T-587/24
PostanowienieTSUE2026-02-02CELEX: 62024TO0587ECLI:EU:T:2026:86
Analiza orzeczenia
Sekcja wygenerowana przez AI na podstawie treści orzeczenia — nie stanowi cytatu.
Zagadnienie prawne
Czy Sąd jest właściwy do rozpoznania skargi o odszkodowanie za szkody niematerialne, wniesionej na podstawie art. 268 TFUE przeciwko Eurojust i Europol, w związku z zarzucanym bezprawnym przetwarzaniem danych osobowych i innymi działaniami w kontekście międzynarodowej współpracy policyjnej i sądowej, w sytuacji gdy skarga częściowo dotyczy działań państw członkowskich, częściowo jest niedopuszczalna z powodu braku należytego uzasadnienia, a częściowo bezzasadna?Ratio decidendi
Sąd oddalił skargę, ponieważ uznał, że częściowo brakowało mu jurysdykcji, częściowo była ona niedopuszczalna, a częściowo bezzasadna. Brak jurysdykcji dotyczył roszczeń o solidarną odpowiedzialność Eurojust za działania państw członkowskich, Europolu lub państw trzecich, a także roszczeń o solidarną odpowiedzialność Europolu za działania inne niż bezprawne przetwarzanie danych osobowych lub działania Eurojust/państw trzecich, oraz roszczeń dotyczących operacji prowadzonych przez krajowe organy policyjne. Niedopuszczalność wynikała z niezidentyfikowania przez skarżącego konkretnych bezprawnych działań Eurojust lub Europolu, ani nieuzasadnienia szkody i związku przyczynowego. Bezzasadność dotyczyła braku dowodów na poparcie zarzutów skarżącego dotyczących odmowy zeznań byłych pracowników, odmowy dostępu do danych lub nieprzestrzegania przepisów o ochronie danych przez Eurojust i Europol.Stan faktyczny
Skarżący, GE, jest objęty kilkoma postępowaniami karnymi we Włoszech, w tym dotyczącymi handlu narkotykami, gdzie jego tymczasowe aresztowanie opiera się na danych z telefonów Sky ECC. Telefony te wykorzystywały szyfrowaną komunikację. Władze belgijskie, holenderskie i francuskie wszczęły dochodzenia w sprawie organizacji Sky ECC i utworzyły wspólny zespół dochodzeniowo-śledczy (JIT) w celu odszyfrowania komunikacji i identyfikacji użytkowników. Europol przechowywał i analizował dane z JIT, natomiast Eurojust koordynował spotkania i udzielał wsparcia. Skarżący twierdzi, że Eurojust i Europol, wraz z niektórymi państwami członkowskimi, bezprawnie przetwarzały jego dane osobowe, co doprowadziło do szkód niematerialnych, w tym niemożności obalenia zarzutów i niesprawiedliwego aresztowania.Rozstrzygnięcie
1. Skarga zostaje oddalona w zakresie, w jakim jest skierowana przeciwko Agencji Unii Europejskiej ds. Współpracy Wymiarów Sprawiedliwości w Sprawach Karnych (Eurojust).
2. Skarga zostaje oddalona w zakresie, w jakim jest skierowana przeciwko Agencji Unii Europejskiej ds. Współpracy Organów Ścigania (Europol).
3. GE pokrywa własne koszty oraz koszty poniesione przez Eurojust i Europol.
4. Królestwo Niderlandów pokrywa własne koszty.Pełny tekst orzeczenia
ORDER OF THE GENERAL COURT (Fourth Chamber)
2 February 2026 (*)
( Non-contractual liability – Cooperation of the police authorities and other law enforcement services of the Member States – Alleged unlawful processing of personal data – Failure to comply with procedural requirements – Article 76(d) of the Rules of Procedure – Practice Rules for the Implementation of the Rules of Procedure – Clarification of references to the annexes – Action in part brought before a court manifestly lacking jurisdiction to hear and determine it, in part manifestly inadmissible and in part manifestly lacking any foundation in law )
In Case T‑587/24,
GE, represented by J. Reisinger, lawyer,
applicant,
v
European Union Agency for Criminal Justice Cooperation (Eurojust), represented by S. van den Brande, S. Raes, S. Ignat and P. Van Muylder, lawyers,
and
European Union Agency for Law Enforcement Cooperation (Europol), represented by A. Nunzi, acting as Agent, and by G. Ziegenhorn, M. Kottmann and T. Shulman, lawyers,
defendants,
supported by
Kingdom of the Netherlands, represented by M. Bulterman and J. Langer, acting as Agents,
intervener,
THE GENERAL COURT (Fourth Chamber),
composed of G. De Baere, President, J. Svenningsen (Rapporteur) and C. Mac Eochaidh, Judges,
Registrar: V. Di Bucci,
makes the following
Order
1 By his action under Article 268 TFEU, the applicant, GE, seeks compensation for the non-material damage he claims to have suffered as a result of acts committed by the European Union Agency for Criminal Justice Cooperation (Eurojust), by the European Union Agency for Law Enforcement Cooperation (Europol), and by certain Member States.
Background to the dispute
2 According to his statements, the applicant is the subject, in Italy, of several cases relating to criminal offences, in particular concerning drug trafficking.
3 In one of those cases, the criminal proceedings against him and his preliminary detention are based on data contained in mobile telephones operating under the Sky ECC licence; ‘ECC’ means ‘Elliptic Curve Cryptography’. The analysis of those data enabled the police to thwart the applicant’s plan to assassinate two judges.
4 Those telephones had special software and modified hardware that enabled, via servers installed in Roubaix (France), end-to-end encrypted communication that could not be intercepted by conventional investigative means.
5 In the late 2010s, investigative measures initiated by the Belgian, Netherlands and French authorities targeted the ‘Sky ECC organisation’, which was suspected of commercialising products and encrypted communication services specifically aimed at facilitating the commission of criminal offences.
6 Following those national investigative measures, the Kingdom of Belgium and the Kingdom of the Netherlands adopted, at the end of 2018, European Investigation Orders in accordance with Directive 2014/41/EU of the European Parliament and of the Council of 3 April 2014 regarding the European Investigation Order in criminal matters (OJ 2014 L 130, p. 1), requesting the French Republic to ‘create an image’ of the servers that were used by Sky ECC and located in Roubaix. That Member State complied with that request by intercepting, recording and transcribing the encrypted communications entering and leaving those servers.
7 On 13 December 2019, the Belgian, Netherlands and French authorities concluded the agreement establishing a joint investigation team (‘the JIT’) relating to the Sky ECC encrypted communication service, on the basis of Article 13 of the Convention established by the Council in accordance with Article 34 of the Treaty on European Union, on Mutual Assistance in Criminal Matters between the Member States of the European Union (OJ 2000 C 197, p. 3) and Council Framework Decision of 13 June 2002 on joint investigation teams (OJ 2002 L 162, p. 1).
8 The agreement referred to in paragraph 7 above provides, inter alia:
‘2. Tasks of the JIT
…
Objective of the JIT
The creation of the JIT is aimed at facilitating ongoing investigations in Belgium, France and the Netherlands into the provider(s) and users of the Sky ECC communication service and at sharing technical know-how and resources.
…
The objective of the JIT is the joint preparation, development and implementation of the technique necessary for decrypting past communications and to dismantle the server; the identification and locating of users moving within and between the three countries; the setting up and coordination of a joint action day or days undertaken with the aim of arresting and bringing to justice Sky ECC’s facilitators and users.
…
7. Participants in the JIT
The parties to the JIT agree to involve Eurojust and Europol as participants in the JIT. …
9.1 Agreements on the use of digital data from listening to servers
Mutual exchange of information
The parties to the JIT agree to share, with each other and with Europol, as soon as possible, all raw data, for the purposes of analysis and use, as well as the results of those analyses and uses.
In addition to evidence against the criminal organisation that develops and commercialises Sky ECC, the raw or analysed data may also contain information that may be relevant for criminal investigations against other perpetrators or groups of perpetrators or for offences in the context of which Sky ECC means of communication have been used.
Europol will provide assistance in the analysis of digital data and will inter alia be responsible for dividing the raw data and the results of the analyses into “national packages” based on the location of the means of communication used.
…’
9 The JIT led to the sharing, between Europol and the three Member States concerned, of intercepted raw data as well as of the results of the analysis of those data.
10 In that context, Europol stored the data in its IT system, undertook cross-checking, produced intelligence reports, generated data visualisation graphs and interpreted multilingual data sets.
11 Eurojust, for its part, organised, on 25 April 2019, 7 September 2020 and 11 February 2021, meetings to coordinate the investigations into the Sky ECC activities, with the participation of the Belgian, French and Netherlands authorities and the participation of Europol; during those meetings, first, Eurojust provided support and advice on the possibilities of judicial cooperation and, second, the progress of the investigations of each of those authorities was discussed.
Forms of order sought
12 The applicant claims that the Court should:
– order Eurojust and Europol to pay him the sum of EUR 50 000 as compensation for the non-material damage suffered as a result of ‘[his] inability to refute the allegations made against him and the (subsequent) (unjust) (preliminary) detention, public notoriety/disclosure, compromised defense position, additional mental burden, and data that has ended up or could have ended up in the wrong hands’;
– order Eurojust and Europol to pay the costs.
13 Eurojust and Europol contend that the Court should:
– dismiss the action as manifestly inadmissible and, in any event, as manifestly lacking any foundation in law or as unfounded;
– order the applicant to pay the costs.
14 The Kingdom of the Netherlands contends that the Court should dismiss the action and order the applicant to pay the costs.
Law
15 Under Article 126 of the Rules of Procedure of the General Court, where it is clear that the Court has no jurisdiction to hear and determine an action or where the action is manifestly inadmissible or manifestly lacking any foundation in law, the Court may, on a proposal from the Judge-Rapporteur, at any time decide to give a decision by reasoned order without taking further steps in the proceedings.
16 In the present case, the Court, considering that it has sufficient information from the documents before it, has decided to give a decision without taking further steps in the proceedings, despite the applicant’s request for a hearing (see, to that effect, order of 16 July 2024, Aeris Invest v SRB, T‑62/18, not published, EU:T:2024:505, paragraph 17).
17 By the present action, the applicant alleges non-material damage resulting from an infringement of (i) Articles 7, 8, 47 and 48 of the Charter of Fundamental Rights of the European Union; (ii) Article 13 of the Convention established by the Council in accordance with Article 34 TEU, on Mutual Assistance in Criminal Matters between the Member States of the European Union; (iii) Article 7 of Directive 2012/13/EU of the European Parliament and of the Council of 22 May 2012 on the right to information in criminal proceedings (OJ 2012 L 142, p. 1); (iv) Article 31 of Directive 2014/41; (v) Articles 18, 28 and 38 of Regulation (EU) 2016/794 of the European Parliament and of the Council of 11 May 2016 on [Europol] and replacing and repealing Council Decisions 2009/371/JHA, 2009/934/JHA, 2009/935/JHA, 2009/936/JHA and 2009/968/JHA (OJ 2016 L 135, p. 53); (vi) Articles 71, 72, 89 and 92 of Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ 2018 L 295, p. 39); (vii) Articles 26 and 27 of Regulation (EU) 2018/1727 of the European Parliament and of the Council of 14 November 2018 on [Eurojust], and replacing and repealing Council Decision 2002/187/JHA (OJ 2018 L 295, p. 138); (viii) Articles 263, 268 and 277 TFEU; (ix) Articles 6 and 8 of the Convention for the Protection of Human Rights and Fundamental Freedoms, signed in Rome on 4 November 1950; (x) Articles 14 and 17 of the International Covenant on Civil and Political Rights, adopted by the General Assembly of the United Nations on 16 December 1966 and entered into force on 23 March 1976; and (xi) Article 32 of the Council of Europe Convention on Cybercrime of 23 November 2001 (European Treaty Series – No 185).
18 In support of those claims, the applicant relies on four pleas in law.
19 The first plea in law alleges a breach, made possible by Europol and/or Eurojust’s assistance, of the applicant’s right to a fair trial and of the principles of equality of arms, fairness and legality before the Italian courts. The second plea in law alleges that the acquisition and processing of personal data by Eurojust, Europol and the Member States concerned were illegal and disproportionate. The third plea in law alleges a ‘lack of possibility to review the admissibility of evidence in criminal cases, or at least the absence of (formal and substantive) safeguards[, in breach of] Article 47 [of the] Charter [of Fundamental Rights]’. The fourth plea in law alleges ‘lack of (proven) adequate security in the (acquisition and) processing of the … data [from the ‘Sky ECC’ service].’
Preliminary observations
The annexes to the application
20 On 14 November 2024, the applicant brought the present action by lodging an application accompanied by 29 annexes, with a total of 484 pages.
21 On 19 November 2024, the Court asked the applicant to regularise the schedule of annexes to the application, which did not comply with point 115(d) of the Practice Rules for the Implementation of the Rules of Procedure of the General Court (OJ L, 2024/2097), according to which the schedule of annexes must indicate, for each annex, the number of the paragraph in which the annex is first mentioned in the application and its relevance described.
22 Despite the failure to comply with the time limit for regularising the application set by the Court, the Court nevertheless added the regularised application to the file.
23 On 22 January 2025, the Court requested the applicant to regularise the annexes to the application, by producing, in accordance with Article 46 of the Rules of Procedure, a version in the language of the procedure (English) of annexes produced in a language other than the language of the procedure, while ensuring that the references to those annexes made in the application keep their accuracy.
24 Despite the failure to comply with the time limit for regularising the application set by the Court, the Court nevertheless added the annexes sent to the file.
25 On 25 March 2025, the Court requested the applicant to produce a new version of the application, updating the references to the annexes, as translated, in the footnotes, according to the consecutive page numbering of the annexes, as had been requested in the context of the previous request for regularisation.
26 By letter of 16 April 2025, the applicant, without producing the requested regularisation, informed the Court as follows:
‘This is now the third time we have received such a letter, despite having reviewed and verified these references carefully and thoroughly. We respectfully submit that the concerns raised are not substantiated upon close examination of the documents.
In each instance, the footnotes refer to the page on which the actual content of the annex begins – not the cover page bearing only the annex number. …
We respectfully urge the Registry to refrain from further returning the documents on these grounds unless a concrete, specific example of an actual incorrect reference can be indicated. At present, the observations appear to derive from a template rather than a tailored assessment of the submission.
The applicant, at this stage, is becoming increasingly discouraged by these repeated procedural hurdles, to the point of seriously questioning whether pursuing this matter is even worthwhile – which, we presume, is not the intended effect of the Court’s procedures (or perhaps it is?). This would be regrettable, especially considering that the Court stands as a guardian of legal certainty and procedural fairness – also in formal matters.’
27 On 16 April 2025, the Court sent a renewed request for regularisation.
28 Despite the failure to comply with the time limit for regularising the application set by the Court, the Court nevertheless added the updated application to the file.
29 In order for an action before the General Court to be admissible, the application must satisfy the requirements laid down by Article 76(d) of the Rules of Procedure and, in particular, the basic matters of law and fact relied on must be indicated, at least in summary form, coherently and intelligibly in the application itself. Whilst the body of the application may be supported and supplemented on specific points by references to extracts from documents annexed thereto, a general reference to other documents, even those annexed to the application, cannot make up for the absence of the essential arguments in law which, in accordance with those provisions, must appear in the application (see judgment of 13 February 2025, Commission and Others v Carpatair, C‑244/23 P to C‑246/23 P, EU:C:2025:87, paragraph 76 and the case-law cited; judgment of 23 July 2025, UBS Group and Others v Commission, T‑84/22, EU:T:2025:752, paragraph 66).
30 Thus, it is not for the General Court to supplement the line of argument put forward by the applicant in his application, by searching for and identifying, in the annexes thereto, evidence capable of supporting that line of argument (see, to that effect, judgment of 13 February 2025, Commission and Others v Carpatair, C‑244/23 P to C‑246/23 P, EU:C:2025:87, paragraph 77).
31 In the present case, it must be stated that most of the references to the annexes in the application are not to a specific page of one of those annexes but to the first page of the annex in question, even where that annex consists of several pages.
32 That is in particular the case with the references made in footnotes 3, 4, 8, 17 to 22, 24, 27, 32, 34 and 57, which, moreover, do not use any alternative method of identifying the relevant passages of the annexes to which they refer.
33 In addition, some references are made by pointing to pages that clearly do not correspond to the annex in question (footnotes 7, 11, 12, 26, 29 and 64) or use unintelligible syntagmas (footnotes 26 and 27).
34 Furthermore, the applicant refers on numerous occasions to documents, scientific or press articles, and judgments, in particular of the European Court of Human Rights, by merely citing references to those documents, without specifying the relevant paragraph(s) supporting his claim, or without producing them in an annex (footnotes 33, 35, 42 to 44, 46 to 49, 51, 52, 55, 60, 61, and 66 to 69).
35 It follows that the references listed in paragraphs 32 to 34 above cannot be taken into consideration for the purpose of examining the present action, in particular for the purpose of identifying the acts that the applicant has alleged on the part of Eurojust and Europol.
The scope of the alleged joint and several liability of Eurojust and Europol and the jurisdiction of the General Court to hear and determine that matter
36 It must be borne in mind that the EU judicature has jurisdiction over an action for damages based on Articles 268 and 340 TFEU only if the unlawful conduct alleged in support of the claim for compensation is truly the responsibility of an EU institution, body, office or agency, and cannot be regarded as attributable to a national authority (see, to that effect, judgment of 16 December 2020, Council v K. Chrysostomides Co. and Others, C‑597/18 P, C‑598/18 P, C‑603/18 P and C‑604/18 P, EU:C:2020:1028, paragraphs 80, 106 and 107).
37 Furthermore, where liability on the part of the European Union is involved on account of an act or conduct of one of its institutions or of one of its bodies, offices or agencies, the European Union is represented before the General Court by the institution(s), body or bodies, office(s) or agency or agencies against which the matter giving rise to liability is alleged (judgment of 13 November 1973, Werhahn Hansamühle and Others v Council and Commission, 63/72 to 69/72, EU:C:1973:121, paragraph 7).
38 Thus, the liability of the European Union on the basis of Articles 268 and 340 TFEU cannot be sought from an EU institution, body, office or agency other than that against which the matter giving rise to liability is alleged, unless the EU legislature has expressly provided for a derogating system of joint and several liability either between one of those EU institutions, bodies, offices or agencies and one or more Member States or one or more third countries, or between several EU institutions, bodies, offices or agencies (see, by analogy, judgment of 5 March 2024, Kočner v Europol, C‑755/21 P, EU:C:2024:202, paragraphs 62 and 63).
39 In the present case, the applicant claims that the Court of Justice established, in the judgment of 5 March 2024, Kočner v Europol (C‑755/21 P, EU:C:2024:202), that ‘Europol and Eurojust can be (jointly and severally) held responsible and liable for damages suffered by an individual as a result of actions for which there is joint responsibility’. The applicant has inferred from that that those two agencies may be held jointly and severally liable for all of the heads of damage on which he relies.
40 It must be stated, however, that the applicant’s assertion is based on a manifestly incorrect reading of the judgment of 5 March 2024, Kočner v Europol (C‑755/21 P, EU:C:2024:202), and of the rules on liability applicable to Europol and Eurojust.
41 First, it is true that, in the judgment of 5 March 2024, Kočner v Europol (C‑755/21 P, EU:C:2024:202, paragraphs 62 and 63), the Court of Justice recognised the existence of joint and several liability on the part of Europol on the basis of a combined reading of Article 49(3) and Article 50 of Regulation 2016/794, read in the light of recital 57 of that regulation.
42 Nevertheless, the joint and several liability recognised in the judgment of 5 March 2024, Kočner v Europol (C‑755/21 P, EU:C:2024:202, paragraphs 62 and 63), applies only between Europol and the Member States and, furthermore, is limited solely to damage arising from unlawful processing of personal data in the context of cooperation under Regulation 2016/794 between that agency and one or more Member States.
43 Second, it is true that it is clear from Article 55(2) of Regulation 2018/1727 and from Article 38(6) of Regulation 2016/794 that Eurojust and Europol may be held jointly and severally liable for an illegal transfer of personal data by Europol to Eurojust at Eurojust’s request or for an illegitimate transfer of operational personal data by Eurojust to Europol at Europol’s request.
44 Nevertheless, the applicant has not relied on the provisions of Article 38(6) of Regulation 2016/794 or of Article 55(2) of Regulation 2018/1727.
45 On the contrary, the applicant has expressly based his claims for compensation on Article 50 of Regulation 2016/794, the scope of which has been recalled in paragraph 42 above, and on Article 46 of Regulation 2018/1727, paragraph 1 of which provides that Eurojust is liable, in accordance with Article 340 TFEU, for any damage caused to an individual which results from the unauthorised or incorrect processing of data carried out by that agency, and paragraph 3 of which provides that each Member State is liable, in accordance with its national law, for any damage caused to an individual which results from the unauthorised or incorrect processing carried out by it of data which were communicated to Eurojust.
46 Furthermore, it is not apparent from the application that the applicant is relying on illegal or illegitimate exchanges of personal data between the defendants.
47 It follows from that that, in the context of the present action, the applicant may seek to establish only, first, liability on the part of Eurojust for its own actions and, second, liability on the part of Europol for damage caused by its departments or by its staff in the performance of their duties, pursuant to Article 49(3) of Regulation 2016/794, and for damage caused by unlawful processing of his personal data that occurred in one of the Member States concerned in the context of cooperation between Europol and those States, pursuant to Article 50 of Regulation 2016/794.
48 Thus, the Court manifestly lacks jurisdiction to hear and determine the present action in so far as that action is seeking a finding, first, that Eurojust is jointly and severally liable for acts on the part of the Member States, of Europol or of third countries, and, second, that Europol is jointly and severally liable for acts other than unlawful processing of personal data or for the acts of Eurojust or of third countries.
49 In the context of the heads of claim for compensation, the Court must therefore reject as having been brought before a court which has no jurisdiction to hear and determine it the part of the first plea in law, as well as the third plea in law in its entirety, alleging a breach of the right to a fair trial by the Italian criminal courts on account of alleged impossibility of becoming acquainted with the evidence adduced against the applicant by those courts and, therefore, of verifying the legality, reliability, authenticity, integrity or admissibility thereof.
50 Such criticisms, even though they have a link with the personal data alleged to have been processed by Eurojust and Europol, do not concern the possibly unlawful processing of those data but rather the procedural rules – and more specifically, the evidentiary rules – applied to those data by the Italian criminal courts. Given that the damage is not the result of unlawful data processing occurring in the context of cooperation involving Europol and a Member State, joint and several liability under Article 50(1) of Regulation 2016/794 is not applicable.
51 The same is true of the criticisms, also set out in the first plea in law, alleging a breach of the right to a fair trial on account of the French authorities’ refusal to authorise officers of the French police to appear before the Italian courts.
The jurisdiction of the General Court to hear and determine the matter of the collection by the Member States concerned of data from the ‘Sky ECC’ service
52 In the context of his second plea in law, the applicant seeks to establish liability on the part of Europol on account, in particular, of the interception of personal data from the ‘Sky ECC’ service by the French and Netherlands police authorities.
53 Nevertheless, it is clear from Article 276 TFEU that, in exercising its powers regarding the provisions of Chapters 4 and 5 of Title V of Part Three of the FEU Treaty, relating to the area of freedom, security and justice, the EU judicature has no jurisdiction to review the validity or proportionality of operations carried out by the police or other law enforcement services of a Member State.
54 Thus, despite the system of joint and several liability laid down in Article 50(1) of Regulation 2016/794, Europol cannot be held jointly and severally liable for any damage resulting from unlawful processing of personal data of a natural person occurring in the course of operations carried out by the police or other law enforcement services of a Member State, even if that processing took place in the context of cooperation based on that regulation (see, by analogy with Article 275 TFEU, judgment of 10 September 2024, KS and Others v Council and Others, C‑29/22 P and C‑44/22 P, EU:C:2024:725, paragraph 91).
55 Therefore, the Court does not have jurisdiction to hear and determine the applicant’s claims alleging damage caused to him as a result of the interception of his personal data in the course of police operations carried out by the French or the Netherlands authorities.
The action in so far as it concerns Eurojust
Admissibility
56 Eurojust disputes the admissibility of the action in so far as it is directed against it. In particular, according to Eurojust, the applicant has failed to identify the allegedly unlawful conduct of which that agency is accused.
57 In that regard, Eurojust disputes that it contributed to the acquisition of all the data from the ‘Sky ECC’ service, that it was one of the recipients of those data, that it participated in their decryption, that it had access to them or that it was involved in the storage or further processing thereof.
58 By contrast, Eurojust acknowledges that it intervened in November 2021 to facilitate the transmission and execution by the French authorities of a European Investigation Order issued by the Italian authorities with a view to obtaining the data linked to the applicant’s Sky ECC identifiers. Eurojust states that, to that end, in particular, it transmitted by email to the Italian authorities a web link provided by the French authorities, which allowed the Italian authorities to download those data for a week. However, Eurojust states that it never accessed the applicant’s chats transmitted in that manner.
59 Furthermore, Eurojust contends that the applicant has not substantiated any of the heads of damage on which he relies.
60 In order to satisfy the requirements recalled in paragraph 29 above, an application seeking compensation for damage alleged to have been caused by an EU agency must state the evidence from which the conduct which the applicant alleges against the agency can be identified, the reasons why the applicant considers there is a causal link between the conduct and the damage he, she or it claims to have suffered, and the nature and extent of that damage (see judgment of 20 July 2017, ADR Center v Commission, T‑644/14, EU:T:2017:533, paragraph 66 and the case-law cited).
61 In the present case, even though the application is not structured around the three cumulative conditions for establishing non-contractual liability on the part of the European Union, it makes it possible to understand that the applicant seeks, in essence, to establish non-contractual liability on the part of Eurojust for a proportion of EUR 50 000, in respect of non-material damage resulting from various types of conduct on the part of that agency.
62 In that regard, the applicant has referred to a refusal by Eurojust to allow former members of staff to appear before an Italian court, to repeated refusals by that agency to act on his requests for access to his personal data held by it, and to a failure on the part of that agency to comply with the obligations laid down in Articles 89 and 92 of Regulation 2018/1725.
63 Such unlawful conduct alleged on the part of Eurojust must be considered sufficiently identifiable.
64 The applicant has further referred to unauthorised or incorrect processing of data carried out by Eurojust, within the meaning of Article 46(1) of Regulation 2018/1727.
65 It is therefore necessary to examine whether the applicant has identified the processing of his personal data for which he criticises Eurojust.
66 In that regard, Eurojust has acknowledged that, in November 2021, it transmitted to the Italian authorities the applicant’s personal data that it had previously received from the French authorities, in the context of a European Investigation Order.
67 That transmission of November 2021 must therefore be considered to be identified and established.
68 By contrast, as regards the applicant’s claims that Eurojust was involved in the processing of data from the ‘Sky ECC’ service other than the transmission of November 2021, the applicant has not indicated the basic matters of fact making it possible to identify conduct on the part of Eurojust capable of giving rise to non-contractual liability on that agency’s part (see paragraph 60 above), in accordance with Articles 268 and 340 TFEU, read in conjunction with Article 46(1) of Regulation 2018/1727.
69 First of all, it must be noted that the applicant claims that the personal data concerning him alleged to have been processed by Eurojust ‘form the core evidence in the charges against him’, which implies that that evidence is available to him. However, he has not disclosed any such evidence in the context of the application.
70 Next, it is true that the applicant has provided evidence in support of his claims. Nevertheless, the general nature of that evidence does not make it possible to identify any processing of his personal data by Eurojust other than the transmission of November 2021.
71 More specifically, the testimony given by a member of Eurojust’s staff in an Italian criminal trial which does not relate to the applicant and in which that member of staff refers, inter alia, to the ‘Sky ECC’ service is not such as to identify processing of the applicant’s personal data by Eurojust, especially where that member of staff has himself acknowledged that he ‘does not know the precise details of the investigations into … Sky ECC’.
72 The same is true of the minutes of a witness hearing in an Italian criminal case which also does not relate to the applicant, and of the applicant’s assertions, supported by a reference to a judgment of the European Court of Human Rights, that ‘Eurojust [had] supported unlawful investigative actions’.
73 Lastly, the mere fact that Eurojust organised coordination meetings between the parties to the JIT does not permit the inference that Eurojust collected, received, stored, transmitted or analysed the applicant’s personal data, or, a fortiori, the identification of any unauthorised or incorrect processing of those personal data, within the meaning of Article 46(1) of Regulation 2018/1727.
74 Consequently, the second plea in law, in so far as it concerns Eurojust, must be rejected as manifestly inadmissible as regards the applicant’s claims that Eurojust was involved in the processing of data from the ‘Sky ECC’ service, except inasmuch as that plea concerns unlawful processing of data resulting from the transmission of November 2021.
75 By contrast, the action against Eurojust is admissible inasmuch as it concerns Eurojust’s alleged refusal to allow former members of staff to appear before an Italian court and that agency’s alleged repeated refusals to act on the applicant’s requests for access to his personal data held by it (first plea in law), the allegedly unlawful processing of the applicant’s data resulting from the transmission of November 2021 (second plea in law), and the alleged failures on the part of that agency to comply with the obligations laid down in Articles 89 and 92 of Regulation 2018/1725 (fourth plea in law).
Substance
76 In the light of the foregoing observations concerning the Court’s lack of jurisdiction to hear and determine a part of the first plea in law and the third plea in law in its entirety and the partial inadmissibility of the second plea in law, the view must be taken that, by his action, the applicant seeks to establish liability on the part of Eurojust on the basis of the following three pleas in law.
77 In the context of his first plea in law, the applicant relies on a breach of his right to a fair trial and of the principles of equality of arms, fairness and legality, on account of a refusal by Eurojust to allow former members of its staff to respond to a summons from the Italian courts and on account of a refusal by agency to act on ‘numerous, insistent requests by [the applicant] for disclosure of documents critical to his … defense’. According to the applicant, that refusal has deprived him of the possibility of obtaining full access to his personal data held by Eurojust and thus of verifying the legality, reliability, authenticity and integrity of the data concerning him held by that agency. Furthermore, the applicant alleges disregard on the part of Eurojust for the refusal of the French authorities to allow two of its members of staff to appear (see paragraph 51 above) and, more generally, for his situation.
78 In his second plea in law, the applicant claims that the processing of his personal data was unlawful and disproportionate. He asserts that Eurojust ‘orchestrated the Sky ECC … operation’, aimed at an indiscriminately targeted group of persons, including lawyers, thereby infringing the obligation of professional secrecy.
79 In his fourth plea in law, the applicant refers to concerns relating to, first, the adoption of appropriate security measures in the processing of his personal data, second, the actual conduct of an impact assessment prior to the processing of those data and, in essence, third, the absence of a notification to the European Data Protection Supervisor (EDPS) of a breach of those data.
80 As regards the first plea in law, it must be stated, as, moreover, Eurojust has asserted, that the applicant has not provided any evidence capable of establishing that he made any request for access to personal data concerning him held by that agency.
81 The applicant cannot therefore legitimately criticise that agency for failing to act on such a request.
82 The applicant has not provided any further evidence capable of establishing that Eurojust refused to allow former staff members to appear in the criminal proceedings to which he claims to be subject in Italy.
83 As Eurojust states, it appears that the summons, to which the applicant refers in Annex A.27 to the application and which, in his submission, was refused by Eurojust, was made in Italian criminal proceedings unrelated to the applicant, as is evident from the list of persons appearing on page 250 of Annex A.15.
84 Lastly, the applicant has not substantiated either the actual existence of the disregard which he alleges on the part of Eurojust or the grounds of its unlawfulness.
85 As regards the second plea in law, the applicant has not established that the transmission of November 2021 gave rise to unlawful processing of his personal data.
86 In the first place, Article 45(2)(b) of Regulation 2018/1727 provides that responsibility for the accuracy of operational personal data lies with the Member State which provided the data to Eurojust where, as in the present case, the data provided have not been altered in the course of processing by that agency, which has not been disputed by the applicant.
87 In the second place, it must be stated that, as regards the making available by the French authorities of the applicant’s data to the Italian authorities via Eurojust, there is nothing to indicate that that processing of personal data was not fair, lawful and carried out for specified, explicit and legitimate purposes, within the meaning of Article 71(1)(a) and (b) of Regulation 2018/1725, applicable to Eurojust by reference to Article 26 of Regulation 2018/1727.
88 First, that processing came within the scope of tasks of Eurojust and was necessary for the performance thereof. Second, it is not apparent from any of the documents in the file that the applicant’s personal data were processed for purposes other than those tasks, as provided also in Article 72 of Regulation 2018/1725, applicable to Eurojust by reference to Article 26 of Regulation 2018/1727. Third, that processing was carried out at the request of the French authorities and in execution of a European Investigation Order issued by the Italian authorities.
89 Furthermore, the making available of the applicant’s chats to the Italian authorities by the French authorities via Eurojust was also proportionate and sufficiently secure, for the purposes of Article 71(1)(c), (d) and (f) of Regulation 2018/1725, applicable to Eurojust by reference to Article 26 of Regulation 2018/1727. That making available took the form of the provision of a web link, by the French authorities, to a password-protected download website, and there is nothing to call into question the assertion that Eurojust refrained from accessing the data in question and did not download, store or copy those data in its IT systems.
90 As regards the fourth plea in law, it must be stated that the applicant’s assertions that Eurojust failed to comply with its obligation to adopt appropriate technical and organisational measures in order to ensure a level of security appropriate to the risk are not supported by any evidence or prima facie evidence.
91 The applicant has not established that, as a result of such a failure, his personal data have been the subject, in particular, of unauthorised disclosure, alteration or access or of any other unauthorised form of processing.
92 The applicant’s mere unsubstantiated concern that a breach of his personal data might have occurred cannot suffice to establish that Eurojust failed to fulfil its obligations.
93 Similarly, the applicant has not explained in what way Eurojust failed to fulfil its obligation to carry out an impact assessment prior to the transmission to the Italian authorities of the web link provided by the French authorities to a secure website containing his chats from the ‘Sky ECC’ service.
94 That transmission, in respect of which there is nothing to indicate that it posed a particular risk to the applicant’s rights and freedoms or at least a higher risk than other means of transmission, did not warrant the conduct of the prior impact assessment provided for in Article 89 of Regulation 2018/1725, applicable to Eurojust by reference to Article 26 of Regulation 2018/1727.
95 Furthermore, having failed to demonstrate, on one ground or other, that Eurojust committed a breach of his personal data, the applicant cannot complain that that agency failed to fulfil its obligation, laid down in Article 92 of Regulation 2018/1725, to notify the EDPS of such a breach, applicable to that agency by reference to Article 26 of Regulation 2018/1727.
96 Since the applicant has failed to demonstrate any infringement of EU law attributable to Eurojust and since the conditions for establishing non-contractual liability on the part of the European Union are cumulative (see judgment of 30 November 2022, KN v Parliament, T‑401/21, EU:T:2022:736, paragraph 34 and the case-law cited), there is no need to examine whether the other conditions laid down by the case-law are satisfied.
97 In the light of the foregoing, the action, in so far as it is directed against Eurojust, must be dismissed, in part on the ground of manifest lack of jurisdiction, in part as manifestly inadmissible, and in part as manifestly unfounded.
The action in so far as it concerns Europol
Admissibility
98 Europol disputes the admissibility of the action in so far as it is directed against it. According to Europol, the applicant has failed to identify the allegedly unlawful conduct of which that agency is accused, nor the damage on which he relies or the link between that conduct and that damage.
99 In the present case, the applicant seeks, in essence, to establish non-contractual liability on the part of Europol for a proportion of EUR 50 000, in respect of non-material damage resulting from various types of conduct on the part of that agency.
100 As regards the acts complained of, the applicant has sufficiently identified a refusal by Europol to allow former members of staff to appear before an Italian court, repeated refusals by that agency to act on his requests for access to his personal data held by it, and a failure on the part of that agency to comply with the obligation laid down in Article 32 of Regulation 2016/794 (see, by analogy, paragraph 63 above).
101 By contrast, as regards the applicant’s claims relating to unlawful processing of his personal data by Europol or by Member States in respect of which Europol could be held jointly and severally liable, it must be stated that the applicant has indeed referred to personal data processing in the context of the investigation relating to the ‘Sky ECC’ service. However, he has not identified any such processing concerning him personally, even though he has evidence of such processing (see, by analogy, paragraphs 68 to 73 above).
102 Consequently, in accordance with the case-law recalled in paragraphs 29 and 60 above, the second plea in law, in so far as it concerns Europol, must be rejected as manifestly inadmissible.
103 By contrast, the action, in so far as it concerns Europol, is admissible inasmuch as it concerns Europol’s alleged refusal to allow former members of staff to appear before an Italian court and that agency’s alleged repeated refusals to act on the applicant’s requests for access to his personal data held by it (first plea in law) as well as the alleged failure on the part of that agency to comply with the obligations laid down by Article 32 of Regulation 2016/794 and Articles 89 and 92 of Regulation 2018/1725 (fourth plea in law).
Substance
104 In the light of the foregoing remarks concerning the Court’s lack of jurisdiction to hear and determine a part of the first plea in law and the third plea in law in its entirety and the inadmissibility of the second plea in law, it must be stated that, by his action, the applicant seeks to establish liability on the part of Europol on the basis of two pleas in law.
105 By his first plea, the applicant relies, as in the case of Eurojust, on a breach of his right to a fair trial and of the principles of equality of arms, fairness and legality, on account of a refusal by that agency to allow former members of its staff to respond to a summons from the Italian courts, a refusal by that agency to act on ‘numerous, insistent requests by [the applicant] for disclosure of documents critical to his … defense’, and disregard on the part of that agency for the applicant’s situation.
106 By his fourth plea in law, the applicant refers to concerns relating to, first, the adoption of appropriate security measures in the processing of his data, second, the actual conduct of an impact assessment prior to that processing, and, in essence, third, the absence of a notification to the EDPS of a breach of those data.
107 As regards the first plea in law, it has already been found that the document on which the applicant relies in order to establish that Europol refused to allow former members of its staff to respond to a summons from the Italian courts concerns Italian criminal proceedings unrelated to him (see paragraphs 82 and 83 above), and that that document does not substantiate either the actual existence of the disregard which he alleges on the part of Europol or the grounds of its unlawfulness (see, by analogy, paragraph 84 above), ruling out the possibility that those criticisms may succeed.
108 As regards Europol’s refusal to act on the applicant’s two requests of 22 March and 2 September 2022, seeking to obtain the personal data concerning him that were in the possession of that agency, it must, first of all, be noted that the applicant has not disputed, inter alia on the basis of Article 47(2) of Regulation 2016/794, at the very least, the negative response provided by that agency on 21 April 2022, to which he refers in his second request.
109 Next, the applicant has neither provided, in the application, Europol’s response to his first request nor claimed that Europol failed to respond to his second request.
110 Lastly, the applicant has not explained why the refusals on which he relies infringe, in particular, Article 36(6) of Regulation 2016/794, according to which the provision of information in response to a request may be refused or restricted if such refusal or restriction constitutes a measure that is necessary in order to enable Europol to fulfil its tasks properly, protect security and public order or prevent crime, guarantee that any national investigation will not be jeopardised, or protect the rights and freedoms of third parties.
111 In those circumstances, the General Court is not in a position to assess the merits of the applicant’s criticisms, with the result that no infringement of EU law by Europol can be found.
112 As regards the fourth plea in law, it should be noted that Article 32 of Regulation 2016/794 imposes on Europol obligations in terms of data security similar to those imposed, in particular, on Eurojust by Article 91 of Regulation 2018/1725.
113 In those circumstances, the applicant’s criticisms relating to the security of his personal data must be rejected on the same grounds as those set out in paragraphs 90 to 92 above.
114 Furthermore, in so far as the applicant has relied on an infringement of provisions of Regulation 2018/1725, it must be stated, first, that that regulation was not applicable to Europol, prior to the amendment of Regulation 2016/794 by Regulation (EU) 2022/991 of the European Parliament and of the Council of 8 June 2022 amending Regulation (EU) 2016/794, as regards Europol’s cooperation with private parties, the processing of personal data by Europol in support of criminal investigations, and Europol’s role in research and innovation (OJ 2022 L 169, p. 1), which entered into force on 28 June 2022, and, second, that the applicant has not criticised that agency for any acts after that date.
115 Since the applicant has failed to demonstrate any infringement of EU law attributable to Europol and since the conditions for establishing non-contractual liability on the part of the European Union are cumulative, there is no need to examine whether the other conditions laid down by the case-law are satisfied.
116 In the light of the foregoing, the action, in so far as it is directed against Europol, must be dismissed, in part on the ground of manifest lack of jurisdiction, in part as manifestly inadmissible, and in part as manifestly unfounded.
Costs
117 Under Article 134(1) of the Rules of Procedure, the unsuccessful party is to be ordered to pay the costs if they have been applied for in the successful party’s pleadings. Since the applicant has been unsuccessful, he must be ordered to pay the costs, in accordance with the forms of order sought by Eurojust and by Europol. In addition, in accordance with Article 138(1) of the Rules of Procedure, the Kingdom of the Netherlands is to bear its own costs.
On those grounds,
THE GENERAL COURT (Fourth Chamber)
hereby orders:
1. The action is dismissed in so far as it is directed against the European Union Agency for Criminal Justice Cooperation (Eurojust).
2. The action is dismissed in so far as it is directed against the European Union Agency for Law Enforcement Cooperation (Europol).
3. GE shall bear his own costs and shall pay those incurred by Eurojust and by Europol.
4. The Kingdom of the Netherlands shall bear its own costs.
Luxembourg, 2 February 2026.
V. Di Bucci
G. De Baere
Registrar
President
* Language of the case: English.
© Unia Europejska, źródło: EUR-Lex (eur-lex.europa.eu), pozyskano 14.07.2026. Autentyczne są wyłącznie wersje opublikowane w Dz. Urz. UE. · Źródło