The recent judgment in Kočner v. Europol (C-755/21 P) by the Court of Justice of the EU marks a significant development in data protection law. The case centered on the question of liability for unlawful data processing arising from cooperation between Europol, the EU’s law enforcement agency, and a Member State. The dispute stemmed from a criminal investigation in Slovakia following the murders of a journalist. Slovak authorities requested Europol to extract data from devices belonging to Mr. Kočner, a suspect in the case. This data, including private communications, was subsequently leaked to the press and used to compile reports linking Mr. Kočner to alleged financial crimes and organized crime.

Kočner brought an action before the General Court seeking compensation for the non-material damage caused by the unlawful data processing. However, the GC dismissed the case, citing insufficient evidence. The CJEU overturned the GC’s judgment, siding with the Opinion of Advocate General Rantos. The Court established that the General Data Protection Regulation imposes joint and several liability on Europol and the Member State concerned (Slovakia) for any damage arising from unlawful data processing during their cooperation. Notably, the burden of proof rests solely on the claimant to demonstrate that unlawful processing occurred and resulted in harm. The attribution of fault between Europol and the Member State becomes irrelevant for establishing liability.

In this specific case, the CJEU determined that the data leak constituted unlawful processing, infringing upon Mr. Kočner’s right to privacy and damaging his reputation.

The full press release is available here.