11 February 2021 (paragraph 71 above) and the criticisms relating to the coordination of the Netherlands and Serbian investigations at the meeting held on 23 May 2022 (paragraph 73 above), which the applicant neither alleges nor, a fortiori, demonstrates gave rise to the processing of his personal data must therefore be rejected.
218 The same applies to the allegation that Eurojust acted in breach of the professional secrecy of lawyers.
219 The applicant admittedly refers to a complaint by a lawyer from the Rotterdam Bar concerning the processing of his data from the Sky ECC service. However, he does not indicate in any way that that solicitor was or is his representative, that the information allegedly processed by Eurojust relates to his defence and that, as a result, it infringed his right to be advised by a solicitor in legal proceedings, a right enshrined in the second paragraph of Article 47 of the Charter (see, to that effect, judgment of 8 December 2022, Orde van Vlaamse Balies and Others, C‑694/20, EU:C:2022:963, paragraph 53).
220 With regard to the transmission of 24 June 2022 and as noted in paragraphs 124 to 130 above, the applicant does not establish the reasons why it would have given rise to unlawful processing of his personal data.
221 In addition, with regard to the allegation of an infringement of Articles 47 and 48 of the Charter, Article 6 ECHR and Articles 14 and 15 of the Covenant, the applicant does not explain how any unlawful processing of his personal data would constitute an infringement of those provisions.
222 In view of the foregoing, the head of damage relied on by the applicant and based on the unlawful processing of his personal data and the infringement of Articles 47 and 48 of the Charter, Article 6 ECHR and Articles 14 and 15 of the Covenant must be rejected.
(2) The head of damage arising from the breach of the applicant’s right to a fair criminal trial
223 By his second plea in law, the applicant claims that Eurojust caused him harm by acting in breach of his right to a fair criminal trial, guaranteed by Articles 47 and 48 of the Charter and Articles 14 and 15 of the Covenant, as a result of the impossibility of verifying the truthfulness, authenticity, reliability and legality of the data processed and transferred in the context of cooperation relating to the Sky ECC service, or at least the absence of formal and material guarantees.
224 In support of his argument, the applicant relies on the same arguments as those referred to in paragraph 191 above.
225 Eurojust argues that that head of damage is unfounded.
226 In the context of the second plea in law, which relates solely to the rules governing the use of evidence in the domestic criminal proceedings brought against the applicant, it must be noted that Eurojust confined itself to carrying out the transmission of 24 June 2022.
227 The claim for annulment of the transmission of 24 June 2022, based on the same arguments, has already been rejected in paragraphs 128 to 130 above.
228 Furthermore, the applicant does not cite any evidence or arguments to show that, after that transfer, there was any breach of his right to an effective judicial remedy.
229 In any event, it should be noted that Article 52(1) of the Charter provides for the possibility of limitations on the rights guaranteed by the Charter – including the right to an effective judicial remedy – under the conditions set out in paragraph 184 above.
230 In view of the foregoing, the applicant’s head of damage alleging Eurojust’s infringement of Articles 47 and 48 of the Charter, or even Articles 14 and 15 of the Covenant, must be rejected.
(3) The head of damage alleging a lack of coordination between the Netherlands and Serbian authorities for the purposes of the criminal proceedings brought against the applicant
231 By his third plea in law, the applicant claims that Eurojust caused him harm by failing to comply with its obligation to coordinate criminal proceedings, as provided for in Article 4(1)(b) of Regulation 2018/1727 and in the JIT agreement, even though it was involved in sharing its data for the purposes of the proceedings against him.
232 That failure led the applicant to have to defend himself in the Netherlands and Serbia while being imprisoned in the Netherlands, which would have affected his defence in Serbia and infringed Articles 47 and 48 of the Charter, Article 6 ECHR and Articles 14 and 15 of the Covenant.
233 Eurojust argues that that head of damage is unfounded.
234 In that regard, it is important to note that, as already indicated in paragraphs 199 to 201 above, the consultation provided for in the JIT agreement concerns the use of data collected by the States concerned and not the criminal proceedings that may be brought on the basis of such data by Member States that are parties to the JIT agreement, or even by countries that are not parties to it.
235 Furthermore, it should be noted that Article 4(1)(b) of Regulation 2018/1727 provides that Eurojust is to ‘assist the competent authorities of the Member States in ensuring the best possible coordination of investigations and prosecutions’.
236 It follows, as Eurojust rightly argues, that, in the context of that operational function of coordinating investigations and prosecutions, it is bound only by an obligation of means and that the decision to initiate proceedings against a person rests solely with the national authorities concerned, as confirmed by Article 85 TFEU, which constitutes the legal basis for Regulation 2018/1727.
237 Eurojust cannot therefore be held responsible for procedural choices that fall within the sole competence and responsibility of the States concerned.
238 In view of the foregoing, the applicant’s claim for damages alleging Eurojust’s breach of the JIT agreement, infringement of Article 4(1)(b) Regulation 2018/1727 and Articles 47 and 48 of the Charter, Article 6 ECHR and Articles 14 and 15 of the Covenant must be rejected.
(4) The head of damage alleging infringement of Articles 89, 91 and 92 of Regulation 2018/1725
239 By his fourth plea in law, the applicant argues that, even if the collection and processing of his personal data were lawful and fair, Eurojust caused him harm by failing to fulfil its obligation to ensure an appropriate level of security for his data, infringing Article 91 of Regulation 2018/1725.
240 Furthermore, given the novel nature of the methods used to obtain data from the Sky ECC service – namely the use of the ‘man-in-the-middle attack’ technique – Eurojust failed in its obligation to carry out a prior impact assessment relating to the protection of the applicant’s data, as provided for in Article 89 of Regulation 2018/1725.
241 Finally, Eurojust failed in its obligation to notify the EDPS of the breach of the applicant’s personal data, infringing Article 92 of Regulation 2018/1725.
242 Eurojust argues that that head of damage is unfounded.
243 First of all, the applicant’s claims alleging Eurojust’s failure to fulfil its obligation to adopt appropriate technical and organisational measures to ensure a level of security appropriate to the risk, must be rejected on grounds similar to those set out in paragraphs 207 to 210 above.
244 Next, the applicant does not explain why Eurojust failed in its obligation to carry out an impact assessment prior to transmitting to the Serbian authorities the link provided by the French authorities to a secure password-protected site containing his Sky ECC service conversations (see paragraph 75 above).
245 Such a transfer, for which there was no indication that it posed a particular risk to the rights and freedoms of the applicant, or at least a risk greater than other modes of transfer, did not justify the prior impact assessment provided for in Article 89 of Regulation 2018/1725.
246 Finally, since the applicant has failed to demonstrate, in any way, that Eurojust has acted in breach of his personal data, he cannot criticise it for failing to fulfil its obligation under Article 92 of Regulation 2018/1725 to notify the EDPS of such an infringement.
247 In the light of the above, the applicant’s claim for damages alleging infringement of Articles 89, 91 and 92 of Regulation 2018/1725 must be rejected and, consequently, the claims for compensation against Eurojust must also be rejected.
248 In view of all the foregoing, the action must be dismissed in its entirety, without it being necessary to rule on the other pleas of inadmissibility raised by Europol and Eurojust.
IV. Costs
249 Under Article 134(1) of the Rules of Procedure, the unsuccessful party shall be ordered to pay costs if the other party has so requested in its pleadings. Since the applicant has been unsuccessful, he must be ordered to pay the costs, in accordance with the forms of order sought by Europol and Eurojust. Furthermore, pursuant to Article 138(1) of the Rules of Procedure, the Kingdom of Belgium, the Kingdom of Spain and the Kingdom of the Netherlands are to bear their own costs.
On those grounds,
THE GENERAL COURT (Fifth Chamber)
hereby:
1. Dismisses the action;
2. Orders BW to bear his own costs and those incurred by the European Union Agency for Law Enforcement Cooperation (Europol) and the European Union Agency for Criminal Justice Cooperation (Eurojust);
3. Orders the Kingdom of Belgium, the Kingdom of Spain, and the Kingdom of the Netherlands to bear their own costs.
Svenningsen
Martín y Pérez de Nanclares
Stancu
Delivered in open court in Luxembourg on 25 February 2026.
[Signatures]
* Language of the case: Dutch.
© Unia Europejska, źródło: EUR-Lex (eur-lex.europa.eu), pozyskano 13.07.2026. Autentyczne są wyłącznie wersje opublikowane w Dz. Urz. UE. · Źródło