Skip to main content Accessibility help
×
Hostname: page-component-cd9895bd7-dk4vv Total loading time: 0 Render date: 2024-12-22T17:09:07.908Z Has data issue: false hasContentIssue false

Part IV - Testing the Remedies System

Published online by Cambridge University Press:  aN Invalid Date NaN

Melanie Fink
Affiliation:
Leiden University
Type
Chapter
Information
Redressing Fundamental Rights Violations by the EU
The Promise of the ‘Complete System of Remedies'
, pp. 269 - 421
Publisher: Cambridge University Press
Print publication year: 2024
Creative Commons
Creative Common License - CCCreative Common License - BYCreative Common License - NCCreative Common License - ND
This content is Open Access and distributed under the terms of the Creative Commons Attribution licence CC-BY-NC-ND 4.0 https://creativecommons.org/cclicenses/

11 EU Law Enforcement Authorities and Access to Justice

Koen Bovend’Eerdt
Footnote *, Argyro Karagianni , and Miroslava Scholten
11.1 Introduction

In the context of enforcing the law, the rule of law makes demands, inter alia, on both individuals and those who govern or rule over them. In broad terms, the rule of law requires of individuals that they respect and abide by legal norms promulgated by those who govern. To prevent or to respond to (alleged) violations of a prescribed norm – or more generally, to ensure that a norm is effectively respected – those who govern rely on enforcement (i.e., ‘the sword’). Enforcement consists of public action to prevent or respond to a violation of a prescribed norm.Footnote 1

Of those who govern, the rule of law requires that, in enforcing the law, they themselves do not operate beyond, or place themselves above, the law and what this law deems permissible. That is where fundamental rights enter into play: to protect the individual against the arbitrary exercise of power by those who govern.Footnote 2 The role of the rule of law then, in which fundamental rights find their expression, is to concern itself with the way in which power is exercised and to cast it in a constraining harness of public norms that grant, delimit, and control the discretionary exercise of power (‘the shield’).Footnote 3

For an individual to have fundamental rights is one thing; to see them effectively enforced and protected is another. To ensure that their fundamental rights are enforceable, there is a duty incumbent on those who govern to put in place institutions that uphold the individual’s rights and connected to that, to grant the individual whose rights have been infringed access to those institutions. It is this latter component that is generally referred to as ‘access to justice’. As the name suggests, access to justice consists of two elements: ‘access’ and ‘justice’. The first is procedural in nature and serves to ensure that those whose fundamental rights are violated have (equal) access to the means in place that can address these violations. The second element is substantive and more normative in nature; it demands that just outcomes are to be achieved (i.e., that the individual’s rights are adequately protected), yet the definition and perception of what is just may vary in light of individuals’ morality, context, and other pre-existing and emerging factors. The two elements are necessarily connected: the attainment of justice or of a just result presupposes access.Footnote 4 When it comes to ‘access to justice’, one of the core notions in this contribution, we focus primarily (though certainly not exclusively) on the procedural limb of ‘access to justice’. In other words, we are interested in potential pathways or mechanisms for achieving justice, not in justice in the result.

In short, then, as a concept, access to justice takes on a functional role in the perennial rule of law debate and in this contribution is understood as an instrument that allows for the effective protection of the individual’s fundamental rights (‘the shield’) against violations by those who govern in the process of enforcement (‘the sword’).

Against this background, one development is that of an ever-evolving EU polity. The EU has become more than an international organisation where the addressees of international agreements have been predominantly the nation-states. Ever since Van Gend & Loos, individuals have been considered as important actors in enforcing (fundamental) rights with which Union law has endowed them particularly because the Member States have a ‘natural aversion to controlling their own behaviour’.Footnote 5 This has become all the more important in the last two decades with the advent of EU law enforcement authorities: supranational actors created by EU law that have at their disposal enforcement powers and monitor compliance with its laws, investigate suspected violations, and/or sanction non-compliance with the view of stopping, deterring, and/or restoring after undesirable behaviour.Footnote 6

In this contribution, we offer a critical appraisal of the individual’s (in)access to justice when their fundamental rights have been violated during enforcement by EU law enforcement authorities. Direct enforcement by EU law enforcement authorities has been proliferating despite uncertainties that this novel type of public power has brought in terms of control mechanisms, both judicial and non-judicial.Footnote 7 Direct enforcement, and the shared activities and joint decisions of EU and national authorities it entails, have been ‘squeezed’ into the existing system of separated controls between the EU and the Member State legal orders. This brings with it challenges regarding the control over public power that may affect ‘access to’ and ‘justice’, not only from a strictly legal perspective but also from a normative conceptual perspective. To what extent can the law and the obligations that flow from it be foreseeable for the individuals subject to direct enforcement actions? To what extent have different substantive, procedural, and institutional issues been aligned between existing systems of control? What mechanisms of control could bring more ‘justice’ and satisfaction in such a setting and upon which conditions does this depend?

For the remainder of this contribution, we proceed in the following fashion. In Section 11.2, we offer a – perhaps somewhat unorthodox – understanding of the notion of ‘access to justice’ in light of the EU’s powers of direct enforcement by means of EU law enforcement authorities. Access to justice, or so we argue, is more than access to, or effective remedies before, a court that is to enforce the individual’s fundamental rights and hold state authorities accountable (i.e., the judicial pathway), but also encompasses other, non-judicial, mechanisms – both at the national and the Union level and for each separate procedure of enforcement – which provide the individual with means to enforce their rights and ensure that those violating rights are held to account. We start by outlining which fundamental rights are at stake at the various stages of enforcement and how these rights may be interfered with and/or violated by EU law enforcement authorities (Section 11.2.1). Thereafter, in Section 11.2.2, we demonstrate how direct enforcement by EU law enforcement authorities has brought about a shift in the ways in which Union law in particular policy areas is enforced and how this shift has largely not been accompanied by a change in the way in which judicial control is offered in order to remedy violations of fundamental rights suffered by the individual subject to enforcement action. To substitute and/or complement the absence of judicial control, other mechanisms have been put in place that help achieve the individual’s access to justice.Footnote 8 These non-judicial mechanisms are, or so we argue, better suited to ensuring that fundamental rights are effectively protected. This is reflected in socio-legal literatureFootnote 9 in which it is established that access to court and a possible positive outcome does not necessarily equate to the attainment of justice. Enforcement’s success is highly dependent on its preventive function, rather than sanctioning, as it can be more effective from both economic and policy goals perspectives.Footnote 10 In short, the point we wish to drive home is that, in the current EU constellation, courts are – contrary to what is generally assumed – not always, or in any case not necessarily, best-suited for remedying fundamental rights violations and providing the protection the individual needs.

In Section 11.3, we then examine the way in which ‘access to justice’ is given shape in the legal frameworks of three EU enforcement authorities: the European Securities and Markets Authority (ESMA), the European Commission’s Directorate General for Competition (DG COMP), and the European Anti-Fraud Office (OLAF). We look at these three EU enforcement authorities in particular because of the three different ways in which they share their functions with their national counterparts. The first is hierarchically positioned above national authorities (ESMA). The second acts in parallel with national authorities (DG COMP). The third acts mainly in support of national authorities (OLAF). In short, each of the authorities chosen represents one of three ‘families’ or ‘flavours’ of EU law enforcement authorities,Footnote 11 thereby offering a representative sample to discuss.

In Section 11.4, we evaluate the different ways in which the concept of ‘access to justice’ is implemented in the legal frameworks of the three authorities studied. In Section 11.5, we outline recommendations for ways in which the individual’s access to justice can be improved in the legal frameworks of the three agencies subject to study and further (academic) research.

11.2 Access to Justice in Enforcement by EU Enforcement Authorities

In the process of enforcement, three stages are normally distinguished: monitoring compliance with, investigating possible violations of, and sanctioning non-compliance with the applicable law.Footnote 12 In the socio-legal literature and in legislative practice (discussed in Sections 11.2.1 and 11.2.2), one can witness a development of theories and tools aimed at enhancing compliance of individuals with the applicable law. Therefore, such theories and tools aim at ensuring the preventive (rather than the responsive) function of enforcement.Footnote 13 From a law and economics perspective, enforcement can be seen as more effective, including time- and cost-efficient, if individuals’ compliance with the law is achieved at the earliest possible stage of enforcement. In this connection, literature on compliance and better regulation shows the importance of investing in educating those who need to comply with the rules, rather than simply sanctioning them.Footnote 14 Should sanctions ultimately prove necessary, the same literature shows the importance of using an enforcement ladder, that is, escalating from soft enforcement tools, like warnings and dialogues, to hard ones like punitive fines, to enhance effectiveness. We may notice that these theories find application in the existing laws and operation of EU enforcement authorities. For instance, EU enforcement authorities increasingly use soft law guidance whereby they explain how they ought to enforce laws, how certain ambiguous concepts are to be interpreted, and may hold (informal) dialogues as a tool to enhance compliance and thus prevent violations or as soft sanctioning mechanisms.

Access to justice by private actors – natural and legal persons – is of paramount importance when it comes to enforcement actions by public authorities. This is because regulation as such can restrict the rights and freedoms of private actors and in the process of enforcing substantive regulatory norms, such rights and freedoms can be affected further. Think, for instance, about obligations imposed by relevant EU legislation on financial market participants to provide specific information to enforcement authorities on a regular basis.Footnote 15 If an EU enforcement authority concludes that the financial market participant violated the relevant legislation and therefore imposes a fine or even withdraws the participant’s authorisation, the freedom to conduct a business may be restricted even further. To ensure there is no abuse of public power, private actors must have access to justice to question and check the relevant authorities’ enforcement actions and decisions. Access to justice is thus essential at all of the three enforcement stages: monitoring, investigating, and sanctioning. In this section, we distinguish which fundamental rights are relevant at each enforcement stage (Section 11.2.1). Then, in Section 11.2.2, we discuss the evolution of the concept of access to justice in relation to enforcement and the evolution of its meaning to encompass more possibilities to promote fundamental rights than just ‘access to the court’.

11.2.1 Enforcement Stages and Applicable Fundamental Rights
11.2.1.1 Monitoring

Monitoring compliance with substantive norms is an essential first step in the enforcement process. Private parties as such may have an active role in the monitoring stage. For instance, a company that operates in a competitive market may notice wrongdoing by another company and file a complaint with the relevant supervisory authority or even go directly to court. Depending on the legislative setup, an EU enforcement authority may have responsibility to monitor compliance with laws too, without depending on individual complaints. To that effect, relevant legislation may bestow upon an EU enforcement authority such powers as monitoring the proper functioning of financial markets; requesting from market participants information on a regular or ad hoc basis; conducting ad hoc, planned, or risk-based designed on-site inspections; holding (ad hoc) dialogues to promote and ensure compliance; and issuing (soft law) guidance to educate relevant parties and incentivise compliance. For this, an EU enforcement authority needs to have sufficient resources. If resources are limited, the authority may adopt prioritisation policies and conduct risk-based inspections. Often, the monitoring of compliance is organised in a mixed way (private actors’ complaints and public authorities’ public supervision).

At the monitoring stage, the following procedural safeguards are relevant to consider as their affordance will ensure that the fundamental right to good administration and the right to judicial protection will be observed should any dispute arise as a result of the monitoring stage. First, the power of enforcement authorities to ask for (more) information needs to be balanced with the obligation to have a legal basis and state reasons for issuing such requests, which in turn allows supervised entities to assess the scope of the obligation to cooperate. Then, a grey area concerns informal information requests and the issuance of non-binding instruments, like guidance, notices, and recommendations. These have to be done professionally and private parties need to have protection against possible abuses of power in the course of such informal contacts, otherwise disputes based on informal contacts may lead to subsequent legal actions. One such instance is the uncertainty surrounding the formal force and further judicial reviewability of soft law guidance that can be used for ensuring compliance. More specifically, parties may question the binding force of such documents and disagree on their content and the procedure preceding their adoption. Yet such soft law documents could form the basis of enforcement decisions vis-à-vis private actors, including the imposition of fines. While an addressee may question the decision imposing the fine, soft law instruments as such cannot be challenged through an action for annulment (Article 263 of the Treaty on the Functioning of the European Union (TFEU)) (see Chapter 14). In any case, to question the controversial soft law guidance, a private party would need to go through all three stages of the enforcement process, which requires time and resources. Against this background, other channels seem necessary to make sure that the relevant parties are not denied access to justice. Think, for instance, of the right to participate and to be consulted ex ante, when soft law instruments are being adopted. In light of the aforementioned better compliance studies, perhaps even the right to request helpful guidance and/or be educated (by the EU authority) as to how to comply with such documents is required.

11.2.1.2 Investigation

The investigation of potential violations of laws, rules, or norms is the next stage of enforcement after monitoring, though in some cases there may be no public authority role in monitoring as such. When monitoring does take place, ‘day-to-day’ supervision can give rise to a suspicion that a substantive norm has been infringed, which, as a result, can function as a prelude to a subsequent investigation. Investigations are there to gather information/evidence on the basis of which proof can be established that can (help) justify the imposition of a subsequent (punitive) sanction against those to which the substantive norm in question is addressed by either the European law enforcement authority in question or by another EU or national authority.Footnote 16

The fundamental rights that are most often – though by no means exclusively – interfered with during investigations are the right to privacy and the right to a fair trial. According to Article 7 of the Charter of Fundamental Rights of the European Union (CFR), everyone has the right to respect for, among other things, their private and family life, home, and communications.Footnote 17 It is particularly this right’s dimensions of ‘home’ and ‘communications’ that are at issue during investigations. The reason for including the right to a fair trial is that the investigation phase in many ways determines the conditions that allow for or inhibit a future trial from being fair.Footnote 18 An illustrative example in this regard, drawn from the well of case law of the European Court of Human Rights (ECtHR), is not being able to consult with a lawyer during an interrogation by police authorities and the subsequent admissibility of that evidence at trial.Footnote 19 Another example, of particular importance at the interface of non-punitive (EU) and parallel or subsequent punitive proceedings (EU or national), is where an individual is under a duty to cooperate during administrative investigations and this information is later used against them in punitive proceedings, thereby breaching the privilege against self-incrimination.Footnote 20

All in all, in the investigation of potential violations of EU law, EU enforcement authorities may have directly or via relevant national authorities the powers to enter premises, to request information/interview, and to make a production order/require access to information. To ensure that the fundamental rights at stake are adequately protected, investigatory powers must have a ‘sound basis in law’Footnote 21 and investigations must respect defence rights and safeguards such as, among others, the right to have access to a lawyer, the privilege against self-incrimination, the legal professional privilege, the right to be informed, and the right to translation.Footnote 22

11.2.1.3 Sanctioning

If the investigation leads to the conclusion that there is a violation of the law, the sanctioning stage may follow. Sanctions vary greatly across sectors: warnings, fines, periodic penalty payments and interim measures, suspension of voting rights, withdrawals of licences, recommendations, and public notices, to name but a few. There seems to be a development in legislation and in enforcement practice resembling the scholarly ideas of the usefulness of ‘responsive regulation’ and of the ‘enforcement pyramid’.Footnote 23 These theories support the idea that to respond to non-compliance in the most proportionate way, depending on the severity of the violation, the enforcement authority should gradually escalate its enforcement response from the lighter tools (e.g., informal warnings) to the heftier ones (e.g., fines and withdrawal of licences).

As the sanctioning stage has the most intrusive effect upon the ability to exercise certain rights and freedoms, like the right to property or the freedom to conduct a business, it is essential to have in place mechanisms to control potential abuses of enforcement authorities’ sanctioning powers. In the first instance, before the imposition of measures adversely affecting their interests, the relevant private parties must be granted the right to have access to the file and be informed of the allegations against them and be put in a position to respond to such allegations through the effective exercise of their right to be heard. Secondly, addressees of a sanctioning decision must be able to challenge it before a court. Thirdly, the existence of other safeguards and principles, such as the principles of legality and proportionality are essential. Montaldo elaborates in this respect the principle of proportionality, ‘the more intense a public power and its effects on individuals are, the more demanding this principle becomes. This is why proportionality is of a particular significance in the domain of sanctions, where the magnitude of public coercive powers reaches its peak’.Footnote 24 Therefore, as a fourth point, it is important to ensure that the decision-making processes and the bodies determining the type and severity of a sanction are independent, impartial, and transparent. For this, the enforcement authority needs to have its independent operation secured de jure and de facto. Finally, political controls over sanctioning policies and choices of a supervisor may be seen as mechanisms complementing access to justice.

11.2.2 The Evolution of the Concept of Access to Justice in Enforcement Matters: Beyond the Nation-State and beyond the ‘Judge’

Thus far we have looked at the function of fundamental rights within the nation-state and subsequently highlighted the fundamental rights that are at risk of being violated during the three different enforcement stages. In this section, we aim to show that even though an increasing number of EU policy areas are enforced directly at the EU level, this development has largely not been accompanied by a change in which judicial control is offered. In other words, while tasks are shared, controls remain separated.Footnote 25

The traditional method of enforcing EU norms has been that of ‘indirect’ or ‘decentralised’ enforcement: the EU legislator sets out substantive norms and the EU Member States enforce them.Footnote 26 In enforcing EU norms, Member States enjoy enforcement autonomy, a term meant to indicate that where Union law does not lay down enforcement specificities, Member States remain free to lay down national procedural rules for the enforcement of EU rights.Footnote 27 However, indirect enforcement does not always bring about the envisaged results. Relevant literature has attributed problems of non-implementation of and non-compliance with EU policies to such causes as political unwillingness at the Member State level and lack of national resources.Footnote 28

One way of addressing the aforementioned (indirect) enforcement deficit has been the shift towards direct modes of enforcing EU law, notably through the creation of EU law enforcement authorities: supranational actors created by EU law that have at their disposal enforcement powers and monitor compliance, investigate suspected violations, and/or sanction non-compliance with EU law.Footnote 29 In the context of direct enforcement of EU law, various new modes of interaction between the EU and the national level have been instituted. These novel modes of EU administration have been characterised as shared, mixed, multilevel, multijurisdictional, composite, and integrated.Footnote 30 Their common denominator is that, under the umbrella of an EU actor, the different national legal orders of the Member State are brought together.Footnote 31 EU actors are in constant liaison with national counterparts and operate in a functional EU territory.Footnote 32 Direct enforcement of EU law by EU law enforcement authorities challenges the traditional understanding of fundamental rights,Footnote 33 including the right of access to a court and to remedies. We shall illustrate this point by means of three examples.

The first example concerns difficulties pertaining to effectuation of the right of access to a court when an EU binding measure culminates in a national sanction: in the investigative stage of enforcement, an EU authority carries out an on-site inspection at the business premises of a private party and obtains important evidence suggesting that the investigated person violated substantive legal provisions. However, given that the EU authority is not competent to sanction on its own motion, it requests that its national counterpart opens sanctioning proceedings vis-à-vis the aforementioned private party. A sanction is indeed imposed by the EU authority’s national counterpart. The affected party appeals the decision before the competent national court arguing inter alia that the EU authority engaged in a fishing expedition thereby violating their right to privacy. In light of the well-known Foto-Frost doctrine,Footnote 34 national courts are not allowed to invalidate acts of EU organs. The only possibility then left to the reviewing national court is to make use of the preliminary reference procedure (see Chapter 4) and refer a question to the Court of Justice.

A second example concerns national enforcement action leading to EU sanctions and the difficulties surrounding the review – by EU courts – of the national part of such a shared procedure. Think of the following example. A national enforcement authority obtains evidence in the context of an on-site inspection. That evidence is thereafter transferred to the EU authority. Subsequently, based on that evidence, the EU actor imposes on the investigated person a punitive sanction. However, the addressee of the EU sanction argues that, in obtaining the critical piece of evidence, the national authority acted unlawfully. Can the Court of Justice of the European Union (CJEU), which will be called upon to review the final EU decision in accordance with Article 263 TFEU, also review the legality of the acts of the national organs? The CJEU has asserted in that respect that the principle of ‘single judicial review’,Footnote 35 which emanates from the principle of sincere cooperation (Article 4(3) Treaty on European Union (TEU)), demands that the EU courts alone carry out judicial review, that is, they are exclusively competent to review the legality of the acts of national organs. While the reasoning behind the court’s view, namely that single judicial review rules out the possibility of contradictory rulings, is compelling, at the same time, the court has not yet explained on the basis of which standards – EU or national – such national acts shall be reviewed.Footnote 36

A third example concerns the situation in which an EU authority carries out (non- binding) preparatory work that forms the basis for the opening of a national sanctioning procedure. However, according to the CJEU, given that the action of the EU authority was merely preparatory, and therefore did not affect the legal position of the individual, that individual is now unable to question the legality of the act of the EU authority through an action for annulment.Footnote 37

All three examples demonstrate that while we witness a shift in the ways in which Union law in particular policy areas is enforced, this shift has largely not been accompanied by a change in the way in which judicial control is offered to remedy violations of rights suffered by the individual subject to enforcement action. While procedures for the enforcement of EU law are increasingly hybrid/ shared between EU and national actors, judicial review seems to be stuck to dogmas developed within the nation state, according to which a court is only competent to review acts emanating from organs within that court’s own jurisdiction. As a result, effective access to a court might in fact become illusory, seeing as the mechanisms currently foreseen, like the preliminary reference procedure, may be quite lengthy and cumbersome for an individual to seek. After all, as has been rightly noted in that respect – ‘justice delayed is justice denied’.Footnote 38 Furthermore, EU courts reviewing the legality of national measures may not always be well placed to carry out a full review of national questions of law and fact.Footnote 39 In other circumstances, decisive preparatory acts of EU authorities are not subject to any review as they do not change the legal position of the concerned party. This is precisely the reason why the main argument that we wish to bring forward in this contribution is that access to justice is (or must be) more than access to a court. As access to a court may – in the multijurisdictional EU law enforcement setting – know certain limitations, it is essential that judicial mechanisms are complemented or accompanied by sufficient non-judicial control mechanisms.

The other important argument here is that enforcement features certain characteristics that necessitate other forms of control, from a functional perspective. Establishing enforcement priorities as to how to allocate scarce human, financial, and technological resources and equipment in enforcement, which clearly can affect private parties’ access to justice, is an area where political accountability normally plays an essential role. Access to non-judicial control mechanisms may then allow many more possibilities, actors, and procedures to make sure that rights and freedoms are being ensured. At the end of the day, justice means solving the problem at stake and ensuring the effectiveness of policies in a legitimate way, including with the protection of fundamental rights. Achieving ‘justice beyond the judge’ could be done, for instance, through the availability of mechanisms of direct complaint procedures before public authorities (administrative bodies and other dispute resolution tools), contacting members of parliament (political accountability), quasi-legal routes (Ombudsman), mechanisms of external review, or even informal channels. This is especially the case if the enforcement authority lacks independence in its enforcement operations, that is, the ability to withstand pressures from the political sphere and the supervised sector. How could one ensure their fundamental rights if the enforcement authority were dependent on a political will or an industry lobby when making such essential and far-reaching choices as whether to investigate a case or not or to impose a sanction or not? Enforcement action can only ensure fundamental rights and be legitimate if the enforcer (institution, staff, procedures) can be organised in an impartial way. To do this, independence should be guaranteed. In light of rich academic literature on this concept, one can distil the necessity of having relevant de jure obligations (institutional, personnel, financial dimensions to protect functional discretion)Footnote 40 brought to life de facto, thanks to having relevant institutional and contextual culture.

In Section 11.3, we will follow the distinction between the judicial and non-judicial remedies for the enforcement actions of the three selected EU law enforcement authorities and touch upon the question of independence of relevant authorities and their staff.

11.3 Implementation of Access to Justice in the Legal Frameworks of EU Law Enforcement Authorities: The Case of ESMA, DG COMP, and OLAF

In this section, we look at the legal frameworks of three EU enforcement authorities – ESMA, DG COMP, and OLAF. These three have been selected in light of the three types of division of competences between EU and national authorities distinguished earlier – hierarchical, parallel, and supportive.Footnote 41 The first refers to a hierarchical positioning of the EU enforcement authority above the national authority. This is so for ESMA. The second division of competences exists where the EU and national authorities operate in parallel. That is the case for DG COMP. The third and last division of competences, which applies to OLAF, is where the EU authority acts mainly in support of national authorities.Footnote 42 The aim of this section is to explore which of these types of division of enforcement competences may be more or less likely to ensure access to justice.

11.3.1 ESMA

ESMA enjoys direct powers in all three stages of enforcement. ESMA contributes to ensuring stability and safety of financial markets by regulating and supervising private actors like credit rating agencies (CRAs) and trade repositories (TRs). At the same time, as ESMA activities interfere with the freedoms of private parties, it has to respect these parties’ fundamental rights and freedoms. How does ESMA do this? First of all, to be able to operate on the EU financial markets, supervised private entities, for example, CRAs, shall receive an authorisation/licence from ESMA. For instance, CRAs assign credit ratings to individual companies and countries. Such ratings may be used by investors to decide whether they wish to invest in debt securities, therefore ESMA supervises these entities together with relevant national counterparts and it ensures that ratings are not based on falsified information. ESMA can delegate some powers to its national counterparts, however, it normally does not do so. The main reason why ESMA carries out supervisory and enforcement tasks by itself is that – by virtue of EU law – it has at its disposal all necessary direct supervisory and enforcement powers. In that sense, unlike other EU enforcement authorities, it does not rely on the powers of national counterparts. For many years, ESMA has had a dedicated supervision department that monitors these entities’ performance and ensures compliance with relevant laws in various ways.

To be specific about its enforcement powers, ESMA can issue a great number of soft law documents clarifying how relevant sectoral laws are to be implemented. For instance, ESMA often issues technical standards that are to be endorsed by the Commission (for instance, Commission Delegated Regulation (EU) No 449/2012 where the terms of application for registration licence for CRAs are clarified, including which information needs to be submitted and through which forms). ESMA can address requests for information to supervised entities and carry out inspections, which are ‘risk-based, proportionate, forward looking and action oriented’.Footnote 43 Finally, financial market participants have the opportunity to pose questions to ESMA through its webpage and ESMA’s answers form additional guidance, the so-called Q&As.

Once the selected private actors are registered/licensed, ESMA monitors them, can investigate possible suspicions of non-compliant behaviour, and can sanction violations via public notices and fines. The law is clear as to the sole responsibility of ESMA over these participants of financial markets. ESMA does not have to share any powers with the relevant authorities at the national level, unless it chooses to delegate some tasks or requires assistance at the national level.

Information gathering is crucial for enforcement in the financial sector. In that respect, ESMA has set a number of requirements as to the information that has to be submitted to its supervisory section on a regular basis. For instance, CRAs have to report rating data to ESMA, which ESMA then analyses. In 2013, ESMA issued Recommendations and Guidelines on the scope of Credit Rating Agency Regulation (CRAR)Footnote 44 addressed to, among others, CRAs. In addition, ESMA can perform on-site inspections to get more evidence-based information in addition to its desk-based analysis and it can also receive complaints to check an element concerning CRAs and their reporting. Article 23 (b–e) CRAR sets detailed rules as to how and when ESMA can request information when it supervises and when an Independent Investigator may investigate issues that have given rise to suspicion of violating the law and lead to sanctioning.

11.3.1.1 ESMA and the Person Concerned’s Judicial Remedies: ‘Access to Court’

Generally speaking, the fact that ESMA is solely responsible for overseeing the relevant private actors and for sanctioning non-compliance makes access to the court a clear-cut issue. ESMA is an EU agency, and its decisions are legally binding for the addressees; the latter can appeal final decisions to ESMA’s Board of Appeal and to the CJEU. Concerning the respect of fundamental rights in relation to CRAs, the relevant legislation (such as CRAR) provides relevant procedural safeguards for all the stages of enforcement. There are rules on how to submit questions for the Q&A guidelines. At the monitoring stage, when ESMA addresses information requests to supervised entities, it must abide by a list of requirements, including the obligation to state reasons and an indication of the possibility to request information (Article 23b). The same applies to general investigations and on-site inspections. Article 23e CRAR provides specific procedures for deciding on a fine, including the observation of the right to be heard, which shall be granted during the investigation by the Independent Investigation Officer (IIO) and before the Board adopts the final decision and determines the amount of the fine, if relevant. The fines are specified in Article 36a and relevant annex III and vary depending on the violation and whether it happened ‘intentionally or negligently’, where the latter would lead to a lower fine. As the enforcement has the most detrimental effect upon the rights and freedoms of private actors, the final decisions and fines can be subject to appeal before the Board of Appeal (BoA), which is a joint BoA for three EU supervisory agencies, and then before the CJEU. Article 36e CRAR states, among others, that the CJEU ‘may annul, reduce or increase the fine or periodic penalty payment imposed’.

There are three instances where one may question the clarity of procedural safeguards and the availability of judicial review. First, ESMA’s guidelines and Q&As fall within the category of so-called soft law (see Chapter 14). The adoption of soft law has been regulated by ESMA’s founding regulation (Articles 10–16 Regulation 1095/2010, as amended in 2019), yet the adoption procedure gives ESMA some discretion whether or not to hold a public consultation. There may be instances where the public and the financial market participants are not consulted. As there is no normative framework regarding the question of the extent to which a public consultation and participatory rights should be there, the CJEU’s restricted possibility to review soft law may be seen as problematic. It seems debatable whether private parties should be under an obligation to comply with soft law de jure if they have not been consulted ex ante as regards the adoption of soft law potentially affecting their operation and supervision over them. This is in part because ESMA is an independent agency lacking fully-fledged input legitimacy itself. If the court is so strict as to the status and review of soft law, one may need to have an obligation to enhance the ex ante participation of private actors in adopting soft law. This comes from the idea of having a more comprehensive system of control.Footnote 45

Secondly, the legal status of the applicable soft law is unclear. Even though recent case-law (FBF) clarifies the possibility to question the validity of soft law through the preliminary reference procedure, the initiation of action against soft law by the addressee is unclear still.Footnote 46

Finally, as recent research shows,Footnote 47 the legislative language of acts regulating ESMA’s enforcement powers and procedures is not always clear and may raise questions. More specifically, it is not clear how terms such as ‘intentional’ or ‘negligent’ violations by private actors shall be interpreted. This includes, for instance, the question as to where to look for guidance – EU and/or national legal systems and in which areas (public, criminal, private, etc.) when one has to respect procedural safeguards and interpret EU law that lacks clarity as to which law should apply. Furthermore, CRAR allows national procedural differences to be part of ESMA’s procedures when it states that ESMA has to respect national laws when going on-site. This may lead to different procedural guarantees, which are defined nationally, for private parties in similar situations. For instance, if ESMA decides to inspect a private actor in a country where a judicial authorisation is required before the inspection, the private actor may experience more protection (judicial check on the inspection decision), than if no such national requirement is imposed on ESMA. The question is whether there is enough of a safeguard to ensure that ESMA is prevented from potential forum shopping among the jurisdictions when choosing where to inspect and, further, whether such divergent standards are allowed.Footnote 48

11.3.1.2 ESMA and the Person Concerned’s Non-judicial Remedies: ‘Access to Justice’

The recently amended 2019 founding regulation of ESMA (Regulation (EU) 2019/2175) includes a new article, a so far unprecedented clause that can be seen as an additional tool to seek ‘justice’. Article 60a establishes a new procedure on how to address acts exceeding ESMA’s competence: ‘Any natural or legal person may send reasoned advice to the Commission if that person is of the opinion that the Authority has exceeded its competence.’ The operation of this provision is as yet unclear. Furthermore, this policy area is one where many private actors, their associations, and lobby organisations operate. Clearly, all these actors and citizens can address relevant MEPs with their concerns about ESMA’s operation, and the European Parliament can exercise political accountability (Article 3 of the founding regulation) through ad hoc hearings and through the submission of annual reports. The EU Ombudsman is available, too, as this is an institution that can be approached by anyone who has experienced maladministration by EU institutions and agencies.

11.3.1.3 The Degree of Independence of ESMA

As mentioned, the protection of fundamental rights in enforcement is tightly interconnected with independence of the supervisor. For this reason, the independence of ESMA has been regulated in secondary law (Articles 42, 46, 49, 52, 59, 62 of the founding regulation) and internal policies and documents available online.Footnote 49 The de jure organisation of independence seems quite advanced. The personnel independence is regulated for both the top-level functions, staff and non-staff, and is based on legal requirements for appointment, sophisticated appointment and removal procedures for the top-level official, and considerations of ethical behaviour and subsequent positions. The set-up of ESMA respects institutional and financial independence (Article 5 – legal personality, Article 62 – independence for contributions to the budget and a mixed composition of the budget). For the enforcement as such, an element of independence is seen in delineating the supervisory, investigation, and sanctioning stages, each of which is exercised by different sections/personnel of ESMA with the possibility to be heard when it comes to investigations and sanctioning.

11.3.2 DG COMP and the European Competition Network

Enshrined in Articles 101 and 102 TFEU, EU antitrust rules are addressed to economic operators. They prohibit agreements between competitors that harm competition and anticompetitive unilateral conduct by dominant firms. In that sense, the individuals whose rights may be interfered with in the course of antitrust proceedings are first and foremost economic operators, commonly known as ‘undertakings’. However, the fundamental rights of other parties, like those of complainants, may also be at stake.Footnote 50 Indeed, third-party complaints play a key role in the public enforcement of antitrust rules, in view of the fact that, through third-party complaints, competition authorities may often become aware of alleged irregularities in the markets.

Regulation 1/2003Footnote 51 has introduced a system of parallel enforcement, meaning that DG COMP and the national competition authorities (NCAs) enforce Articles 101 and 102 TFEU in tandem. To that effect, they are enabled to exchange with each other information and use in evidence any matter of fact or of law.Footnote 52 Given that a system of parallel competences may give rise to parallel proceedings, which is problematic not only from an efficiency perspective but also from a fundamental rights perspective (ne bis in idem), duplication of effort is avoided in at least two ways. First, Article 11(6) of Regulation 1/2003 foresees that the initiation by DG COMP of antitrust proceedings shall relieve the NCAs of their competence to enforce Articles 101 and 102 TFEU. Secondly, the European Competition Network (ECN),Footnote 53 a network that brings together DG COMP and the twenty-seven NCAs, functions as a forum for case allocationFootnote 54 and information exchange, which ultimately contributes to avoiding duplication of efforts and proceedings. The ECN does not, however, possess legal personality, therefore its allocation decisions may not be appealed before a court, which raises important questions concerning the (non-judicial) remedies that concerned undertakings are able to seek vis-à-vis ECN case allocation that may be affecting their legal position. This will be further discussed below.

DG COMP has a plethora of investigative and sanctioning powers. More specifically, it may carry out investigations into sectors of the economy (sector inquiries),Footnote 55 request information from undertakings by simple request or by decision,Footnote 56 interview legal or natural persons who consent to be interviewed,Footnote 57 and carry out on-site inspections at business premisesFootnote 58 and other premises, land, and means of transport.Footnote 59 It is important to note that, with the exception of information requests ordered by simple request, and requests for interviews, all of DG COMP’s powers are of a coercive nature, as refusal to cooperate could result in the imposition of punitive sanctions.Footnote 60 As to sanctioning powers,Footnote 61 where substantive antitrust rules have been violated, DG COMP has the power to impose punitive finesFootnote 62 and periodic penalty payments.Footnote 63

The fundamental rights that are primarily at stake during antitrust investigations are the obligation to state reasons, the right to privacy – particularly during on-site inspections and fair trial rights, such as access to a lawyer, the legal professional privilege, and the privilege against self- incrimination. During the inter partes stage, which follows the investigative stage, the right to good administration (Article 41 CFR) and more specifically the right to have access to the file and the right to be heard are of paramount importance. Regarding the sanctioning stage, the principle of legality, the proportionality of the sanction, and the prohibition against double jeopardy (ne bis in idem) come into play.

11.3.2.1 Safeguards and Defence Rights in DG COMP’s Legal Framework

DG COMP’s legal framework contains various procedural safeguards. Some of these are included in Regulation 1/2003 and in Regulation 773/2004,Footnote 64 while others were initially developed in the case law of the CJEU and were subsequently included in DG COMP’s internal manual of proceduresFootnote 65 and in European Commission soft law instruments.Footnote 66 More specifically, if DG COMP rejects a complaint, they must respect the duty to state reasons.Footnote 67 Information requests ordered pursuant to a decision must also respect the obligation to state reasons, by specifying as a minimum the legal basis, the purpose of the request, and the required information and by fixing time-limits.Footnote 68 Likewise, on-site inspections must be ordered on the basis of a decision specifying the subject matter and purpose of the inspection. If, for the performance of an inspection, national law requires ex ante authorisation by a judicial authority,Footnote 69 national courts are competent to review the arbitrariness and excessiveness of the envisaged coercive measures, while the CJEU is competent to carry out a lawfulness check.Footnote 70 During an investigation, undertakings are allowed to consult their lawyerFootnote 71 and are entitled to a (limited) right to remain silent.Footnote 72 Furthermore, undertakings may invoke the confidentiality of communications between lawyer and client (legal professional privilege).Footnote 73 Following the investigation phase, if DG COMP considers that there are grounds to continue the proceedings, they may either proceed towards the adoption of a statement of objections (SO) or engage in discussion with an eye to a commitment decision.Footnote 74 If an SO is adopted, undertakings must be granted the right to be heardFootnote 75 and to have access to the file.Footnote 76 When imposing sanctions and setting the amount of fines, DG COMP must respect the principle of proportionality.Footnote 77 To that effect, the Commission has published Guidelines on the method of setting fines.Footnote 78

The NCAs’ powers are laid down in national law. Directive ECN+ seeks to harmonise the minimum investigative and sanctioning powers that NCAs must have at their disposal,Footnote 79 admissibility of evidence,Footnote 80 and safeguards.Footnote 81 However, seeing as the ECN+ Directive is a minimum harmonisation instrument, the national standards regarding the protection of defence rights in investigations for the enforcement of EU competition law still differ to a significant extent.Footnote 82

11.3.2.2 DG COMP and the Person Concerned’s Judicial Remedies: ‘Access to Court’

The addressees of final European Commission decisions can appeal them directly before the CJEU by means of an action for annulment.Footnote 83 Final decisions are understood as those that bring about a distinct change in the legal position of their addressee,Footnote 84 such as a decision to perform an on-site inspection, information requests by decision, settlement and commitment decisions, decisions to impose fines and periodic penalty payments, and decisions to reject a complaint.

More problematic in light of judicial accountability is the issue of the ECN’s allocation decisions. Given that the ECN lacks legal personality, such decisions are not open to judicial review. Yet if one considers allocation decisions tantamount to a choice of forum, which may in turn significantly affect the legal position and the content of the defence rights that are available to investigated individuals, the question arises as to how persons affected by allocation decisions can seek effective remedies. Furthermore, DG COMP’s broad margin of discretion in cartel investigations to choose to end a procedure by means of a settlement and not through the imposition of a fine, as well as its discretion to conclude a procedure by means of commitments, also raise questions from the perspective of access to a court. We do not, therefore, refer to the final decision as such, which is subject to the review of the CJEU in any case, but rather to the (interim) decision to choose one path and not another. These discretionary choices and the lack of judicial control thereof should therefore be offset by other non-judicial remedies, which we shall examine below.

11.3.2.3 DG COMP and the Person Concerned’s Non-judicial Remedies: ‘Access to Justice’
Political Accountability

Seeing as DG COMP is a European Commission Directorate, the rules regarding the Commission’s political accountability vis-à-vis the European Parliament (EP)Footnote 85 are applicable. More specifically, the Commission’s president is elected by the EP upon the Council’s proposal.Footnote 86 The Commission must submit to the EP an annual general report, which shall be discussed by the latter in open session.Footnote 87 In terms of rectification, under Article 17(8) TEU, the EP has the power to dismiss the Commission. Furthermore, under Article 226 TFEU, following the request of a quarter of its members, the EP may set up a temporary Committee of Inquiry to investigate alleged contraventions in the implementation of Union law. The European Commission and the EP have concluded a Framework Agreement that governs their relationsFootnote 88 and contains modalities to ‘strengthen the political responsibility and legitimacy of the Commission’.Footnote 89 The picture that emerges if one studies relevant documents of the past decade, such as EP reports and debates regarding Commission annual reports on competition policy is one where the EP repeatedly voices concerns regarding the lengthiness of antitrust investigations;Footnote 90 the lack of involvement of the EP when designing soft law instruments;Footnote 91 the independence of DG COMP; and, more specifically, the need for a strict separation between the internal divisions that draft guidelines and those that enforce them,Footnote 92 the lack of binding legal provisions concerning the setting of fines,Footnote 93 and the lack of comprehensive feedback on DG COMP’s part concerning specific requests made by the EP in the latter’s annual competition report.Footnote 94 All of this shows that the adoption and enforcement of soft law instruments may not be as transparent.

In addition to the EP, the Commission and thus DG COMP are subject to the checks of the ECA. Pursuant to Articles 285–287 TFEU, the ECA checks whether the EU budget was raised and spent lawfully and whether financial management was sound.Footnote 95

The NCAs are accountable vis-à-vis national parliaments with a recital in the ECN+ Directive merely stating that Member States may require NCAs to publish periodic reports on their activities to national parliaments, while the monitoring of their financial expenditure might also be foreseen.Footnote 96

Due to lack of legal personality, the ECN cannot be held accountable vis-à-vis the EP or national parliaments regarding its (allocation) decisions. Interestingly, even though information concerning the ECN’s activities may be indirectly provided to the EP through the Commission’s annual report, it has been noted that ‘the EP’s debates and resolutions on the Commission annual reports reflect a very low level of accountability concerning the ECN’,Footnote 97 with the EP generally endorsing the functioning of the ECN and not raising any concerns regarding transparency and accountability within the ECN.Footnote 98

The Hearing Officers

A Hearing Officer is an independent person whose tasks revolve around safeguarding the effective exercise of procedural rights in DG COMP antitrust proceedings. Hearing Officers are not part of DG COMP but – for administrative purposes – are attached to the Competition Commissioner.Footnote 99 More specifically, undertakings may ask the Hearing Officer to examine claims that a document is covered by the legal professional privilege,Footnote 100 to examine requests related to the applicability of the privilege against self-incrimination,Footnote 101 to grant extension of time-limits,Footnote 102 and – where they find that undertakings have not been properly informed whether they are subject to the investigation, including its purpose and subject matter – to compel DG COMP to inform undertakings of their procedural status.Footnote 103 Moreover, Hearing Officers decide on whether the right to be heard – including an oral hearing – and the right to have access to the file can be granted to third parties, that is, persons other than those to whom the SO is addressed.Footnote 104

11.3.2.4 Independence

In the context of EU antitrust law enforcement, the independence of the European Commission/DG COMP, the NCAs, and the ECN is critical for at least two reasons. First, given that competition authorities are empowered to impose fines of a criminal nature, within the meaning of Article 6 of European Convention on Human Rights (ECHR), it is logically expected that they must also meet the requirements of an ‘independent and impartial tribunal’.Footnote 105 Secondly, it has rightly been noted that, as various Member States may have an interest in national companies, through for instance the holding of shares, having an independent competition authority is instrumental in ensuring that the enforcement authority will not be captured by the industry/State interests.Footnote 106 Additionally, one should not forget that the need for independence transcends the authority to also reach the judiciary. Indeed, assuming that a competition authority is not an ‘independent and impartial tribunal’ within the meaning of Article 6 ECHR, it is of paramount importance that the judiciary reviewing the decisions of the competition authority is independent. Independence is then key for an individual’s access to justice, as the degree of independence of a competition authority may affect the overall fairness of antitrust enforcement proceedings.

With respect to DG Comp’s independence, pursuant to Article 245 TFEU, the members of the Commission shall be independent. In addition, a number of checks and balances aim at ensuring the independence of the decision-making process. More specifically, an Advisory Committee is established, which consists of members of the twenty-seven NCAs, the Hearing Officer, the Commission’s legal service, and a Chief Economist. That committee must always be consulted prior to the adoption of a decision.Footnote 107 As far as the NCAs are concerned, independence requirements are set out in Article 4 of the ECN+ Directive.

Lately, the de facto independence of the Commission, the NCAs, and the ECN have been questioned. As far as the Commission is concerned, it has been noted that, notwithstanding the control exerted by the Advisory Committee, the fact remains that decisions are taken by the College of Commissioners, a decision-making body consisting of twenty-seven politicians prone to political lobbying and external influences.Footnote 108 As regards the NCAs, it is yet to be seen whether and, if so, to what extent the inclusion of quite broadly formulated independence requirements in the ECN+ Directive will bring about the envisaged results. One thing is for sure: at the moment, the rule of law crisis in various EU Member States places the independence of competition authorities and of the courts subsequently reviewing their decision in a state of flux. Considering that the Commission is allowed to reject complaints on the grounds that an NCA is better placed to examine a complaint,Footnote 109 combined with the fact that allocation decisions that take place within the ECN are not subject to any (judicial) control, it becomes evident that some cases may end up being dealt with by NCAs whose independence can be strongly questioned, without the individual having at their disposal any judicial avenue to attain justice.

11.3.3 OLAF

OLAF’s mission is to step up the fight against fraud, corruption, and any other illegal activity affecting the financial interests of the Union.Footnote 110 To that end, OLAF carries out administrative investigations in the Member States (i.e., ‘external investigations’) and in the Union’s institutions, bodies, offices, and agencies (i.e., ‘internal investigations’).Footnote 111 For reasons of clarity, we consider only the first – external – type of investigations. OLAF investigates so-called persons concerned: any natural or legal person suspected of having committed any act that falls within OLAF’s mandate. To be sure, this mandate is very broad and covers potentially any act where Union money is involved, irrespective of the policy area affected and irrespective of where – at the EU or Member State level – the alleged infringement has taken place.

OLAF, as should be clear by now, is an investigatory body. It does not monitor nor does it impose sanctions. OLAF’s Director-General opens an investigation when there is a ‘sufficient suspicion’, which is often based on information that derives from third parties, that may or may not have monitoring functions or anonymous information.Footnote 112 At the end of an investigation, when OLAF wishes to see follow-up to its work – in the form of sanctions or otherwise – its Director-General draws up a report (often) accompanied by recommendations that indicate the action to be taken by the Member State concerned: disciplinary, administrative, financial, or judicial (i.e., punitive) action.Footnote 113 OLAF’s reports are admissible as evidence in national proceedings.Footnote 114

The fundamental rights that may be interfered with or violated, considering OLAF’s restricted investigatory task, are limited to those outlined in Section 11.2.1: the right to privacy and the right to a fair trial. With respect to the first, as indicated earlier, OLAF’s on-the-spot checks and inspections interfere with the natural or legal person’s right to respect for the home and their communications, as protected by Article 7 CFR.Footnote 115 The right to a fair trial is not directly at risk in OLAF’s investigations. After all, the (potential) trial before a Member State court only takes place after OLAF has concluded its work. Nevertheless, the way in which OLAF obtains evidence during its investigations – by means of its on-the-spot checks and its interviews – is of importance for the trial and sanctioning phase and what OLAF does ‘often determines the framework in which the offence charged will be considered at the trial’.Footnote 116 OLAF’s legal framework recognises this and, accordingly, provides the person concerned with the necessary procedural guarantees.Footnote 117 The person concerned has the right to avoid self-incrimination even though OLAF exercises no compulsion. In addition, they have the right to be assisted by a ‘person of choice’; a broad denominator that includes lawyers. Once the investigation has been completed and before conclusions referring to a person concerned by name are drawn up, that person shall be given the opportunity to comment on the facts concerning them.Footnote 118 In other words, while OLAF’s legal framework does not say so explicitly, the person concerned has a right to be heard before the report is transmitted for follow-up proceedings. Beyond that, to make the exercise of procedural safeguards effective, the person concerned also has the right to be informed of the safeguards with which OLAF must comply.Footnote 119

11.3.3.1 Safeguards and Defence Rights in OLAF’s Legal Framework

While OLAF’s legal framework offers a host of safeguards, some are notably absent. The legal professional privilege is awarded no particular status in OLAF’s legal framework and is mentioned only in passing in internal guidelines. If during digital forensics operations in the context of an on-the-spot check the person concerned claims that the device in question contains data of a legally privileged nature, the data shall be acquired and placed in a sealed envelope. The representative of the economic operator shall be told that they will be invited for a meeting to resolve the issue before OLAF opens the sealed envelope.Footnote 120 The internal guidelines do not dictate whether the information, if indeed it falls under the scope of the legal professional privilege, may still be used or whether it must be excluded from the case file if OLAF and the person concerned do not come to a resolution on the issue. Additionally, it seems to regulate only those situations in which privileged information is stored digitally; ‘physical’ privileged information – letters and the like – are not accorded protection.

Another safeguard that, until recently, was notably absent is the right to have access to the file. Contrary to other fields of law, such as competition law enforcement by DG COMP, the CJEU refused for a long time to extend the protection of the right to have access to the file to the OLAF. The reasoning that underpinned the Court’s judgment was that no obligation under EU (fundamental rights) law existed to grant the person concerned access to the file, because (i) OLAF’s report – that is, the end-product of its work – does not bind the Member State authorities to which it is addressed; and/or (ii) it is these national authorities that, ultimately, bring about a ‘distinct change’ in the concerned person’s legal position. According to the CJEU, it is incumbent on the authority initiating the follow-up to OLAF’s investigative work to grant access to the file.Footnote 121 In the last few years, the CJEU seemingly has backed down, ever so slightly, from this position. In Homoki v Commission, the CJEU held that OLAF cannot refuse the person concerned access to the investigation report after an investigation has been closed and when such disclosure would no longer prejudice OLAF or its investigations.Footnote 122 In a similar application in Vendrame v Commission, yet to be decided on, Vendrame lodged an action before the CJEU complaining of OLAF’s refusal to grant access to the investigation report.Footnote 123

Because of OLAF’s limited (investigatory) task and the consequent need for national authorities to jump in when follow-up, by means of further investigations and/or ultimately sanctioning, is necessary, there is a division of responsibility (and of labour) when it comes to ensuring access to justice in the case of fundamental rights interferences and violations. In Sections 11.3.3.2 and 11.3.3.3, we highlight how this division features in the person concerned’s quest for access to judicial remedies and non-judicial remedies.

11.3.3.2 OLAF and the Person Concerned’s Judicial Remedies: ‘Access to Court’

OLAF’s investigative acts can interfere with or violate the person concerned’s fundamental rights. Because these acts are imputable to the EU legal order, judicial control – at least in theory – is available at the EU level. The CJEU controls OLAF’s investigations by means of the action for annulment and the action for damages.Footnote 124 Beyond these two direct forms of review before the EU court, a person can indirectly have an OLAF act reviewed when a national court refers a preliminary question on the validity of an OLAF act to the Court of Justice. Our discussion here will focus on the first two forms of (direct) review.

The Court of Justice has consistently qualified whatever OLAF does – its investigative acts as well as its investigation reports – as preparatory in nature, that is, measures that pave the way for a final decision at the national level and that, in and of themselves, do not bring about a distinct change in the legal position of the person concerned.Footnote 125 Such preparatory measures are, according to IBM v Commission, only open to an action for annulment where they themselves are the ‘culmination of a procedure distinct’ from a national decision on the liability of the person concerned.Footnote 126 Because OLAF, at least in external investigations, necessarily depends on national authorities for follow-up on its investigations, the ‘distinct procedure’ criterion poses, in the current OLAF framework, an almost insurmountable hurdle to persons concerned wishing to annul an act attributable to OLAF.Footnote 127

Because actions for annulment are essentially closed off to the person concerned, the only pathway still left open to them is an action for contractual or non-contractual damages because neither of these poses admissibility requirements. Actions for damages have thus far shown poor returns for the person concerned.Footnote 128 The main issue lies in establishing causality between the unlawful act in question and the damage incurred, the latter of which is in most cases ultimately felt at the domestic level.

11.3.3.3 OLAF and the Person Concerned’s Non-judicial Remedies: ‘Access to Justice’

To make up for or complement the individual’s lack of access to court, the EU legislator has put in place non-judicial mechanisms to try and hold OLAF accountable. Many of these mechanisms, put in place before the 2020 revision of OLAF’s legal framework, try to attain a degree of political accountability. The purpose of these political mechanisms is to provide a sense of ex post accountability that ‘helps promote transparency and to avoid arbitrariness in the exercise of OLAF’s functions. It provides for a forum to identify and discuss possible loopholes in the framework for investigations’.Footnote 129 These mechanisms do not, however, provide the person concerned with a pathway to justice because they do not relate to OLAF’s investigations in concreto, but – on the contrary – operate on an ‘investigation-overarching’ level and concern OLAF’s fulfilment of its investigative task in general. Moreover, the person concerned whose rights have been interfered with or violated in the context of an OLAF investigation is not placed in the driving seat and cannot by their own motion initiate actions before or in these fora. In other words, the person concerned is completely at the mercy of OLAF or other institutions. OLAF’s legal framework puts in place the following mechanisms to ensure political accountability: the duty to report to, and exchange views with, EU institutions; the European Court of Auditor’s audits; and supervision by OLAF’s Supervisory Committee.Footnote 130

In addition to forms of political accountability, OLAF’s legal framework has in place a number of internal and external review mechanisms that allow for some means of controlling the legality of OLAF’s investigations: (i) OLAF’s Review Team, (ii) the controller of procedural guarantees, and (iii), the Ombudsman. We discuss each in turn.

Internal Review
OLAF’s Review Team

OLAF’s legal framework obliges the Director-General to put in place an internal advisory and control procedure. This procedure includes a legality check relating, inter alia, to the respect of procedural guarantees and fundamental rights of the persons concerned and of the national law of the Member States concerned.Footnote 131 This legality check is to be carried out by OLAF’s Review Team, which consists of experts in law and investigative procedures.Footnote 132 The end product of a review – both ex ante and ex post – is an opinion that the Review Team provides to OLAF’s DG. The DG, in turn, uses this opinion as a basis for decision-making.

While praiseworthy, there are notable caveats. The first and foremost is that it does not give the person concerned whose fundamental rights have been interfered with or have been violated a means to have their voice heard. The person concerned cannot request that the Review Team assess the legality of a particular investigative act or evaluate interferences with their fundamental rights. Secondly, the Review Team is not independent. The team, while not involved in carrying out investigative acts or writing the report, is part of OLAF’s staff and, in that guise, operates under the authority of the DG.Footnote 133 Thirdly, and already mentioned above, the Review Team does not have decision-making power. Its opinions are advisory only and the DG may deviate from these opinions if they wish to do so.Footnote 134 Fourth, one can question the effectiveness of the review. OLAF’s SC issued an opinion in which it found that that the Review Team’s opinions were not systematically followed-up on.Footnote 135

External Review
The Controller of Procedural Guarantees

OLAF’s legal framework quite recently established the Controller of Procedural Guarantees.Footnote 136 The Controller is appointed by the Commission and is administratively attached to OLAF’s SC.Footnote 137 The Controller’s purpose, as the name already suggests, is to ensure that the person concerned’s procedural guarantees and fundamental rights are protected and complied with.Footnote 138 To that end, OLAF’s legal framework provides for a complaints mechanism that allows the person concerned to lodge a complaint with the Controller regarding OLAF’s compliance with procedural guarantees as well as on the grounds of an infringement of the rules applicable to investigations by the OLAF, in particular, infringements of procedural requirements and fundamental rights.Footnote 139 The Controller, when dealing with complaints, does not interfere with OLAF’s investigation but has access to the necessary case-related documents and may organise and conduct hearings.Footnote 140 The complaint mechanism is adversarial in nature: both OLAF and the person concerned can state their case and have the right to be heard before the Controller completes the assessment.Footnote 141 Where a breach is established, the Controller invites OLAF to take action to resolve the complaint. If the Controller finds the solution provided by OLAF satisfactory, the Controller closes the case; if the Controller does not find the solution satisfactory, they issue a recommendation on how to resolve the complaint.Footnote 142 OLAF’s DG takes appropriate action as warranted by the recommendation. If the DG decides not to follow the Controller’s recommendation, the DG shall communicate to the complainant and to the Controller the main reasons for that decision.Footnote 143

The Controller, in contrast to the Review Team, is completely independent both from OLAF and from the SC to which it is attached. The Controller neither seeks nor takes instructions from anyone in the performance of their duties.Footnote 144 Moreover, the Controller is concerned with inter alia the legality of specific investigative acts. Importantly, the person concerned can motu proprio lodge a complaint before the Controller. The person concerned does not depend on OLAF or other bodies or authorities in their quest to access justice. Notwithstanding all the above, the Controller – when push comes to shove – only has the power to issue recommendations. Although the DG must state reasons if they consider deviation justified, they can decide not to follow the Controller’s recommendation.

The Ombudsman

The European Ombudsman can receive complaints from the person concerned in relation to instances of maladministration by OLAF like it does for all Union institutions, bodies, offices, and agencies in accordance with its constitutional mandate.Footnote 145 Maladministration can include, among other things, the violation of fundamental rights of the person concerned.Footnote 146 On the basis of a complaint – or on their own initiative – the Ombudsman conducts inquiries into the alleged maladministration.Footnote 147 Where the Ombudsman establishes instances of maladministration, they make recommendations to OLAF to address these instances. In relation to OLAF the Ombudsman has, on a number of occasions, dealt with complaints. Many of these complaints have concerned OLAF’s refusal to provide access to the case file or the investigation report by persons concerned and third parties.Footnote 148 Other complaints concerned OLAF’s failure to follow the applicable investigative formalities and not affording the person concerned a reasonable opportunity to respond to the findings.Footnote 149

While the Ombudsman, in a similar fashion to the Controller of Procedural Guarantees, allows the person to file a complaint on their own initiative before an independent authority concerning interferences and violations of fundamental rights, the complaint also suffers from the same defects. At the end of its inquiry, when the Ombudsman closes a case by way of decision, they can only recommend remedial action to OLAF. These recommendations, as the name suggests, are just that: non-binding recommendations.

11.4 Discussion

The aim of this edited volume is to investigate whether private parties have remedies (judicial and non-judicial) available when their fundamental rights are violated by the EU (here: by an EU enforcement authority). From our analysis, we can identify three key, cross-cutting themes where concerns exist in relation to access to remedies when fundamental rights have been violated by EU law enforcement authorities. These are:

  1. 1. the limits of judicial review of non-binding preparatory acts and soft law instruments. As a corollary, the right to access to the court can be undermined;

  2. 2. the principle of national procedural autonomy may lead to different degrees of protection of fundamental rights, which can affect legal certainty and fairness; and

  3. 3. the limits of ex ante judicial remedies and of non-judicial remedies, like political accountability, which could mitigate gaps stemming from the limits of ex post judicial control and hence ensure more comprehensive control over executive discretion.

We briefly discuss these themes here and outline potential solutions to rectify the possible gaps in the protection of fundamental rights.

First, it is important to reiterate the following. During enforcement processes, EU law enforcement authorities, often together with national counterparts, may license private parties, monitor compliance, and investigate and/or sanction violations of the law. As such powers affect the rights and freedoms of private actors, EU law enforcement authorities are bound by the law to respect fundamental rights, such as the right to good administration (Article 41 CFR), the right to privacy (Article 7 CFR), fair trial rights (Articles 47/48 CFR), and the right of access to the court (Article 47 CFR). More specifically, the right to good administration includes the obligation to state reasons, the right to be informed, the right to be heard, and the right to have access to the file. The defence rights include, among others, the right to have access to a lawyer, the privilege against self-incrimination, and the legal professional privilege. In addition to that, sanctions must respect the principles of legality and proportionality of offences and penalties law (Article 49 CFR).

Going back to the first point of the list above, our analysis shows that enforcement by EU enforcement authorities can – by necessity or by design – allow for actions not easily amenable to judicial review, such as soft law and investigations that can (ultimately) result in punitive follow-up at the Member State level, which can nonetheless interfere with, and even violate, fundamental rights of the natural or legal person in question. In many of these instances, there is no possibility to obtain legal protection or to remedy these violations through the judicial avenue leading to Luxembourg. Think, for instance, about ESMA supervising private actors on a daily basis, including through informal conversations and guidance. From an effective enforcement perspective, the deployment of such informal tools seems essential to achieve compliance yet may lead to possible disagreements with the private actors. The private actors may have difficulties in having standing before the court if no de jure binding decision has been issued by ESMA against them or if soft law instruments have no legal force.

Furthermore, when various enforcement stages (monitoring, investigating, sanctioning) are exercised by the EU authority and its national counterparts, this can result in procedural hurdles in ensuring access to the court. A good example is OLAF. Because OLAF merely draws up a report accompanied by recommendations on the punitive follow-up to be taken at the Member State level and does not have the competence to impose sanctions, the CJEU has consistently held that the action for annulment is closed off for the person concerned as OLAF’s work is considered as preparatory and does not bring about change in the legal position of the person concerned (a standing requirement under TFEU Article 263). All the while, national courts do not possess the competence to rule on the validity of OLAF’s investigative acts or the report established as a result thereof, as doing so would violate the heavily guarded division of jurisdictional competences laid down in Foto-Frost. OLAF can, however, interfere with or violate the fundamental rights of the person concerned in the context of its investigations. The multi-jurisdictional legal order of the EU poses similar challenges in the field of enforcement of competition law. Here, too, some decisions by bodies lacking legal personality, like the ECN, seem to be subject to judicial scrutiny. Yet the ECN’s allocation decisions determine the content of the procedural rights that will ultimately be available to the parties subject to EU competition law enforcement proceedings.

The fact that the EU consists of multiple legal orders leads to the challenge of ensuring the protection of fundamental rights in the same fashion. The principle of national procedural autonomy shields national sovereignty and accommodates procedural differences and divergent fundamental rights’ standards across the Union. At the same time, this may come at the expense of legal certainty especially when the legal framework is designed in such a way as to allow EU law enforcement authorities to choose to carry out enforcement actions and obtain evidence in jurisdictions offering the least protection. A good example in that respect is ESMA and on-site inspections. EU law allows ESMA to seek ex ante judicial authorisation before the performance of an on-site inspection only if national law so requires. In the absence of EU law harmonising mandatory ex ante judicial authorisation, an EU enforcement authority may decide to carry out investigative activities in Member States that provide for lesser ex ante legal protection. In a similar vein, the fact that the twenty-seven Member States protect fundamental rights differently, yet evidence obtained on the basis of divergent standards can be exchanged freely between competition authorities and be used for sanctioning in various Member States, may come at the expense of procedural fairness.

To what extent can there be non-judicial remedies to address possible violations of fundamental rights by EU enforcement authorities (EEAs)? Our third point on the list above indicates that while non-judicial remedies may exist, they cannot possibly offer the same kind of protection that judicial remedies can. We have identified the following non-judicial remedies: political accountability, the availability of hearing officers (DG COMP), controllers of procedural guarantees (OLAF), Ombudsman, special mechanisms like a request to the Commission (ESMA), and ex ante forms of control via, for instance, consultation and participation of private parties in certain procedures. These remedies are important and can help those who seek justice for violation of their specific rights. The mechanisms of political accountability and the Ombudsman may address such violations from a structural perspective via, for instance, adjusting the law, which could stop such violations in the future and give the satisfaction of being heard and having one’s complaint taken into consideration. However, the limits of such non-judicial remedies are twofold. For one, unless a recommendation or advice is given by internal mechanisms of review, like the ESMA Board of Appeals or the DG COMP’s hearing officer, non-judicial mechanisms cannot rectify immediately the violation of one’s rights in a specific case. This is because EU enforcement authorities are required by law to carry out supervision and enforcement in an independent manner. No politician should be able to influence the EU authority when they enforce the law against private actors. Hence, we discussed the issue of independence and its importance at the institutional and personnel levels in enforcement. For two, non-judicial remedies do not and cannot possibly offer the same kind of protection that judicial remedies can as they often lack certain qualities that go part and parcel with the judicial authorities and remedies: taking binding decisions, availability of remedies in concreto and not merely in abstracto, and independence within the meaning of Article 6 ECHR/ 47 CFR. At the same time, it may also be the case that the legislative design of non-judicial remedies may not have yet been developed. These are often rather recent changes; future empirical research will hopefully show to what extent these can be effective means to find justice.

11.4.1 What Are the Lessons That We Can Draw from Our Analysis?

First of all, the three types of EEAs that we have considered in our analysis are useful for analytical purposes to see and assess the sources of potential violations of fundamental rights. The clearer the division of competences among EU and national authorities and the lesser the degree of possible de jure joint enforcement action, the clearer the judicial remedy becomes. For instance, if ESMA carries out all the enforcement actions on its own, the private party has only one authority to address and the private party can do so according to the EU standards of fundamental rights and via other non-judicial remedies at the EU level. At the same time, the more divided the enforcement process between EU and national jurisdictions and the greater the degree of mixing supervisors, the more challenges there can be in seeking judicial redress: Which court? Which standard of fundamental rights? Is there a check on an action or decision of an EEA? etc.

Secondly, the legislative design of enforcement responsibilities, tasks, powers, fundamental rights, and controls is of paramount importance to prevent violations of fundamental rights and redress if the violation has happened. However, at the moment of writing, the legislative design of direct EU law enforcement often results in an allocation of responsibility that may not be matched with accompanying (judicial or non-judicial) remedies at the respective national or EU level. While it is true that we are discussing a relatively new development, such a mismatch must be prevented. Relevant procedural guarantees and procedures need to be developed and be clear for both the EU authorities and the supervised parties. For instance, requests for information need to be based on good reasons, especially if they are issued informally. Supervised parties should be heard, especially if ex post controls, such as judicial review, do not cover specific types of acts, which can limit or affect fundamental rights. Judicial dialogue between EU and national courts should be enhanced in order to overcome the strict dichotomy between the EU and the national level when it comes to judicial review of EU law enforcement authorities’ actions.

Finally, as part and parcel of the previous lesson, the coexistence of judicial and non-judicial remedies can complement each other’s gaps and ultimately ensure a fully-fledged protection of fundamental rights if designed properly and aligned with one another, including EU-national alignment. For instance, if effective enforcement in the field of financial markets requires informal supervisory practices, mediation procedures could be envisaged to ensure a mechanism of redress of possible violations of fundamental rights during such informal supervision. If soft law guidance is crucial to enhance compliance, private actors need to be able to ensure they are being heard when the guidance is developed. If the legislator is setting novel types of cooperation, such as shared enforcement, it should be clear which standard of fundamental rights protection should apply, what key terms on the basis of which enforcement authorities base their decisions mean (e.g., violation with intent or negligently), and which jurisdiction(s) should be responsible for the review of all stages of enforcement. Lastly, it is essential that the EU legislator does not attempt to use (non-judicial) remedies, such as internal mechanisms of review by internal units, to fill the gaps in judicial protection in the domain of direct enforcement by EU authorities, but rather seeks to complement the existence of judicial remedies.

11.5 Conclusion

This chapter has discussed the question of the access to justice by private parties during enforcement procedures in the EU, especially EEAs. We have argued that enforcement activities have characteristics showing the necessity of both judicial and non-judicial remedies if one’s fundamental rights have been violated. Enforcement is a process that aims at ensuring policy goals and ensuring core values, where non-compliance should be better prevented, rather than responded to. This implies the importance of having informal, preparatory, ex ante as well as legally binding actions and decisions. These actions and decisions can, however, lead to violations of fundamental rights: rights to good administration, access to the court, privacy, due process, etc. These violations can be challenging to address for a number of reasons, including the multi-jurisdictional legal order of the EU at times lacking legislative clarity as to the scope of certain fundamental rights standards and enforcement responsibilities and the importance of informal actions and guidance enhancing compliance. In this context, we have argued for the importance of developing an alignment between judicial and non-judicial remedies to address violations of fundamental rights in a comprehensive and proportionate way.

12 Legal Protection against Fundamental Rights Breaches through Factual Conduct by the European Union

Florin Coman-Kund
Footnote *
12.1 Introduction

Starting from the premise that factual conduct by European Union (EU) institutions, agencies, and bodies (hereafter referred to generically as ‘EU bodies’ in line with the consistent terminology adopted in this volume) may breach fundamental rights of individuals, this chapter examines what appears to be rather a ‘blind spot’ in EU law and scholarship, namely the legal protection against factual conduct by the EU. In doing so, the chapter engages first with some conceptual clarifications of the term ‘factual conduct’ by reference to the concepts of ‘legally binding act’ and ‘legally non-binding act’ (or soft law) and provides some illustrations of EU factual conduct potentially infringing fundamental rights. Second, the chapter looks at the system of EU legal remedies (both judicial and non-judicial remedies are included within the scope of this investigation) as enshrined in the Treaty on the Functioning of the European Union (TFEU)Footnote 1 and the jurisprudence of the Court of Justice of the European Union (CJEU), as well as in relevant EU secondary legislation, with a view to establishing their potential to address fundamental rights breaches by EU factual conduct. Third, the chapter ends with an assessment of the overall system of legal protection against fundamental rights breaches through factual conduct by the EU, revealing strengths, gaps, and challenges, and suggesting some solutions for improvement, in particular in the form of enhancing, in light of Articles 41 and 47 of the Charter of Fundamental Rights of the EU (CFR),Footnote 2 the array of EU administrative/non-judicial mechanisms and remedies with judicially reviewable outcomes.

12.2 EU Factual Conduct and Fundamental Rights
12.2.1 Conceptual Reflections on EU Factual Conduct

Public administration features as the most prominent form of action legally binding acts, be they of a general or individual application. Yet the bulk of daily public administration also entails a lot of human actions, acts, activities, or conduct that do not amount to formal legally binding acts.Footnote 3 Such administrative acts or conduct, though not intended to produce legal effects like a binding legal act, entail nevertheless (sometimes significant) factual and legal consequences; as such, they may also arguably infringe fundamental rights.Footnote 4

The range of administrative forms of action outside the category of formal legally binding acts is broad and diverse. It includes various acts and operations that lead to the adoptionFootnote 5 or ensure the implementation/enforcementFootnote 6 of a formal legally binding act. It also arguably includes more free-standing acts and factual conduct such as legally non-binding or ‘soft law’ actsFootnote 7 as well as various concrete actions and operations.Footnote 8

From a conceptual point of view, the term ‘factual conduct’ can be understood in two different ways.Footnote 9 In one sense, it can be construed as an act of conduct or as a legal fact in the shape of human behaviour that is not intended per se to produce legally binding effects, but which nevertheless may entail certain legal and practical consequences according to law.Footnote 10 According to this understanding, ‘factual conduct’ would broadly encompass all administrative acts (forms of action) outside the category of formal legally binding acts. In a second sense, ‘factual conduct’ is to be understood as a specific form of administrative action. According to this second, more specific, understanding, it encompasses administrative actions and operations that amount broadly speaking to ‘physical acts’Footnote 11 or measures of a factual nature. Such acts express the conduct of a public authority or its servants in the outside world in a factual manner, their legal relevance (as legally binding acts or mere acts of conduct having some legal relevance) being determined by the applicable legal framework.Footnote 12 Factual conduct can thus include various physical acts and operations, either free-standing or connected to the adoption and implementation/enforcement of a formal legal act (binding or non-binding). Examples include: publishing/handling information, collecting and processing personal data, feeding a database with information or extracting information therefrom, providing an answer to a request or a petition, preparing a draft legal act, preparing and submitting a report or letter, publishing a legal act in the official journal/communicating the legal act to interested persons, entering business premises, searching for information, collecting and sealing documents and other items during an inspection/investigation, and using police executive powers.Footnote 13

Relying mainly on the second sense of the term for the purpose of this chapter, as in our view it analytically depicts more accurately the phenomenon under consideration, we note that factual conduct is very much present in the activity of the EU public administration. All EU bodies handle personal and non-personal data and information, publish and exchange information and various documents, undertake preparatory operations and actions for the purpose of adopting a formal legal act, and carry out various operations and actions for ensuring their implementation. It is less common for EU bodies to carry out physical implementation and enforcement of EU law, as these matters are normally reserved for the Member States’ administrations. Yet there are notable examples of EU bodies doing this (see also Chapter 11). These include the European Commission in competition lawFootnote 14 and, more recently, the European Central Bank (ECB) in its supervisory role within the Single Supervisory Mechanism (SSM),Footnote 15 the European Border and Coast Guard Agency (Frontex) with its new direct operational powers in joint operations at the Union’s external borders,Footnote 16 and the European Public Prosecutor’s Office (EPPO) with its wide-ranging investigation powers.Footnote 17 This trend is likely to continue in view of the ongoing phenomenon of EU administrative integration and hybridisation, with more EU bodies being granted (gradually increasing) direct enforcement and implementing powers, often exercised within rather intricate composite (EU and national) legal frameworks and in complex relationship with national competent authorities.Footnote 18

12.2.2 Risks for Fundamental Rights from EU Factual Conduct

EU factual conduct (understood as acts of ‘physical’ conduct by EU institutions, agencies and bodies, and their staff) may directly or indirectly affect fundamental rights of natural and legal persons. Examples are abundant in this respect. For instance, personal data processing operations by EU bodies may breach directly or indirectly the data protection rights (enshrined in Article 8 CFR and further given substance in Regulation 2018/1725)Footnote 19 as well as the right to respect for private and family life (Article 7 CFR) of the individual. Abusive or inappropriate personal data processing by Europol as regards persons suspected of being involved in serious crime might ultimately result in unlawful arrests and home searches by enforcement authorities in the Member States, in breach of the right to liberty and security of the person (Article 6 CFR) and/or the right to respect for private and family life (Article 7 CFR). Disseminating/publishing abusive defamatory information about individuals and legal persons may affect their reputation and consequently result in a breach of human dignity (Article 1 CFR)Footnote 20 or the freedom to conduct a business (Article 16 CFR).Footnote 21 Irregularities committed by Commission officials implementing EU competition law, officials of the European Anti-Fraud Office (OLAF) under Regulation 883/2013,Footnote 22 or ECB officials in the implementation of the SSM Regulation during an inspection at the premises of an undertaking, might result in a breach of Article 7 CFR (protection of ‘home’, including business premises)Footnote 23 or a breach of the right to property (Article 17 CFR).Footnote 24 Last but not least, the exercise of executive powers by Frontex operational staff during joint operations at sea and/or land bordersFootnote 25 could amount to a breach of the right to life (Article 2 CFR), the right to the integrity of the person (Article 3 CFR), prohibition of torture and inhuman or degrading treatment or punishment (Article 4 CFR), or the right to asylum (Article 18 CFR) and non-refoulement (Article 19 CFR).

The ability of EU factual conduct to directly and indirectly breach fundamental rights raises in turn the issue of ensuring adequate legal protection and remedies against such conduct. Are legal safeguards and remedies necessary and, if so, sufficiently available to address fundamental rights breaches by EU factual conduct?

12.3 Legal Protection against Fundamental Rights Breaches by EU Factual Conduct

Factual conduct by EU bodies is prescribed and confined by law. The relevant legal framework provides rules and principles establishing when, how, under what conditions, and by whom factual conduct can occur in order to conduce to the legal effects assigned to it by legal norms.Footnote 26 In other words, factual conduct, just like formal legal acts, needs to abide by the principle of legality of administrative actionFootnote 27 as a specific reflection of the rule of law underpinning the EU legal order.Footnote 28 According to some, ‘the test of the legality of factual conduct should not differ from that applicable to formal measures taken by the administration’.Footnote 29 In this respect, EU factual conduct must occur within the boundaries of the competence of the relevant EU actor and it must observe all relevant substantive and procedural rules applicable. Moreover, it should meet ‘the standards of the general principles of law which generally govern the legality of EU acts, such as the principles of good administration, proportionality, and the protection of fundamental rights’.Footnote 30 EU factual conduct meeting these legality standards should not in principle result by itself in breaches of fundamental rights. On the contrary, EU factual conduct that does not meet the legality standards mentioned previously could entail breaches of fundamental rights, as already shown earlier in this chapter. In this context, legitimate questions arise as to how legal review of such conduct can be ensured and whether there is adequate legal protection for the person affected against such breaches in light inter alia of the rights to an effective legal remedy enshrined in Article 47 CFR.Footnote 31

The legal protection, and, in this context, also the legal review of EU factual conduct affecting fundamental rights is examined in a more overarching fashion in Sections 12.4 and 12.5, by looking first at available judicial remedies in light of Article 47 CFR and, second, by considering additional EU administrative/non-judicial mechanisms and remedies that might offer redress for fundamental rights breaches.

12.4 Judicial Remedies
12.4.1 The Right to an Effective Judicial Remedy for Fundamental Rights Breaches

Article 47 CFR proclaims the right to an effective remedy before a tribunal for ‘everyone whose rights and freedoms guaranteed by the law of the Union are violated’. This provision does not expressly specify or limit the ways in which rights and freedoms could be violated, which would imply that any type of violation, be it through a formal legal act or factual conduct, should be covered by the right to an effective (judicial) remedy. The view that factual conduct comes within the scope of Article 47 CFR and that, as a result, it should be matched by full legal protection in the form of appropriate judicial remedies, finds support in legal scholarship.Footnote 32 As for the Court of Justice, one may wonder whether its rather restrictive ‘dependent approach’Footnote 33 to Article 47 CFR could entail limitations on judicial review of factual conduct and, implicitly, on the remedies the individual whose fundamental rights have been breached might effectively rely on. More specifically, drawing on the non-binding Explanations relating to the Charter of Fundamental Rights,Footnote 34 the Court affirmed in its landmark Inuit judgment,Footnote 35 that Article 47 CFR ‘is not intended to change the system of judicial review laid down by the Treaties, and particularly the rules relating to the admissibility of direct actions brought before the Courts of the European Union’. As a result, it appears that Article 47 CFR cannot be relied upon to establish new judicial remedies/review avenues or to amend those enshrined in the TFEU.Footnote 36

However, within these confines, it is argued that Article 47 TFEU, giving expression to the principle of effective judicial protection and enshrining it as a fundamental right, could be used creatively by EU courts. It should be relied upon as a canon of interpretation regarding access to the judicial remedies laid down in the Treaties for persons invoking breaches of their fundamental rights by EU acts and measures. Such an approach could arguably offer a quick fix to the potential gaps within the current EU system of judicial remedies regarding violations of fundamental rights, until the more far-reaching solutions suggested by the Court – that is, the use of the formal amendment procedure of the Founding Treaties,Footnote 37 and the Member States’ duties ‘to establish a system of legal remedies and procedures which ensure respect for the fundamental right to effective judicial protection’Footnote 38 – have fully addressed the issue.

Against this background, one needs to consider how far the judicial remedies available for individuals enshrined in the Treaties and carved out through CJEU jurisprudence are effective in addressing the breaches of fundamental rights caused by EU factual conduct. The following judicial remedies are briefly examined for the purpose of this query: action for annulment (Article 263 TFEU), failure to act (Article 265 TFEU), preliminary reference procedure (Article 267 TFEU), action for damages (Article 268 juncto Article 340 TFEU), and plea of illegality (Article 277 TFEU).

12.4.2 The Action for Annulment

The action for annulment appears to raise particular challenges with regard to EU factual conduct in view of its admissibility conditions. Especially the fact that only acts of EU bodies that are ‘intended to produce legal effects vis-à-vis third parties’ are judicially reviewable arguably creates a considerable hurdle for persons willing to challenge before the CJEU EU factual conduct infringing their rights. As recently reconfirmed by the CJEU, ‘it is settled case-law of the Court that actions for annulment, provided for under Article 263 TFEU, are available in the case of all measures adopted by the institutions, bodies, offices and agencies of the European Union, whatever their form, which are intended to have binding legal effects’ (emphasis added).Footnote 39 This means that unless EU factual conduct qualifies as an act or measure intended to have binding legal effects, it cannot be directly challenged under Article 263 TFEU. This observation raises two questions: (1) Could EU factual conduct qualify under certain circumstances as ‘an act or measure intended to have binding legal effects’? and (2) Is there any (indirect) way to review the legality of EU factual conduct that does not qualify as ‘an act or measure intended to have binding legal effects’ under Article 263 TFEU?

The answer to the first question could be positive, especially if Article 263 TFEU is read in light of Article 47 CFR, as suggested earlier. After all, the Court considers reviewable under Article 263 TFEU any EU measures intended to have binding legal effects, whatever their form (emphasis added). In this respect, the Court was quite creative in the past in inferring from a physical act directly affecting the situation of the applicant the existence of a tacit administrative decision that could be reviewed under the annulment procedure.Footnote 40 In such a case, one may wonder whether factual conduct is in itself the expression of the challengeable tacit or implicit legal act or whether it is a mere indication of the existence of a previous tacit administrative decision that is being implemented via the physical act. By referring in Akzo and Akcros to ‘the tacit rejection decision expressed through (emphasis added) the physical act of seizing and placing those documents on the file without placing them in a sealed envelope’,Footnote 41 the CJEU seems to show a slight preference for the first scenario. In this vein, one could consider the factual conduct directly affecting the legal situation of the individual, similarly to a formal legal binding act, as some sort of ‘instant’ implicit decision, whereby the physical act itself amounts to a legally binding act. Such a legal construct, reflecting a more extensive understanding of the concept of ‘act intended to produce legal effects vis-à-vis third parties’ read in light of Article 47 CFR, could capture various situations in which free-standing EU factual conduct directly breaches fundamental rights.Footnote 42 While the concept of ‘instant implicit decision’ might still need to gain ground, EU legal scholars highlight, more in line with the second scenario, that the notion of a tacit or implicit decisionunderpinning [emphasis added] a physical act or factual measure is common in the administrative law of the Member States’, and they argue for its extended application to ensure more effective protection of fundamental rights against EU factual conduct.Footnote 43 In any case, if free-standing factual conduct does not amount somehow to an act intended to have binding legal effects, it cannot be reviewed under Article 263 TFEU.

This brings us to the second question: Is there any (indirect) way to review the legality of EU factual conduct that does not qualify as ‘an act or measure intended to have binding legal effects’? Legal review of factual conduct could in principle be ensured incidentally, in view of the relationship of such conduct with a legal act reviewable under Article 263 TFEU. Most obviously, factual conduct that can be qualified as ‘preparatory acts’ of a legally reviewable act can be reviewed by the Court in the context of the challenge brought to the latter act.Footnote 44 This, however, raises the question whether such legal review does not sometimes come too late, as the relevant factual conduct might have produced legal and practical consequences well before the adoption of the legal act.Footnote 45 Furthermore, if no legally binding act is finally adopted, then any ‘preparatory’ factual conduct carried out prior to that will not be in principle judicially reviewable,Footnote 46 unless such factual conduct represents ‘the culmination of a special procedure … and which produce binding legal effects such as to affect the interests of an applicant, by bringing about a distinct change in his legal position’.Footnote 47 As for the factual conduct that implements legally binding acts, legal review is reserved in principle only to the legally binding act, on the ground that ‘the validity of a decision cannot be affected by acts subsequent to its adoption’.Footnote 48 The only apparent exception seems to be in the case of factual conduct entailing or underpinning an implicit or tacit legal act, but even in that case it is questionable whether the Court actually reviews the implementing physical act itself or rather exclusively the underlying implicit/tacit legally binding act. In this regard, the concept of ‘instant’ implicit decision could perhaps bring some added explanatory value with respect to the legal review of such ‘factual conduct’ by conceptually equating the physical act with a reviewable act under Article 263 TFEU (not with the mere implementation thereof).Footnote 49

12.4.3 Failure to Act

Failure to act is to some extent the mirror image of the action for annulment,Footnote 50 and it could also be of relevance as far as breaches of fundamental rights via EU factual conduct are concerned. Article 265 TFEU, third paragraph enables individuals to go to the CJEU for failure of an EU institution, body, office, or agency to address to them ‘any act’, except for recommendations and opinions. Yet it becomes apparent that individuals can rely on this judicial remedy only where the relevant EU body failed to adopt a legally binding act concerning them,Footnote 51 while being under an obligation to do so.Footnote 52 Hence, similarly to the action for annulment, failure to act does not seem a particularly suitable legal remedy against EU factual conduct, except for those instances in which the factual conduct that should have been enacted by the defaulting EU body would amount to an implicit decision impacting on the legal situation of the individual.Footnote 53 Additionally, for a potential action under Article 265 TFEU to be admissible, the relevant EU body must have ‘been called upon to act’ by the individual and, furthermore, not defined its position on the matter after being called to act.Footnote 54 As a final point, if successful, the action for failure to act results in a court judgment with a rather limited impact: declaring that the failure to act was illegal but without the possibility to impose on the EU body the type, content, and form of the act that should have been taken.Footnote 55

12.4.4 Preliminary Reference Procedure

Arguably, some of the gaps resulting from the limited judicial review of factual conduct under Article 263 TFEU could be covered by the preliminary reference procedure under Article 267 TFEU (see also Chapter 4). As is well known from the CJEU’s jurisprudence, the admissibility of a question for preliminary ruling extends to the interpretation and validity of any acts of EU institutions, bodies, offices, or agencies.Footnote 56 This clearly covers formal acts, be they legally binding or not, but it is less clear if EU factual conduct in the form of a mere physical act also qualifies as an ‘act’ under Article 267 TFEU.Footnote 57 A reading of Article 267 TFEU in light of the fundamental right to an effective legal remedy enshrined in Article 47 CFR offers support for the view that the category of acts of EU bodies ‘without any exception’Footnote 58 encompasses also physical acts representing factual conduct.Footnote 59

Yet, even if this is the case, there are several difficulties with judicial review of EU factual conduct under Article 267 TFEU. First, for a preliminary question on EU factual conduct to be raised before a national court, there must be a decision or measure adopted by a national authority that the person who claims their fundamental rights are being breached by that EU conduct could challenge.Footnote 60 Second, the national measure/act challenged before the national court should be sufficiently linked to the EU factual conduct in such a way that establishing the validity of the latter would enable the national court to decide on the matter.Footnote 61 If the national court does not find the relevant EU factual conduct ‘necessary’ to judge the case before it, the matter will not in principle reach the CJEU.Footnote 62 Third, even if a question for a preliminary ruling regarding the validity of EU factual conduct reaches the CJEU, it has been emphasised that judicial review might often come too late to ensure effective protection of the fundamental rights affected by that conduct.Footnote 63

12.4.5 Action for Damages

In view of the shortcomings highlighted earlier, the action for damages enshrined in Articles 268 juncto 340 TFEU could in principle offer a more reliable remedy against breaches of fundamental rights caused by EU factual conduct.Footnote 64 In any case, prima facie the action for damages has a generous scope as it covers ‘any damage (emphasis added) caused by its institutions or by servants in the performance of their duties’. It thus covers both material and non-material damageFootnote 65 caused by any acts (both formal legal binding acts as well as factual conduct) of the EU ‘institutions’Footnote 66 or EU servants. However, this judicial remedy also displays several shortcomings and difficulties.

First, in spite of the apparently generous, though slightly vague,Footnote 67 formulation in the Founding Treaties, the standards for EU liability are in reality quite high,Footnote 68 as they are interpreted and applied quite strictly by EU courts.Footnote 69 While a breach of fundamental rights via EU factual conduct could relatively easily meet the condition that ‘the rule of law infringed must be intended to confer rights on the individual’, things become more difficult with the requirement that ‘the breach must be sufficiently serious’, as well as with the ‘damage’ and the ‘causal link’. Proving a sufficiently serious breach is in principle easier in the case of an EU measure that does not entail discretionary choices,Footnote 70 and it proves particularly difficult where the EU measure entails the exercise of some degree of discretionary power; in this respect, even an illegal EU measure annulled under Article 263 TFEU is not per se sufficient to meet the threshold for a sufficiently serious breach under Article 340 TFEU.Footnote 71 In our view, Article 47 CFR requires a more lenient reading of the CJEU’s ‘sufficiently serious breach’ condition under Article 340 TFEU, so that EU legally binding acts, including here factual conduct amounting to an instant implicit decision, as well as genuine factual conduct in the form of self-standing physical acts that directly breach fundamental rights, meet the threshold as a matter of principle.Footnote 72 As to the damage suffered as a result of EU factual conduct breaching fundamental rights, this might be difficult to establish and quantify,Footnote 73 especially in view of the non-pecuniary consequences that the breach of some fundamental rights entails.Footnote 74 Last but not least, the causal link between the EU factual conduct and the damage might be difficult to establish, especially when it is embedded into a broader complex framework entailing concomitant or subsequent actions by EU and Member State actors that might interfere with the causation chain.Footnote 75

Second, the monetary compensation that is usually provided within the framework of the action for damages might not fully remedy the situation where redressing a breach of fundamental rights by EU factual conduct would require positive administrative action to end the breach and re-establish the situation before the breach occurred.Footnote 76 Yet this point of critique seems to be at least partly addressed by the fact that EU courts acknowledge that Article 340 TFEU does not in principle exclude compensation in kind ‘if necessary in the form of an injunction to do or not to do something’ if this is in line with the general principles of non-contractual liability common to the laws of the Member States.Footnote 77 However, one may wonder how far EU courts are willing to have recourse to such types of compensation more extensively and especially in cases of fundamental rights breaches by EU factual conduct.Footnote 78 A reading of Article 340 TFEU in light of the right to an effective judicial remedy in Article 47 CFR would, in our view, justify such an approach.

12.4.6 Plea of Illegality

Another judicial remedy provided in the Founding Treaties is the more indirect plea of illegality under Article 277 TFEU. This remedy is limited in three ways: (1) it can be invoked only against an act of general application; (2) only the four grounds for annulment laid down in the second paragraph of Article 263 TFEU may be invoked to establish the illegality of the act; and (3) the illegality of the act only triggers the inapplicability of that act within the direct action before the EU court in which the plea of illegality has been raised.Footnote 79 This remedy seems prima facie of limited relevance in the case of EU factual conduct causing breaches of fundamental rights. Only in the rather unlikely scenario in which EU factual conduct would express an (instant) implicit binding legal act of general application, and on the basis of which individual acts or measures are enacted directly affecting the legal situation of the individual, could Article 277 TFEU be invoked within a direct action against such individual acts or measures.Footnote 80

12.4.7 Incomplete Judicial Protection for Fundamental Rights Breaches by EU Factual Conduct

One may question whether the paradigm of ‘a complete system of legal remedies and procedures designed to ensure judicial review of the legality of European Union acts’ announced by the CJEU in Les VertsFootnote 81 and reaffirmed in InuitFootnote 82 withstands a reality check, as far as EU factual conduct breaching fundamental rights is concerned. Especially if this paradigm is read in light of Article 47 CFR asserting a judicially effective remedy for ‘everyone whose rights and freedoms guaranteed by the law of the Union are violated’. Based on the previous analysis, one may argue that the judicial remedies available in the Founding Treaties reveal shortcomings as to the completeness and effectiveness of judicial protection in such instances.Footnote 83 Solutions to address this could be: (1) an extensive understanding of the concept of ‘reviewable act’ in line with AKZO jurisprudence whereby factual conduct directly affecting the legal situation and fundamental rights of the individual would amount to implicit reviewable legal actsFootnote 84 and (2) a far-reaching interpretation of the action for damages encompassing extensive ways of compensation and a more flexible reading of the conditions for damages that could cover, at least in part, the blind spots of current judicial review of EU factual conduct.Footnote 85 It remains to be seen how far EU Courts will be willing to consider such solutions in their future jurisprudence, but even if they do, gaps will arguably remain in the EU system of judicial remedies (especially as regards the lack of preventive judicial protection against potentially harmful EU factual conduct).Footnote 86 Therefore, it may be opportune to look further afield and also consider other (non-judicial) remedies available in EU law to assess whether they may or could, alone or in combination with available EU judicial remedies, address some of the gaps and shortcomings highlighted earlier

12.5 Non-judicial Remedies
12.5.1 Non-judicial Remedies and the Right/Principle of Good Administration

While discussions on legal review and legal protection usually focus on the availability and sufficiency of judicial remedies, one should not forget that, in a broad sense, the system of legal remedies is not limited to that. While judicial remedies, in view of their importance, could be placed at the forefront of the Union’s system of legal protection, non-judicial remedies also play a role in ensuring review of and redress against EU administrative action. In fact, under certain conditions, non-judicial remedies (i.e., actions and procedures against administrative actions that do not directly involve courts) could arguably be more accessible and effective in addressing fundamental rights breaches of individuals, be they natural or legal persons. Thus, compared to costly, time-consuming, and restrictive judicial remedies, non-judicial internal and external remedies and review mechanisms in the form of complaints,Footnote 87 referrals,Footnote 88 and appeals proceduresFootnote 89 could provide easier access, comprehensive scrutiny, and relatively timely redress against potentially harmful EU administrative measures, including factual conduct.Footnote 90 After all, in light of the commandment of an ‘open, efficient and independent European administration’ in Article 298 (1) TFEU, giving the public administration a chance first to repair its own mistakes and to offer redress via easily accessible non-judicial remedies could largely alleviate the need to have recourse to judicial review.

While access to judicial remedies is enshrined both as a common principle of EU law in CJEU jurisprudence and as a fundamental right under Article 47 CFR, there is no similar explicit constitutional recognition for non-judicial remedies against EU action.Footnote 91 Arguably, access to non-judicial remedies could be considered as a dimension of the multi-sided good or sound administration laid down as a fundamental right in Article 41 CFR and also established as a general principle of law by EU courts.Footnote 92 Following this line of reasoning, the set-up of effective administrative remedies could be seen as an inherent guarantee for the enforcement of the specific rights encompassed within ‘good’ or ‘sound’ administration. It could be arguably incorporated within the scope of ‘the right to have his or her affairs handled impartially, fairly and within a reasonable time’ under Article 41 (1) CFR. To be sure, availability of an administrative remedy against EU measures affecting individuals is not mentioned in the list of specific rights under Article 41 (2) CFR. Yet it has been maintained that Article 41 CFR only provides ‘examples of procedural rights to good administration’, and that it ‘serves to establish a minimum protection of certain elements generally accepted in the existing case law of the European courts as principles of good administration and rights of defence’.Footnote 93 As a result, EU courts could in principle go beyond the rights explicitly listed in Article 41 CFR, though they also warn that ‘the principle of sound administration, does not, in itself, confer rights upon individuals … except where it constitutes the expression of specific rights’ like those enshrined in Article 41 CFR.Footnote 94 Alternatively, the availability of effective administrative remedies could be regarded as an element of the general principle of good/sound administration continuously developed by EU courts. As mentioned previously, it could function as a guarantee for the exercise and enforcement of the specific rights included within the scope of good administration and enshrined in Article 41 CFR; additionally, it would also be an enabling element for the right to claim damages provided in Article 41 (3) CFR, especially if this is seen, separately from Article 340 TFEU, as a right to claim damages directly from the EU administration at fault (without necessarily ending up before the EU courts).Footnote 95

Since there is a lack of clarity in EU primary law and case law regarding the availability and requirements of non-judicial remedies, the landscape of such remedies is quite diverse and eclectic (see also Chapter 5).Footnote 96 In what follows, a few selected non-judicial remedies will be discussed as cases in point as to their applicability to fundamental rights breaches by EU factual conduct. A general observation regarding the mechanisms discussed here is that they are not designed solely to serve as remedies for the individual but to also fulfil other functions pertaining to legal review, scrutiny, and overall accountability of EU public administration (see also Chapter 5).

12.5.2 EU Ombudsman

One obvious horizontal non-judicial remedy available against EU acts and measures consists of the possibility, as well as the fundamental right according to Article 43 CFR, for individuals (natural and legal persons) to lodge complaints with the European Ombudsman.Footnote 97 This remedy is very generous in terms of accessibility and scope. It is open to all EU citizens as well as any natural and legal person residing or having its registered office in a Member State, and it covers any instance of ‘maladministration’ in the activities of EU bodies (except for the CJEU).Footnote 98 Instances or cases (as enshrined in Article 43 CFR) of maladministration are to be interpreted broadly, including legally binding and non-binding acts, formal acts and measures, as well as factual conduct.Footnote 99 This administrative remedy can thus be used by individuals claiming breaches of their fundamental rights by EU factual conduct, such as improper collection or handling of personal data of an individual by an EU body infringing their reputation or privacy and data protection rights, negligent or malevolent physical acts during an investigation resulting in illegal seizure and further disclosure of sensitive documents affecting the legal situation of an individual, or the improper use of physical force by Frontex staff during joint operations at the Union’s external borders endangering the life, physical integrity, or liberty of a person.Footnote 100

While the Ombudsman has a broad competence and is easily accessible for individuals alleging breaches of fundamental rights by EU factual conduct, its major limitation consists of the fact that its findings are not binding on the EU administration. The finding of an instance of maladministration in the examples mentioned above is followed by proposed solutions, suggestions, and recommendations for addressing the act of maladministration, but the EU body concerned remains entirely free to accept or reject them.Footnote 101 Moreover, the CJEU emphasised in Tillack the nature of the Ombudsman as an ‘alternative non-judicial remedy’ and made clear that the classification as an ‘act of maladministration’ by the Ombudsman does not, in itself, interfere with the judicial determination of whether the conduct of an EU body is ‘a sufficiently serious breach of a rule of law’ for the purpose of Article 340 TFEU.Footnote 102 However, the prestige of the EU Ombudsman as a moral figure and epistemic authority, supported by sufficient resources and an adequate framework of dialogue and peer pressure in relation to the EU administration, could make it quite an influential and effective actor in successfully addressing instances of maladministration, including breaches of fundamental rights by EU factual conduct (see also Chapter 5).Footnote 103

12.5.3 Legal Review of EU Executive Agencies’ Acts

Another interesting non-judicial remedy is provided by Regulation 58/2003 regarding specifically the legal review of the acts of EU executive agencies.Footnote 104 Article 22 of Regulation 58/2003 enables any person directly and individually concerned by ‘any act of an executive agency which injures a third party’ to refer that act to the Commission for a review of its legality. While the requirement that the person is directly and individually concerned by the act mirrors the strict standing conditions for non-privileged applicants under Article 263 TFEU, the reference to ‘any act’ of the agency arguably encompasses not only formal legally binding acts but also factual conduct in the form of physical acts liable to directly affect the legal situation of the individual.Footnote 105 Examples of such ‘acts’ in the form of factual conduct could be the provision by the European Research Council Executive Agency (ERCEA) or the European Research Executive Agency (REA) of incorrect information and guidelines regarding calls for proposals under EU research grant programmes that misleads some potential applicants and ultimately precludes them from submitting a grant proposal or the compiling and subsequent dissemination by an EU executive agency of a list of potential applicants for EU grant programmes that are considered ‘undesirable’ because of their perceived ‘problematic’ political views. Pending the review of the act, the Commission ‘may suspend the implementation of the act at issue or prescribe interim measures’.Footnote 106 Finally, the Commission may either ‘uphold the executive agency’s act or decide that the agency must modify it in whole or in part’,Footnote 107 the respective executive agency being under a duty to comply with the Commission’s decision.Footnote 108 Quite importantly in this context, according to Article 22 (5), the explicit or implicit decision of the Commission to reject the administrative appeal filed by the individual against the act of the executive agencyFootnote 109 is subject to judicial review by the CJEU under Article 263 TFEU. In this way, the agency’s act in the form of factual conduct directly breaching the fundamental rights of the applicant could be reviewed indirectly (in the context of the review of the Commission’s decision to reject the appeal against the act) by the CJEU.

12.5.4 Boards of Appeal

Another rather overarching non-judicial remedy available in EU law is the so-called board of appeal (BoA) featured quite prominently within various EU offices and agencies.Footnote 110 Characterised by some as a ‘quasi-judicial’ remedy,Footnote 111 the BoAs are in fact administrative remedies within the structure of the respective EU office or agency that bear certain similarities to courts and court proceedings.Footnote 112 In this respect, they enjoy in principle a high degree of independence within the respective office or agency and the procedures before them are generally of an adversarial nature.Footnote 113 What is more, it appears that overall the EU legal acts establishing BoAs within various offices and agencies followed the model of EU Courts regarding standing and challengeable acts.Footnote 114 Accordingly, in general only decisions of the office or agency that are of direct and individual concern to the individual may be appealed before a BoA.Footnote 115 As administrative review bodies, BoAs in principle can exercise more intensive scrutiny and have more extensive review powers over the contested decision as compared to judicial review, and their binding decisions may be ultimately challenged before EU courts under Article 263 TFEU.Footnote 116 However, in view of its admissibility standards, this quite far-reaching administrative remedy seems to be of little relevance as regards factual conduct breaching fundamental rights, except, just like in the case of judicial review under Article 263 TFEU, for those instances in which such factual conduct could qualify as an (instant) tacit or implicit administrative act directly affecting the fundamental rights and legitimate interests of the individual. However, in view of its apparent advantages both as a legal review mechanism and as a potential legal remedy, one may consider further extending the scope of BoAs review in the future, similarly to the legal review model of EU executive agencies’ acts, to any acts (including factual conduct) of the EU body affecting the legal situation of the individual and making such a BoA model an entrenched feature of the overall EU institutional framework.

12.5.5 Frontex Fundamental Rights Complaint Mechanism

Staying within the sphere of EU agencies, the European Border and Coast Guard Agency (EBCG Agency, Frontex, or ‘the Agency’) features a specific administrative review mechanism, particularly tailored for breaches of fundamental rights by EU factual conduct. This is the (in)famous complaints mechanismFootnote 117 set up on the basis of Article 111 of the EBCG RegulationFootnote 118 for addressing alleged breaches of fundamental rights caused by staff involved in the Agency’s (operational) activities.Footnote 119 Being available free of charge for any person (no matter the age)Footnote 120 directly affected by any actions or failure to act on the part of staff involved in Frontex’s activities,Footnote 121 the complaints mechanism looks prima facie like a remedy genuinely intended to bridge the gap concerning review of as well as redress for potentially harmful factual conduct of the Agency and its staff during external border management operations.Footnote 122

However, the complaints mechanism also features some alleged shortcomings and limitations that have triggered criticism regarding its legal design and practical operation.Footnote 123

First, while the extensive involvement of the Frontex Fundamental Rights Officer (FRO) in handling individual complaints is to be welcomed, questions pertaining to the genuine independence of the FRO vis-à-vis the management of the Agency as well as to the limited powers of the FRO regarding the outcome of the procedure leave a mixed impression as to its effectiveness in addressing fundamental right breaches.Footnote 124 Thus, in the instances in which the FRO finds the existence of concrete fundamental rights violations, for instance in the form of excessive use of force by Frontex staff against individuals attempting to cross the EU external border by land, it draws up a report that includes recommendations for appropriate follow-up by the Frontex Executive Director (ED).Footnote 125 Next, although the EBCG Regulation and the Agency’s rules on the complaints mechanism provide that the ED ‘shall ensure the appropriate follow-up’Footnote 126 … ‘to FRO’s recommendation through measures provided for by the applicable rules’,Footnote 127 the fact remains that the ED has broad discretion in establishing the ‘appropriate follow-up’ and is not formally bound by the FRO’s findings and recommendations.Footnote 128 The obligation stipulated for the ED to report back to the FRO as to ‘the findings, the implementation of disciplinary measures, and follow-up by the Agency in response to a complaint’ does not change this;Footnote 129 in fact, the Agency’s rules on the complaints mechanism provide clearly that a complaint may be declared unfounded by the ED.Footnote 130

Second, it remains unclear what the ‘follow-up’ by the ED may consist of. Both the EBCG RegulationFootnote 131 and the Agency’s rules on the complaints mechanismFootnote 132 merely refer more explicitly to disciplinary measures and referral for initiation of civil and criminal proceedings; for the rest, formulations remain rather vague, such as ‘any follow-up measure’Footnote 133 or ‘undertaking immediate action’ in case of an imminent risk of irreparable harm to the complainant or to the Agency.Footnote 134 One may thus wonder whether the follow-up measures decided by the ED should also include redress for the individual whose rights have been breached by the Agency’s factual conduct, such as putting an end to the infringement, where applicable, and/or various compensatory measures for the harm suffered. If this mechanism and its follow-up are not aimed at properly addressing the breaches of the complainant’s fundamental rights caused by the Agency’s operational activities, one may seriously question whether this procedure represents a genuine remedy for the individual.Footnote 135

Third, one may wonder whether the affected individual can legally challenge the outcome of the complaint procedure; one may consider in particular a decision by the ED to declare a complaint unfounded or an ED decision by which inappropriate follow-up by the Agency is taken on the complaint. Somewhat paradoxically, the legal review of such ED decisions is not clearly stipulated in the EBCG Regulation, prompting the remark that ‘the complaint mechanism is by design not fit to contest decisions of the agency’.Footnote 136 In our view, to the extent that such decisions represent acts of the Agency that directly affect the legal situation of the complainant (and in our view this is the case where they do not properly address complainants’ breaches of fundamental rights), they are covered by Article 98 EBCG Regulation and, as a result, should be challengeable before the CJEU under Article 263 TFEU.Footnote 137 In this respect, the revised Agency rules on the complaints mechanism arguably bring more clarity on this matter as they now stipulate that the ‘decisions adopted by the Executive Director … in relation to an admissible complaint shall contain an indication of the appeal possibilities provided under EU … law available for challenging the decision’.Footnote 138

Last but not least, the effectiveness in practice of the complaints mechanism has been called into question. With a low number of complaints being registered over the years, and no complaints recorded until June 2021 regarding the activities of Agency staff members,Footnote 139 concerns (followed by recommendations for improvement) have been raised inter alia regarding the accessibility, transparency, and proper functioning of this procedure.Footnote 140

12.5.6 The European Data Protection Supervisor (EDPS)

Finally, a horizontal but rather specific non-judicial remedy available in the area of personal data processing by EU institutions, bodies, offices, and agencies deserves closer attention. Regulation 2018/1725 (the so-called General Data Protection Regulation for EU institutions and bodies) entrusts the European Data Protection Supervisor (EDPS) both with an overarching supervisory function regarding the processing of personal data by EU institutions and bodies and with the function of an administrative remedy for data subjects whose rights have allegedly been breached by unlawful data processing.Footnote 141 For certain, unlawful data processing by EU institutions and bodies may entail formal legal acts but also (perhaps in particular) factual conduct in the form of various physical operations (e.g., inadvertent collecting, recording, retrieving, consulting, altering, or deleting personal data in a database such as EURODAC or Europol Information System (EIS); combining, structuring, or analysing personal data for profiling purposes; prohibited disclosure by transmission of personal data to a third party,Footnote 142 including, for instance, exchanges of personal data with third countries by Frontex within the EUROSUR framework; unauthorised dissemination of personal data to the public,Footnote 143 etc.).Footnote 144 The right to lodge a complaint with the EDPS is granted broadly to any data subject who considers that the processing of his/her personal data infringes Regulation 2018/1725.Footnote 145

Further, clear obligations are established for the EDPS in dealing with the complaint. First, the EDPS has a duty of information to the complainant as to the progress and outcome of the complaint, as well as to the availability of a judicial remedy.Footnote 146 Second, the EDPS is under a duty to handle the complaint or inform the data subject about the progress/outcome of the complaint within three months; failure to do so equates to an implicit negative decision by the EDPS.Footnote 147

Next, unlike the EU Ombudsman and the Frontex FRO, the EDPS has quite extensive formal powers vis-à-vis EU institutions and bodies at fault. Within the realm of its so-called corrective powers, the EDPS may inter alia order the controller or the processor to: ‘comply with the data subject’s requests to exercise his or her rights’,Footnote 148 or ‘bring processing operations into compliance [with Regulation 2018/1725] … where appropriate, in a specified manner and within a specified period’,Footnote 149 or further to ensure ‘the rectification or erasure of personal data or restriction of processing’ pursuant to the data subject’s rights under Regulation 2018/1725.Footnote 150 Additionally, and quite notably, the EDPS can effectively enforce the measures mentioned previously by imposing administrative fines for non-compliance by the relevant EU institution or body.Footnote 151 The EDPS seems thus to have effective legal means to properly address breaches of fundamental rights by EU personal data processing operations.

Finally, but quite importantly, the decision of the EDPS concerning a data subject’s complaint, including the implicit negative decision where the EDPS fails to handle the complaint or inform the data subject about the progress or outcome of the complaint, can be challenged before the CJEU by the data subject.Footnote 152 Hence, in the area of personal data processing, the synergy between a strong administrative remedy provided by the EDPS and the judicial review of EDPS ensuing decisions bears the promise, at least on paper, of offering quite effective legal protection as concerns breaches of data subjects’ fundamental rights by EU factual conduct in the form of various physical data processing operations.Footnote 153

12.6 Overall Assessment and the Way Forward: Deploying Effective EU Administrative Remedies with Judicially Reviewable Outcomes

A number of observations are put forward based on the previous analysis in this chapter with regard to the current legal protection landscape regarding breaches of fundamental rights through EU factual conduct. First, the system of judicial remedies in the EU Founding Treaties does not seem to fully ensure the right to an effective judicial remedy for ‘everyone whose rights and freedoms guaranteed by the law of the Union are violated’ through EU factual conduct. Access to EU courts remains quite challenging as far as the admissibility of an annulment action under Article 263 TFEU against EU factual conduct breaching fundamental rights is concerned. Moreover, the high restrictive thresholds regarding the EU liability conditions under Article 340 TFEU arguably entail low chances of success for the individual affected by EU factual conduct to obtain proper compensation. The long delays between the occurrence of the harmful factual conduct and the possibility for judicial intervention under Article 267 TFEU, as well as the uncertainties surrounding this procedure, do not offer an optimistic picture either. A more extensive and flexible approach regarding the concept of ‘reviewable act’ under Article 263 TFEU as well as regarding the EU non-contractual liability under Article 340 TFEU could arguably address these shortcomings to some extent.Footnote 154 But even if this were the case, judicial review still may not offer full satisfaction because of the limited powers of EU Courts, which, besides the possibility of awarding compensation for damages,Footnote 155 are confined to merely annulling or declaring invalid the contested EU measure without being able to by and large issue orders or injunctions against the EU actor at fault.Footnote 156

Second, the brief overview of the diverse non-judicial remedies discussed here also reveals some limitations and shortcomings regarding the capacity to address fundamental rights breaches by EU factual conduct.Footnote 157 Some of these (e.g., EU agency BoAs) do not seem well-suited for challenges against EU factual conduct. Others display problematic legal design and practical operation as regards access, transparency, independence, fair and speedy handling, and offering appropriate redress (e.g., Frontex’s complaints mechanism). Furthermore, the interplay between non-judicial remedies and judicial remedies is not always fully addressed in EU secondary legislation; this might not always be necessary in view of the specific role and features of the non-judicial remedy, such as the EU Ombudsman, but it is striking with respect to Frontex’s complaints mechanism for fundamental rights breaches. On the positive side, it must be noted that non-judicial remedies generally allow for more timely, comprehensive, and insightful review of the relevant EU measures, including redress possibilities, as compared to the limited legal review carried out by EU courts. What is more, EU law features a few non-judicial remedies (e.g., EDPS and the legality review of the acts of EU executive agencies) that seem capable (at least on paper) of offering effective redress for fundamental rights breaches through EU factual conduct and, on top of that, the final outcome of such remedies can be challenged before the EU Courts.

We therefore put forward a number of reflections and recommendations with a view to addressing this apparent blind spot in legal protection concerning fundamental rights breaches through EU factual conduct.

First, in our view, upholding sound administration both as a general principle of EU law and as a right of the individual (Article 41 CFR) requires having in place effective administrative remedies against EU measures. Only in this way may one hope to enforce in a timely manner, if need be, ‘the right to have his or her affairs handled impartially, fairly and within a reasonable time’ laid down in Article 41 (1) CFR. After all, for the individual, it is most important to have a quick, accessible, and effective remedy or mechanism to put an end to the breach and obtain appropriate redress for the harm incurred as soon as possible. This can best be ensured by the EU administration in the first instance. From this viewpoint, judicial review can be seen rather as the ‘last resort’ remedy,Footnote 158 not being particularly advantageous for the individual in view of the high costs involved, time incurred between the breach and the possibility for the court to address it, and difficulty accessing the EU courts, as well as the rather limited review and redress EU courts may be able or willing to offer. In order to be fully effective, such administrative remedies should abide by certain procedural and substantive benchmarks ensuring that they are sufficiently accessible to the individual, independent, prompt, transparent, comprehensive, and thorough,Footnote 159 as well as capable of offering appropriate redress. Therefore, serious consideration should be given in EU administrative law to further developing underlying principles and criteria, as well as to designing effective administrative remedies addressing fundamental rights breaches by any form of EU action, including factual conduct.Footnote 160 Moreover, a more systemic perspective should be taken, by also looking at and clarifying the synergies and complementarity between various non-judicial remedies with a view to avoiding gaps or overlaps in legal protection and bearing in mind the fact that an optimal combination of administrative remedies could better address the situation.Footnote 161

Second, we suggest that a combined reading of the principle of sound administration (enshrined as a right in Article 41 CFR) and the principle of an effective remedy (enshrined as a right in Article 47 CFR) could support a more complete system of legal protection against EU action, featuring easily accessible, comprehensive, and strong administrative remedies with, in principle, judicially reviewable outcomes. This entails that, as a rule, administrative remedies should result in final legally binding decisions that can then be challenged before EU courts under Article 263 TFEU. In this respect, we suggest, as a default approach, extending and adapting, where appropriate, the model of the EDPS when designing administrative remedies against EU action.Footnote 162 In this way, the individual should in principle have the chance to obtain appropriate redress the easier way (via the administrative remedy), with the safeguard that their rights will be ultimately protected by the EU courts if the relevant EU body fails to do so.Footnote 163 Ensuring by default judicial review concerning the final outcomes of administrative remedies could also fulfil a preventive function, in that it would increase the pressure on the EU administration to address properly fundamental rights infringements, once the ‘sword of Damocles’ of judicial review is hanging there. Along the same lines, we also support the idea of the opening up of judicial protection offered by the CJEU, and in particular Rademacher’s view that EU Courts should more generously trigger EU non-contractual liability for damages, in instances of fundamental rights breaches through EU factual conduct.Footnote 164 In this way, one may hope to close the gap of legal protection against harmful EU factual conduct.

12.7 Conclusion

With the focus of inquiry on the legal protection against breaches of fundamental rights through EU factual conduct, this chapter first attempted to provide some clarification on the concept of ‘factual conduct’ and illustrate concretely how such factual conduct may infringe fundamental rights. Favouring an understanding of factual conduct as ‘physical acts and operations’ by EU bodies (and their staff), the chapter looked next into the available legal review and legal protection avenues regarding such EU conduct, in particular when it allegedly breaches fundamental rights of individuals. After examining both judicial and selected non-judicial remedies as elements of an overarching EU system of legal protection premised on the constitutional parameters of sound administration and effective judicial remedies, it highlighted the potential as well as the shortcomings of existing legal remedies to address fundamental rights breaches by EU factual conduct. It detected ‘blind spots’ in legal protection, in particular in the form of insufficient and ineffective judicial review of factual conduct as well as in the form of problematic legal design and practical operation of some of the currently available administrative remedies. To close the gap of legal protection against harmful EU factual conduct, the chapter suggests focusing more on designing a coherent system of strong and effective administrative remedies with final outcomes that can be challenged before the CJEU, along with more opening up of judicial protection by EU courts, in particular under Articles 263 and 340 TFEU.

13 Composite Procedures, the Violation of Fundamental Rights, and the Availability of Sufficient Remedies in the Multi-level EU Judicial Architecture

Mariolina Eliantonio
13.1 Introduction

In contemporary European law, it has become increasingly evident that EU law is not implemented according to the traditional distinction between direct and indirect administration but through various systems and patterns of cooperation between national and EU authorities, as well as between national authorities themselves. These cooperative mechanisms generate so-called composite procedures, that is, administrative decision-making processes that involve administrative authorities belonging to more than one legal system for the implementation of EU law.Footnote 1 While this form of procedural cooperation is now a prevalent mechanism in EU administrative governance, composite procedures lack both an ‘official’ definition and a clear conceptualisation.

This phenomenon has generated increasing scholarly attention and attempts at providing taxonomies, labels, and detailed analyses of composite procedures in ever-growing EU policy fields.Footnote 2 At the same time, because of the separation of jurisdictions both horizontally and vertically (excluding – at least in principle – the possibility for EU courts to review national administrative measures and for national courts to review measures stemming from either another national legal system or the EU legal order), the literature has specifically discussed the question of access to justice in the framework of these composite procedures.Footnote 3 This question has also been tackled by the Court of Justice of the European Union (CJEU) on several occasions, and a body of case law is increasingly emerging on the question of the competent court and the reviewable acts adopted in the context of the composite procedures.Footnote 4

A less explored angle in this debate, however, is the question of the remedies available to redress possible fundamental rights violations occurring in the context of the composite procedures. In light of the above-mentioned separation of jurisdictions between national and EU courts and the partial gap-filling case law of the CJEU, is the current system of remedies sufficient to ensure that, if national or European authorities violate fundamental rights in the context of composite procedures, there is access to a court to control such alleged violations? In turn, this question is linked to the need for the EU multi-level system of protection to ensure respect for the right to an effective remedy enshrined in Article 47 of the Charter of Fundamental Rights (‘the Charter’) whenever rights guaranteed by EU law are allegedly violated.Footnote 5

In order to tackle this question, this chapter proceeds as follows. In Section 13.2, a categorisation of composite procedures is provided together with an examination of possible fundamental rights that might be violated in their context. Far from providing an exhaustive taxonomy of these procedures, the categories discussed in this section have been selected because they give rise to different problems in terms of possible violations of fundamental rights. In this regard, it should also be noted that, for the purposes of this chapter (and in line with the focus of this volume on the EU system of remedies), only those procedures entailing cooperation between EU and national authorities will be examined (so-called vertical composite procedures), to the exclusion of ‘purely’ horizontal procedures, that is, scenarios in which only national authorities cooperate with each other for the implementation of EU law without the involvement of the EU level of administration.Footnote 6 Finally, it is important to note that the focus of the chapter is on situations in which (EU or national) administrative authorities infringe EU fundamental rights, to the exclusion of situations in which these authorities correctly execute laws that, in turn, violate those fundamental rights. This question relates to the review of EU or national legislation against higher parameters and falls outside the scope of this chapter, which is centred around the control of administrative action.

After providing a categorisation of composite procedures and the fundamental rights possibly engaged therein, in Section 13.3, the available remedies in the scenarios outlined in the earlier section will be presented and their possible gaps will be examined. Section 13.4 concludes. The chapter will show that, while composite procedures are capable of violating both substantive and procedural EU fundamental rights, the current system of remedies seems to be ill-suited to provide effective remedies in multi-jurisdictional decision-making processes.

13.2 Vertical Composite Procedures and the Violation of Fundamental Rights
13.2.1 The Universe of Vertical Composite Procedures: A Proposed Division

The universe of composite procedures (and, within it, the galaxy of vertical procedures entailing the cooperation of EU and Member State authorities) is extremely varied and in continuous evolution and, as a consequence, multiple categorisations are possible.Footnote 7 For the purposes of this chapter and in light of the focus of this volume on remedies for fundamental rights violations, in the following, it is submitted that the more or less ‘formalised’ and decisional nature of an administrative action represents a suitable criterion to distinguish different types of composite procedures. From this perspective, one can draw a distinction between procedures that entail various types of factual acts and procedures that instead comprise measures that are not factual in nature (whether binding or not). This distinction is relevant for the purposes of this chapter for two reasons. First, because of the different types of fundamental rights that may be at stake in the course of the decision-making process. In particular, factual conduct is capable of infringing specific fundamental rights regarding domicile and correspondence. Second, because, as will be shown below, the more or less formal nature of the administrative action at stake has implications for the identification of the appropriate judicial forum.

In Section 13.2.2, possible factual conduct scenarios identifiable in the framework of vertical composite procedures will be considered, with a discussion of the fundamental rights that might come into play in those situations. In Section 13.2.3, within the very diverse universe of composite procedures that do not entail factual conduct on the part of the authorities, examples will be provided of different fundamental rights that might be relevant in these procedures. They are not specifically linked to the ‘type’ of procedure (e.g., whether they culminate in limiting the legal sphere of an individual, such as the ban on the import of a product or an order of repatriation, or entail the expansion of the individual’s legal sphere, such as the granting of an authorisation to carry out a certain activity) but on the subject matter of the procedure. Furthermore, fundamental rights that might be relevant in all types of composite procedure (whether decisional or not in nature, or entailing more or less ‘formalised’ administrative measures) are ‘procedural’ in nature (e.g., the right to be heard). These will be examined in Section 13.2.4. As will be shown, these rights display peculiar features in the context of composite procedures and have been subject to fairly extensive scrutiny by the CJEU.

13.2.2 Factual Action, Composite Procedures, and the Infringement of Fundamental Rights

The notion of ‘factual action’ is not a dogmatic category known at the EU level, unlike several national systems.Footnote 8 Yet it is beyond doubt that both national and EU authorities carry out factual actions in the framework of composite procedures for the implementation of EU law and that these actions can have a severe impact on individuals’ fundamental rights (see also Chapter 12).Footnote 9

This can happen, for example, in the framework of inspection procedures: in increasingly more policy fields, composite procedures entail enforcement actions, including inspections.Footnote 10 For example, in the fields of competition law, fisheries, and aviation safety, EU authorities (be it the Commission or the competent European agencies) can carry out inspection activities, including, for example, seizure of documents, confiscation of computer systems, and interrogation of witnesses.Footnote 11 These inspection activities may be part of composite procedures when a subsequent act of the enforcement process, such as the imposition of a sanction, is adopted at the national level. Cooperation in enforcement tasks may also take place at the inspection step itself, when national and EU authorities cooperate in various ways in carrying out an inspection.Footnote 12 Inspections and the actions they entail may be in conflict with Article 7 of the Charter, protecting the right to private life, home, and communications, which corresponds to the first paragraph of Article 8 of the ECHR. That these fundamental rights might be at stake in such cases has also been confirmed by the case law of the CJEU.Footnote 13

Factual action can also go beyond inspection activities and includes the performance of other types of acts. For example, Frontex has been carrying out factual activities (such as the detention or transfer of individuals from one location to another) in support of search and rescue activities performed by national authorities at the EU borders, which may conflict (and indeed have been considered as conflicting) with, amongst others, the fundamental right to asylum and the prohibition of refoulement contained in Articles 18 and 19 of the Charter.Footnote 14 Other fundamental rights contained in the Charter, such as the prohibition of torture contained in Article 4 or the right to liberty enshrined in Article 6, can also be of relevance in this context. The same fundamental rights can be violated in the framework of the cooperation between the national competent authorities and the European Union Agency for Asylum, in the context of which the Agency is tasked with, amongst others, conducting admissibility interviews with migrants.Footnote 15

13.2.3 Other Composite Procedures and ‘Substantive’ Fundamental Rights

Composite procedures of a decisional nature, and which do not involve factual conduct, are present in very diverse policy fields, ranging from competition law to the Common Agricultural Policy, asylum, risk regulation, environmental policy, and data protection. It is therefore fairly straightforward to conclude that a large range of possible fundamental rights can come into play in these very diverse situations. Without any attempt at completeness, in this section, examples of types of composite procedure will be provided to show how and why EU fundamental rights might be violated.

An increasingly common type of composite procedure entails the sharing of data between EU and national authorities.Footnote 16 At the outset, it should be mentioned, with respect to these procedures and the proposed categorisation based on the presence of factual conduct in a vertical composite procedure, that these acts of information, as has been appropriately argued, ‘sit uneasily within [the] legal/factual dichotomy’.Footnote 17

These data sharing procedures often take place through various databases, in which national authorities enter information that, in turn, may be used by other national authorities. In some cases, the role of the EU level of administration can materialise in the facilitation of the sharing of information between authorities of different legal systems. This is the case for the Rapid Exchange of Information System (RAPEX). This is an alert system for unsafe consumer products, established by the General Product Safety Directive.Footnote 18 In this system, Member States share information concerning dangerous products with the Commission. After validation by the Commission, the information is made available to the competent authorities throughout the EU, which can take measures to prevent the circulation of the product, such as a ban on sales or withdrawal from the market. Potentially, in such cases, the composite procedure thereby generated might come into conflict with the freedom to conduct a business protected by Article 16 of the Charter.

In other cases, the EU presence can relate to the creation and management of a database, such as the Schengen Information System (SIS), through which competent national authorities, such as the police and border guards, are able to enter alerts on people and objects in the database, which can be consulted by the competent authorities of all Member States, and which can form the basis of restrictive measures such as removal from the national territory. The involvement of the EU legal system is, however, ‘silent’ in that it is limited, through the EU Agency for large-scale IT systems (eu-LISA), to the operational management of the central IT system and the network on which the system operates. This has implications for the accountability of the EU administrative authorities, and hence for access to justice, since their participation in the decision-making process is unclear.Footnote 19 Regardless of the more or less ‘explicit’ role of the Agency in the procedure, like in the cases of Frontex and the European Union Agency for Asylum examined above, the fundamental right to asylum and the prohibition of refoulement contained in Articles 18 and 19 of the Charter might be violated as a consequence of the actions of public authorities taken on the basis of alerts entered in the SIS system, as well as the right to respect for family life and the rights of the child, as enshrined in Articles 7 and 24 of the Charter.Footnote 20

At the same time, in the examples of both the RAPEX- and the SIS-generated procedures, it is clear that, as certain personal data are shared, the right to data protection contained in Article 8 of the Charter might also come into play.Footnote 21

Other sets of composite procedures entail the authorisation or denial thereof to place on the market a product or a substance. Various types of composite procedures are indeed foreseen for the authorisation to place on the market genetically modified organisms, medicines, pesticides, and so on, entailing the cooperation in various forms and at various stages between national and EU authorities.Footnote 22 In such cases, one could imagine that the freedom to conduct a business protected by Article 16 of the Charter as well as the prohibition of discrimination contained in Article 21 might come into play.

13.2.4 Composite Procedures and Fundamental ‘Procedural’ Rights

All composite procedures, whether entailing enforcement measures or leading to an authorisation or the drafting of a plan or the ban of a product or person from the European administrative space, whether taken in economic or non-economic fields, whether comprising only two or multiple cooperative steps, need to respect several procedural fundamental rights. The starting point here is Article 41 of the Charter, referring to the right to good administration, including the right to be heard and the duty to give reasons. Article 41 is closely linked to the right to an effective remedy under Article 47 of the Charter, because judicial protection cannot be considered effective if the person concerned is unable to ascertain the reasons upon which the decision relating to them is taken.Footnote 23 The obligation to give reasons aims to enable the person concerned to ‘defend his rights in the best possible conditions and to decide, with full knowledge of the relevant facts, whether there is any point in his applying to the court with jurisdiction’.Footnote 24

Early in the case law, it was established that the right to be heard applies to individual decisions, which is a typical outcome of composite procedures (e.g., in the case of authorisation to place a product on the market or the imposition of a sanction).Footnote 25 However, the exercise of this right can be particularly arduous in the case of composite procedures: Quid iuris indeed if the right to be heard was not exercised in one step of the procedure? Can this omission be ‘compensated’ down the line of the decision-making chain, although the following decisional steps might be taken by authorities pertaining to a different legal system from that of the authority that violated the right to be heard in the first place? Can the omission of the authority of one legal system ‘contaminate’ the actions of the authorities belonging to a different legal system? What is the relevant level of administration before which the right to be heard can or must be exercised?Footnote 26

These issues came to the attention of the CJEU in the context of the structural funds in the Lisrestal case, in which the Court considered a cooperative mechanism between the national authorities and the Commission leading to the reduction of the financial assistance received by the applicant.Footnote 27 The right to be heard was considered violated by the Court, and this circumstance led to the invalidity of the final Commission decision. However, interestingly, in the absence of a clear indication in the underlying legislation, the Court did not specify whether the right to be heard had to be afforded by the national or EU authorities, although the national authorities had no discretion to decide on the recovery of the funds. In a later case, Mediocurso, the applicants had been heard by the national authorities but there were indications that the right to be heard could have been infringed as the applicants had been given too little time to submit their observations. The Court of Justice on appeal, reversing the decision of the (then) Court of First Instance, invalidated the final Commission decision.Footnote 28

Also the later case lawFootnote 29 confirms that, while the right to be heard needs to be respected regardless of whether it is specifically mentioned in the applicable rules, it is not required that it be granted before the authority making the ‘real’ determination in the composite procedure.Footnote 30 This line of case law, however, seems to stand in contradiction with another strand of decisions that the CJEU handed down in the field of the repayment of import duties. After confirming the earlier position in France-Aviation,Footnote 31 in a long line of subsequent case law, it held that a person vis-à-vis whom an unfavourable decision is to be adopted must be heard by the authority who has the discretion to take the decision (in the cases at stake, the Commission).Footnote 32

This contradiction in case law of the CJEU did not go unnoticed, with Alonso de León stating that the European courts ‘fail to see the connection between some of the cases’, possibly because they do not recognise composite procedures as a category of their own.Footnote 33 While he proposes that the right to be heard in composite procedures must be afforded before the authority ‘in the driving seat’ of the procedure (i.e., holding the discretionary power with respect to the final decision), he acknowledges that this very solution might present additional complexities in procedures with more complex collaborative structures, such as in the case of authorisation of pesticides or genetically modified organisms, where national and EU authorities intervene at several points of the procedure.Footnote 34 What is however clear from this case law is that, whenever a composite procedure is concluded with an EU measure on which the ‘main’ decision-making power is held by an EU administrative authority, the violation of the right to be heard at the national level is able to ‘contaminate’ the validity of the final EU law. This finding is in line with the division of jurisdictions between the national and EU courts, which will be discussed in Section 13.3.

The duty to give reasons, which undoubtedly also applies to acts of individual scope, resembles to some extent the broader problématique discussed with respect to the challenges of the right to be heard in composite procedures: Which governance level must discharge the duty to give reasons in composite procedures? Can the shortcomings of one authority be compensated by an authority belonging to a different legal system?

While the duty to give reasons, like the right to be heard, is sometimes enshrined in the legislation creating a composite procedure,Footnote 35 the case law has revolved around situations in which this duty is not precisely stated. In particular, as highlighted by Brito Bastos, two situations have been brought to the attention of the Court, both relating to composite procedures where a national preparatory measure is followed by a final EU measure: first, whether EU authorities must include the reasons contained in the relevant national preparatory acts in their statements of reasons; second, whether EU authorities may discharge their duty to give reasons simply by per relationem (i.e., merely by referring back to the national preparatory measures).Footnote 36

With respect to the first point, the ruling in Sweden v Commission (which was confirmed in later case law)Footnote 37 allows the conclusion that if the statement of reasons contained in the preparatory measure contains facts and circumstances that are decisive for the final decision then the EU authority issuing the final measure should include them in its own statement of reasons.Footnote 38

Regarding the possibility for EU authorities to refer to the statement of reasons of the national preparatory measure, the CJEU has been consistent since the Branco ruling that this is possible, provided that the EU measure confirms the preparatory measure adopted by national authorities, which should themselves have issued a sufficiently clear statement of reasons, and that the addressee has been able to take cognisance of the measure.Footnote 39

While this case law solves some of the issues connected to the extent of the duty to give reasons in composite procedures, as with respect for the right to be heard, several doubts still remain: What is the extent of the duty to give reasons if the procedure is reversed and it is the EU authority taking the preparatory measure? To what extent should national preparatory measures be subject to a duty to give reasons? What about composite procedures involving more than two steps or two legal systems?

These questions are not only relevant with respect to the decision-making process itself but also for the question of the competent judicial instance when any of those (procedural or substantive) fundamental rights are violated. It is to this question that the chapter now turns.

13.3 Finding the Competent Court in Composite Procedures: Mission Impossible?Footnote 40
13.3.1 The Separation of Jurisdiction as the Cornerstone of the European Judicial Architecture

As the examples presented above have shown, the variegated universe of composite procedures, as the regulatory manifestation of the increasingly intense cooperation between national and European authorities for the implementation of EU law, are present in virtually all EU policy fields. Despite their capacity to violate fundamental rights protected by the EU legal order, the current judicial framework seems ill-suited to cater for their comprehensive judicial control.

This is because of the traditional approach to the judicial review of administrative action, which is based on the principle of territoriality. On this basis, the jurisdiction of courts is limited to the review of the administrative action stemming from the authorities belonging to the domestic legal system. This approach would make judicial review of a national court on an EU measure, or vice versa of the CJEU on a measure adopted by a national authority, in principle, impossible.

This strict separation of judicial control of administrative action (with the only avenue of procedural integration represented by the preliminary question of validity under Article 267 TFEU,Footnote 41 see Chapter 4) creates difficulties in access to justice. These are likely to arise for two main reasons. First, because the actions of the several national and EU authorities participating in a composite procedure might be so intertwined that it could be difficult to trace the contribution of each authority in the process and, consequently, the attributability of a conduct to a specific level of administrative governance. Second, because, even if an action could be ‘isolated’ and attributed to a specific administrative authority, the several preliminary steps leading to a final decision within a composite procedure might not be reviewable in any legal system. They might not constitute a reviewable act in the legal system to which these steps, acts, or actions belong (in light of their preparatory nature), and, at the same time, they might not be subject to judicial control in the court of the legal system adopting the final decision because of the limitations generated by the principle of territoriality. In Section 13.3.2, the access to justice issues arising from composite procedures entailing factual conduct will be examined. As Section 13.3.2 will show, these issues mostly revolve around the question of attributability of a conduct to a specific level of governance. Section 13.3.3 will then consider the case law of the Court of Justice concerning procedures of a decisional nature. This division mirrors the distinction made in Section 13.2 and is warranted by the different problems arising from these two types of vertical composite procedure. Section 13.3.3 will show that the CJEU has been asked on a number of occasions to determine the extent of its own jurisdiction as well of that of the national courts in composite procedures. However, many questions are still left unanswered and possible gaps in judicial protection might persist.

13.3.2 Factual Action in Composite Procedures and the Problem of Attributability

As introduced in Section 13.2, composite procedures can entail a variety of actions of a factual nature, such as the removal of individuals from the EU territory, the carrying out of interviews, the seizing of documents, and the like. When these acts are carried out in the context of composite procedures, and in particular when the factual action is itself cooperative in nature, it is very difficult to attribute a specific conduct to one or other administrative authority. If, for example, a national inspector and an inspector of the European Central Bank, working together in the so-called Joint Inspection Teams, perform a number of actions on the premises of a financial institution, the actions will be so intertwined as to render attributability of conduct to the national or European level of governance next to impossible.Footnote 42

If this problem is solved and disentangling the EU action from the national action is somehow possible, access to justice will nevertheless not be fully ensured per se in cases of fundamental rights violations.

Where the procedure is concluded with a national measure, the national competent court will be able to send a question concerning the validity of the EU conduct to the CJEU. The latter is, according to its Foto-Frost ruling,Footnote 43 the sole judicial authority in the case of doubt on the validity of acts or actions stemming from an EU authority, able to control it. Furthermore, according to the Grimaldi ruling, preliminary questions of validity are admitted with respect to all measures of EU law.Footnote 44 Hence, for a factual action of an EU authority, the preliminary question of validity seems to be available.Footnote 45

However, even in this – seemingly easy – case, the fact that the use of the preliminary question of validity presupposes the capacity of the national court to ‘discern’ the EU contribution to the national measure might place the national court in a conundrum: Should it – in doubt concerning the attributability of conduct to the EU authority – send a preliminary question of validity, even though the contribution of the EU administrative authority might not be discernible (incurring a risk of the preliminary question being declared inadmissible), or should it accept the indiscernibility of EU and national action and review the measure, possibly in breach of its Foto-Frost obligation?

Furthermore, if the procedure concludes with an EU measure, the competent EU court will be faced with the lack of a ‘reverse’ preliminary ruling, whereby the CJEU could ask a national court to review the validity of the factual conduct of a national authority.Footnote 46 In this situation, the applicant might need to access a national court to have the conduct of the national authorities reviewed. However, whether this claim will be admissible remains to be seen, and it is equally not clear whether the case law concerning composite procedures concluded with an EU measure and entailing ‘formalised’ preliminary national measures (i.e., the Borelli/Berlusconi line of case law examined in Section 13.3.3) can also be applied when factual conduct is at stake.

13.3.3 Composite Procedures, Discretion, and the Quest for the Competent Court

For the myriads of composite procedures where no factual conduct is involved, and the preliminary measures adopted by the competent national and EU authorities materialise in more ‘formalised’ measures (such as an opinion, a plan, an objection, etc.), it is again helpful to differentiate the situations in which the final measure of the decision-making process is adopted by the national or the EU level of administration.

As in the scenarios discussed above with respect to factual conduct, in the case of a composite procedure concluded by a national measure, the preliminary measures of the EU authorities can be challenged through a preliminary question of validity under Article 267 TFEU. For the opposite situation, when a composite procedure ends with an EU measure, the hurdle to access to justice arises from the combined absence of a ‘reverse’ preliminary ruling and the preliminary nature of national measures, which would, in most legal systems, lead to the inadmissibility of a claim against these measures.

In order to ensure access to justice in these situations, the Court has intervened with two landmark rulings that require national preliminary measures to be either autonomously reviewed before the national courts or to be reviewed by the CJEU in the context of a claim against the final EU measure. The first solution was proposed in the Borelli ruling, in which the Court held first that it was not entitled to review acts of national authorities but also, second, that national courts had to admit claims against national preparatory measures, regardless of the limitation posed to that review by the applicable national procedural rules.Footnote 47 After Borelli, the same approach was repeated in a number of cases relating to the field of protected denomination of origins and geographical indications under the applicable EU legislation. In these cases, the Court confirmed, on the basis of Borelli, that national preparatory measures should be reviewed by national courts but only when such a measure ‘constitutes a necessary step in the procedure for the adoption of a[n] [EU] measure, [and in regard to which] the [EU] institutions have only a limited or non-existent discretion’.Footnote 48

The solution envisaged in Borelli therefore only applies if the EU authorities adopting the final measure retain little or no margin of discretion vis-à-vis the preparatory national measure. If, instead, the EU authority retains a margin of discretion in respect of the final measure to be issued vis-à-vis the preparatory measure of the national authorities, the system of judicial protection afforded in such cases is the one proposed by the Berlusconi ruling. In this case, the Court ruled that, for composite procedures where the final decision-making power lies with the EU authorities, the CJEU has jurisdiction to review the entirety of the decision-making chain, including its national component.Footnote 49 Advocating a form of ‘integrated’ judicial review, the CJEU has, at the same time, and in an established line of case law (though limited to date to the banking sector), stripped national courts of their jurisdiction to review certain national preparatory measures that are part of composite procedures.Footnote 50

The combined reading of Borelli and Berlusconi entails that the determining criterion to vest national courts with the jurisdiction (and the duty) to review national preparatory measures is that of the margin of discretion afforded to the final EU decision-maker.Footnote 51

However, the criterion established by the CJEU, based on the margin of discretion afforded to the final EU decision-maker is not without difficulties for those who need to apply it. In Berlusconi, the CJEU uses the notion of ‘discretion’ to refer to the margin of manoeuvre of the EU authorities to decide on the content of a decision (as opposed to a situation in which this content is pre-determined by the content of the national preparatory measure). However, the notion of discretion can also relate, for example, to the question of whether to exercise a power or to which form a decision can take. Furthermore, discretion can relate to policy choices but also the assessment of facts.Footnote 52 This somewhat oversimplified view of discretion is not realistic in light of the variety of legislative scenarios through which composite procedures can be generated. It is also liable to generate further preliminary references and legal uncertainty: Who is to assess whether the legal framework is such to grant ‘exclusive jurisdiction’ to the CJEU or conversely whether a national court must be seized of the review of a preliminary measure? Quid iuris of time limits if the CJEU eventually decides that the preliminary measure needs to be reviewed by the national courts?

The Borelli and Berlusconi rulings also leave a number of further questions unanswered. In particular, the solution proposed by the Borelli ruling still remains unclear from a practical point of view and has only been partially clarified by the Jeanningros ruling.Footnote 53 Indeed, while the obligation for national courts to review national preparatory measures binding on the EU authority taking the final decision was clear after Borelli, the question remained open as to what would happen if a final decision is taken by the Union administration before the national court has had the opportunity to review the binding national preparatory act upon which it is based.

In Jeanningros, the Court clarified that, on the one hand, any pending proceedings against the national preparatory act should continue and, on the other, a national ruling holding that act invalid should lead the EU authority to revoke a decision taken on that basis (upon the assumption that the time limits under Article 263 would be long expired). While this confirms for potential applicants that the national route must remain open even when the EU authority has taken a final decision, it still does not clarify the remedies at their disposal if the Commission were to refuse to or simply does not revoke its final measure after the national proceedings are concluded. Is an action for failure to act under Article 265 TFEU then open to applicants? Given the lack of formalised communication channels between national courts and the Commission, what if the Commission is simply unaware of the fact that the relevant national proceedings are concluded?Footnote 54

If one considers specifically the Berlusconi scenario, the review of the national measure permitted by the CJEU seems to be limited to errors of EU law, to the exclusion, therefore, of flaws in the national preparatory act based on domestic procedural law.Footnote 55 A different solution would entail the CJEU applying national law and would make the determination of the validity of an EU measure indirectly dependent on varying national procedural arrangements. However, the exclusion from the scope of judicial control of these national preparatory measures of errors stemming from national law inevitably creates what has been referred to as an ‘administrative crack in the EU’s rule of law’.Footnote 56

Furthermore, it is unclear how the combined reading of Borelli and Berlusconi can be applied in composite procedures that entail more than two steps. This difficulty is exemplified in the Association Greenpeace France ruling, which concerned the authorisation scheme in the field of GMOs.Footnote 57 In this case, the applicant complained that the actions of the national authority where the procedure had started were irregular and therefore rendered the final Commission decision irregular. The Court could thus still implicitly rely on the Borelli ruling and find that national courts are competent for the review of that preliminary national measure.Footnote 58 However, it is not clear which would be the competent court to review the input of another national authority in the process (e.g., in the form of an objection to the assessment made by the first authority).

A separate and final reflection should be dedicated to the emerging case law concerning a special type of composite procedure that is based on information sharing between the EU and national authorities, such as in the above-mentioned cases of the SIS and RAPEX databases.Footnote 59 The Borelli and Berlusconi cases do not seem to fit the schemes of composite procedures in these scenarios as the final decision-making process does not lie with the EU level, and the existence of the preliminary question of validity does not solve the problem of access to justice. This is because these procedures involve the EU authorities and more than one national authority: they are thus ‘triangular’ in nature in that they are started at one national level, with an intermediate participation of the EU authorities, and concluded at another national level.

The case law in this framework is rather limited and leaves many questions unanswered. Two cases, MalaguttiFootnote 60 and Bowland,Footnote 61 dismissing an action for damages against the EU for sharing allegedly incorrect information (on the basis of which national measures had been adopted), seem to indicate that, according to the CJEU, the EU action within these systems is limited to ‘passing on’ the information, which remains within the full responsibility of the Member State that shared the information in the first place. The ‘triangularity’ in these procedures seems therefore, according to this case law, merely formal.

If these procedures are then to be considered horizontal in substance, where can or should national preparatory measures in these cases be reviewed? The recent Funke ruling seems to indicate that preparatory measures in which the information is shared (in this case, within the RAPEX system) must at least be open to judicial control in the legal system where the measure was taken.Footnote 62 However, in this case, there had not yet been any national measure taken after the alert was shared by the Commission to the Member States. If a subsequent national measure (e.g., determining that a product be banned from the market) is taken by the authority of another Member State, should an applicant initiate two separate proceedings in the course of both legal systems involved in the procedure?Footnote 63

13.4 Conclusions

This contribution has sought to examine the question of the availability of a sufficient system of remedies against fundamental rights violations possibly occurring in the context of the so-called vertical composite procedures, that is, administrative decision-making processes in which national and EU authorities collaborate in the implementation of EU law.

The chapter has shown, first, that the complex web of interactions between national and EU administrative levels, intervening at different moments of administrative procedures, taking a variety of – more or less formalised – forms is capable of affecting a number of EU fundamental rights, both substantive and procedural in nature. In this context, further research should examine the universe of composite procedures, by discovering possible common patterns and notable differences.Footnote 64

Second, the contribution has demonstrated that procedural integration at the level of the decision-making sits uncomfortably with the traditional approach to the judicial review of administrative action, which is based on the principle of territoriality and on the separation of jurisdictions between national and EU courts. As a consequence, there may well be situations in which private parties might be denied the right to challenge acts emanating from composite procedures.

This is notably the case in composite procedures including factual conduct for which it might be extremely difficult to attribute conduct to a specific level of governance. However, even where the contribution of national and EU authorities materialises in more ‘formalised’ measure, the patchwork solution currently in place through the preliminary question of validity, on the one hand, and the combined reading of Borelli and Berlusconi, on the other hand, leaves many questions unanswered and possible gaps in judicial protection open. Even more questions seem to arise in the increasingly more frequent composite procedures entailing the sharing of data between national and EU authorities.

Already since the Les Verts ruling, the CJEU has held that the EU is ‘based on the rule of law, inasmuch as neither its Member States nor its institutions can avoid a review of the question whether the measures adopted by them are in conformity with the basic constitutional charter, the Treaty’.Footnote 65 This statement is embodied in Article 47 of the Charter guaranteeing the right to an effective remedy. The picture described above with respect to access to justice in composite procedures shows that this right does not seem currently to be fully ensured. Further research should be devoted to a comparative analysis of national case law where composite procedures have been at stake, to assess whether and to what extent the Borelli and Berlusconi rulings have been correctly understood and applied at the national level.

While several gaps in access to justice within composite procedures seem to persist, and the CJEU has failed to clarify a number of essential aspects of judicial review in this respect, there are also structural shortcomings that ought to be mentioned. In the absence of a ‘reverse’ preliminary question, which admittedly is not for the CJEU to create, the Court was unable to tackle some of the fundamental shortcomings of access to justice in composite procedures. It is therefore to be hoped that a fundamental reconsideration of how to ensure access to justice in an increasingly ‘integrated’ administration will soon be placed on the agenda of the EU legislator. This reconsideration would not only require that sufficient multi-level procedural mechanisms are in place, such as the creation of the above-mentioned system of ‘reverse’ preliminary questions, but also ideally a truly integrated system of judicial control whereby one judicial instance (in a straightforward fashion the one currently controlling the act which concludes a composite procedure) would be empowered to review the entirety of the decisional chain.Footnote 66

14 Soft Law and Challenges to Access to Justice

Merijn Chamon
Footnote *
14.1 Introduction

This chapter explores the challenges that the informalisation of EU governance, through the reliance on soft law, poses for the possibilities for private parties to challenge EU conduct that may be in violation of their fundamental rights. First, this main research question will be situated in the broader debate on reliance on soft law in EU law. Subsequently, the ontological question of how soft law, given its non-binding nature, may constitute an interference with a fundamental right will be addressed and different examples of the increased reliance on soft law will be used to illustrate recent developments. Having sketched the state of play and the challenges that soft law may pose for fundamental rights, the chapter will then turn to the EU’s system of remedies. The latter has been crafted with a view to providing legal protection against binding governmental action. Soft law undermines that assumption and the difficulty in challenging it through conventional mechanisms of legal protection may itself become a possible interference, this time with the right to an effective legal protection as enshrined in Article 47 of the Charter of Fundamental Rights of the EU (CFR, ‘the Charter’).Footnote 1 After having identified the (conventional) remedies available, the chapter will make some suggestions to adapt the system of remedies addressing the specific challenge posed by soft law.

14.2 Soft Law: What’s in a Name

The final part of this second section of the chapter is devoted to illustrating, through a series of examples, how, in practice, soft law could interfere with fundamental rights. Before presenting these examples, however, some preliminary clarifications need to be made. First, Senden’s definition of soft law will be presented together with a discussion of the different functions that soft law may fulfil, before dealing with the question of how, in theory, soft law may interfere with fundamental rights.

14.2.1 What Is Soft Law and What Makes It Soft?

The study of soft law in the EU legal order is already well established. A seminal work, and one that has advanced an often relied on definition of the notion, was that of Senden. She qualifies soft law as ‘rules of conduct which are laid down in instruments which have not been attributed legally binding force as such, but nevertheless may have certain (indirect) legal effects, and that are aimed at and may produce practical effects’.Footnote 2 This definition remains rather vague, however, and a lot of intellectual effort has since gone into attempts to better understand what kind of practical and/or indirect legal effects are sufficiently relevant in order for non-binding acts to be considered legally significant enough to constitute soft law.Footnote 3 Further research has therefore looked into the question of which precise features makes soft law soft and the types of soft law that exist.

On what makes soft law soft and trying to better capture the notion of soft law, Terpan proposed to understand the phenomenon as a function of two criteria, those being obligation and enforcement. A norm can then be qualified as hard law when it cumulatively prescribes a sufficiently clear obligation that can also be enforced. Conversely, norms that do not prescribe sufficiently clear obligations would constitute soft law as would norms that do prescribe obligations but that are not enforceable. To determine whether a sufficiently clear obligation is being prescribed, Terpan considers the source and the content of the norm in question and, in terms of enforcement, he distinguishes between norms that are subject to judicial (or at least very constraining) control, those subject to non-coercive control (such as mere monitoring), and those subject to no control.Footnote 4

14.2.2 Soft Law’s Different Functions

To better appreciate the dynamics (and interference with fundamental rights) that may flow from soft law, it is useful to distinguish the different functions that soft law acts may fulfil. Here, different authors have elaborated different typologies. Senden and Van den Brink, for instance, distinguish between soft regulatory rule-making and soft administrative rule making. The first has a para-law policy-steering function while the purpose of the other is to give post-legislative guidance.Footnote 5 The classification of soft law adopted specifically for EU agencies as proposed by Rocca and Eliantonio also categorises soft law in light of its position in the policy cycle and can also be integrated in that of Senden and Van den Brink. Rocca and Eliantonio distinguish four types: where soft law is adopted in the form of acceptable means of compliance or technical guidance (categories one and two of Rocca and Eliantonio), it will typically fulfil the function of post-legislative guidance; conversely, technical documents and high quality information (categories four and three of Rocca and Eliantonio) typically fulfil a para-law function.Footnote 6 Just like the origin of a norm’s soft nature above, the conceptual distinction between these two main categories is important because it feeds into the constitutional assessment of the informalisation of EU governance through soft law.

On the one hand, post-legislative soft law may be beneficial to clarify the meaning and scope of legislative provisions. On the other hand, there also exists a risk that in the post-legislative phase, through the soft law guidance, a binding norm is given (slightly) different meaning, thereby also possibly altering fundamental rights interferences flowing from that binding norm. In that case, however, a binding norm still exists that might meet the requirements of Article 52(1) of the Charter. In contrast, soft law fulfilling a para-legislative function does not have such a binding norm to fall back on, raising the question of whether any fundamental rights interferences by such soft law would be ‘prescribed by law’ or whether they would be ipso facto violations.

A final consideration to present at this point is the dual question of the author and the addressee of the soft law. In EU law, perhaps the archetypical form of soft law are the Commission’s guidelines in the field of competition law where the Commission set out its view on how EU competition law is to be applied. This soft law has no specific addressees but helps private parties anticipate the Commission’s practice, since the soft law has self-binding effect on the Commission as the (main) actor responsible for the enforcement of EU competition law.Footnote 7 More recently, a different trend can be seen, as will be further illustrated below, whereby a proliferation in the authors of soft law can be witnessed. In this fairly new constellation,Footnote 8 the rather straightforward link between the author adopting the soft law and the enforcement actor has also been severed, meaning there is no self-binding effect anymore either. Often EU agencies or bodies are called on to adopt soft law, fleshing out legislative provisions that are to be applied by national authorities. While such soft law may still fulfil the clarification function of post-legislative soft law noted above, the fact remains that the fiction of an authority limiting its own (enforcement) discretion can no longer be upheld in these cases. That would mean that the position of private parties is weakened, and the possible interferences with their fundamental rights may become more acute. This since the soft law will still carry in it an expectation of compliance but without being balanced by the legitimate expectation that the enforcement actor has limited its own discretion.

This feature is exacerbated by a further feature of the typical composition of EU agencies or bodies adopting soft law. Unlike the main EU executive (the Commission), the main decision-making entities of EU agencies and bodies are the national authorities responsible for the implementation of EU law. The further risk this poses is illustrated nicely by the recent ThyssenKrupp cases. At issue here was a composite procedure whereby the EU customs expert group (composed of national authorities) could not agree on whether certain conditions to grant an exceptional authorisation to one of ThyssenKrupp’s competitors were met. Still, a majority in the expert group was in favour of granting the authorisation and the Commission concluded that the conditions to do so were indeed met. The Dutch customs authority subsequently formally granted the authorisation and claimed that it was obliged to do so in light of the Commission’s conclusion.Footnote 9 This because a further soft law act adopted by the expert group, ‘the new administrative practice’, provided that such Commission conclusions are binding on the national authorities.Footnote 10 The General Court (GC) ruled that the Commission’s conclusion was not challengeable pursuant to Article 263 TFEUFootnote 11 since the relevant legislation merely prescribed that national authorities ‘shall take it’ into account.Footnote 12 The GC’s findings were upheld by the Court of Justice, which furthermore remarked that the ‘fact that … the competent customs authority took its decision in the belief that it was bound by the contested conclusion does not … have the effect of making that conclusion an act which is legally binding’.Footnote 13 For readers versed in the admissibility requirements of Article 263 TFEU procedures, the Courts’ findings will appear logical and sound. However, a troubling dynamic at play here is that national authorities come together at EU level and de facto limit their own discretion through soft law, obfuscating the available remedies available to private parties. As Eliantonio explains in Chapter 13, where the EU adopts preliminary measures and national authorities adopt the final act, a disentangling of who does what becomes paramount.

14.2.3 Soft Law Interferences with Fundamental Rights in Theory

Having further clarified what makes soft law soft and how soft law may occupy different positions in the policy cycle, it is now possible to look into the implications of soft law from a fundamental rights perspective. Two questions are especially relevant here: First, if soft law is soft because it does not prescribe a hard obligation and/or because any possible obligation prescribed will not be enforced through a ‘constraining’ enforcement mechanism, can it become sufficiently relevant for its fundamental rights implications? Secondly, if a limitation or restriction may result from soft law, under which conditions may those limitations or restrictions be said to be ‘prescribed by law’? Under the Convention, this requirement first refers back to the domestic law of a party but that domestic law must itself also be in conformity with the Convention. While the domestic law need not formally be law, and can be enactments of lower rank than statutes and even unwritten law, it must meet qualitative requirements, including those of accessibility and foreseeability.Footnote 14 While this seems to provide sufficient flexibility to encompass soft law, the flexibility is arguably aimed at accommodating the different legal systems of parties to the Convention.Footnote 15 Given the risks that soft law poses for executive overreach in the EU,Footnote 16 limitations flowing exclusively from soft law might have to be ruled out as being ‘prescribed by law’ regardless of whether the soft law was accessible and its application foreseeable. Most of the time, however, a limitation will not flow exclusively from soft law, the latter instead fulfilling a mediating function. Where soft law is tolerated in such scenarios it becomes crucial to ensure proper remedies, as discussed in Section 14.3.

Returning to the first question, the relevance arguably lies in the practical and indirect effects that soft law may produce. After all, from a fundamental rights perspective, the question is not so much whether the norm prescribing (in)action on the part of the government is valid and/or binding but if and how such (in)action impacts the fundamental rights position of the individual.

The constitutional relevance of soft law is still obscured, however, since the notion of a limitation or restriction (of a fundamental right) has arguably not been properly clarified by either the European Court of Human Rights (ECtHR) or the Court of Justice of the EU (CJEU). For the ECtHR, this might not come as a surprise since the cornerstone of the Convention is the right of individual petition.Footnote 17 The ECtHR thus addresses specific (individual) complaints of concrete (alleged) violations of fundamental rights and not abstract questions relating to possible dubious legislative acts or government policy.Footnote 18 Such a constellation provides less opportunity for theory-crafting compared to the system in which the CJEU operates of which the purpose is not to protect fundamental rights but to oversee the construction of an internal market. In its system of remedies, the cornerstone is the preliminary reference procedureFootnote 19 and an independent Commission can bring infringement actions against Member States. Returning to the ECtHR, Letsas notes that its diagnostic test has five main stages, those being: (i) whether the facts come within the ECHR’s scope, (ii) whether there is an interference with a right, (iii) whether the interference is prescribed by law, (iv) whether a legitimate is aim pursued, and (v) whether the interference is necessary in a democratic society.Footnote 20 While the second stage is conceptually distinct from the others,Footnote 21 in practice it is often subsumed under the fifth stage, which has also meant that the ECtHR has not developed a horizontal approach to the question of which types of governmental action or inaction may amount to an interference.Footnote 22 Since such an approach is lacking, the ECtHR has not articulated a general approach to the potential fundamental rights implications of soft law either.

When the interference question is explicitly addressed by the ECtHR, it is necessarily done in a case-by-case manner. In those cases, it is not exceptional for the ECtHR to simply postulate that there has been no restriction, without elaborating any reasoning in this regard. It thus, for instance, held that ‘in themselves, the security checks to which passengers are subject in airports prior to departure do not constitute a restriction on freedom of movement’.Footnote 23 On other occasions, the finding of a lack of a restriction is more reasoned. In Cha’are Shalom Ve Tsedek v France, the ECtHR held that while ritual slaughter was protected under Article 9 of the Convention, ‘there would be interference with the freedom to manifest one’s religion only if the illegality of performing ritual slaughter made it impossible for ultra-orthodox Jews to eat meat from animals slaughtered in accordance with the religious prescriptions they considered applicable’.Footnote 24 Similarly, in A, B and C v Ireland, the Grand Chamber of the ECtHR ruled that there was no interference with a woman’s right to life by a party’s anti-abortion legislation when the woman in question could go abroad to receive treatment.Footnote 25 As Gerards notes, if the Court were to follow this approach consistently, not many interferences would be found,Footnote 26 since an interference could only be qualified as such when it resulted in the impossibility to enjoy the protection of the right concerned. Linking back to soft law, that threshold might never be met since its soft nature means that non-compliant behaviour remains entirely possible.

On the other hand, in a greater number of cases, the Court links the degree of interference with the intensity of the proportionality review.Footnote 27 As a result, ‘although in some cases the Court pays express attention to the phase of interference, in other cases it implicitly accepts or assumes the existence of an interference, or it merges the test of interference with the test of applicability or that of jurisdiction [or that of the justification of an interference]’.Footnote 28 Linking back again to soft law, this would mean that the existence of an interference will be accepted but that the proportionality review might be lenient. The lack of a clear position on the possible interfering effects flowing from soft law contrasts with the approach of the CJEU, at least in the area of the internal market.Footnote 29 As noted, this can arguably be explained by the different purposes of both Courts and the different procedural avenues to reach them.

In its internal market jurisprudence, it is firmly established case law that where national measures ‘are capable of hindering or rendering less attractive the exercise of the fundamental freedoms guaranteed by the Treaty’ they will constitute interferences.Footnote 30 That non-binding measures may also constitute restrictions on free movement is explicitly established in case law of the CJEU, since the restrictive effect of non-binding measures may be comparable to that of binding measures.Footnote 31 The degree of interference will then only be relevant in the possible assessment of the proportionality of the (national) measure. Of course, this ‘internal market’ logic might not be transposable to the fundamental rights protection offered by the Charter. While the CJEU itself has created a bridge between the two, that bridge does not connect the internal market freedoms with the full scope of material rights in the Charter. Instead, the Court held that where there are interferences with the fundamental freedoms of the internal market, these automatically cover interferences with only a limited subset of Charter rights (notably those laid down in Articles 15 to 17),Footnote 32 amalgamating the assessment of both. Going back to soft law’s effects and as AG Bobek explained, soft law as an imperfect norm may not be coercively enforced but still have the ‘normative ambition of inducing compliance’.Footnote 33 In the law of the internal market, such an ambition is sufficient for the measures to be caught by the free movement rules. Applying the same logic, the possibility of soft law constituting an interference with fundamental rights should be accepted.

The more concrete question of whether this means that the Charter applies to EU soft law further falls apart in two sub-questions, in light of the Charter’s field of application. As Kenner and Peake note, the first is whether EU institutions are bound by the Charter when adopting soft law. For those authors, ‘ideally, when it adopts non-binding policies, it should also be regarded as constrained and empowered by fundamental rights. However, in those contexts, as its output is not legally binding, it would be difficult to enforce this commitment in the courts’.Footnote 34 The second question is whether EU Member States are to be considered as implementing EU law when they adopt binding measures in the wake of EU soft law. As the law currently stands, Kenner and Peake answer this question in the negative but again call for a de facto respect for the Charter in order not to erode the protection offered by the latter.Footnote 35 At this point, it is useful to make a distinction between the different ways in which EU soft law may be followed upon or implemented. Thus, once an EU institution or body adopts soft law, generally four scenarios are possible: (i) the soft law is addressed to private parties (or has no addressee) and is acted upon by them; (ii) a governmental body (EU or national) adopts a binding act further to the EU soft law; (iii) a national body adopts soft law further to the EU soft law; (iv) the EU soft law is acted upon through factual conduct of a governmental body (EU or national). Evidently, the possibility for parties to bring a potential fundamental rights interference before a court will be influenced by which of the four scenarios is at issue.

While the Court has not addressed the first scenario explicitly yet, the dynamics that would be in play have popped up in cases before it. In Bevándorlási és Állgmpolgársági Hivatal, the Court noted that asylum seekers cannot be required to undergo a personality test, since their consent to do so would be required. However, it explicitly accepted that ‘that consent is not necessarily given freely, being de facto imposed under the pressure of the circumstances in which applicants for international protection find themselves’.Footnote 36 The Court thus recognised that an applicant might be indirectly or practically forced, in which case there is an interference with the right to respect for a private life that needs to be justified. In the separate context of EU-induced national austerity programmes, which come under the second of the four scenarios noted above, AG Saugmandsgaard Øe in Associação Sindical dos Juízes Portugueses held that the Council recommendation based on Article 126(7) TFEU at issue ‘did not fix sufficiently specific and precise objectives to support the view that the Portuguese State implemented on the basis of that recommendation requirements of EU law within the meaning of Article 51 of the Charter’.Footnote 37 This suggests, however, that, on the more fundamental preliminary point, the AG did not per se rule out that a Member State could be said to be implementing EU law in the sense of Article 51 of the Charter when acting on EU soft law.

14.2.4 Soft Law Interferences with Fundamental Rights in Practice

To make things more concrete, the present section will look into three distinct areas to illustrate how soft law may result in fundamental rights interferences. The first is the area of economic coordination and the Euro crisis response. To assist Eurozone Member States that are cut off from the international financial markets, the Eurozone Member States established the European Stability Mechanism (ESM) as an international organisation distinct from the EU. The ESM TreatyFootnote 38 confers a number of important tasks on the European Commission and the European Central Bank, which the CJEU accepted in the Pringle case.Footnote 39 The ESM funds made available to the Eurozone Member States are conditional on the negotiation and conclusion of a Memorandum of Understanding (MoU) between the ESM and the Member State concerned. These MoUs, while negotiated and signed by the Commission, follow from the ESM Treaty and therefore do not constitute challengeable acts under Article 263 TFEU.Footnote 40 At the same time, the EU can still be held liable for the Commission’s wrongful acts or omissions, specifically under the Charter (and the right to property, notably of those people affected by the austerity or restructuring measures taken in execution of the MoU), as confirmed by the Court in Ledra Advertising.Footnote 41

The legal nature of the MoUs, negotiated by the Commission under the ESM, is highly disputed. The analogous MoUs agreed between the Commission and non-Eurozone Member States, under EU law, were considered to be ‘mandatory’ by the CJEU,Footnote 42 against the findings of the AG,Footnote 43 but it is unclear whether this can be transposed to the ESM MoUs. AG Wathelet in Mallis suggested they are non-binding,Footnote 44 as does Repasi,Footnote 45 while Poulou suggests they are binding.Footnote 46 The Court in Ledra Advertising did not address this question and focuses on the Commission’s conduct in negotiating the MoU. Distinguishing the negotiation by the Commission from the MoU itself is in part built on a legal fiction however, and it seems difficult to see how the Commission’s conduct as such would constitute an interference in the absence of the MoU itself constituting such an interference. The Court of Justice indeed seems to assume that the MoU (as negotiated by the Commission) interfered with the right to property of the deposit holders at the banks that were put under resolution. Ledra would thus imply either that the CJEU accepts that a non-binding act may have such constraining practical or indirect legal effects that a fundamental rights interference may result from it or, alternatively, that it believed the MoU was binding. While Ledra concerned the right to property of deposit holders (of Cypriot banks), it is useful to flag that the MoU also prescribed an austerity programme with significant fundamental rights implications. For instance, the Cyprus MoU foresaw that Cyprus would reform its pension system, increasing the minimum age for pension entitlements and reducing pensions.Footnote 47

A second set of examples can be seen in the soft law adopted in the Area of Freedom, Security and Justice (AFSJ), for instance, by the EU Agency for Asylum (EUAA). Article 13 of its establishing Regulation provides that its Management Board can adopt operational standards, indicators, guidelines, and best practices to ensure a correct and effective implementation of Union law on asylum.Footnote 48 The agency thus adopts post-legislative guidance fleshing out different provisions of the EU asylum acquis, such as the Asylum Procedures Directive. In its Articles 14 and 15, the latter sets out the rule that applicants are entitled to a personal interview before a decision on their application is made as well as setting out the requirements that such a personal interview must meet.Footnote 49 Under Article 15(3)(c) of the Directive, the ‘communication shall take place in the language preferred by the applicant unless there is another language which he or she understands and in which he or she is able to communicate clearly’. In the EUAA’s Guidance on asylum procedure: operational standards and indicators of September 2019, however, Standard 30 prescribes that ‘the personal interview takes place in a language the applicant understands’.Footnote 50 The ‘good practice’ listed under that standard provides that if no interpreter is available in the language that the applicant understands, another language ‘that the applicant is reasonably expected to understand’ can be used. The guidance that is provided to national authorities to comply with the Directive thus effectively sets a lower (or at least less detailed) standard than the Directive itself. Since the latter is explicitly intended to promote inter alia the right to human dignity and the right to asylum,Footnote 51 it cannot be excluded that the guidance might set the actual standard for the administrative practice of Member States and thereby interfere with these fundamental rights. This despite the Court in Addis ruling that the personal interview is of fundamental importance in the asylum procedure.Footnote 52

A further example in the AFSJ can be found in the EU’s response to Russia’s invasion of Ukraine. Quite quickly this led to calls within the EU of banning Russian tourists from acquiring Schengen visas, although the Schengen Visa CodeFootnote 53 does not explicitly provide for such a ban. Following the EU Council’s suspension of the EU-Russia visa facilitation agreement,Footnote 54 Russian citizens are to be given the default treatment under the Visa Code regulation when applying for visas. When it comes to refusing Russian citizens’ applications, the main relevant provision in the Visa Code on which Member States would rely is Article 21(3)(d), which requires Member States to verify that ‘the applicant is not considered to be a threat to public policy, internal security or public … or to the international relations of any of the Member States’. While the regulation has not been amended, in September 2022 the European Commission did adopt guidance specifically for the issuance of visas to Russian citizens.Footnote 55 These guidelines seem to lower the bar for Member States to refuse applications from Russians: ‘As far as Russian nationals travelling for tourism are concerned, having a very strict approach is justified as it is more difficult to assess the justification for the journey.’Footnote 56 The Commission in its guidance also seems to lower the bar by introducing the notion of a ‘potential threat’, a concept that does not as such appear in the Visa Code or the (general) Visa Handbook.Footnote 57 While there is evidently no fundamental right of Russians to visit the EU, one may well argue that there is a fundamental right for Russian citizens, pursuant to Articles 20 and 21 of the Charter, not to be treated differently from, for example, Kazakh citizens (i.e., citizens of states other than Russia that are also listed in Annex I of Regulation 2018/1806Footnote 58 with which the EU has not concluded a facilitation agreement).Footnote 59 Arguably, the result of the guidance is that Member States are given a basis to routinely reject applications from Russians requesting a visa for touristic purposes.

A third illustration may be found in the digital sphere where the EU has adopted ambitious legislative packages in recent years. Although the General Data Protection RegulationFootnote 60 is not limited in scope to the processing of data through digital means, its importance for the digital information society is self-evident. In 2022, the EU legislator also adopted the Digital Services Act (DSA) and a Data Governance Act (DGA).Footnote 61 Aside from their special relevance for the digital provision of services and the digital processing of data, two further features of these three different legislative instruments are noteworthy for the purposes of this chapter: they contain important enabling clauses foreseeing the adoption of soft law to ensure the proper application of the legislative acts and they rely on a new type of governance mechanism by setting up so-called Boards (the European Data Protection Board [EDPB], the European Board for Digital Services [EBDS], and the European Data Innovation Board [EDIB]) that are to adopt such soft law. While these Boards are heterogeneous in their nature, structure, and functioning,Footnote 62 they have in common that they bring together representatives of the national authorities and that they are given the power to adopt soft law (guidance) on any issue coming under the scope of their respective legislative acts. This is very similar to the constellation at issue in the ThyssenKrupp cases discussed above. When it comes to the actual application of these legislative packages, different fundamental rights are evidently in play. The DSA is especially clear on this as it provides in its Article 34 that providers must make an assessment of how their services and the way they are offered may negatively affect rights, in particular the fundamental rights to human dignity enshrined in Article 1 of the Charter; to respect for private and family life enshrined in Article 7 of the Charter; to the protection of personal data enshrined in Article 8 of the Charter; to freedom of expression and information, including the freedom and pluralism of the media, enshrined in Article 11 of the Charter; to non-discrimination enshrined in Article 21 of the Charter; to respect for the rights of the child enshrined in Article 24 of the Charter; and to a high-level of consumer protection enshrined in Article 38 of the Charter.Footnote 63

How providers are concretely meant to mitigate risks is initially left to self-regulation, but Article 35(3) provides that the Commission ‘may issue guidelines … in relation to specific risks, in particular to present best practices and recommend possible measures, having due regard to the possible consequences of the measures on fundamental rights enshrined in the Charter of all parties involved’. In short, it may be expected that soft law will de facto determine the limits within which fundamental rights may be impacted by providers of very large online platforms and very large online search engines.Footnote 64 Generally, for these three acts, their actual implementation will be significantly steered by acts of soft law, adopted by either the Commission, the Boards, or the regulated entities themselves.

What the examples in these three very diverse policy fields show is, first, a seemingly insatiable appetite for soft law, not just on the part of the executive branch and, second, the very real possibilities for soft law to affect the legal position of natural and legal persons.

14.3 Remedies and Soft Law

The argument was made above that the scope of the Charter could, and in light of soft law’s practical effects should, extend to soft law. If that is indeed the case, the question becomes which remedies are available to challenge soft law’s interferences with fundamental rights. This section will highlight the two main existing judicial mechanisms that are available, as well as one administrative mechanism. The backdrop of this discussion is that soft law, by its nature, precludes the remedy of the action for annulment under Article 263 TFEU.

14.3.1 Unavailability of the Action for Annulment

The Court of Justice shut this door firmly in 2018 in Belgium v Commission,Footnote 65 despite suggestions by AG Bobek to take a more flexible approach. The Court of Justice thereby endorsed the findings of the General Court, which, at first instance, observed that the recommendation does not have and is not intended to have binding legal effects with the result that it cannot be classified as a challengeable act for the purposes of Article 263 TFEU.Footnote 66 The problematic repercussions of Belgium v Commission for effective judicial protection were decried by Arnull in strong terms: ‘[I]n direct actions the Court of Justice and the General Court now sometimes seem content to collude with other institutions to evade the requirements laid down by the Treaty.’Footnote 67 What therefore remains is the action for damages and the preliminary reference procedure, before the Courts, and the different forms of review by administrative bodies as a non-judicial remedy.

14.3.2 The Action for Damages

As the Ledra case discussed above suggests (assuming the CJEU found the MoU to constitute soft law), it is in principle possible to challenge the fundamental rights interferences of soft law through an action for damages. It is established case law of the EU Courts to require three cumulative conditions for the EU to incur non-contractual liability, those being the unlawfulness of the EU’s conduct, the fact of damage, and the existence of a causal link between the conduct and the damage.Footnote 68 In Ledra, the Court dismissed the claim for damages on the first of these conditions by finding that the Commission had not committed a sufficiently serious violation of the fundamental right involved because the restriction of the fundamental right could be justified pursuant to Article 52(1) of the Charter.Footnote 69 Specifically for soft law, the third cumulative condition appears to be the most problematic, however. Under the Court’s established case law, a sufficiently direct causal link means that the conduct must be the determining cause of the damage.Footnote 70 Yet, given its non-binding nature, the indirect legal and practical effects of soft law seem incapable of ever constituting such a determining cause.Footnote 71 This is clear where EU soft law is subsequently implemented by further decisions (binding or non-binding) but also when it results in the first and fourth scenarios noted above in Section 14.2.3. The threshold to show that soft law itself determined a private party’s behaviour or the factual conduct of a government body lies exceptionally high. Where the action for annulment against soft law will be inadmissible, an action for damages might be admissible but would then always fail on the merits.

14.3.3 The Preliminary Reference Procedure

The only judicial remedy practically available will then be the preliminary reference procedure, as evidenced by the FBF case.Footnote 72 In that case, the Court followed up on Belgium v Commission mentioned earlier where it refused to review soft law in an action for annulment but where it noted that ‘Article 267 TFEU confers on the Court jurisdiction to deliver a preliminary ruling on the validity and interpretation of all acts of the EU institutions without exception’.Footnote 73 From a more institutional perspective, the Court’s decision, as also predicted by AG Bobek in his Opinion in FBF,Footnote 74 goes against the current evolution of the judicial system at EU level. In terms of workload, it would have made more sense to allow for a direct review of soft law measures, given the recent expansion of the General Court. That the Court confirmed that there would be a possibility to seize it in order to challenge the validity of soft law was still welcomed by Gündel,Footnote 75 but there are at least three important constraints, inherent to the preliminary reference procedure, that require pointing out. First, the preliminary reference procedure requires a reference point in the national legal order that can be relied on to seize a national judge; second, a procedure must also be available at national level (which may not be self-evident in the realm of soft law); and third, the preliminary reference procedure is not a self-standing remedy but instead depends on the national judge referring questions.

The first two of these constraints are intertwined: concretely, a natural or legal person taking issue with an EU soft law measure will only be able to indirectly challenge this measure before a national judge if there is a national measure or conduct that is challengeable pursuant to a procedure available in national law. In the first scenario noted above in Section 14.2.3, such a reference point may not be available. This puts an acute challenge to the right of natural and legal persons to effective legal protection. The avenue to which the Court directs applicants revives the same problems that resulted from Plaumann and the Court’s response in cases like UPA and Jégo Quéré,Footnote 76 as well as revealing a further challenge to the principle of procedural autonomy.

In the scenario where EU soft law will be followed up on or implemented at national level through further (national) soft law, this may prove problematic. While different national legal systems seem increasingly open to allow such challenges,Footnote 77 this option still does not seem to exist in the majority of national legal systems. In addition, the requirements to be fulfilled by applicants may vary greatly between Member States. Should these differences simply be accepted in light of national procedural autonomy? That is doubtful. While national procedural autonomy should be considered a legal principle, rather than a temporary state of affairs in EU law, it is still to be balanced with other principles such as that to effective legal protection.Footnote 78 In this regard, Arnull has noted that in the post-Lisbon era ‘the venerable principles of national procedural autonomy, equivalence and effectiveness seem to have been absorbed into a more complex matrix of rules and principles which represent a considerable intrusion into fields formerly considered the prerogative of the Member States’.Footnote 79 In line with UPA, Unibet,Footnote 80 and Article 19(1) TEU,Footnote 81 it would instead be up to the Member States to provide adequate remedies. Assuming that the Court will refuse to revisit its Belgium v Commission ruling, it will be up to the Member States courts to fix any resulting lacunae. This is already a significant requirement imposed on those legal systems that have not (yet) accepted the reviewability of national soft law endogenously. However, it will be most acute in those cases under a second scenario, in the vein of Jégo-Quéré, where there is no national measure (not even a soft law measure) to be contested to begin with.

The third constraint of the Court’s solution in FBF is that, under the established case law of the Court of Justice,Footnote 82 the preliminary reference procedure is not a self-standing remedy offered to (private) parties. It is rather an instrument through which national courts may enter into dialogue with the Court of Justice and whether preliminary references are sent to the Court ultimately depends on those national judges, not on the parties appearing before them. FBF therefore means that a genuine remedy against soft law will depend on national judges referring questions on validity to the Court of Justice.

14.3.4 Subjecting Soft Law to Administrative Review

In light of the constraints that come with the preliminary reference procedure identified in Section 14.3.3, it is important to draw attention to other possible remedies. As Jääskinen observed, there are indeed ‘alternative ways of constitutionally legitimised control structures of the use of public powers’ and ‘judicial protection is a societally and economically scarce resource which cannot be light-heartedly allocated to cases that are better dealt with [by] other types of remedies or that do not deserve the attention of courts’.Footnote 83 While the possibility to seize an independent judicial tribunal would appear to be a requirement under Article 47 of the Charter, there may indeed be other (administrative) remedies available that may be more effective. Apart from the general possibility to seize the Ombudsman (when a soft law act is alleged to be vitiated by an instance of maladministration), such administrative remedies arguably ought to bear the brunt of ensuring adequate legal protection, with the judicial remedy acting as a safety valve.

The EU legislator has in the past already experimented with administrative review procedures that potentially allow soft law to be challenged. The typical constellation in which such review procedures have been established is one where an EU agency has been granted certain powers and where the Commission has been identified as the body competent to review its acts at the request of a private party. Pre-Lisbon, such clauses were included to ensure the possibility of at least some review of agency decisions, given the agencies’ unclear passive legal standing in the action for annulment.Footnote 84 Post-Lisbon, such clauses are not strictly needed anymore, which explains why they were deleted in the 2019 revisions of the Eurofound, Cedefop, and EU-OSHA Regulations and in the 2017 European Union Intellectual Property Office Regulation.Footnote 85 Remarkably, the revision in 2022 of the establishing regulation of the European Centre for Disease Prevention and Control (ECDC) revamped this procedure, rather than deleting it from the regulation all together.Footnote 86 Article 28 of the ECDC Regulation now provides:

Article 28

Examination of legality

  1. 1. Member States, members of the Management Board and third parties directly and individually concerned may refer any act of the Centre, whether express or implied, to the Commission for examination of the legality of that act (‘administrative appeal’).

  2. 2. Any administrative appeal shall be made to the Commission within 15 days of the day on which the party concerned first became aware of the act in question.

  3. 3. The Commission shall take a decision within one month. If no decision has been taken within that period, the administrative appeal shall be deemed to have been dismissed.

  4. 4. An action for annulment of the Commission’s explicit or implicit decision referred to in paragraph 3 of this Article to dismiss the administrative appeal may be brought before the Court of Justice of the European Union in accordance with Article 263 TFEU.

Similar mechanisms are still in place for the Community Plant Variety Office (CPVO)Footnote 87 and for the European Food Safety Authority (EFSA).Footnote 88 While part of the administrative appeal is modelled on Article 263 TFEU, notably the requirement that private parties need to be directly and individually concerned, the scope of the appeal seems to be broader, since any act of the agency may be referred to the Commission.Footnote 89

In 2019, the EU legislator further experimented with this type of review mechanism by introducing Article 60a in the three Regulations establishing the European Supervisory Authorities (ESAs) in the financial sector.Footnote 90 The new provision was introduced specifically to allow for a review of some of the soft law that the ESAs adopt.Footnote 91 Article 60a provides: ‘Any natural or legal person may send reasoned advice to the Commission if that person is of the opinion that the Authority has exceeded its competence, including by failing to respect the principle of proportionality referred to in Article 1(5), when acting under Articles 16 and 16b, and that is of direct and individual concern to that person.’Footnote 92 Although it has already been in force for a couple of years, this administrative review procedure has not actually been relied on yet.

For a number of reasons, it is also doubtful whether that procedure offers any genuine remedy against the ESAs exceeding their competences through the adoption of soft law. First, only individually and directly concerned persons may communicate reasoned advice to the Commission per Article 60a. This arguably makes the remedy dependent on similar standing requirements as those under Article 263 TFEU and the earlier administrative review procedures, but it is unclear how these would apply in the given context, as soft law acts cannot in principle be of direct concern to a person. After all, in the Courts’ established case law, direct concern means that a measure ‘must directly affect the legal situation of the individual and, second, it must leave no discretion to its addressees who are entrusted with the task of implementing it, such implementation being purely automatic and resulting from the EU rules alone without the application of other intermediate rules’.Footnote 93 Since the effects of soft law are merely of a practical nature or, at the most, indirect legal effects, it seems a priori impossible for soft law to ever be of ‘direct concern’. In addition, if the Plaumann criteria would also apply mutatis mutandis, it would be almost impossible for a party to demonstrate that they are individually concerned by the ESAs’ guidelines and Q&As since these will be general in scope.Footnote 94 This may be different for the ESAs’ recommendations, as Article 16 of the ESA Regulations provides that they may be addressed ‘to one or more [national] competent authorities or to one or more financial institutions’. Still, since direct and individual concern are cumulative conditions, the standing requirement will never be met for soft law. Unless, of course, ‘direct and individual concern’ is not to be understood in the same way as the analogous notions in Article 263 TFEU.

Second, Article 60a does not provide an actual remedy. Even if an admissible complaint were to be lodged, the Commission cannot, under Article 60a or any other provision of the ESAs Regulations, provide an actual remedy where it finds that an ESA has exceeded its competences. Only ESAs can issue and, in turn, repeal guidelines, recommendations, and Q&As and the Commission cannot give instructions to the ESAs or override the soft law, except where it has been specifically empowered to adopt delegated or implementing acts. Article 60a therefore at best represents an alert mechanism. While the attempt of the legislator to afford private parties protection against the effects of the ESAs’ soft law should be lauded, the effectiveness of Article 60a of the ESAs Regulations will be undermined by the legislator’s failure to recognise that the challenges posed by soft law represent a paradigm shift for the system of remedies. Transplanting admissibility requirements from procedures that aim at the review of hard law ignores the fundamental features characterising soft law. While administrative review of soft law seems an appropriate way forward (see below), it would have to be devised mindful of the specific features of soft law.

14.3.5 A Possible Way Forward

Building on the legislator’s recognition, in the 2019 ESAs Regulations, of the importance of a possibility to review soft law, complementing the existing EU system of remedies with a dedicated administrative review mechanism appears to be the way forward. Special attention should thereby be devoted to three issues: access to the mechanism, the nature of the adjudicating body, and the remedy provided.

As noted in the discussion of Article 60a of the ESAs Regulations, the mechanism’s admissibility requirements should take proper account of soft law’s non-binding nature and therefore not replicate those applicable under Article 263 TFEU. Instead, the mechanism could be open to parties showing an interest.

As regards the body made responsible to review soft law, the 2019 revision of the ESAs Regulations also provides interesting clues. During the legislative negotiations, the European Parliament had proposed to extend the mandate of the ESAs’ Joint Board of Appeal, making it competent to hear challenges to the ESAs’ soft law.Footnote 95 The Parliament’s suggestion did not make it in the end, but it is interesting, nonetheless. Within decision-making EU agencies, there are already specialised and independent boards of appeal that are competent to review (individual) binding decisions.Footnote 96 The 2019 revision thus constituted a missed opportunity to tap this potential and it would be worthwhile to revisit this possibility. For those EU agencies adopting soft law and who are already equipped with a Board of Appeal, the latter’s mandate could be broadened.Footnote 97 Where soft law is adopted by other agencies or bodies of the EU or by the Commission itself, a variant of Article 60a of the ESAs Regulations could be envisaged where the review is entrusted to a functionally independent entity within the Commission. Just like the independent Regulatory Scrutiny Board (unilaterally established by the Commission) double-checks the soundness of the Commission’s proposals and impact assessment, so could an independent review board be entrusted with scrutinising soft law.Footnote 98

Lastly, any mechanism should provide for a clear remedy. Given soft law’s non-binding nature, that remedy need not mimic the remedy under Article 263 TFEU, just like the admissibility requirements need not be mimicked. Instead, a requirement for the original author to reconsider the soft law in light of the reviewing authority’s remarks could also be sufficient.

14.4 Conclusion

The present chapter looked into how the informalisation of governance through the adoption of soft law can affect the fundamental rights position of private parties. After briefly exploring the nature and function of soft law, the primordial question for this chapter to address was how soft law, given its formally non-constraining nature, is relevant from a fundamental rights perspective.

Although the jurisprudence of the ECtHR and the CJEU is not explicit on this point, the chapter argued that the possibility of fundamental rights interferences by soft law (and concomitantly the need for review) should be accepted by drawing an analogy to the CJEU’s case law on the fundamental freedoms in the internal market. To further bring this point home, four examples from three very different policy areas were presented to illustrate possible soft law interferences with fundamental rights.

Subsequently, the chapter looked into the remedies available in the EU in relation to soft law, starting with the judicial remedies. Since the latter are premised on the idea that government acts through binding measures, they do not cater to the review of soft law. Only with the recent FBF case has the Court of Justice left open one avenue to assess the legality of soft law, albeit that the preliminary reference procedure on its own cannot secure a watertight system. As a result, a further fundamental rights interference could result, since the right to an effective remedy may not be guaranteed for all instances where soft law is adopted at EU level.

The chapter then looked into the possibility of relying on non-judicial remedies for challenging soft law, highlighting how the EU legislator has already experimented with this approach. While the legislator’s attempts do not seem to have been fully thought through, they should be supported and built upon, since extra-judicial administrative review of soft law seems more attuned to challenging soft law than going through the judicial avenue of the preliminary reference procedure.

15 The EU’s Artificial Intelligence Laboratory and Fundamental Rights

Simona Demková
15.1 Introduction

This contribution examines the possibilities for individuals to access remedies against potential violations of their fundamental rights by EU actors, specifically the EU agencies’ deployment of artificial intelligence (AI). Presenting the intricate landscape of the EU’s border surveillance, Section 15.2 sheds light on the prominent role of Frontex in developing and managing AI systems, including automated risk assessments and drone-based aerial surveillance. These two examples are used to illustrate how the EU’s AI-powered conduct endangers fundamental rights protected under the EU Charter of Fundamental Rights (CFR).Footnote 1 These risks emerge for privacy and data protection rights, non-discrimination, and other substantive rights, such as the right to asylum. In light of these concerns, Section 15.3 examines the possibilities to access remedies by first considering the impact of AI uses on the procedural rights to good administration and effective judicial protection, before clarifying the emerging remedial system under the proposed AI ActFootnote 2 in its interplay with the EU’s existing data protection framework. Lastly, the chapter sketches the evolving role of the European Data Protection Supervisor (EDPS) in this context, pointing out the key areas demanding further clarifications in order to fill the remedial gaps (Section 15.4).

15.2 EU Border Surveillance and the Risks to Fundamental Rights

As European integration deepens, the need for enhanced security measures has led to modernising the EU’s information systems and other border surveillance capabilities, increasingly involving tools that can be classified as AI systems. The latter refers to ‘a machine-based system that is designed to operate with varying levels of autonomy and that may exhibit adaptiveness after deployment, and that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments.’.Footnote 3 Among the AI tools explored for use in the EU’s border surveillance are tools to support the detection of forged travel documents and automated pre-processing of long-stay and residence permit applications for the Schengen Area, as well as the use of AI for risk assessments by way of identification of irregular travelling patterns, high-security risks, or epidemic risks. The design, testing, deployment, and evaluation of these systems is principally entrusted to eu-LISA – the agency responsible for the operational management of the systems in the area of freedom, security, and justice.Footnote 4 This task comes with a not-unimportant caveat that the design of the AI tools to be used in border control is delegated – with expensive tenders – to private developers.Footnote 5 For instance, a €300 million contract was agreed in 2020 with Idemia and Sopra Steria for the implementation of the new, sensitive data processing Biometric Matching System (BMS).Footnote 6 Similarly, EU agencies, such as the EU’s Border and Coast Guard Agency – Frontex,Footnote 7 invest heavily in developing AI-powered border surveillance systems, including aerial and other hardware tools.Footnote 8

Frontex is among the key EU actors whose tasks and powers are pointedly enhanced by the use of AI systems. Several factors are driving the increasing interest in using AI in the EU’s border security context. These include the need to process large amounts of data, the longing for cost and resource efficiency, coupled with the decreasing costs of data storage and processing power, the political democratisation of AI technology, and the resulting influence of EU initiatives embracing the development and deployment of AI.Footnote 9 To illustrate the risks that AI uses pose to fundamental rights, the following discussion zooms in on the Frontex’s AI-powered conduct (Section 15.2.1) before depicting the risks posed by these uses to fundamental rights (Section 15.2.2).

15.2.1 Frontex at the Forefront of Border Surveillance

Frontex is rapidly expanding its AI capabilities. Among those currently explored are AI tools for automated border control (e.g., e-gate hardware), document scanning tools, facial recognition and other biometric verification tools, maritime domain awareness capabilities, unmanned surveillance tools (i.e., ‘towers’ planted in border regions to detect illegal border crossings), and other forms of unmanned autonomous aerial surveillance systems.Footnote 10 Two examples deserve closer inspection to illustrate how the AI uses by EU actors give rise to fundamental rights violations: automated risk assessments and AI-powered aerial surveillance.

15.2.1.1 Automated Risk Assessments

Automated risk assessment (ARA) refers to a process of identifying potential risks by using computer systems, algorithms, or data analysis techniques to evaluate risks in a given context. The ARA relies on extensive datasets that are widely available in the digital age.Footnote 11 Increasing reliance on automated risk assessments in the EU’s border security is not new. It emerges from a long-standing practice of informational cooperation in the EU’s area freedom, security, and justice based on large-scale automated matching of personal data.Footnote 12 Among others, the exchange of detailed alert files occurs among the national competent authorities and the EU agencies via the Schengen Information System (SIS), the Visa Information System (VIS), and Eurodac, and soon also the Entry/Exit System (EES), the EU Travel Information and Authorisation System (ETIAS), and the European Criminal Records Information System (ECRIS-TCN).Footnote 13 In addition, automated exchanges of personal data take place among the national authorities, EU agencies, and third parties, such as airline companies or online communication services, under specially set up frameworks, such as the PNR scheme.Footnote 14 These information exchange frameworks provide for automated assessments of gathered information in order to identify and locate potential security threats. The identification may rely on matches between the alerts containing purely alphanumeric data concerning a specific individual. Generally, however, the data collected within the alerts also include sensitive and genetic data,Footnote 15 such as DNA, fingerprints, or facial images, enabling advanced identification based on pre-defined algorithms embodying the characteristics of AI tools.Footnote 16

EU agencies, including Frontex, employ a range of automated risk assessment tools in the performance of their tasks. Specifically, Frontex will host the ETIAS Central Unit, managing the automated risk analyses in the ETIAS – the European Travel Information and Authorisation System.Footnote 17 From mid-2025, the system will undertake pre-screening of about 1.4 billion people from sixty visa-exempt countries for their travel to the Schengen states.Footnote 18 The pre-screening aims to contribute to a high level of security, prevent illegal immigration, prevent, detect, and investigate terrorist offences or other serious crimes, as well as protect public health.Footnote 19 Beyond the ETIAS Central Unit hosted by Frontex, the ETIAS will operate on the National Units of the thirty European countries and the system itself, which is developed and maintained by eu-LISA.Footnote 20 The fast processing of future travel applications will be guaranteed by an automated risk assessment performed by this ETIAS Central System.Footnote 21

The risk assessment will entail a threefold comparison of travel application data. First, the Central System automatically compares the information submitted by the travel applicant against the alerts stored within the above-mentioned EU information systems, namely the SIS, VIS, Eurodac, and EES, as well as against Europol data and Interpol databases.Footnote 22 Second, the traveller’s application will be compared against a set of risk criteria pre-determined by the ETIAS Central Unit – that is, Frontex.Footnote 23 Lastly, the comparisons will be done against the ETIAS ‘Watchlist’ of persons suspected of involvement in terrorist offences or other serious crimes.Footnote 24 While the first category of ARA in the ETIAS process places the responsibility on the Member States (as primarily responsible for entering alerts into the EU large-scale databases), the latter two categories also directly involve EU agencies, namely Frontex and Europol (due to their role in setting up the ARA criteria or the ‘watchlist’). Given the focus on AI uses by EU actors in this chapter, only the Frontex-defined risk criteria encompassed within the pre-screening algorithm will be further discussed.

The Frontex-operated Central Unit should construe the risk criteria on the basis of risks identified by the EU Commission in corresponding implementing acts. The latter could be drawn from the EES and ETIAS statistics on abnormal rates of overstaying and refusals of entry for a specific group of travellers due to a security, illegal immigration, or high epidemic risk based on the information provided by Member States as well as by the WHO.Footnote 25 Based on this information, the ETIAS Central Unit will define the final screening rules underlying the ETIAS Central System’s algorithm.Footnote 26 Pursuant to Article 33(1) ETIAS Regulation, ‘these screening rules shall be an algorithm enabling profiling’ based on a comparison of the application data with specific risk indicators.

The algorithm will be built on a combination of data concerning the age range, sex, nationality, country and city of residence, level of education (primary, secondary, higher, or none), and current occupation.Footnote 27 These data will serve to evaluate a person’s behaviour, location, or movements based on a detailed history of one’s travels, submitted in the ETIAS application form. This type of practice thus corresponds to the practice of profiling, which, pursuant to the EU data protection rules,Footnote 28 should be prohibited, unless accompanied by strict safeguards.Footnote 29 Pursuant to the jurisprudence of the Court of Justice of the European Union (CJEU), the safeguards must ensure that the criteria used for profiling are targeted, proportionate, specific, and regularly reviewed, as well as not be based solely on the protected categories of age, sex, and others.Footnote 30 The ETIAS algorithm may however be targeting specific country of origin or nationality, which can give rise to concerns of discrimination, as discussed further below. In this respect, it is worth highlighting that ETIAS automated risk assessments will serve to select a rather small group of potential security threats from an ocean of otherwise innocent, law-abiding citizens. As the ETIAS explanatory website states, it is expected that about 97% of applications will be automatically approved. It is expected that the remaining 3% will require further manual verification by the ETIAS Central Unit in cooperation with the National Units.Footnote 31

Every refusal of travel authorisation in ETIAS will have to be notified to the applicant, explaining the reasons for the decision.Footnote 32 The notice email should include information on how the applicant may appeal this decision and details of the competent authorities and the relevant time limits.Footnote 33 The appeals will be handled by the Member State refusing the entry and hence in accordance with that state’s national law.Footnote 34 Individuals without an ETIAS authorisation will be refused boarding at international airports or will be stopped when trying to cross Schengen’s external borders by land. Accordingly, it is of the utmost importance that the system’s AI component embodied within the algorithmic risk assessments does not lead to disproportionate interferences with individuals’ fundamental rights, including the rights to privacy, data protection, and protection from discrimination. Equally, the ETIAS National Unit authorities must be sufficiently trained and equipped to ensure that refusal decisions are not based solely on the automated hit in the system.Footnote 35

15.2.1.2 Aerial Surveillance

In another vein, Frontex employs AI tools to improve situational awareness and early response in pre-frontier areas. This activity is essentially facilitated through the European Border Surveillance System (EUROSUR).Footnote 36 The system is a crucial information resource enabling Frontex to establish situational pictures of the land, sea, and air to identify potential illegal crossings and vessels in distress.Footnote 37 The system contains information collected through aerial (including unmanned drones) surveillance, automated vessel tracking and detection capabilities, software functionalities allowing complex calculations for detecting anomalies and predicting vessel positions, as well as precise weather and oceanographic forecasts enabled by the so-called EUROSUR fusion services deployed by Frontex.Footnote 38 With the help of the most advanced technology, Frontex is thus responsible for establishing the ‘European situational pictures’ and ‘specific situational pictures’ aimed at assisting the national coast guards of the EU and EU-associated states in the performance of border tasks.Footnote 39

The collection of information to be shared via EUROSUR increasingly relies on AI tools. Notably, in recent years, Frontex has significantly expanded its aerial surveillance arsenal.Footnote 40 This expansion required significant investments in advanced technology developed by private companies.Footnote 41 AI-powered drones or satellites enabling monitoring of the situation on land or sea do not directly pose risks to fundamental rights. However, reliance on such AI-powered surveillance tools gives the EU’s border authorities unmatched knowledge about the border situation, permitting the authorities to take actions that may put certain fundamental rights at risk, such as the right to asylum.

Furthermore, as the EU Fundamental Rights Agency states, ongoing development of these technologies and the sharing of the gathered intelligence through EUROSUR is likely to employ algorithms used to track suspicious vessels or extend to the processing of photographs and videos of ships with migrants by maritime surveillance aircraft.Footnote 42 In other words, the AI-powered information exchange will also directly implicate privacy and data protection rights. Therefore, the Frontex AI-powered border surveillance tools must also be subject to close legal scrutiny by independent supervisory authorities and potentially courts when risks to fundamental rights materialise.

The two examples of AI-powered information exchange frameworks examined here facilitate distinct types of border control conduct. On the one hand, the ETIAS automated risk assessments support decision-making by national authorities on whether or not to let someone into the Schengen area.Footnote 43 On the other hand, EUROSUR, accompanied by AI-powered land, sea, and air surveillance equipment, create detailed situational pictures with clear instructions for actions to be taken in the context of joint operations between the Frontex teams and national border guard authorities concerning identified vessels carrying individuals, primarily refugees in need of international protection. The two examples pose distinct risks to the fundamental rights of the individuals concerned.

15.2.2 The Diverse Nature of the Risks to Fundamental Rights

EU law requires that any use of AI, including by EU actors, must comply with fundamental rights enshrined in the EU Charter of Fundamental Rights and protected as general principles of EU law, irrespective of the area of AI use concerned.Footnote 44 This emerges from the requirements of the Union as a legal order based on the rule of law, which, under Article 2 TEU, declares, among others, respect for human dignity and human rights, including the rights of persons belonging to minorities.Footnote 45 With rapid technological progress, the use of AI as a system technologyFootnote 46 brings about an ever greater potential for misuse, which broadly impacts human dignity and various fundamental rights deeply connected to the inviolability of a human being.Footnote 47 This concern is broadly acknowledged within the international community and the EU,Footnote 48 asserting that protection of human values, including fundamental freedoms, equality, fairness, the rule of law, social justice, data protection, and privacy, shall remain at the centre of placing AI into use in modern democratic societies.

Preserving human dignity in the age of AI requires that individuals retain control over their lives, including when and how they are being subjected, without knowledge or informed consent, to the use of AI. Putting humans and human dignity at the centre of the use of AI is necessary to ensure full respect for fundamental rights. It should thus be the starting point in every discussion on the development, deployment, and reliance on AI where human lives are at stake. However, as the Court of Justice repeats, fundamental rights ‘do not constitute unfettered prerogatives’.Footnote 49 They must be viewed in light of their function within society, and, if necessary, they may be limited as long as any interferences with the rights are duly justified.Footnote 50 Accordingly, the deployment of and reliance on AI shall be reviewed with the same set of considerations in mind: it must be legally authorised, respect the essence of specific rights, and be proportionate and necessary under the objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others (Article 52(1) CFR).

The examples of AI use by Frontex examined above exhibit the breadth of cross-cutting fundamental rights concerns occurring in AI-powered border surveillance. Three key concerns can be highlighted: the risks to privacy and data protection (Articles 7 and 8 CFR), discrimination (Article 21 CFR), and risks to other substantive rights, such as the right to asylum (Article 18 CFR).

15.2.2.1 Privacy and Data Protection

Given that the functionality of AI relies on the wide availability of (personal) data, the discussions on the use of AI tend to revolve around the rights of privacy and personal data protection, enshrined in Articles 7 and 8 of the Charter. Although deeply interconnected, these rights are separate, embodying the more traditional right to privacy and the modern right to data protection.Footnote 51 They share a common goal of safeguarding individual autonomy and dignity by providing a personal space to freely develop their identities and thoughts, thus laying the foundation for exercising other fundamental rights, such as freedom of thought, expression, information, and association.Footnote 52

Privacy and data protection will generally be implicated in the examined uses of AI in border surveillance. On the one hand, data protection concerns arise extensively in the context of the large-scale processing of personal data for automated risk assessments. Far beyond the scope of this chapter to examine all,Footnote 53 two risks are particularly worth mentioning. ARAs, such as those envisioned under the ETIAS, risk circumventing fundamental data protection principles, especially the purpose limitation and the related requirements of necessity and proportionality, as well as the prohibition on profiling, including based on discriminatory grounds.Footnote 54 As explained above, the AI-powered ETIAS assessments will be based on a threefold comparison of personal data, including sensitive data, against existing EU databases, against risk criteria pre-defined by the ETIAS Central Unit operated by Frontex, and against the ETIAS Watchlist.

The EU systems’ interoperability will facilitate the comparisons against the EU large-scale databases.Footnote 55 Effectively, interoperabilityFootnote 56 will transform the border surveillance architecture by enabling far-reaching linking of personal information stored in silo-based alerts.Footnote 57 The interlinking of databases will blur the boundaries between law enforcement and intelligence services and between the tasks of the EU and national law enforcement and migration authorities, undermining data protection safeguards.Footnote 58 Specifically, in the ETIAS authorisation process, the purpose limitation principle as a critical data protection safeguard seems to disappear completely, for instance, due to the requirement that the ETIAS Central Unit, hosted by Frontex, shall have access to ‘any linked application files, as well as to all the hits triggered during automated processing’.Footnote 59

Furthermore, the comparison against screening criteria defined by Frontex will employ algorithms to evaluate the risk factor of a specific individual, akin to a practice of profiling, to facilitate decisions about individuals’ lives. According to Article 22(3) of the GDPR, such automated decisions should, in principle, be prohibited unless accompanied by sufficient safeguards, including meaningful human intervention.Footnote 60 Since ETIAS assessments will lead to automatic authorisationsFootnote 61 and quasi-automated refusals of entry,Footnote 62 these decisions will have significant consequences for individuals. Automated risk assessments will not only interfere with the data protection right but also pose a distinct threat of discrimination while making access to remedies ever more difficult, as discussed below.

On the other hand, privacy concerns will feature, for instance, wherever surveillance measures are employed in public places. Aerial surveillance, such as with the help of aircraft or drones that record the situational pictures on the land or seas, is increasingly being used by Frontex and can interfere with individuals’ privacy by closely monitoring their location, behaviour, movements, and other aspects of personal activities without their knowledge or consent. The use of aerial surveillance technologies allows for gathering visual and sometimes audio information from above, which can capture private moments and sensitive information.Footnote 63 This intrusion can violate individuals’ right to privacy and data protection and potentially expose vulnerable persons to unwarranted conduct by surveillance authorities. It is of the utmost importance that whenever such technologies evolve to increasingly sophisticated people-monitoring tools, their deployment is limited to their original purposes with strict legal safeguards in place and effective opportunities to seek redress in case of misconduct.

15.2.2.2 Risk of Discrimination

Article 21 of the Charter guarantees individuals protection against any form of discrimination based on the protected grounds, such as sex, race, colour, ethnic or social origin, genetic features, language, religion or belief, political or any other opinion, and others. Discrimination concerns are fundamental to the discussions on subjecting human lives to the uses of artificial intelligence. This is because the very purpose of any computational analysis through algorithmic data processing is to evaluate, categorise, or otherwise discover patterns in the analysed data, including personal data. However, human or machine bias may affect the algorithmic output in many ways.Footnote 64

Risk assessment systems, such as the ETIAS, rely on an algorithmic model, which processes large amounts of personal data to make decisions about individual lives. Pursuant to Article 14 of the ETIAS Regulation, any processing of personal data ‘shall not result in discrimination against third-country nationals’. However, these assessment algorithms are designed and trained on personal data, which includes the protected grounds under the right to non-discrimination, such as sex, age, place of birth, or nationality.Footnote 65 Therefore, to guarantee the right to non-discrimination, the criteria used to train the ETIAS algorithm to evaluate a certain risk behaviour of a specific individual need to be carefully designed to avoid perpetuating or even amplifying existing societal biases.Footnote 66 Indeed, discriminatory misconduct has been found to occur in other administrative contexts, such as in the infamous welfare allocation scandal in the Netherlands.Footnote 67 The data quality and lawfulness of the data stored in the EU large-scale systems used for ETIAS comparisons and the design of the risk criteria to be used in the ETIAS ARA-based authorisations must cautiously balance the non-discrimination requirements of EU data protection rules with the requirements of the Charter right. Namely, the algorithm must be built to ensure that any AI-driven decision-making is not based solely on special categories of data, reflecting the protective grounds under Article 21 of the Charter.Footnote 68 The safeguards, including meaningful transparency for the manual human review following an automated match, must be effective in practice. This includes effective enforcement of compliance with these safeguards, given that such AI tools are powerful in nudging the national competent authorities to decide in a certain way, which may lead to other violations.Footnote 69

Recently, the Court of Justice enumerated the essential guidelines for designing the risk criteria for algorithmic assessments in the security context. In the Ligue des droits humains judgment,Footnote 70 the Court interpreted the EU’s PNR Scheme as requiring that any comparison of passengers’ name records against pre-determined risk criteria demands that such criteria are defined in a way that keeps incorrect identifications to a minimum.Footnote 71 To achieve this aim, any match must be individually reviewed by non-automated means to highlight any false positives and identify discriminatory results.Footnote 72 Furthermore, such review will be effective only where it is clearly established as a requirement in the rules of conduct in the specific context, is well documented, and the officials are sufficiently trained, including to ‘give preference to the result of the individual review conducted by non-automated means’.Footnote 73

This requirement of manual review is especially crucial since confronting direct or indirect discriminatory effects in AI-driven decision-making in legal proceedings is rather difficult for the affected individuals.Footnote 74 Indeed, in this respect, the Court also demands that the affected individuals are informed about the pre-determined assessment criteria so as to enable them to understand and defend themselves,Footnote 75 as discussed in the next section.

15.2.2.3 Risks to Other Substantive Rights

Beyond the rights to privacy, data protection, and non-discrimination, the AI uses in border surveillance might directly or indirectly implicate other substantive fundamental rights. For instance, AI-powered border surveillance may lead to detention of individuals presenting themselves at the land borders without a valid ETIAS authorisation in interference with their liberty and security (Article 6 CFR). In another vein, AI-powered aerial surveillance enabling identification of migrants on the sea might lead to wrongful actions being taken by the Frontex-led operations, possibly leading to violations of individuals’ right to life (Article 2 CFR). Recent investigations by human rights organisations revealed evidence that information gathered from Frontex-operated aerial surveillance has been utilised in facilitating illegal pushbacks of refugees that may contract their right to asylum (Article 18 CFR).Footnote 76

In conjunction with the use of drones, EU Member States have engaged in cooperative agreements with southern Mediterranean countries, such as Libya and Turkey, to intercept and return migrants, thereby externalising the responsibility for these actions.Footnote 77 This approach prevents other vessels from intervening or disembarking rescued individuals in supposedly safe harbours. EU Member States have justified these measures by claiming that search and rescue activities act as a ‘pull factor’ for migrants coming to EU countries. Frontex has often been viewed as a passive bystander in this context, given the division of responsibilities in the EU’s integrated border management (EIBM).Footnote 78 Under the EIBM, the final responsibility still lies with the Member States. Lately, this division has been criticised as it transpired from a classified EU reportFootnote 79 that Frontex knowingly contributed to illegal pushback practices.Footnote 80 These practices violate the right to asylum under Article 18 CFR and the cornerstone of international human rights law – the principle of non-refoulment.Footnote 81

And, as already mentioned above, with the continuing development of aerial surveillance, new risks to fundamental rights will emerge. These risks might arise from the processing of photographs and videos of vessels with migrants on board as well as the potential implications of the algorithms that will be used to track the vessels flagged as suspicious. All these types of AI-powered capacities of the EU’s Frontex-led border surveillance will expand the above risks to privacy, data protection, and discrimination and may continue to indirectly support unlawful practices, such as decisions on whether or not to save the lives of individuals in distress on the seas and those in need of international protection.Footnote 82

15.3 Exploring the Possibilities for Access to Remedies

In the EU legal order, when a person considers that the EU actors have violated their rights, they have the right to seek an effective remedy (Article 47 CFR). The use of AI, however, brings considerable challenges to ensuring that AI-powered conduct is both non-arbitrary and sufficiently reviewable to fulfil the requirements of this constitutional guarantee, which constitutes ‘the essence of the rule of law’.Footnote 83 To assess the properties of the EU remedial architecture, it is therefore necessary to also consider the interrelated impacts of the AI on the exercise of procedural requirements under the rights to good administration and effective judicial protection (Section 15.3.1). The discussion then turns to the construction of remedies based on the scope and interplay of the upcoming AI Act with the EU’s existing data protection framework (Section 15.3.2).

15.3.1 The Impact of AI Use on Individuals’ Access to Remedies

Article 41 CFR guarantees to everyone the right to good administration in decisions or other legal acts adopted by EU actors. Historically, the CJEU interpreted this right as a general principle of EU law,Footnote 84 which expanded its application wherever EU law applies. Under its umbrella,Footnote 85 the right to good administration enshrines rights and obligations, which hold at their core the enabling role for legal accountability in public conduct. On the one hand, the right demands that the authorities act fairly, impartially, and within a reasonable time. On the other hand, it obliges the authorities to present sufficient reasons substantiating their acts vis-à-vis the affected persons. In TUM, the Court formulated the interplay of good administration requirements as ‘the duty of the competent institution to examine carefully and impartially all the relevant aspects of the individual case’ prior to decision-making.Footnote 86 In Nölle, the Court further recognised this duty of care as an individual right arising from the clear, precise, and unconditional obligation in Article 41 CFR.Footnote 87 The authorities’ compliance with their duty of care obligations ensures that the affected person understands the evidentiary basis of the decision in order to decide whether or not to seek remedies against it. As an essential procedural requirement,Footnote 88 failure to comply with the duty of care obligations may lead to the annulment of the decision.Footnote 89

It is in its defence-enabling function that the right to good administration also becomes central to remedial possibilities against the AI-driven EU conduct. In this context, compliance with the good administration requirements faces significant obstacles. The opacity of algorithmic risk assessments, exemplified in the ETIAS authorisation process, poses substantial challenges to the authorities’ ability to reason their decisions and ensure that these are based on factually correct, relevant, and complete information. As explained above, any of the 1.4 billion visa-exempt citizens that apply through the ETIAS website will be automatically screened for any suspicion of posing serious threat to public security. This suspicion will be found to exist whenever an automated processing of the traveller’s application results in a hit against pre-determined risk criteria in conjunction with an automatic comparison with millions of alerts stored in other EU information systems. If the process results in a hit, the competent authorities will have to manually review the data, ensuring the possibility to contradict the automated result, in view of their duty of care obligations. This requirement of human intervention ensures that each rejection of travel authorisation is not a decision based solely on automated processing of personal data (Article 22(3) GDPR).

However, to what extent will the manual review verify the correctness, relevance, and completeness of the information so as to uncover whether or not the hit was, for instance, due to discriminatory profiling by the pre-screening algorithm? This question does not permit an easy answer,Footnote 90 especially considering the context in which the manual reviews will take place: namely, time-pressured (the ETIAS rules estimate a response within a few days where manual verification is required), without sufficient AI expertise of the officials, and facing other constraints, such as well-documented automation and confirmation biases in manual reviews,Footnote 91 coupled with a limited access to the training data underpinning the risk assessment algorithm.

The diminished potential to meet the requirements of good administration in the AI-powered decision-making will have direct implications for the individuals’ access to effective remedies. In fact, in its jurisprudence, the CJEU often equates the requirements of reasoning under the right to good administration to the requirements of an effective remedy under Article 47 CFR.Footnote 92 Their interplay, according to the Court, lies in enabling the person to ascertain the reasons upon which the decision is based, ‘so as to make it possible for him or her to defend his or her rights in the best possible conditions’.Footnote 93 Individuals will only be able to defend themselves when it is indeed possible to understand the relevant decision and the process under which it was taken. Additionally, the Court recognises the significance of reasoning for ability of judges and other supervisory authorities to exercise effective review. Indeed, these concerns are reflected in the regulation of AI – the AI Act, which brings about specific transparency requirements intended to facilitate the AI users’ ability to act with a meaningful human control over AI-generated outputs.

Before turning to the AI Act, it remains to be stressed that judicial remedies are rather limited in the context of AI-powered conduct based on composite administrative procedures involving actors at EU and Member State levels.Footnote 94 The courts’ jurisdiction to review AI-driven decision-making is territorially limited and constrained by the narrow notion of what constitutes a reviewable act.Footnote 95 On the one hand, the former prevents individuals from challenging the conduct of the EU actors directly before the Court of Justice when the responsibility lies with the national authorities, such as in case of refusals to ETIAS applications or illegal pushbacks of migrants.Footnote 96 The staff of the competent ETIAS National Unit will need to manually review the automated refusals, hence exercise final discretion.Footnote 97 Also, where an ETIAS ARA results in a hit with the information entered by Europol, the ETIAS Regulation only establishes a consultation procedure between the Europol and the responsible Member State.Footnote 98 Under this procedure, Europol must provide the responsible Member State with a ‘reasoned opinion on the application’.Footnote 99 Nonetheless, the final decision – hence final discretion – lies with the Member State concerned. Accordingly, complaints against potential discriminatory effects of the ETIAS algorithm in these circumstances might thus only be raised before the courts of that State, without the possibility of uncovering the factual basis of the information supplied by Europol and relied on in the refusal decision.

On the other hand, these potential discriminatory effects of the underlying risk criteria might not be deemed to produce legal effects to trigger justiciability of the ARA. Indeed, pursuant to the requirement of ‘direct and individual concern,’ the impact of the discriminatory effect might not occur for each person whose application had been refused by the ETIAS ARA.Footnote 100 Accordingly, as argued elsewhere,Footnote 101 construing reviewability in a similar context needs to reflect the underlying automation and output biases if we expect EU law to guarantee sufficient legal protection to the affected individuals. Yet, for now, EU law does not recognise the impact of the screening algorithm on the final decisions taken by the Member States.Footnote 102 As such, for now, there seems to be no possibility of direct judicial remedy against the Frontex-based ETIAS Central Unit for its role in the development and deployment of the ETIAS risk criteria algorithm.

15.3.2 Unwrapping the Remedial Possibilities under the Upcoming AI Act

In 2018, EU legislators embarked on the process of designing specific rules governing develoment and use of artificial intelligence systems in the EU, that would ensure, inter alia, full respect for fundamental rights.Footnote 103 The efforts culminated in the proposal for a horizontal regulation of AI – the AI Act.Footnote 104 Central to this is the EU’s self-proclaimed ‘human-centric approach to AI’, which shall ‘strive to ensure that human values are central to the way in which AI systems are developed, deployed, used and monitored, by ensuring respect for fundamental rights’.Footnote 105

That the human-centric Act will mitigate the above-identified risks to fundamental rights should, however, not be taken for granted. With the legal basis set in Article 114 TFEU,Footnote 106 the AI Act will first and foremost ensure safe operation of AI systems on the EU’s internal market (Article 1). The Act’s pledge to guarantee respect for fundamental rights is arguably manifested in its ‘risk-based approach’. On the most basic level, the Act differentiates between ‘prohibitions of certain [AI] practices’ and ‘specific requirements for high-risk AI systems’ (Article 1(2)). The former include systems using subliminal techniques beyond a person’s consciousness (manipulation), uses of AI that may exploit vulnerable individuals (Article 5 (a) and (b)), or the real-time biometric identification systems in publicly accessible spaces for law enforcement purposes, except where duly authorised (Article 5(c)).Footnote 107 According to the latest text, the list of high-risk systems in Annex III should be amended to consider the impact of the AI use on the relevant action or a decision to be taken.Footnote 108 Ultimately, the concept of risk to fundamental rights underpinning the AI Act’s approach is defined as ‘the combination of the probability of an occurrence of harm and the severity of that harm’.Footnote 109

Although far from settled, the final elaboration of the prohibited and high-risk AI uses will determine the extent to which the AI Act can provide some form of fundamental rights protection also in the context of AI uses by the EU actors. Yet, as we await clarity on the AI Act’s final shape, one aspect is clear: the AI Act will need to be applied in conjunction with the existing EU law, including the rules on remedies and existing data protection rules, wherever the system relies on, among others, processing of personal data. Accordingly, the following discussion highlights two key aspects, which will be determinative for the protection of fundamental rights from the risks posed by the EU’s AI uses: first, the scope of application of the AI Act to the EU actors’ use of AI and, second, the interplay and main discrepancies between the AI Act’s substantive rules and the data protection rules.

15.3.2.1 The Scope of Application of the AI Act to Border Surveillance

The Act emerges as the EU’s effort to establish general rules on the development, authorisation, and deployment of AI systems in the Union. Accordingly, its provisions will need to be complied with in their entirety. Pursuant to Article 2 of the AI Act, the rules apply to both ‘providers’ placing on the market or putting into service AI systems, irrespective of their location, and ‘deployers’ of AI systems with the establishment in the Union.Footnote 110 The AI Act will also apply to EU actors when acting as a provider or deployer of an AI system. There are some exceptions, however. For instance, the AI Act will not apply to AI systems developed or used exclusively for military purposes or for purely research purposes.Footnote 111

More worryingly, the initial Commission Proposal excluded from its scope the AI systems that are ‘components of the large-scale IT systems’, such as the SIS, EES, or ETIAS, before the entry into force of this regulation.Footnote 112 This has been revised to require that these systems comply with the AI Act by 31 December 2030.Footnote 113 Nevertheless, both solutions leave out the expansive use of AI systems in the EU border surveillance without immediate rules that could address the above-identified risks of AI uses. As the EDPS and the European Data Protection Board (EDPB) highlighted in their joint opinion, such exclusion ‘risks circumventing the safeguards enshrined in the AI Act’.Footnote 114 It also undermines the broader exercise of powers by the competent supervisory authorities, such as the EDPS, when presented with complaints regarding AI uses and claims of violations of the data protection rules.

15.3.2.2 The Interplay between the AI Act and the EU Data Protection Rules

The new safeguards introduced under the AI Act might only contribute to enhanced fundamental rights protection if crafted carefully on the basis of their interaction with the existing data protection rules is properly considered.Footnote 115 However, a number of discrepancies appear between the two legal frameworks, which may pose difficulties for the EDPS that acts as the first instance avenue for addressing potential fundamental rights violations by EU actors. Three aspects of this interplay specifically affect individuals’ access to remedies.

First, the EU data protection framework is far from homogeneous. The framework essentially consists of the GDPR, Regulation (EU) 2018/1725 (the ‘EU DPR’) governing the processing of personal data by Union institutions, bodies, offices, and agencies, and the so-called Law Enforcement Directive (EU) 2016/680 (the ‘LED’) governing the processing of personal data by national law enforcement authorities.Footnote 116 While it is the EU DPR that governs the use of AI by the EU actors examined in this chapter, we also see that the final legal responsibility in the EU’s integrated border control rests with the national border authorities or law enforcement authorities.Footnote 117 The data processing activities of the EU agencies, such as Frontex, are furthermore governed by the agencies’ own founding regulations. These specialised legal instruments thus embody both the exceptions to the EU DPR and the lex specialis rules of LED.Footnote 118 Accordingly, while the EU DPR/in conjunction with the Frontex and ETIAS Regulations will apply to the AI-powered ETIAS system and the development of its algorithm by eu-LISA and Frontex in their distinct capacities, the LED and/or GDPR will govern the ETIAS searches and reliance on the generated output by the national border and law enforcement authorities.

Second, this fragmentation is problematic for access to remedies in view of against potential violations of fundamental rights in AI-driven conduct of the EU actors, considering the remedial system under the EU data protection framework. The latter is essentially a twofold system. Individuals may lodge a complaint with an independent supervisory authority of the Member State/EDPS.Footnote 119 Furthermore, affected individuals enjoy the right to an effective judicial remedy against a decision of that supervisory authority/EDPS or against a decision of the controller or processor.Footnote 120 The GDPR also provides for the possibility of representative action by civil society organisations on behalf of the data subjects.Footnote 121 Research, however, shows that direct remedies are often not utilised, especially in the security context where collection of personal data within the alerts entered in the EU information systems is rarely known to the data subjects.Footnote 122

Instead, a person that is refused travel authorisation will in most cases be able to appeal the only final refusal decision before the supervisory authority of the refusing Member State. In this context, they will, for instance, be able to file a complaint against the Member State authority for non-compliance with the obligation to manually review the automated hit, pursuant to the requirements of Articles 22 GDPR/11 LED. The Member State authority will, however, lack jurisdiction to review the development and deployment of the ETIAS risk algorithm. Accordingly, the affected person will have to lodge a separate complaint with the EDPS, which is competent to review the acts of the ETIAS Central Unit based in the Frontex agency.

Lastly, in their complaint to the EDPS, the affected person will only be able to invoke their rights as the data subject.Footnote 123 The list of data subjects’ rights develops the substance of the autonomous fundamental right to personal data protection (Article 8 CFR). Via the remedial avenues under EU data protection law, individuals might however be able to bring claims concerning potential violations of other fundamental rights, including, for instance, non-discrimination or the right to an effective remedy. In other words, where the EU data protection rules provides specific safeguards regarding non-discrimination, such as in the context of processing special categories of data,Footnote 124 they integrate many of the Charter rights relevant to the digital context.Footnote 125 Overall, integrating the Charter’s rights in the secondary data subject rights could, however, lead to an inferior legal protection. This is because data protection law guarantees data subjects’ rights with substantial number of exceptions and limitations, which is evident from the long list of exceptions to the general prohibition on processing special categories of personal data in Article 9(2) GDPR. Such a priori exceptions might not be subject to the same proportionality and necessity test as permissible limits to fundamental rights are under Article 52(1) CFR.Footnote 126 Although the Court of Justice does apply a strict review of proportionality and necessity in similar high-risk AI uses as demonstrated in the PNR case, subjecting the safeguards under the PNR to a very strict scrutiny, the same may not be the case for complaints addressed by national supervisory authorities. A strict proportionality review is especially necessary, given that the affected persons might often not have sufficient possibilities to bring claims of violations of the Charter’s rights before the courts, since, as explaine above, enforcement of data-specific rights primarily rests with independent data protection authorities (DPAs). The DPAs’ remedial competence, however, differs substantially from judicial competence. Yet, given their primary role in the digital age, these authorities, increasingly perform quasi-judicial review of claims, which implicate Charter rights, beyond the requirements guaranteed under EU data protection framework.

The last, and key concern arising from the interplay between the AI Act and existing data protection remedies, concerns precisely the designation and cooperation among the variety of supervisory authorities with competences over different parts of an AI-driven conduct that may lead to potential fundamental rights violations. As a product safety regulation, the Commission’s original AI Act Proposal did not include any rights and remedies for the affected persons in relation to the uses of AI systems. Critics found this lacuna highly problematic,Footnote 127 given that the Act’s risk-based approach was envisioned to ensure full respect of fundamental rights and freedoms. Without a right to complain against the AI risks, individuals may be able to subsume their claims under their rights as data subjects. This would, however, prove to be only a partial remedy against the diverse and serious risks posed by the use of AI systems, as demonstrated in this chapter. It is therefore essential that individuals have meaningful access to redress mechanisms. The European Parliament proposed to fill this vacuum with the introduction of Chapter 3a to the AI Act Proposal.Footnote 128 The effort culminated in the addition of Section 4 in the final version of the Act, which provides however only provides a limited consolidation of the calls for enhancing access to justice against the risks of AI. Namely, the remedies under the AI Act are essentially two-fold: (a) a product-related complaint mechanisms before the designated market surveillance authorities; (b) the right to an explanation of individual decision-making when the latter is made on the basis of a high-risk AI output.

Furthermore, the effective enforcement of remedies under the AI Act will be contingent on more substantive discrepancies between the two legal frameworks which are however beyond the scope of this chapter.Footnote 129 For instance, such discrepancies surface with respect to the definitions. The original proposal lacked any recognition of the position of the affected private persons under the AI Act legal framework. Notably, the original notion of the ‘user’ within the AI Act Proposal has been changed to denote the ‘deployer’, meaning any natural or legal person, public authority, agency, or other body using an AI system under its authority, except where the AI system is used in the course of a personal non-professional activity.Footnote 130 The AI ‘users’, now called ‘deployers’ thus indicate the data controllers or processors in the GDPR sense.Footnote 131 In another vein, discrepancies arise from the formulations of the scope of various corresponding rules within the two legal frameworks. For instance, pursuant to recital 63 of the AI Act Proposal, classification of an AI system as high-risk, and hence permitting its use, does not automatically mean that the use of that system is lawful under ‘other Union law’, including data protection rules. The Proposal further clarifies that ‘any such use should continue to occur solely in accordance with the applicable requirements resulting from the Charter and from the applicable acts of secondary Union law and national law’. Yet the AI Act provides its own legal basis, for instance, for the processing of special categories of personal data, which shall however not contradict the general prohibition under the data protection rules.Footnote 132 Assuming that these discrepancies will eventually be resolved, the access to effective remedies against the AI-driven conduct of EU actors, such as Frontex, requires specific attention on the role and powers of the EDPS. In order to effectively safeguard fundamental rights of individuals affected by the EU uses of AI, the EDPS will need to divert its role and powers by carefully crafting requirements under EU data protection rules in light of their potential interplay with AI Act requirements.

15.4 Double-hatting the EDPS

The AI Act envisions a central role for the EDPS to oversee AI uses by the EU actors, including Frontex. To appraise the potentials of this role, this section explores how the AI Act, in conjunction with the EU DPR, construe the EDPS’ competence and whether they do so with sufficient clarity so as to contribute to mitigating the above-identified risks to fundamental rights.

As explained above, under the EU DPR, the EDPS is responsible for ensuring that any processing of personal data by EU institutions, bodies, offices, and agencies respects the fundamental rights and freedoms of natural persons (Article 52(2)). To that end, the Supervisor, among others, receives and handles complaints from the data subjects (Article 63 EU DPR). Through this redress mechanism, individuals are given the possibility to take control over their data and seek remedies for any breaches of their rights as data subjects.Footnote 133 However, the mere existence of the possibility to complain about potential breaches of data subjects’ rights under the EU DPR does not necessarily guarantee the EU actors’ compliance with fundamental rights more broadly. Indeed, to that end, pursuant to Article 64 EU DPR, individuals also enjoy the right to an effective judicial remedy before the Court of Justice of the EU, including through direct claims for damages and appeals against the decision of the EDPS.Footnote 134

Under the AI Act, the EDPS’ role in remedying potential violations of fundamental rights is, however, less clear. The definition of ‘national competent authority’ under Article 3(3), specifies that for AI development and uses by EU actors, ‘references to national competent authorities or market surveillance authorities in this Regulation shall be construed as references to the European Data Protection Supervisor.’. For the latter, Article 74(9) further specified that wherever the AI Act applies to the EU actors, the EDPS shall be the designated supervisory authority, ‘except in relation to the [CJEU]acting in its judicial capacity.’. This opens up the question, however: what are the powers and competences of the EDPS as a market surveillace authority in respect of the AI Act as a product safety regulation and what does that mean for the individuals’ access to effective remedies?

Under the AI Act, the EDPS will assume diverse tasks with respect to the enforcement of the AI Act’s obligations. There is at the moment, however, no clear gap in the procedural possibility to lodge complaints with the EDPS under the AI Act. In contrast to the envisioned right to lodge a complaint with the national market surveillance authority under Article 85 AI Act, the AI Act does not afford the same right to lodge a complaint with the EDPS, akin to Article 63 EU DPR. Nor, therefore, does the AI Act grant the right to an effective judicial remedy against the decisions of the EDPS concerning EU actors' deployment of AI systems with the requirements of the AI Act., akin to Article 64 EU DPR (and in light of the requirements of Article 47 of the Charter). Without a direct procedural access to remedies, individuals will thus have to rely on their rights as data subjects under the EU DPR in seeking protection against the potential violations by the EU actors’ use of AI, despite the existence of clear obligations falling on the latter.

Instead, under the AI Act framework, the EDPS will assume a threefold role, as (a) ‘a market surveillance authority’ (Article 74(9)), (b) an “observer” within the new European AI Board (Article 65(2)), and (c) the designer of regulatory sandboxes for EU actors (Article 57(3).).

First, in its capacity as a market surveillance authority, the EDPS will undertake conformity assessments (a form of ex ante compliance mechanism) for the EU actors’ uses of AI and notify the outcomes of these assessments to the Commission.Footnote 135 While on the face of it a clear task, the AI Act requires that deployers of highrisk AI systems that are bodies governed by public law, or private entities providing public services and deployers of certain high-risk AI systems, such as banking or insurance entities, should carry out a fundamental rights impact assessment prior to putting it into use, according to Article 27. without clearly encompassing this within the mandate of the EDPS. As a whole, the conformity assessment procedure with respect to the EU actors’ development and deployment of AI is rather underspecified. This perhaps calls into question the EU legislators’ choice of a single regulatory instrument as opposed to, for instance, a separate, more targeted regulation governing the EU actors’ obligations, akin to the EU DPR.

Second, the EDPS will play a further role within the newly established European Artificial Intelligence Board (hearafter the AI Board).Footnote 136 The AI Board should advise and assist the Commission and the Member States to facilitate the consistent and effective application (Article 66), including by facilitating coordination and harmonisation of practices of national competent authorities, collecting and sharing technical and regulatory expertise and best practices; issuing recommendations and written opinions on any relevant matters related to the implementation of the AI Act; and other advisory and coordinating tasks aimed at improving the implementation of the AI Act as a whole.Footnote 137 Perhaps akin to the role of the European Data Protection Board in its advisory capacity,Footnote 138 by itself this role will not constitute a remedial avenue for individuals to ask for an effective review of EU actors’ uses of AI systems, as the Board will not possess any direct enforcement powers.Footnote 139

Lastly, the EDPS will also participate in the organisation of regulatory sandboxes for the development, testing and validation of innovative AI systems at the Union level, before they are deployed. The policy option of regulatory sandboxes has emerged as experimental regulatory method aim to address the uncertainty of the AI industry and its associated knowledge gaps, with the intention to enable smaller companies to prepare for the necessary conformity assessments.Footnote 140 Pursuant to Article 57, the sandboxes shall provide a, ‘controlled environment that fosters innovation and facilitates the development, training, testing and validation of innovative AI systems for a limited time before their being placed on the market or put into service pursuant to a specific sandbox plan agreed between the providers or prospective providers and the competent authority’ Research in the field of AI and ethics has compared the reliance on regulatory sandboxes to ‘nurturing moral imaginations’.Footnote 141 Pursuant to the third paragraph of Article 53, the AI regulatory sandboxes ‘shall not affect the supervisory and corrective powers of the competent authorities’ and ‘any significant risks to fundamental rights, democracy and rule of law, health and safety or the environment identified during the development and testing of such AI systems shall result in immediate and adequate mitigation’. (Article 57(11)). The EDPS will be tasked with organising such sandboxes at the EU level (Article 57(3)). In this context, the EDPS shall provide guidance and supervision within the sandbox with respect to identifying risks, in particular to fundamental rights, among others, and to demonstrating mitigation measures and their effectiveness to mitigate the identified risks. A relative novelty in EU law, regulatory sandboxes emerge as a form of ‘experimental legal regime’, which, according to Ranchordas, can ‘waive [or] modify national regulatory requirements (or implementation)’ as a way of offering ‘safe testbeds for innovative products and services without putting the whole system at risk’.Footnote 142 As a relatively new legal phenomenon, there is a lack of empirical knowledge about their potential usefulness to improve fundamental rights protection.

In view of the many difficulties in lodging complaints in the digital context,Footnote 143 the fundamental rights–protecting role of the EDPS is much wider under the EU DPR rules.Footnote 144 Beyond ensuring the EU actors’ compliance with the data subjects’ rights, the EDPS’ role entails promoting public awareness, conducting investigations, advising the EU institutions, adopting soft-law guidelines and clarifying the data protection requirements, authorising contractual clauses, and many others. In this respect, the supervisory role of the EDPS is likely to continue in its existing fashion with respect to the EU’s uses of AI applications, making a direct reference to the new AI-specific requirements enumerated under the AI Act in tandem with the data protection requirements. Indeed, for instance, the current EDPS has taken a firm stance on the AI-driven data processing activities of the EU agencies, including Frontex and Europol.Footnote 145

Navigating the landscape of exceptions and derogations with respect to data uses, especially in the law enforcement context, will, however, continue to undermine the EU’s efforts to ensure a human-centred use and deployment of AI meant to ensure full respect for fundamental rights. In light of the ongoing technological empowerment of the EU agencies, as exemplified by the expanding role of Frontex,Footnote 146 more structural adjustments of the EDPS’ powers and tasks vis-a-vis AI-powered EU conduct might be necessary for the effective enforcement of rights under the fragmented legal frameworks, instead of merely introducing more rights and obligations.Footnote 147 For now, direct protection of fundamental rights against the uses of AI by EU actors will remain primarily within the power of the EDPS under the remedial avenues stemming from the EU DPR. Accordingly, the way the Supervisor will apply the new AI-specific rules in conjunction with the individuals’ rights as data subjects will be crucial to furthering the protection of fundamental rights in the AI-driven conduct of the EU actors, such as Frontex.

15.5 Conclusion

Illustrated with the case of EU agencies like Frontex, which have spearheaded the development and deployment of AI for border surveillance purposes, the chapter assessed their risks to fundamental rights and the affected persons’ possibilities to remedy the likely violations. By examining two examples of AI uses by Frontex – automated risk assessments under the new ETIAS system and AI-powered aerial surveillance for border response – the chapter demonstrates diverse risks to fundamental rights, including privacy, personal data protection, non-discrimination, and the right to asylum.

In light of these concerns, the chapter highlighted the challenges for access to remedies against AI uses by the EU actors, including to procedural rights to good administration and effective judicial remedy and in the current remedial set up under the emerging framework for regulating AI – the AI Act. Examining the limis of the AI Act in determining a concrete role of the European Data Protection Supervisor (EDPS) the chapter calls for further restructuring of the EDPS powers with respect to fundamental rights protection in view of its combined mandate under the EU’s data protection and AI frameworks. With the identified gaps still in place, including the lack of a direct remedy against the EU actors’ use of AI under the AI Act, the EDPS will play a central role in guaranteeing the legal protection of fundamental rights in the emerging AI-powered conduct. To undertake this role effectively, the gaps identified in this chapter will need to be carefully addressed.

Footnotes

11 EU Law Enforcement Authorities and Access to Justice

* The views expressed are my own and do not reflect the official position of the Hoge Raad.

1 Volker Röben, ‘The Enforcement Authority of International Institutions’ (2008) 9 German Law Journal 1965, 1966. Note that this definition does not include enforcement by private actors which, though relevant, is outside the ambit of this contribution.

2 This is stated by the ECtHR, in the context of the right to privacy, in Lozovyye v Russia, App no 4587/09 (ECtHR, 24 April 2018) para 36; See also Koen Bovend’Eerdt, ‘The Protection of Fundamental Rights in OLAF Composite Enforcement Procedures (and the EPPO’s Ship Smoke on the Horizon)’ (PhD thesis, Utrecht University 2023) ch 1.5.3.1.

3 Jeremy Waldron, ‘The Concept and the Rule of Law’ (2008) 43 Georgia Law Review 1, 6. While, in the literature, fundamental rights are often considered as both (or either) ‘swords’ and ‘shields’, we favour the latter. In the law enforcement/access to justice context, fundamental rights, as invoked by an individual, enter into play only after there has been an initial interference by enforcement authorities. This is reflected in, for instance, the European Convention on Human Rights (ECHR) Article 13, which states that everyone whose rights and freedoms as set forth in this Convention are violated shall have an effective remedy. We also find support for this position in the relevant law enforcement literature, among many others: John Vervaele, ‘Special procedural measures and the protection of human rights: General Report’ (2009) 80 International Review of Penal Law 75, 83; John Vervaele, ‘Surveillance and Criminal Investigation: Blurring of Thresholds and Boundaries in the Criminal Justice System’ in Serge Gutwirth, Ronald Leenes, and Paul De Hert (eds), Reloading Data Protection. Multidisciplinary Insights and Contemporary Challenges (Springer 2014). See also the recently published liber amicorum for John Vervaele in which the ‘sword versus shield’ matter is discussed in various contributions: Michiel Luchtman and Others (eds), Of Swords and Shields: Due Process and Crime Control in Times of Globalization – Liber Amicorum prof. dr. J.A.E. Vervaele (Eleven 2023).

4 Mauro Cappelletti and Bryant Garth, ‘Access to Justice: The Newest Wave in the Worldwide Movement to Make Rights Effective’ (1978) 27 Buffalo Law Review 181, 182; See also Salvo Nicolosi and Elmin Omičević, ‘The Rise of EU Migration Agencies: Striking a Balance between Enforcement Needs and Access to Justice’ (2022) Jean Monnet Network on EU Law Enforcement Working Paper Series 16/22, 1 <jmn-eulen.nl/wp-content/uploads/sites/575/2022/05/WP-Series-No.-16-22-THE-RISE-OF-EU-MIGRATION-AGENCIES-Striking-a-Balance-Between-Enforcement-Needs-and-Access-to-Justice-Nicolosi-Omicevic.pdf>.

5 Olivier Linden, ‘The Internal Market’ in Miroslava Scholten (ed), Research Handbook on EU Law Enforcement (Edward Elgar 2023) 281.

6 Miroslava Scholten, Michiel Luchtman, and Elmar Schmidt, ‘The Proliferation of EU Enforcement Authorities: A New Development in Law Enforcement in the EU’ in Miroslava Scholten and Michiel Luchtman (eds), Law Enforcement by EU Authorities: Implications for Political and Judicial Accountability (Edward Elgar 2017) 4–5.

7 Miroslava Scholten and Michiel Luchtman, Law Enforcement by EU Authorities: Implications for Political and Judicial Accountability (Edward Elgar 2017).

8 Miroslava Scholten, Béla Strauss, and Alex Brenninkmeijer, ‘Controlling EU Agencies: An Introduction’ in Miroslava Scholten and Alex Brenninkmeijer (eds), Controlling EU Agencies. The Rule of Law in a Multi-jurisdictional Legal Order (Edward Elgar 2020) 5.

9 See, for instance, a thorough overview of relevant studies in Benjamin van Rooi and Adam Fine, The Behavioral Code. The Hidden Ways That the Law Makes Us Better … or Worse (Beacon Press 2021).

10 Miroslava Scholten, ‘Challenges and successes of enforcement of EU law’ in Miroslava Scholten (ed), Research Handbook on the Enforcement of EU Law (Edward Elgar 2023) 524.

11 Miroslava Scholten, ‘Mind the Trend! Enforcement of EU Law Has Been Moving to Brussels’ (2017) Journal of European Public Policy 1348, 1351; Miroslava Scholten, Martino Maggetti, and Esther Versluis, ‘Political and Judicial Accountability in Shared Enforcement in the EU’ in Miroslava Scholten and Michiel Luchtman (eds), Law Enforcement by EU Authorities: Implications for Political and Judicial Accountability (Edward Elgar 2017) 353.

12 John Vervaele (ed), Compliance and Enforcement of European Community Law (Kluwer International 1999).

13 Miroslava Scholten and Leander Stähler, ‘Introduction to the Research Handbook on EU Law Enforcement’ in Miroslava Scholten (ed), Research Handbook on the Enforcement of EU Law (Edward Elgar 2023) 2.

14 Robert Baldwin, Martin Cave, and Martin Lodge, ‘Responsive Regulation’ in Baldwin and Others (eds), Understanding Regulation: Theory, Strategy, and Practice (2nd edn, Oxford University Press 2011).

15 See, for example, Directive (EU) 2014/65 of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Directive 2002/92/EC and Directive 2011/61/EU [2014] OJ L173/349.

16 Which authority is responsible for the imposition of a sanction depends very much on each and every European law enforcement authority’s legal framework. This will be discussed in greater detail below.

17 Charter of Fundamental Rights of the European Union [2012] OJ C326/02 (CFR) art 7.

18 Ibrahim and Others v the United Kingdom, App nos 50541/08, 50571/08, 50573/08 and 40351/09 (ECtHR, 13 September 2016) para 253.

19 See, among many others dealing with this particular issue, Imbrioscia v Switzerland, App no 13972/88 (ECtHR, 24 November 1993) para 38.

20 Saunders v United Kingdom, App no 19187/91 (ECtHR, 17 December 1996) para 67.

21 Kruslin v France, App no 11801/85 (ECtHR, 24 April 1990) para 30.

22 Michiel Luchtman, ‘Pertinent Issues of Punitive Enforcement in a Composite Legal Order’ in Michiel Luchtman, Katalin Ligeti, and John Vervaele (eds), EU Enforcement Authorities. Punitive Law Enforcement in a Composite Legal Order (Hart 2023) 277–279.

23 Ian Ayres and John Braithwaite, Responsive Regulation: Transcending the Deregulation Debate (Oxford University Press 1992); Robert Baldwin, Martin Cave, and Martin Lodge, Understanding Regulation: Theory, Strategy, and Practice (2nd edn, Oxford University Press 2011), ch 11.

24 Stefano Montaldo, ‘EU Sanctioning Power and the Principle of Proportionality’ in Stefano Montaldo, Francesco Costamagna, and Alberto Miglio (eds), EU Law Enforcement. The Evolution of Sanctioning Powers (Routledge 2021) 115–117.

25 Miroslava Scholten, ‘Shared Tasks, but Separated Controls: Building the System of Control for Shared Administration in an EU Multi-Jurisdictional Setting’ (2019) 10 European Journal of Risk Regulation 538.

26 Mario Chiti, ‘Forms of European Administrative Action’ (2004) 68 Law and Contemporary Problems 37, 47.

27 It is worth noting that enforcement autonomy is delimited by the principles of effectiveness and equivalence. The former means that national rules for the implementation of Union law must not render virtually impossible or excessively difficult the exercise of rights conferred by EU law. The latter means that national rules governing an issue with an EU dimension should not be less favourable than rules governing a similar domestic issue. See, in that respect, Rob Widdershoven, ‘National Procedural Autonomy and General EU Law Limits’ (2019) 12 Review of European Administrative Law 5.

28 Scholten, ‘Mind the Trend!’ (Footnote n 11).

29 Scholten, Luchtman, and Schmidt (Footnote n 6).

30 Mariavittoria Catanzariti and Alexander H. Türk, ‘EU agencies and the rise of a mixed administration in the EU multi-jurisdictional setting: facing the challenges of the rule of law’ in Miroslava Scholten and Alex Brenninkmeijer (eds), Controlling EU Agencies: The Rule of Law in a Multi-Jurisdictional Legal Order (Edward Elgar 2020).

31 Michiel Luchtman, ‘The rise of EU law enforcement authorities’ in Michiel Luchtman, Katalin Ligeti, and John Vervaele (eds), EU Enforcement Authorities – Punitive Law Enforcement in a Composite Legal Order (Hart 2023).

32 Argyro Karagianni, The protection of fundamental rights in composite banking supervision procedures (Europa Law 2022) 30.

33 Frank Meyer, ‘Protection of fundamental rights in a multi-jurisdictional setting of the EU’ in Miroslava Scholten and Alex Brenninkmeijer (eds), Controlling EU Agencies: The Rule of Law in a Multi-Jurisdictional Legal Order (Edward Elgar 2020) 145.

34 Case C-314/85 Foto-Frost v Hauptzollamt Lübeck-Ost [1987] ECLI:EU:C:1987:452, para 15.

35 Case C-219/17 Berlusconi and Fininvest [2018] ECLI:EU:C:2018:1023, para 49.

36 Filipe Brito Bastos, ‘Derivative illegality in European Composite Administrative Procedures’ (2018) 55 Common Market Law Review 101.

37 Case T-193/04 Tillack v Commission [2006] ECLI:EU:T:2006:292, para 68.

38 Katalin Ligeti and Gavin Robinson, ‘Composite Enforcement and Comprehensive Judicial Protection’ in Michiel Luchtman, Katalin Ligeti, and John Vervaele (eds), EU Enforcement Authorities – Punitive Law Enforcement in a Composite Legal Order (Hart 2023) 71.

39 Karagianni (Footnote n 32) 247.

40 Miroslava Scholten, ‘Independence vs. Accountability: Proving the Negative Correlation’ (2014) 21 Maastricht Journal of European and Comparative Law 1.

41 Scholten and Luchtman, Law Enforcement by EU Authorities (Footnote n 7).

42 See Section 11.1.

43 European Securities and Markets Authority, ‘Investigations and Inspections’ <www.esma.europa.eu/esmas-activities/supervision-and-convergence/investigations-and-inspections>.

44 Regulation (EU) 513/2011 of the European Parliament and of the Council of 11 May 2011 amending Regulation (EC) No 1060/2009 on credit rating agencies Text with EEA relevance [2011] OJ L145/30.

45 Miroslava Scholten and Alex Brenninkmeijer (eds), Controlling EU Agencies: The Rule of Law in a Multi-Jurisdictional Legal Order (Edward Elgar 2020).

46 Case C‑911/19 Fédération bancaire française (FBF) v Autorité de contrôle prudentiel et de résolution (ACPR) [2021] ECLI:EU:C:2021:599; Opinion of AG Bobek [2021] ECLI:EU:C:2021:294.

47 Jonathan Foster, ‘A power to fine: Establishing negligence and intent in infringements by credit rating agencies and trade repositories’ in Miroslava Scholten (ed), Research Handbook on the Enforcement of EU Law (Edward Elgar 2023) 265.

48 Marloes van Rijsbergen and Miroslava Scholten, ‘ESMA Inspecting: The Implications for Judicial Control under Shared Enforcement’ (2016) 7 European Journal of Risk Regulation 3.

49 Regulation (EU) No 1095/2010 of the European Parliament and of the Council of 24 November 2010 as amended by Regulation (EU) 2019/2175; European Securities and Markets Authority, ‘Ethichs and Conflicts Interest’ <www.esma.europa.eu/about-esma/governance-structure/ethics-and-conflicts-interest>.

50 See, critically, Malgorzata Kozak and Jacek Mainardi, ‘Rights of Complainants before the European Commission – a Critical Analysis’ (2023) 14 Journal of European Competition Law & Practice 3.

51 Council Regulation (EC) 1/2003 of 16 December 2002 on the implementation of the rules on competition laid down in Articles 81 and 82 of the Treaty [2003] OJ L1/1 (Regulation 1/2003).

52 Footnote Ibid art 12.

53 EC, ‘European Competition Network’ (competition-policy.ec) <competition-policy.ec.europa.eu/european-competition-network_en>.

54 The rules for case allocation within the ECN are included in the Commission Notice on cooperation within the Network of Competition Authorities [2004] OJ C101/43 (ECN Notice). In short, the overarching principle is that the authority receiving a complaint or starting an ex officio investigation will remain in charge of the case. Reallocation will occur only if the initial authority is not well-placed to act or other authorities are better placed to act. A ‘well-placed’ authority is one on whose territory an agreement or anticompetitive practice is implemented, who can gather the evidence required to prove the infringement, and who is able to bring an infringement to an end.

55 Regulation 1/2003 (Footnote n 51) art 17.

56 Footnote Ibid art 18.

57 Footnote Ibid art 19.

58 Footnote Ibid art 20.

59 Footnote Ibid art 21.

60 Footnote Ibid art 23(1).

61 It is important to note that alongside punitive administrative fines, DG COMP may also terminate an investigation through a settlement procedure or through a decision to accept commitments on the part of investigated parties. However, due to space constraints and seeing as the imposition of punitive administrative fines and penalties, as a traditional ‘command and control’ enforcement tool, interferes with various fundamental rights, it is for this reason that our discussion revolves only around punitive administrative fines and periodic penalty payments.

62 Regulation 1/2003 (Footnote n 51) art 23(2).

63 Footnote Ibid 24(1).

64 Commission Regulation (EC) 773/2004 of 7 April 2004 relating to the conduct of proceedings by the Commission pursuant to Articles 81 and 82 of the EC Treaty [2004] OJ L123/18 (Regulation 773/2004).

65 EC, ‘Antitrust Manual of Procedures’ (Competitionpolicy.ec, November 2019) <competition-policy.ec.europa.eu/system/files/2023-02/antitrust_manproc_11_2019_en.pdf>.

66 Commission notice on best practices for the conduct of proceedings concerning Articles 101 and 102 TFEU [2011] OJ C308/6 (Commission Notice Articles 101 and 102 TFEU).

67 Regulation 773/2004 (Footnote n 64) art 7.

68 See Regulation 1/2003 (Footnote n 51) arts 18(3) and 20(4).

69 Footnote Ibid art 20(7).

70 Case C-94/00 Roquette Frères [2002] ECLI:EU:C:2002:603.

71 Case C-136/79 National Panasonic v Commission [1980] ECLI:EU:C:1980:169.

72 Case C-374/87 Orkem v Commission [1989] ECLI:EU:C:1989:387.

73 Case C-550/07 P Akzo Nobel Chemicals and Akcros Chemicals v Commission [2010] ECLI:EU:C:2010:512; Case C-155/79 AM & S v Commission [1982] ECLI:EU:C:1982:157.

74 Commission Notice Articles 101 and 102 TFEU (Footnote n 66) para 75.

75 Regulation 1/2003 (Footnote n 51) art 27(1).

76 Footnote Ibid art 27(2).

77 Case T704/14‑ Marine Harvest v Commission [2017] ECLI:EU:T:2017:753, para 580.

78 Guidelines on the method of setting fines imposed pursuant to Article 23(2)(a) of Regulation No 1/2003 [2006] OJ C210/2.

79 Directive (EU) 2019/1 of the European Parliament and of the Council of 11 December 2018 to empower the competition authorities of the Member States to be more effective enforcers and to ensure the proper functioning of the internal market [2019] OJ L11/3, chs IV and V.

80 Footnote Ibid art 32.

81 Footnote Ibid art 3.

82 Malgorzata Kozak, ‘ECN+ Directive – A missed opportunity for strengthening the rights of parties?’ in Catalin S. Rusu and Others (eds), New Directions of Antitrust Enforcement (Wolf Legal 2020).

83 Consolidated Version of the Treaty on the Functioning of the European Union [2016] OJ C202/47, art 263.

84 Tillack v Commission (Footnote n 37) para 67.

85 Consolidated Version of the Treaty on European Union [2016] OJ C202/13, arts 14(1) and 17(7).

86 Footnote Ibid art 17(7).

87 TFEU (Footnote n 83) art 233.

88 Framework Agreement on relations between the European Parliament and the European Commission [2010] OJ L304/47.

89 Footnote Ibid art 1.

90 European Parliament resolution of 18 June 2020 on competition policy – annual report 2019 [2021] OJ C362/22, para 40.

91 Footnote Ibid para 88.

92 Footnote Ibid para 155.

93 Footnote Ibid para 159.

94 Footnote Ibid para 156.

95 TFEU (Footnote n 83) art 287(2).

96 Directive (EU) 2019/1 of the European Parliament and of the Council of 11 December 2018 to empower the competition authorities of the Member States to be more effective enforcers and to ensure the proper functioning of the internal market [2019] OJ L11/3, recital 22.

97 Katalin Cseres and Annalies Outhuijse, ‘Parallel enforcement and accountability: EU competition law’ in Miroslava Scholten and Michiel Luchtman (eds), Law Enforcement by EU Authorities: Implications for Political and Judicial Accountability (Edward Elgar 2017) 107.

99 Decision 2011/695 of the President of the European Commission of 13 October 2011 on the function and terms of reference of the hearing officer in certain competition proceedings [2011] OJ L275/29, art 2.

100 Footnote Ibid art 4(2)(a).

101 Footnote Ibid art 4(2)(b).

102 Footnote Ibid arts 4(2)I and 9.

103 Footnote Ibid art 4(2)(d).

104 Footnote Ibid arts 5–7.

105 It is worth noting, however, that the ECtHR has recognised that even if the administrative authority is not independent in itself, that does not amount to a violation of the right to a fair trial, so far as the decision of the administrative authority is later reviewed by a judicial authority that has ‘full jurisdiction’, namely ‘the power to quash in all respects, on questions of fact and law, the decision of the body below’, see Menarini Diagnostics S.r.l. v Italy, App no 43509/08 (ECtHR, 27 September 2011).

106 Rubén Perea Molleda, ‘The Ecn+ Directive and the Next Steps for Independence in Competition Law Enforcement’ (2020) 12 Journal of European Competition Law & Practice 167.

107 Regulation 1/2003 (Footnote n 51) art 14(1).

108 Perea Molleda (Footnote n 106).

109 Case T-791/19 Sped-Pro S.A. v Commission [2022] ECLI:EU:T:2022:67.

110 Regulation (EU, Euratom) 883/2013 of the European Parliament and of the Council of 11 September 2013 concerning investigations conducted by the European Anti-Fraud Office (OLAF) and repealing Regulation (EC) No 1073/1999 of the European Parliament and of the Council and Council Regulation (Euratom) No 1074/1999 [2013] OJ L248/1 (Regulation (EU, Euratom) 883/2013), art 1(1).

111 Footnote Ibid arts 2(4), 3, and 4.

112 Regulation (EU, Euratom) 883/2013 (Footnote n 110) art 5.

113 Regulation (EU, Euratom) 883/2013 (Footnote n 110) arts 11(1) and (2). The distinction as drawn here is not so strict in reality. It is also possible that OLAF, in an external investigation, finds sufficient reasons to (also) transmit its investigation report and accompanying recommendations to EU institutions, bodies, offices, and agencies (i.e., not only to the Member State concerned).

114 Though the conditions under which they are admissible differ, depending on the nature of the proceedings (punitive or other). See Regulation (EU, Euratom) 883/2013 (Footnote n 110) art 11(2).

116 Ibrahim and Others v the United Kingdom (Footnote n 18) para 253.

117 For an in-depth overview, see Katalin Ligeti, ‘The Protection of the Procedural Rights of the Person Concerned by OLAF Administrative Investigations and the Admissibility of OLAF Final Reports as Criminal Evidence’ (2017) <www.europarl.europa.eu/RegData/etudes/IDAN/2017/603790/IPOL_IDA(2017)603790_EN.pdf>.

118 Regulation (EU, Euratom) 883/2013 (Footnote n 110) art 9(4). Note, however, that, in duly justified cases, where necessary to preserve the confidentiality of the investigation or an ongoing or future criminal investigation by the EPPO or a national judicial authority, the Director-General may, where appropriate after consulting the European Public Prosecutor’s Office or the national judicial authority concerned, decide to defer the fulfilment of the obligation to invite the person concerned to comment.

119 Regulation (EU, Euratom) 883/2013 (Footnote n 110) art 9(2).

120 Guidelines on Digital Forensic Proceedings for OLAF Staff 2016, art 6.3.

121 Case T-215/02 Gomez Reino [2003] ECLI:EU:T:2003:352 para 65; Case T-259/03 Nikolaou v Commission [2007] ECLI:EU:T:2007:254; Case T-48/05 Franchet and Byk v Commission [2008] ECLI:EU:T:2008:257; Case T-447/11 Catinis v Commission [2014] ECLI:EU:T:2014:267 paras 63–64. This reasoning has been criticised in the literature. See, among others, Jan Inghelram, ‘Fundamental Rights, the European Anti-Fraud Office (OLAF) and a European Public Prosecutor’s Office (EPPO): Some Selected Issues’ (2012) 1 Kritische Vierteljahresschrift für Gesetzgebung und Rechtswissenschaft 67, 73–74; Simone White, ‘Rights of Defence in Administrative Investigations: Access to the File in EC Investigations’ (2009) 1 Review of European Law 57, 63.

122 Case T-517/19 Homoki v Commission [2021] ECLI:EU:T:2021:529.

123 Case T-379/21 Vendrame v Commission [2021] ECLI:EU:T:2023:399.

124 This Section borrows heavily from Bovend’Eerdt, ‘The Protection of Fundamental Rights in OLAF Composite Enforcement Procedures’ (Footnote n 2) ch 2.6.

125 Case C-60/81 IBM v Commission [1981] ECLI:EU:T:1981:264, para 10.

126 Footnote Ibid para 11.

127 See, in greater detail, Katalin Ligeti and Gavin Robinson, ‘Composite Enforcement and Judicial Protection’ in Michiel Luchtman, Katalin Ligeti, and John Vervaele (eds), EU Enforcement Authorities. Punitive Law Enforcement in a Composite Legal Order (Hart 2023) 88–92.

128 In fact, damages have only been awarded in internal investigations.

129 European Union Committee, Strengthening OLAF, the European Anti-Fraud Office. Report with Evidence (Hour of Lords 2003–2004, 139) 18–20; Michiel Luchtman and Martin Wasmeier, ‘The Political and Judicial Accountability of OLAF’ in Miroslava Scholten and Michiel Luchtman (eds), Law Enforcement by EU Authorities: Implications for Political and Judicial Accountability (Edward Elgar 2017) 232–233.

130 Luchtman and Wasmeier (Footnote n 129) 230–236.

131 The purpose of the latter, of course, is to ensure the admissibility of OLAF’s investigation report in national (punitive) proceedings.

132 Regulation (EU, Euratom) 883/2013 (Footnote n 110) art 17(7).

133 Jan Inghelram, ‘Fundamental Rights, the European Anti-Fraud Office (OLAF) and a European Public Prosecutor’s Office (EPPO): Some Selected Issues’ (2012) 1 Kritische Vierteljahresschrift für Gesetzgebung und Rechtswissenschaft 67, 70.

135 OLAF Supervisory Committee, ‘Opinion No 2/2015. Legality Check and Review in OLAF’ 14.

136 The Controller of Procedural Guarantees was introduced by way of Regulation (EU, Euratom) 2020/2223 of the European Parliament and of the Council of 23 December 2020 amending Regulation (EU, Euratom) No 883/2013, as regards cooperation with the European Public Prosecutor’s Office and the effectiveness of the European Anti-Fraud Office investigations [2020] OJ L437/49 (Regulation (EU, Euratom) 2020/2223).

137 Regulation (Eu, Euratom) 883/2013 (Footnote n 110) art 9a(1).

138 Regulation (EU, Euratom) 2020/2223 (Footnote n 136) recital (32).

139 Footnote Ibid recital (32) and art 9b.

140 Decision of the Controller of Procedural Guarantees Adopting Implementing Provisions for the Handling of Complaints [2022] OJ C494/17 (Decision 494/17) arts 8 and 9.

141 Footnote Ibid art 7(1).

142 Footnote Ibid arts 10 and 11.

143 Regulation (Eu, Euratom) 883/2013 (Footnote n 110) art 9b(7); Decision 494/17 (Footnote n 140) art 13(2).

144 Regulation (EU, Euratom) 883/2013 (Footnote n 110) art 9a(6).

145 TFEU (Footnote n 83) art 228(1); see also Regulation (EU, Euratom) 2021/1163 of the European Parliament of 24 June 2021 laying down the regulations and general conditions governing the performance of the Ombudsman’s duties (Statute of the European Ombudsman) and repealing Decision 94/262/ECSC, EC, Euratom [2021] OJ L253/1 (Regulation (EU, Euratom) 2021/1163), art 2(1).

146 European Ombudsman, Fundamental Rights (ombudsman.europa.eu) <www.ombudsman.europa.eu/en/areas-of-work/fundamental-rights>.

147 Statute of the European Ombudsman (Footnote n 145) art 3.

148 See, for instance, European Ombudsman Case 598/2013/OV European Anti-Fraud Office (16 December 2013) <europa.eu/!7XrxPP>.

149 See, for instance, European Ombudsman Case 1560/2010/FOR European Anti-Fraud Office (6 September 2010) <europa.eu/!PHngCh>; European Ombudsman Cases 723/2005/OV and 790/2005/OV European Anti-Fraud Office (18 December 2009) <europa.eu/!q3C9Px>.

12 Legal Protection against Fundamental Rights Breaches through Factual Conduct by the European Union

* This chapter is dedicated to the memory of my father, Dr Liviu Coman-Kund. The author would like to thank Melanie Fink for the feedback and suggestions on this chapter; the usual disclaimer applies. All websites and electronic sources were last accessed on 25 August 2023.

1 Consolidated Version of the Treaty on the Functioning of the European Union [2016] OJ C202/47 (TFEU).

2 Charter of Fundamental Rights of the European Union [2016] OJ C202/389.

3 The term ‘formal legally binding act’ refers in this context to legal instruments that are explicitly enshrined as acts with binding effects in the relevant legal framework and that normally must meet specific procedural and formal criteria to come into being and produce their binding effects (e.g., regulations, directives, and decisions enshrined in Article 288 TFEU are illustrative of this category); this allows drawing a distinction between such formal binding acts, whereby their form and substance are in principle fully consistent in indicating their binding nature, and genuine legally binding acts identified on the basis of the ‘substance prevails over form’ test used by the Court of Justice of the European Union (CJEU) since ERTA to determine whether a certain action, no matter the label and form, is in fact genuinely producing legal effects vis-à-vis third parties, see Case 22/70 Commission v Council. European Agreement on Road Transport (ERTA) [1971] EU:C:1971:32, para. 42. In the latter case, administrative actions, including factual conduct (as discussed later in this chapter), that meet the criteria of the ERTA test would amount to genuine legally binding acts even if their form does not correspond to that of a legally binding act; if this is the case, such ‘factual conduct’ qua form expressing a legally binding act qua nature would be subject to the system of legal review and remedies put in place for legally binding acts.

4 See Timo Rademacher, ‘Factual Administrative Conduct and Judicial Review in EU Law’ (2017) 29 (2) European Review of Public Law 399, 401.

5 E.g., various preparatory documents, proposals, draft rules, reports, and opinions.

6 E.g., the concrete actions to enter the premises of an undertaking, as well as searching and collecting relevant information and documents following a formal inspection decision adopted by the European Commission under the EU competition rules according to Council Regulation (EC) No 1/2003 of 16 December 2002 on the implementation of the rules on competition laid down in Articles 81 and 82 of the Treaty [2003] OJ L1/1; checking identity of persons, body searches, confiscation of goods/items in the implementation of an operational decision during a joint operation at the Union’s external borders.

7 E.g., recommendations and opinions based on Article 288 TFEU, communications, white papers, green papers, letters, resolutions, guidelines, codes of conduct, etc.

8 E.g., data collection and processing operations, accessing and searching an EU database, drawing up the agenda and minutes of an official meeting, publication of notices of information, questions and answers, ‘naming and shaming’ practices, for instance, by the so-called European Supervisory Authorities (ESAs) in the context of the implementation and enforcement of the EU financial governance framework (for a recent example of such practices regarding the European Banking Authority, see European Banking Authority, Regulatory Technical Standards on a central database on AML/CFT in the EU (European Banking Authority, 20 December 2021) <www.eba.europa.eu/regulation-and-policy/anti-money-laundering-and-countering-financing-terrorism/regulatory-technical-standards-central-database-amlcft-eu#pane-new-ed8f3c99-9589-454a-a87e-37f2578a1783>; and The Compliance Lady, European Banking Authority’s “Name & Shame” Database To Be Operational In January 2022 (Compliance Lady, 21 December 2021) <https://thecompliancelady.com/2021/12/21/european-banking-authoritys-name-shame-database-to-be-operational-in-january-2022/>.

9 For an interesting conceptual framework regarding EU factual conduct and its potential legal effects, see Napoleon Xanthoulis, ‘Administrative Factual Conduct: Legal Effects and Judicial Control in EU Law’ (2019) 12 Review of European Administrative Law 39, 45–56.

10 Rademacher (Footnote n 4) 399–400; see also Herwig C H Hofmann, Gerard C Rowe, and Alexander H Türk, Administrative Law and Policy of the European Union (Oxford University Press 2011) 667–672.

11 See Case 53/85 AKZO Chemie BV and AKZO Chemie UK Ltd v Commission [1986] ECLI:EU:C:1986:256, para 17.

12 Hence, factual conduct does not cover formal legally binding acts or formal non-binding acts and instruments adopted by the EU administration according to prescribed procedures and formats (the latter being also called ‘soft law’). As to the latter, though they have no binding force, formal recommendations and opinions adopted by the EU institutions (in particular the Council and the Commission) based on Article 288 TFEU are technically included in the category of ‘legal acts of the Union’; the same seems to apply, at least according to scholarly and some official sources, for communications, guidelines, notices, resolutions, etc. that are not listed under Article 288 TFEU, and therefore are labelled as ‘atypical acts’, see Florin Coman-Kund and Corina Andone, ‘Persuasive Rather than ‘Binding’ EU Soft Law? Towards an Argumentative Template for European Commission’s Recommendations’ in Petra Láncos, Napoleon Xanthoulis, and Luis Arroyo Jiménez (eds), The Legal Effects of EU Soft Law: Theory, Language and Sectoral Insights into EU Multi-level Governance (Edward Elgar 2023) 150; and Opinion of Advocate-General Bobek in Case C-16/16P Belgium v Commission [2017] ECLI:EU:C:2017:959, paras 55–62.

13 E.g., operating an arrest, use of firearms, body and identity checks, placing a visa stamp in a passport, operating a patrol vessel during a joint operation at EU external borders, using physical force to prevent crossing of borders, etc.

14 See Regulation 1/2003.

15 Council Regulation (EU) No 1024/2013 of 15 October 2013 conferring specific tasks on the European Central Bank concerning policies relating to the prudential supervision of credit institutions [2013] OJ L287/63 (SSM Regulation).

16 Regulation (EU) 2019/1896 of the European Parliament and of the Council of 13 November 2019 on the European Border and Coast Guard and repealing Regulations (EU) No 1052/2013 and (EU) 2016/1624 [2019] OJ L295/1 (EBCG Regulation).

17 Council Regulation (EU) 2017/1939 of 12 October 2017 implementing enhanced cooperation on the establishment of the European Public Prosecutor’s Office (‘the EPPO’) [2017] OJ L283/1 (EPPO Regulation).

18 See generally Deirdre Curtin, Executive Power of the European Union. Law, Practices and the Living Constitution (Oxford University Press 2009) 65–66; regarding EU law enforcement, see Miroslava Scholten and Michiel Luchtman (eds), Law Enforcement by EU Authorities. Implications for Political and Judicial Accountability (Edward Elgar 2017) 19; regarding specifically physical conduct in EU composite procedures, see Xanthoulis (Footnote n 9) 69–71.

19 Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC [2018] OJ L295/39.

20 See, for instance, the so-called Tillack judgments, Case T-193/04 Tillack v Commission [2006] ECLI:EU:T:2006:292; and Case C-521/04 PR Tillack v Commission [2005] ECLI:EU:C:2005:240.

21 For instance, EBA’s ‘naming and shaming’ register in the AML/CFT database, see European Banking Authority, Final report on draft regulatory technical standards under Article 9a (1) and (3) of Regulation (EU) No 1093/2010 setting up an AML/CFT central database and specifying the materiality of weaknesses, the type of information collected, the practical implementation of the information collection and the analysis and dissemination of the information contained therein (European Banking Authority, 20 December 2021).

22 Regulation (EU, Euratom) No 883/2013 of the European Parliament and of the Council of 11 September 2013 concerning investigations conducted by the European Anti-Fraud Office (OLAF) and repealing Regulation (EC) No 1073/1999 of the European Parliament and of the Council and Council Regulation (Euratom) No 1074/1999 as amended by Regulation (EU, Euratom) 2016/2030 of the European Parliament and of the Council of 26 October 2016 amending Regulation (EU, Euratom) No 883/2013, as regards the secretariat of the Supervisory Committee of the European Anti-Fraud Office (OLAF) [2016] OJ L317/1.

23 See Case C-94/00 Roquette Frères SA v Directeur général de la concurrence, de la consommation et de la répression des fraudes, and Commission of the European Communities [2002] ECLI:EU:C:2002:603; and Case C-583/13 P Deutsche Bahn AG and Others v Commission [2015] ECLI:EU:C:2015:404.

24 E.g., if during the inspection certain belongings (e.g., computers, hardware, furniture, etc.) of the company investigated are damaged.

25 E.g., use of firearms, the use of force with a view to immobilising persons crossing the Union’s external borders or to preclude persons from entering the EU territory, the forced confinement of a person within a specific area, or the refusal to offer support to persons in distress.

26 E.g., Regulation 1/2003 provides detailed rules according to which the Commission’s investigations and inspections of undertakings suspected of breaches of Articles 101–102 TFEU are to take place; similarly, Regulation 2018/1725, and more specific legal acts, such as the EPPO Regulation, Regulation (EU) 2016/794 of the European Parliament and of the Council of 11 May 2016 on the European Union Agency for Law Enforcement Cooperation (Europol) and replacing and repealing Council Decisions 2009/371/JHA, 2009/934/JHA, 2009/935/JHA, 2009/936/JHA and 2009/968/JHA [2016] OJ L135/53 (Europol Regulation); and Regulation (EU) 2018/1862 of the European Parliament and of the Council of 28 November 2018 on the establishment, operation and use of the Schengen Information System (SIS) in the field of police cooperation and judicial cooperation in criminal matters, amending and repealing Council Decision 2007/533/JHA, and repealing Regulation (EC) No 1986/2006 of the European Parliament and of the Council and Commission Decision 2010/261/EU [2018] OJ L312/56 (SIS Regulation), as regards, for instance, access by Europol to the ‘SIS’ database (Article 48), lay down detailed rules and safeguards pertaining to the exercise of processing data operations by EU bodies as controllers and processors.

27 See Hofmann, Rowe, and Türk (Footnote n 10) 151–153; and Xanthoulis (Footnote n 9) 72–73.

28 Case C-294/83 Les Verts v Parliament [1986] ECLI:EU:C:1986:166, para 23.

29 Hofmann, Rowe, and Türk (Footnote n 10) 672.

30 Footnote Ibid; see also Case C‑583/11 P. Inuit Tapiriit Kanatami and Others v Parliament and Council [2013] ECLI:EU:C:2013:625, para 91.

31 Though legal review of EU administrative action (focusing on the question of whether the conduct of administration takes place in accordance with applicable law, without being necessary per se that that conduct also results in breaches of fundamental rights) is an important means to ensure effective protection of fundamental rights, it is not to be equated, however, with legal protection/remedies enabling a person to prevent or remedy a breach of his/her rights.

32 Rademacher (Footnote n 4) 419–421.

33 Footnote Ibid 412–413.

34 Explanations relating to the Charter of Fundamental Rights [2007] OJ C303/17, 29.

35 Inuit (Footnote n 30) para 97.

36 In particular, TFEU arts 263 (action for annulment), 265 (action for failure to act), 267 (preliminary reference), 277 (plea of illegality), and 268 juncto 340 (action for damages); for a view criticising the Court’s reading of Article 47 CFR, and further suggesting creative judicial remedies and review mechanisms with regard to the factual conduct by EU administration, see Rademacher (Footnote n 4) 421–424.

37 Case C-50/00 P Unión de Pequeños Agricultores (UPA) [2002] ECLI:EU:C:2002:462, para 45.

38 Inuit (Footnote n 30) paras 100–104. Regarding the Member States’ duty to ensure respect for the fundamental right to effective judicial protection, Rademacher carefully concluded, based on a comparative overview of four national legal systems (Germany, France, Austria, and the UK, as a former EU Member State) that there is a trend in the EU Member States to increasingly extend judicial protection to factual conduct, see Rademacher (Footnote n 4) 426–428. Yet it is difficult to see how legal remedies in the Member States could be effective against factual conduct by EU bodies, whose actions can in principle be reviewed only by EU courts.

39 Case C-911/19 Fédération bancaire française (FBF) v Autorité de contrôle prudentiel et de résolution (ACPR) [2021] ECLI:EU:C:2021:599, para 36; this judgment largely confirms the CJEU’s long-standing view on acts challengeable under the annulment procedure, see, for instance, Joined Cases T-125/03 and T-253/03 Akzo Nobel Chemicals Ltd, and Akcros Chemicals Ltd v Commission [2007] ECLI:EU:T:2007:287, para 45; and Case C-60/81 IBM v Commission [1981] ECLI:EU:C:1981:264, para 9.

40 See Akzo and Akcros (Footnote n 39) paras 49 and 52.

41 Footnote Ibid para 52.

42 In Rademacher’s view, the CJEU’s AKZO line of case law – AKZO (Footnote n 11) and Akzo and Akcros (Footnote n 39) – marks a more flexible approach to the admissibility conditions for annulment, underpinned by the concern to offer judicial protection against breaches of fundamental rights and legal interests by EU actions, and entailing that ‘any act capable of violating an applicant’s right or legally protected interest was considered to be – for this very reason – binding on him or her or it’, see Rademacher (Footnote n 4) 407.

43 Hofmann, Rowe, and Türk (Footnote n 10) 669.

44 IBM (Footnote n 39) para 12; see also Koen Lenaerts and Others, EU Procedural Law (Oxford University Press 2014) 273–274.

45 See Rademacher (Footnote n 4) 423–424.

46 See Hofmann, Rowe, and Türk (Footnote n 10) 667–668.

47 See Akzo and Akcros (Footnote n 39) para 45.

48 Case 85/87 Dow Benelux NV v Commission [1989] ECLI:EU:C:1989:379, para 49; see also Lenaerts and Others (Footnote n 44) 277.

49 This would bring us back to the scenario discussed earlier under the first question, i.e., free-standing factual conduct that amounts to an act intended to have binding legal effects.

50 Some call the two actions ‘two sides of the same coin’, Lenaerts and Others (Footnote n 44) 426.

51 Footnote Ibid 425 and 430–431, and the case law cited there.

52 Footnote Ibid 422–424.

53 Examples of such ‘failures’ could be, e.g.: the failure to rectify within a reasonable deadline personal data in an EU database at the legitimate request of the data subject; failure by an EU official to remove from the website of the relevant EU body personal data posted there in breach of the relevant EU data protection legislation; failure by a Frontex official to intervene to stop an ongoing infringement of fundamental rights of an individual during a joint operation; failure of an EU Commission official to take specific actions to ensure appropriate protection of the documents and items collected during an investigation taking place at the premises of an undertaking, potentially leading to the loss or destruction of the respective documents and items.

54 TFEU art 265, second paragraph; for a detailed analysis, see Lenaerts and Others (Footnote n 44) 432–435.

55 See Lenaerts and Others (Footnote n 44) 439–440.

56 See Case C-322/88 Salvatore Grimaldi v Fonds des maladies professionnelles [1989] ECLI:EU:C:1989:646, paras 8–9, and subsequent confirmatory CJEU jurisprudence, most recently, Case C-16/16P Belgium v Commission [2018] ECLI:EU:C:2018:79, para 44; FBF v ACPR (Footnote n 39) paras 56–57; and Case C-501/18 BT v Balgarska Narodna Banka [2021] ECLI:EU:C:2021:249, para 82; see also Lenaerts and Others (Footnote n 44) 464.

57 Unless, of course, it expresses a tacit/implicit decision.

58 BT (Footnote n 56) para 82.

59 See, in this vein, Hofmann, Rowe, and Türk (Footnote n 10) 668. Further support for such a conclusion is provided by the Tillack case, in which the General Court highlighted the possibility for the applicant to ask the competent national court to refer a preliminary question to the CJEU on the validity of an ‘act’ of forwarding information to national authorities by OLAF, Tillack (Footnote n 20) para 80.

60 If there is no identifiable national conduct, Article 267 TFEU cannot be triggered, TFEU art 267; see also Rademacher (Footnote n 4) 410.

61 According to Article 267 TFEU, second paragraph, the national court considers that a decision on the preliminary question ‘is necessary’ to judge on the matter before it, TFEU art 267.

62 See Rademacher (Footnote n 4) 410.

63 See Hofmann, Rowe, and Türk (Footnote n 10) 668.

64 See also Melanie Fink, ‘EU Liability for Contributions to Member States’ Breaches of EU Law’ (2019) 56 (5) Common Market Law Review 1227, 1233.

65 See Paul Craig and Grainne de Burca, EU Law. Text, Cases and Materials (7th edn, Oxford University Press 2020) 633, and the case law cited there.

66 To be read broadly, in light of Article 47 CFR, as encompassing also EU bodies, offices, and agencies; such a broad reading is also confirmed in the CJEU’s jurisprudence – see, for instance, Tillack (Footnote n 20) para 97 restating that ‘an action to establish liability seeks compensation for damage resulting from a measure or from unlawful conduct, attributable to a Community institution or body (emphasis added)’.

67 I.e., the generic reference to ‘the general principles common to the laws of the Member States’ entails a lot of leeway for the CJEU in identifying and shaping the conditions and criteria for establishing the existence and extent of the Union’s liability for damages.

68 See Landmark Case C-352/98 P Bergaderm and Goupil v Commission [2000] ECLI:EU:C:2000:361, and subsequent relevant jurisprudence in the footprints of ‘Bergaderm’.

69 See Melanie Fink, ‘The Action for Damages as a Fundamental Rights Remedy: Holding Frontex Liable’ (2020) 21 German Law Journal 532, 547; one obvious consequence of the CJEU’s restrictive approach to EU liability is that, in practice, the likelihood that actions for damages by individuals claiming fundamental rights breaches are successful is fairly small.

70 ‘Where … the institution in question has only considerably reduced, or even no, discretion, the mere infringement of Community law may (emphasis added) be sufficient to establish the existence of a sufficiently serious breach’ Bergaderm (Footnote n 68) para 44.

71 See Case T-212/03 My Travel Group v Commission [2008] ELCI:EU:T:2008:315, paras 41–43; specifically with regard to the situation in which the illegal EU measure annulled by the CJEU does not amount to a sufficiently serious breach, though it also entails a breach of the fundamental rights of the individual, see Case T-341/07 Sison v Council [2011] ECLI:EU:T:2011:687, paras 73–80; and Fink, ‘The Action for Damages’ (Footnote n 69) 542. Whereas the annulment action and the action for damages follow a different rationale and, therefore, feature different criteria and conditions, a reading of Article 340 TFEU in light of Article 47 CFR should entail closer equivalence between an infringement of EU law under Article 263 TFEU and a sufficiently serious breach under Article 340 TFEU, in particular when breaches of fundamental rights are at stake; as a result, the main concern in an action for damages for fundamental rights breaches should be on establishing the damage and the causal link between the breach and the damage.

72 See also Rademacher (Footnote n 4) 434; this author calls for the ‘modernisation’ of Article 340 TFEU, basically in the form of a more lenient reading of the conditions for damages, in particular the sufficiently serious breach (to be understood as any breach of EU law conferring rights on the individual) and the damage (when an injunction or mere symbolic compensation is requested); for a similar view supporting more generally the lowering of the EU liability threshold in case of fundamental rights breaches, see Fink, ‘The Action for Damages’ (Footnote n 69) 543.

73 According to CJEU jurisprudence, ‘actual damage’ must have been suffered entailing that the applicant must prove before the court a ‘real and certain’ loss, see, for instance, Case T-88/09 Idromacchine Srl, Alessandro Capuzzo and Roberto Capuzzo v European Commission [2011] ECLI:EU:T:2011:641, para 25.

74 For instance, breaches of human dignity or the right to liberty and security by factual conduct of Frontex staff during joint operations, breaches of privacy and data protection rights by personal data processing operations, etc. While Article 340 TFEU enshrines the obligation for the EU to ‘make good any damage’, in practice it appears that the CJEU awards damages for non-material damage only exceptionally; and see Craig and de Burca (Footnote n 65) 633; for an instance in which compensation for non-material damage has been awarded, see Idromacchine (Footnote n 73) paras 29–80.

75 Hybrid, composite, or shared administrative procedures/frameworks entailing complex interactions between EU and Member State actors are a case in point; for an example illustrating this point as far as liability for fundamental rights breaches through processing/dissemination of personal data by an EU body is concerned, see Tillack (Footnote n 20) and Rademacher (Footnote n 4) 411; for examples raising the same issue in the context of EU external border management, see Melanie Fink, Frontex and Human Rights: Responsibility in ‘Multi-actor Situations’ under the ECHR and EU Public Liability Law (Oxford University Press 2019) 180–316.

76 Some examples illustrating this are the need to compel the relevant EU body to withdraw, rectify, or delete inaccurate personal data made public and harming the privacy, reputation, or other fundamental rights of the individual; the need to put an end to a ‘pushback’ operation and allow the people subject to such physical actions to cross the EU border and submit an asylum application; and the need to compel the relevant EU body not to use for any purpose and to return documents and information seized illegally during an investigation.

77 See Idromacchine (Footnote n 73) para 81; see also Case T-279/03 Galileo International Technology and Others v Commission [2006] ECLI:EU:T:2006:121, para 63, in which the Court exceptionally granted such compensation in kind in the form of an injunction against the Commission, by prohibiting it from using a trademark (paras 64–73).

78 This seems particularly relevant in the case of factual conduct, as full restitution and compensation might often be more difficult to obtain because of the material consequences deriving from physical acts, as compared to formal legal acts; lacking such compensatory intervention, the victim will be left with financial or symbolic compensation as the sole remedy for the violation of their fundamental rights through EU factual conduct.

79 Lenaerts and Others (Footnote n 44) 453.

80 See, for an instance in which notices for an invitation to tender were qualified as ‘general acts’ reviewable under Article 277 TFEU, Case C-92/78 Simmenthal v Commission [1979] ECLI:EU:C:1979:53.

81 Les Verts (Footnote n 28) para 23.

82 Inuit (Footnote n 30) para 92.

83 See also Jens-Peter Schneider, ‘Information Exchange and Its Problems’ in Carol Harlow, Päivi Leino, and Giacinto della Cananea (eds), Research Handbook on EU Administrative Law (Edward Elgar 2017) 104–105. The fact that, pending a direct action before the CJEU, the Court may suspend the act contested (Article 278 TFEU) and prescribe any interim measures (Article 279 TFEU) does not alter this observation: first, suspension and other interim measures are ancillary to a direct action before the CJEU and normally are granted only after a direct action was brought before the CJEU – see Lenaerts and Others (Footnote n 44) 569 – but bringing such an action against EU factual conduct remains quite difficult to begin with (especially under Article 263 TFEU), TFEU arts 263 and 278–279; second, the principle remains that actions before EU courts do not have suspensory effect, meaning that EU judges will only exceptionally order the suspension of the contested measure or prescribe interim relief measures, Lenaerts and Others (Footnote n 44) 563; third, while Article 279 TFEU refers to ‘any necessary interim measures’, which may also include appropriate injunctions against EU institutions, bodies, offices, and agencies, EU courts seem to be particularly cautious with granting such measures, guided by the concern to avoid exercising powers vested with other EU institutions and thereby disturbing the principle of institutional balance, see Lenaerts and Others (Footnote n 44) 565–566 and 569.

84 See Herwig, C H Hofmann, and Morgane Tidghi ‘Rights and Remedies in Implementation of EU Policies by Multi-Jurisdictional Networks’ (2014) 20(1) European Public Law 147, 155.

85 See Rademacher (Footnote n 4) 430–435 and Fink ‘The Action for Damages’ (Footnote n 69) 543. Rademacher in particular maintains that EU courts should consider granting more extensively non-monetary compensation (including in the form of declaratory and injunctive measures) for breaches of fundamental rights by EU factual conduct, see Rademacher (Footnote n 4) 432.

86 This gap has been acknowledged more broadly also by EU courts as far as potentially harmful EU actions that do not amount to legally binding acts are concerned: ‘although it may seem desirable that individuals should have, in addition to the possibility of an action for damages, a remedy under which actions of the Community institutions liable to prejudice their interests but which do not amount to decisions may be prevented or brought to an end, it is clear that a remedy of that nature, which would necessarily involve the Community judicature issuing directions to the institutions, is not provided for by the Treaty’, Joined Cases T-377/00, 379/00, 380/00, T-260/01 and 272/01 Philip Morris and Others v Commission [2003] ECLI:EU:T:2003:6, para 124; see also Rademacher (Footnote n 4) 434.

87 E.g., complaints to the European Ombudsman, Frontex complaint procedure against fundamental rights breaches.

88 E.g., the referral of ‘any act of an executive agency which injures a third party’ to the Commission for a legality review, Council Regulation (EC) No 58/2003 of 19 December 2002 laying down the statute for executive agencies to be entrusted with certain tasks in the management of Community programmes [2003] OJ L11/1, art 22.

89 E.g., the procedure before the boards of appeal of EU agencies, see for a comprehensive work on this topic, Merijn Chamon, Annalisa Volpato, and Mariolina Eliantonio (eds), Boards of Appeal of EU Agencies: Towards Judicialization of Administrative Review? (Oxford University Press 2022).

90 Especially if such administrative remedies/procedures also provide for possibilities to quickly suspend the application of the measure challenged and/or to impose interim measures.

91 One should note, however, that the EU Ombudsman, as an administrative remedy against maladministration by EU bodies, is enshrined in Article 228 TFEU and Article 43 CFR, TFEU art 228; Charter of Fundamental Rights of the European Union [2016] OJ C202/389 (CFR), art 43.

92 On the use of ‘principle of sound administration’ terminology, see Tillack (Footnote n 20) para 127; on the interchangeable use between ‘sound’ and ‘good’ administration, see Hofmann, Rowe, and Türk (Footnote n 10) 194.

93 Hofmann, Rowe, and Türk (Footnote n 10) 203; see also the explanations of Article 41 CFR in the Explanations relating to the Charter of Fundamental Rights (Footnote n 34) 28.

94 Tillack (Footnote n 20) para 127.

95 In such a case, the availability of an administrative procedure to claim compensation for the damages incurred as a result of an EU administrative measure would be essential. Article 19 of the European Code of Good Administrative Behaviour seems to imply the availability of non-judicial remedies within the scope of Article 41 CFR: ‘A decision of the institution which may adversely affect the rights or interests of a private person shall contain an indication of the appeal possibilities available for challenging the decision (emphasis added). It shall in particular indicate the nature of the remedies, the bodies before which they can be exercised, and the time-limits for exercising them (emphasis added).’ Yet, for the time being, a specific right to an effective administrative remedy cannot be easily spelled out from Article 41 CFR; it will be for the EU courts and/or the EU legislator to do so.

96 For an observation, in the context of legal protection regarding information exchanges, that supervisory mechanisms are organised ‘in very sector specific ways’, see Schneider (Footnote n 83) 111.

97 For comprehensive studies on the EU Ombudsman, see Herwig C H Hofmann and Jacques Ziller (eds), Accountability in the EU: the Role of the European Ombudsman (Edward Elgar 2017); and Michał Krajewski, Relative Authority of Judicial and Extra-Judicial Review: EU Courts, Boards of Appeal, Ombudsman (Hart 2021).

98 TFEU, art 228(1).

99 Maladministration by EU bodies may include (but is not limited to) lack of transparency in decision-making, refusal of access to documents and information, violations of fundamental rights, improper use of discretion, etc., see European Ombudsman, Annual Report 2022 (European Ombudsman, 25 April 2023), 5 and 19.

100 The European Ombudsman may also start an inquiry on its own initiative in such instances, see Footnote ibid 11–12.

101 See TFEU art 228(2) second paragraph and Regulation (EU, Euratom) 2021/1163 of the European Parliament of 24 June 2021 laying down the regulations and general conditions governing the performance of the Ombudsman’s duties (Statute of the European Ombudsman) and repealing Decision 94/262/ECSC, EC, Euratom [2021] OJ L 253/1, arts1–3. Since they are non-binding, EU Ombudsman’s decisions cannot be challenged in principle before the CJEU under Article 263 TFEU.

102 Tillack (Footnote n 20) para 128.

103 This would be the case where EU administration largely accepts and follows the solutions and recommendations of the EU Ombudsman in practice; positive signs that this is indeed the case transpire from the Ombudsman’s annual reports, see, for instance, European Ombudsman, Annual Report 2022 (Footnote n 99) 21.

104 Regulation 58/2003.

105 See, for this argument, Hofmann, Rowe, and Türk (Footnote n 10) 668.

106 Regulation 58/2003, art 22 (3).

107 Footnote Ibid. In our view the modification ‘in whole’ of the act also covers the possibility to revoke or withdraw the act.

108 Footnote Ibid art 22(4).

109 This would normally be coupled with a decision to uphold the agency’s act or to modify it differently from what is requested in the applicant’s administrative appeal.

110 E.g., Community Plant Variety Office (CPVO), European Union Intellectual Property Office (EUIPO), European Union Aviation Safety Agency (EASA), European Chemicals Agency (ECHA).

111 See Case T-133/08 Schräder v CPVO [2012] ECLI:EU:T:2012:430, para 137, and Case C-546/12 P Schräder v CPVO [2015] ECLI:EU:C:2015:332, paras 73–76; see also Marco Lamandini, ‘The ESAs’ Board of Appeal as a Blueprint for the Quasi-Judicial Review of European Financial Supervision’ (2014) 6 European Company Law 290; and Dominique Ritleng, ‘Boards of Appeal of EU Agencies and Article 47 of the Charter: Uneasy Bedfellows?’ in Merijn Chamon, Annalisa Volpato, and Mariolina Eliantonio (eds), Boards of Appeal of EU Agencies: Towards Judicialization of Administrative Review? (Oxford University Press 2022) 305.

112 See Ritleng (Footnote n 111) 301–306.

113 Footnote Ibid 305.

114 Merijn Chamon, Annalisa Volpato, and Mariolina Eliantonio, ‘Conclusion’ in Merijn Chamon, Annalisa Volpato, and Mariolina Eliantonio (eds), Boards of Appeal of EU Agencies: Towards Judicialization of Administrative Review? (Oxford University Press 2022) 328–329.

115 See, for an example, Regulation (EU) 2018/1139 of the European Parliament and of the Council of 4 July 2018 on common rules in the field of civil aviation and establishing a European Union Aviation Safety Agency, and amending Regulations (EC) No 2111/2005, (EC) No 1008/2008, (EU) No 996/2010, (EU) No 376/2014 and Directives 2014/30/EU and 2014/53/EU of the European Parliament and of the Council, and repealing Regulations (EC) No 552/2004 and (EC) No 216/2008 of the European Parliament and of the Council and Council Regulation (EEC) No 3922/91[2018] OJ L212/1 (EASA Regulation) art 109.

116 See Ritleng (Footnote n 111) 301–304.

117 See, for a harsh critique of the Frontex complaint mechanism, Sergio Carrera and Marco Stefan, ‘Complaint Mechanisms in Border Management and Expulsion Operations in Europe. Effective Remedies for Victims of Human Rights Violations?’ (2018) Centre for European Policy Studies (CEPS) Brussels, 22–27 <www.ceps.eu/ceps-publications/complaint-mechanisms-border-management-and-expulsion-operations-europe-effective/>.

118 EBCG Regulation.

119 EBCG Regulation art 111 (2) seems to indicate that the complaints mechanism concerns the operational activities of the Agency (joint operations, pilot projects, rapid border interventions, migration management support team deployment, return operations, return interventions, or an operational activity of the Agency in a third country); yet the recent Management Board Decision 19/2022 revising the Agency’s rules on the complaints mechanism appears to extend the availability of the mechanism more generally to ‘the actions or a failure to act on the part of staff involved in an Agency activity’ (emphasis added), see Frontex – European Border and Coast Guard Agency Management Board Decision 19/2022 of 16 March 2022 adopting the Agency’s rules on the complaints mechanism art 3 (1). However, the fact that the Frontex Management Board decision merely implements Article 111 EBCG Regulation and considering that the Frontex Fundamental Rights Officer (FRO) assesses the admissibility of complaints based on Article 111 (2)–(3) EBCG Regulation, one may conclude that the recently updated complaints mechanism is still aimed at addressing fundamental rights breaches within the framework of the Agency’s operational activities.

120 Frontex Management Board Decision 19/2022 art 3 (1).

121 EBCG Regulation art 111 (2); Frontex Management Board Decision 19/2022 art 3 (1).

122 E.g., ‘pushbacks’ and physical expulsions in the area of the Union’s sea and land borders, body searches, use of force to contain inflows of migrants, apprehension of personal belongings of individuals crossing EU external borders, etc.

123 See, for instance, Marco Stefan and Leonhard den Hertog, ‘Frontex: Great Powers But No Appeals’ in Merijn Chamon, Annalisa Volpato, and Mariolina Eliantonio (eds), Boards of Appeal of EU Agencies: Towards Judicialization of Administrative Review? (Oxford University Press 2022) 151–165; and European Ombudsman Case OI/5/2020/MHZ on the functioning of the European Border and Coast Guard Agency’s (Frontex) complaints mechanism for alleged breaches of fundamental rights and the role of the Fundamental Rights Officer (15 June 2021); this led to the recent revision of the Agency’s complaints mechanism by Frontex Management Board Decision 19/2022.

124 See Stefan and Hertog (Footnote n 123) 162.

125 Frontex Management Board Decision 19/2022 art 7 (4).

126 EBCG Regulation art 111 (6).

127 Frontex Management Board Decision 19/2022 art 10 (1).

128 As such, the FRO’s powers within the complaints procedure resemble those of the EU Ombudsman: making non-binding recommendations and suggestions for improvement.

129 EBCG Regulation art 111 (6).

130 Frontex Management Board Decision 19/2022 art 10 (5).

131 EBCG Regulation art 111 (6).

132 Frontex Management Board Decision 19/2022 art 10 (1).

133 Footnote Ibid art 10 (3).

134 Footnote Ibid art 11 (1).

135 Some take the view that since the complaint mechanism ‘focuses primarily on internal measures’ pertaining ‘to actions in relation to the staff or national authorities involved, and not to the complainant’, it ‘offers no administrative remedy to the affected individual’, Stefan and Hertog (Footnote n 123) 163 and 171. Against this background, the only option left to the individual whose rights have been infringed by factual conduct of the Agency or its staff seems to be the judicial remedy of action for damages, explicitly encompassing, according to Article 97 (3) EBCG Regulation, damages caused by the use of the Agency’s executive powers.

136 Stefan and Hertog (Footnote n 123) 163–164.

137 According to Article 98 (1) EBCG, ‘Proceedings may be brought before the Court of Justice for the annulment of acts of the Agency that are intended to produce legal effects vis-à-vis third parties, in accordance with Article 263 TFEU.’

138 Frontex Management Board Decision 19/2022 art 15 (2). In our view, such ‘appeal possibilities’ should include both follow-up non-judicial review mechanisms (if available) and the possibility to challenge the ED decision before the CJEU under Article 263 TFEU.

139 ‘Between 2016 and January 2021, the FRO had received 69 complaints of which 22 were admissible’, European Ombudsman, Decision in OI/5/2020/MHZ (Footnote n 123) 4.

140 See, in this respect, European Ombudsman, Decision in OI/5/2020/MHZ (Footnote n 123), and the suggestions for improvement listed there. The Agency’s revised rules on the complaints mechanism (2022) can be seen as an attempt to address these shortcomings in light of the increased probability for Frontex’s staff actions to breach fundamental rights in the exercise of the significant operational and executive powers entrusted to the Agency since 2019.

141 Regulation 2018/1725 arts 52 and 57 (1) (a) and (e).

142 E.g., sensitive personal data collected during an EPPO coordinated criminal investigation being transmitted by the EPPO to private persons with whom the suspects entertain close relationships, resulting in the damaging of their reputation.

143 In this respect, the Tillack affair provides an excellent example of a press release published by OLAF, containing allegations of criminal acts having been committed by an identifiable individual, Tillack (Footnote n 20) paras 7–24.

144 Regulation 2018/1725 art 3 (3).

145 Regulation 2018/1725 art 63 (1). In our view, the data processing that can be subjected to the complaint procedure can cover both formal legal binding acts and factual conduct.

146 Footnote Ibid art 63 (2).

147 Footnote Ibid art 63 (3).

148 Footnote Ibid art 58 (2) (d).

149 Footnote Ibid art 58 (2) (e).

150 Footnote Ibid art 58 (2) (h).

151 Footnote Ibid art 58 (2) (i).

152 Footnote Ibid art 64 (2).

153 Footnote Ibid arts 63 (1) and 64 (1) suggest that data subjects can also go directly before the CJEU, without filing a complaint first with the EDPS, for breaches of their rights by EU data processing operations; however, in this scenario, the admissibility requirements pertaining to the actions before the CJEU (action for annulment or actions for damages) must be met; this will likely raise insurmountable obstacles to the action for annulment where the fundamental rights of the individual have been infringed by physical data processing operations, unless the CJEU qualifies them as implicit binding legal acts. Therefore, relying first on the remedy provided by the EDPS with a ‘last resort’ prospect of a judicial challenge against the EDPS decision has several advantages: (1) it would strengthen, through the involvement of the EDPS, the position of the data subject against the faulty EU body; (2) it may lead to timely and proper redress, without a need to have recourse to judicial review; (3) it ensures extensive, indirect, judicial review over any EU data processing operations, through the possibility to challenge the EDPS decisions before the CJEU.

154 Some provisions in EU secondary legislation arguably could be seen as an attempt to broaden judicial review with regard to EU factual conduct; such an example is Regulation 2018/1725 art 64 (1) providing that ‘the Court of Justice shall have jurisdiction to hear all disputes relating to the provisions of this Regulation (emphasis added), including claims for damages’. Yet one may question the validity of such interpretation, entailing that a provision of EU secondary legislation would extend judicial review beyond the scope of the judicial remedies in EU primary law, as interpreted by the CJEU in its jurisprudence (in particular in its Inuit case law), see also Rademacher (Footnote n 4) 428–430.

155 Even if compensation were awarded more generously by EU courts, the fact remains that such compensation might often offer only rather belated and partial redress for the harm incurred by the individual as a result of EU factual conduct that might have produced sometimes irreversible and long-standing consequences, especially if its effects have continued for a long time before being discontinued by proper intervention.

156 See Lenaerts and Others (Footnote n 44) 411–412 and 475.

157 Such limitations could partly be explained by the multi-purpose design of these mechanisms, serving simultaneously the need for legal review, scrutiny, and accountability of EU administrative action and the need to offer a legal remedy to the individual against harmful measures by EU administration.

158 I.e., when the EU administration fails to address and redress properly fundamental rights breaches.

159 For the listing of these standards in the context of the EU Ombudsman’s assessment of Frontex’s complaints mechanism, see Decision in OI/5/2020/MHZ (Footnote n 123) para 16.

160 The Research Network on EU Administrative Law (ReNEUAL) project could be an appropriate forum to achieve this, in particular in view of its previous work on the ReNEUAL Model Rules on EU Administrative Procedure <www.reneual.eu/>.

161 For instance, one should consider the complementarity relationship between the EU Ombudsman and other administrative remedies with different features, such as suspensory effects and legally binding outcomes.

162 For a similar suggestion on the establishment of a centralised EU supervisory authority whose decisions could be challenged by individuals before the CJEU, though limited to the specific sector of information management and exchange within highly complex and integrated hybrid networks and information systems involving EU and Member States’ actors, see ReNEUAL Model Rules on EU Administrative Procedure (2014), Book VI – Administrative Information Management, 258 and 302–306; see also Schneider (Footnote n 83) 109–111; and Hofmann and Tidghi (Footnote n 84) 160–163.

163 In this respect, EU agencies’ BoAs could be aligned to the EDPS model, by extending their jurisdiction to EU factual conduct affecting the legal situation of the individual.

164 See Rademacher (Footnote n 4) 430–435.

13 Composite Procedures, the Violation of Fundamental Rights, and the Availability of Sufficient Remedies in the Multi-level EU Judicial Architecture

1 The term was famously coined by Herwig Hofmann. See Herwig C Hofmann, ‘Composite decision-making procedures in EU administrative law’ in Herwig C Hofmann and Alexander H Türk (eds), Legal Challenges in EU Administrative Law – Towards an Integrated Administration (Edward Elgar 2009) 136.

2 The literature has grown so much in recent years that providing a full account of the scholarly debate would exceed the remit of this chapter. For an up-to-date overview of the phenomenon of composite procedures and an account of the strands of literature examining it, see Mariolina Eliantonio ‘Access to Justice in Composite Procedures for the Implementation of EU Law: The Story so Far’ (2023) <https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4373333>.

3 See, in general, Mariolina Eliantonio, ‘Judicial Review in an Integrated Administration: The Case of “Composite Procedures”’ (2014) 7 Review of European Administrative Law 65; Filipe Brito Bastos, ‘Derivative Illegality in the European Composite Administrative Procedures’ (2018) 55 Common Market Law Review 101.

4 See, e.g., Case C-97/91 Oleificio Borelli SpA v Commission [1992] ECLI:EU:C:1992:491; Case C-219/17 Berlusconi and Fininvest [2018] ECLI:EU:C:2018:1023; Case C-785/18 GAEC Jeanningros v Institut national de l’origine et de la qualité (INAO) and Others [2020] ECLI:EU:C:2020:46.

5 Charter of Fundamental Rights of the European Union [2016] OJ C202/389.

6 On this distinction, as well as the peculiar problems of access to justice in horizontal composite procedures, see Paolo Mazzotti and Mariolina Eliantonio, ‘Transnational Judicial Review in Horizontal Composite Procedures: Berlioz, Donnellan, and the Constitutional Law of the Union’ (2020) 5 European Papers 41; and Paolo Mazzotti and Mariolina Eliantonio, ‘Towards a Theory of Transnational Judicial Review in European Administrative Law’ (2021) 13 Italian Journal of Public Law 350 <www.ijpl.eu/wp-content/uploads/2022/10/3.Eliantonio_Mazzotti.pdf>.

7 See, for earlier attempts at categorisations, Sergio Alonso de León, ‘Composite Administrative Procedures in the European Union’ (Doctoral thesis, Universidad Carlos III de Madrid, 2016); Brito Bastos, ‘Derivative Illegality in the European Composite Administrative Procedures’ (Footnote n 3); Giacinto Della Cananea, ‘The European Union’s Mixed Administrative Proceedings’ (2005) 68 Law and Contemporary Problems 197; Eliantonio, ‘Judicial Review in an Integrated Administration’ (Footnote n 3). The most recent one is in Eliantonio, ‘Access to Justice in Composite Procedures for the Implementation of EU Law: The Story so Far’ (Footnote n 2).

8 For a comparative overview, see Chris Backes and Mariolina Eliantonio (eds), Cases, Materials and Text on Judicial Review of Administrative Action (Hart 2019), ch 4; for an examination of factual conduct at the EU level in general, see Timo Rademacher, ‘Factual Administrative Conduct and Judicial Review in EU Law’ (2017) 29 European Review of Public Law 399.

9 Napoleon Xanthoulis, ‘Administrative factual conduct: Legal effects and judicial control in EU law’ (2019) 12 Review of European Administrative Law 39.

10 For an examination of shared enforcement activities between national and EU authorities, see Miroslava Scholten and Michiel Luchtman (eds), Law Enforcement by EU Authorities: Implications for Political and Judicial Accountability (Edward Elgar 2017).

11 Maurizia De Bellis, ‘Multi-level Administration, Inspections and Fundamental Rights: Is Judicial Protection Full and Effective?’ (2021) 22 German Law Journal 416; and extensively Maurizia De Bellis, I poteri ispettivi dell’amministrazione europea (Giappichelli 2021).

12 See further with examples and references to legislation, Eliantonio, ‘Access to Justice in Composite Procedures for the Implementation of EU Law: The Story so Far’ (Footnote n 2).

13 In the pre-Charter times, see Case C-94/00 Roquette Frères [2002] ECLI:EU:C:2002:603.

14 See the EP Briefing ‘Addressing pushbacks at the EU’s external borders’ <www.europarl.europa.eu/RegData/etudes/BRIE/2022/738191/EPRS_BRI(2022)738191_EN.pdf>.

15 See EASO Special Operating Plan To Greece <https://euaa.europa.eu/sites/default/files/easo%20special%20operating%20plan%20to%20greece%202017_%2014122016.pdf>; for the framing of the phenomenon as a composite procedure, see Evangelia L Tsourdi, ‘Bottom-up Salvation? From Practical Cooperation Towards Joint Implementation Through the European Asylum Support Office’ (2016) 3 European Papers 997; Gaia Lisi and Mariolina Eliantonio, ‘The Gaps in Judicial Accountability of EASO in the processing of asylum requests in Hotspots’ (2019) 4 European Papers 589.

16 On these types of procedure, see, amongst others, Deidre M Curtin and Filipe Brito Bastos, ‘Interoperable Information Sharing and the Five Novel Frontiers of EU Governance: A Special Issue’ (2020) 26 European Public Law 59; Diana-Urania Galetta, Herwig C H Hofmann, and Jens-Peter Schneider, ‘Information Exchange in the European Administrative Union: An Introduction’ (2014) 20 European Public Law 65; Mariolina Eliantonio, ‘Information Exchange in European Administrative Law: A Threat to Effective Judicial Protection?’ (2016) 23 Maastricht Journal of European and Comparative Law 531.

17 Simona Demková, Automated Decision-Making and Effective Remedies: The New Dynamics in the Protection of EU Fundamental Rights in the Area of Freedom, Security and Justice (Edward Elgar 2023) 23.

18 Directive 2001/95/EC of the European Parliament and of the Council of 3 December 2001 on general product safety [2002] OJ L11/4.

19 See further on this Niovi Vavoula, ‘Information Sharing in the Dublin System: Remedies for Asylum Seekers In-Between Gaps in Judicial Protection and Interstate Trust’ (2021) 22 German Law Journal 391; Jens-Peter Schneider, ‘Basic Structures of Information Management in the European Administrative Union’ (2014) 20(1) European Public Law 89; Morgane Tidghi and Herwig C H Hofmann, ‘Rights and Remedies in Implementation of EU Policies by Multi-Jurisdictional Networks’ (2014) 20 European Public Law 147; Ferdinand Wollenschläger, ‘Informationssysteme als Herausforderung für den Rechtsschutz im Europäischen Verwaltungsverbund: Das EU-Schnellwarnsystem für Lebens- und Futtermittel (RASFF)’ (2019) 52 Die Verwaltung 1.

20 See, on this point, Case C-193/19 A v Migrationsverket [2021] ECLI:EU:C:2021:168; and Opinion of AG De La Tour [2020] ECLI:EU:C:2020:594.

21 Indeed, in Recital 56, Regulation (EU) 2018/1861 of the European Parliament and of the Council of 28 November 2018 on the establishment, operation and use of the Schengen Information System (SIS) in the field of border checks, and amending the Convention implementing the Schengen Agreement, and amending and repealing Regulation (EC) 1987/2006 [2018] OJ L312/56 makes explicit reference to Article 8.

22 See on these procedures, on medical authorisations, Mariolina Eliantonio and Sabrina Röttger-Wirtz, ‘From Integration to Exclusion: EU Composite Administration and Gaps in Judicial Accountability in the Authorisation of Pharmaceuticals’ (2019) 10 European Journal of Risk Regulation 393; on GMOs, Rui Lanceiro and Mariolina Eliantonio, ‘The Genetically Modified Organisms’ Regime: A Playground for Multi-Level Administration and a Nightmare for Effective Judicial Protection?’ (2021) 22 German Law Journal 371; in general on product authorisations: Luca De Lucia, ‘Autorizzazioni transnazionali e cooperazione amministrativa nell’ordinamento europeo’ (2010) 3 Rivista Italiana di Diritto Pubblico Comunitario 759. For a comparison covering composite procedures in the field of chemicals, pesticides, medicines, and food safety, see Emilie Chevalier, ‘Administrative Cooperation in the field of Risk Regulation’, in Emilie Chevalier, Mariolina Eliantonio, and Rui Lanceiro (eds), Administrative Cooperation in the European Union (Bruylant, forthcoming 2024).

23 Case C‑300/11 ZZ v Secretary of State for the Home Department [2013] ECLI:EU:C:2013:363, para 53.

24 Footnote Ibid para 53 and the case law cited.

25 Case C-17/74 Transocean Marine Paint v Commission [1974] ECLI:EU:C:1974:106; Case C-86/76 Hoffmann-La Roche v Commission [1979] ECLI:EU:C:1979:36.

26 Alonso de León (Footnote n 7); Filipe Brito Bastos, ‘Beyond executive federalism: the judicial crafting of the law of composite administrative decision-making’ (PhD thesis, European University Institute 2018).

27 Case C-32/95 P Commission v Lisrestal [1996] ECLI:EU:C:1996:402.

28 Case C-462/98 P Mediocurso v Commission [2000] ECLI:EU:C:2000:480.

29 Case T-189/02 Ente per le Ville vesuviane v Commission [2009] ECLI:EU:C:2009:529; Case T-102/00 Vlaams Fonds v Commission [2003] ECLI:EU:T:2003:192; Case T-158/07 Cofac v Commission [2009] ECLI:EU:T:2009:489.

30 Alonso de León (Footnote n 7) 271.

31 Case T-346/94 France-Aviation v Commission [1995] ECLI:EU:T:1995:187.

32 Case T-42/96 Eyckeler & Malt AG v Commission [1998] ECLI:EU:T:1998:40; Case T-50/96 Primex Produkte Import-Export GmbH & Co. KG, Gebr. Kruse GmbH, Interporc Im- und Export GmbH v Commission [1998] ECLI:EU:T:1998:223; Case T-290/97 Mehibas Dordtselaan BV v Commission [2000] ECLI:EU:T:2000:8. As noted by Alonso de Leon (Footnote n 7), this line of case law culminated in the Wilson Holland case, in which the CJEU stated that the right to be heard had to be guaranteed before the Commission even if the applicants ‘made a declaration that the file which the national authorities transmitted to the Commission was complete and they had nothing to add’. Case T-186/97 Wilson Holland and Others v Commission [2001] ECLI:EU:T:2001:133, para 160.

33 Alonso de León (Footnote n 7) 267.

34 Alonso de León (Footnote n 7) 290–291. For a way to read more coherence in the case law, and the idea that it shows a departure from the notion of ‘executive federalism’ towards a more unitary vision of the European administrative space, see Filipe Brito Bastos, ‘Beyond executive federalism’ (Footnote n 26) ch 4.

35 See, for example, Regulation (EC) No 1829/2003 of the European Parliament and of the Council of 22 September 2003 on genetically modified food and feed [2003] OJ L268/1, art 6(6), which binds the European Food Safety Authority to a duty to substantiate the opinions it issues in the procedures for the authorisation of genetically modified food or feed. The European Medicines Agency is under the same duty when issuing opinions concerning the approval of pharmaceuticals (see Parliament and Directive 2001/83/EC of the European Parliament and of the Council of 6 November 2001 on the Community code relating to medicinal products for human use [2001] OJ L311/67, art 32 (5)).

36 Filipe Brito Bastos, ‘Beyond executive federalism’ (Footnote n 26) 174–175.

37 Case T-344/15 France v Commission [2017] ECLI:EU:T:2017:250; Case T‑653/16 R Malta v Commission [2018] ECLI:EU:T:2018:241; Case C-135/11 P, Internationaler Tierschutz-Fonds gGmbH [2012] ECLI:EU:C:2012:376.

38 Case C-64/05 P Sweden v Commission, [2007] ECLI:EU:C:2007:802.

39 Case T-85/94 Branco I [1995] ECLI:EU:T:1995:4. See, for later case law, e.g., Case T-199/99 Sgaravatti v Commission [2002] ECLI:EU:T:2002:228; Case T-241/00 Azienda Agricola “Le Canne” Srl v Commission [2002] ECLI:EU:T:2002:57; Case T-182/96 Partex v Commission [1999] ECLI:EU:T:1999:171.

40 The arguments made in this section draw from the author’s earlier work, and in particular Eliantonio, ‘Access to Justice in Composite Procedures for the Implementation of EU Law: The Story so Far’ (Footnote n 2).

41 Consolidated Version of the Treaty on the Functioning of the European Union [2016] OJ C202/47.

42 On this, see Laura Vissink, Effective Legal Protection in Banking Supervision (Europa Law 2021), esp. ch 5. For similar problems raised by the ‘hotspots’, see Agostina Pirrello, ‘The European Union Agency for Asylum: legal remedies and national articulations in composite border procedures’ (forthcoming 2024) European Law Journal; similar considerations are expressed in Salvo Nicolosi, ‘Frontex and Migrants’ Access to Justice: Drifting Effective Judicial Protection?’ (Verfassungsblog, 7 September 2022) <https://verfassungsblog.de/frontex-and-migrants-access-to-justice/>; see also Melanie Fink, Frontex and Human Rights: Responsibility in ‘Multi-Actor Situations’ under the ECHR and EU Public Liability Law (Oxford University Press 2018) 97–141, 232–274.

43 Case C-314/85 Foto-Frost v Hauptzollamt Lübeck-Ost [1987] ECLI:EU:C:1987:452.

44 Case C-322/88 Salvatore Grimaldi v Fonds des maladies professionnelles [1989] ECLI:EU:C:1989:646.

45 For the same conclusion, see De Bellis, ‘Multi-level Administration, Inspections and Fundamental Rights: Is Judicial Protection Full and Effective?’ (Footnote n 11) 436.

46 For a thorough discussion on how the introduction of such a mechanism would solve the gaps in judicial protection in such situations, see Torben Ellerbrok, ‘Das umgekehrte Vorabentscheidungsverfahren als Schlussstein im europäischen Rechtsschutzverbund’ (2022) 113 Verwaltungsarchiv 202.

47 See, for an extensive discussion of this case law and its implication for EU administrative law, Filipe Brito Bastos, ‘The Borelli Doctrine revisited: three issues of coherence in a landmark ruling for EU administrative justice’ (2015) 8 Review of European Administrative law 269.

48 Case C-269/99 Carl Kühne GmbH & Co. KG and Others v Jütro Konservenfabrik GmbH & Co. KG [2001] ECLI:EU:C:2001:659. See more recently also Case C-343/07 Bavaria NV and Bavaria Italia Srl v Bayerischer Brauerbund eV [2009] ECLI:EU:C:2009:415.

49 Berlusconi and Fininvest (Footnote n 4).

50 E.g., Case T‑698/16 Trasta Komercbanka and Others v ECB [2022] ECLI:EU:T:2022:737; Case T‑330/19 PNB Banka AS [2022] ECLI:EU:T:2022:775; Cases T‑351/18 and T‑584/18 Ukrselhosprom PCF LLC and Versobank AS, established in Tallinn (Estonia) v European Central Bank (ECB) [2021] ECLI:EU:T:2021:669. See also the Opinion of AG Kokott in Cases C-750/21 P and C-256/22 P Pilatus Bank plc v ECB [2023] ECLI:EU:C:2023:431, in which the AG reiterates this point in connection with the infringement of the right to be heard by a national preparatory measure.

51 For a discussion of the coherence between Borelli and Berlusconi, see Brito Bastos ‘Derivative Illegality in the European Composite Administrative Procedures’ (Footnote n 3) 110–113, who argues that in Borelli a number of constitutional arguments speak against the possibility of derivative illegality (i.e., the capacity of national measures to contaminate final EU measures), which in turn limits the possibility to ‘centralise’ judicial control in the hands of the CJEU over the entirety of the process. See also Paul Dermine and Mariolina Eliantonio, ‘Case Note: CJEU (Grand Chamber), Judgment of 19 December 2018, C-219/17, Silvio Berlusconi and Finanziaria d’investimento Fininvest SpA (Fininvest) v Banca d’Italia and Istituto per la Vigilanza Sulle Assicurazioni (IVASS)’ (2019) 12 Review of European Administrative Law 237.

52 Herwig C H Hofmann, ‘Multi-Jurisdictional Composite Procedures. The Backbone to the EU’s Single Regulatory Space’ (2019) 3 University of Luxembourg Law Working Paper Series 12.

53 Jeanningros (Footnote n 4).

54 See, on these points, Filipe Brito Bastos ‘Judicial Annulment of National Preparatory Acts and the Effects on Final Union Administrative Decisions: Comments on the Judgment of 29 January 2020, Case C-785/18 Jeanningros, EU:C:2020:46’ (2021) 14(2) Review of European Administrative Law 109, 115 et seq.

55 Dermine and Eliantonio, ‘Case Note: CJEU (Grand Chamber), Judgment of 19 December 2018, C-219/17’ (Footnote n 51) 249–250.

56 Filipe Brito Bastos, ‘An Administrative Crack in the EU’s Rule of Law: Composite Decision-making and Nonjusticiable National Law’ (2020) 16 European Constitutional Law Review 63.

57 Case C-6/99 Association Greenpeace France and Others v Ministère de l’Agriculture et de la Pêche and Others [1999] ECLI:EU:C:1999:587.

58 On the point of the coherence between Borelli and Greenpeace, see Filipe Brito Bastos, ‘The Borelli Doctrine revisited: three issues of coherence in a landmark ruling for EU administrative justice’ (2015) 8 Review of European Administrative law 269, 277 et seq.

59 See further on this point, Demková, Automated Decision-Making and Effective Remedies (Footnote n 17); Benjamin Jan, ‘Safeguarding the Right to an Effective Remedy in Algorithmic Multi-Governance Systems: An Inquiry in Artificial Intelligence-Powered Informational Cooperation in the EU Administrative Space’ (2023) 16 Review of European Administrative Law 9; Niovi Vavoula ‘Information Sharing in the Dublin System: Remedies for Asylum Seekers In-Between Gaps in Judicial Protection and Interstate Trust’ (Footnote n 19).

60 Case T-177/02 Malagutti-Vezinhet v Commission [2004] ECLI:EU:T:2004:72.

61 Case T‑212/06 Bowland Dairy Products v Commission [2009] ECLI:EU:T:2009:419.

62 Case C-626/21 Funke Sp. z o.o. v Landespolizeidirektion Wien [2023] ECLI:EU:C:2023:412.

63 Further on this, see Eliantonio, ‘Information Exchange in European Administrative Law: A Threat to Effective Judicial Protection?’ (Footnote n 16).

64 For an attempt, see Emilie Chevalier, Mariolina Eliantonio, and Rui Lanceiro, Administrative Cooperation in the European Space (Bruylant, forthcoming 2024).

65 Case C-294/83 Les Verts v Parliament [1986] ECLI:EU:C:1986:166, para 23.

66 Mariolina Eliantonio, ‘Judicial Review in an Integrated Administration’ (Footnote n 3).

14 Soft Law and Challenges to Access to Justice

* I would like to thank the editor and Dr Joyce De Coninck for comments on an earlier draft. All errors or omissions remain mine.

1 Charter of Fundamental Rights of the European Union [2016] OJ C202/389 (CFR), art 47.

2 Linda Senden, Soft law in European Community Law (Hart 2004) 112; See also Linda Senden and Ton van den Brink, Checks and Balances of Soft EU Rule-Making, European Parliament Directorate General for Internal Policies, PE 462.433, 11.

3 In their standard work, Hofmann, Rowe, and Türk even avoid the term soft law as they find it misleading to describe a plethora of administrative rules. See Herwig Hofmann, Gerald Rowe, and Alexander Türk, EU Administrative Law (Oxford University Press 2011) 536.

4 Fabien Terpan, ‘Soft Law in the European Union – The Changing Nature of EU Law’ (2015) 21 European Law Journal 68.

5 Senden and Van den Brink (Footnote n 2) 12.

6 See Penelope Rocca and Mariolina Eliantonio, ‘European Union soft law by agencies: An analysis of the legitimacy of their procedural frameworks’ in Maurizia de Bellis, Giacinto della Cananea, Martina Conticelli (eds), EU executive governance: Agencies and procedures (Giappichelli 2020) 185–186.

7 See Joined Cases C‑189/02 P, C‑202/02 P, C‑205/02 P to C‑208/02 P and C‑213/02 P Dansk Rørindustri and Others v Commission [2005] ECLI:EU:C:2005:408, para 211.

8 This constellation is not entirely new since precursors to it can be found in EU law decades back. See, for instance, the Administrative Commission for the coordination of social security regimes which was criticised early on by Maas, see Herman Maas, ‘La Commission administrative pour la sécurité sociale des travailleurs migrants’ (1966) 2 Cahiers de droit européen 343. The new aspect to it is that it is becoming a standard feature in EU governance, e.g. through an increasing number of ‘Boards’ that wield soft law powers.

9 See Order in Case T-577/17 ThyssenKrupp v Commission [2018] ECLI:EU:T:2018:411, para 8.

10 Footnote Ibid para 65.

11 Consolidated Version of the Treaty on the Functioning of the European Union [2016] OJ C202/47 (TFEU), art 263.

12 See Order in ThyssenKrupp (Footnote n 9) para 68.

13 Footnote Ibid para 72.

14 See Kafkaris v Cyprus, Application no. 21906/04 (ECtHR, 12 February 2018), paras 139–140.

15 Villiger notes that the inclusion of ‘unwritten law’ results from the need to accommodate common law systems. See Mark Eugen Villiger, Handbook on the European Convention on Human Rights (Brill 2022) 417.

16 Margrit Cohn, A Theory of the Executive Branch (Oxford University Press 2021) 62–64.

17 Mark Eugen Villiger, Handbook on the European Convention on Human Rights (Brill 2022) 19.

18 See Le Mailloux v France, App no 18108/20 (ECtHR, 5 November 2020).

19 Case Opinion 2/13 – Accession of the EU to the ECHR [2014] ECLI:EU:C:2014:2454, para 176.

20 George Letsas, ‘The scope and balancing of rights – Diagnostic or constitutive?’ in Eva Brems and Janneke Gerards (eds), Shaping Rights in the ECHR: The Role of the European Court of Human Rights in Determining the Scope of Human Rights (Cambridge University Press 2014) 54.

21 In this regard, it is telling that the Practical Guide on Admissibility Criteria remarks that the existence of an interference is a separate issue to be tested as part of the admissibility. It does so, however, in a section devoted to the cases where there is ‘no lack of proportionality between the aims and the means’. As Letsas’ test shows, however, it is nonsensical to discuss proportionality before the existence of an interference is found. See Registry of the ECtHR, Practical Guide on Admissibility Criteria, 31 August 2022, para 305.

22 Noting there is little to no jurisprudence on the notions of limitation or restrictions, see Yves Haeck and Clara Burbano Herrera, Procederen voor het Europees Hof voor de Rechten van de Mens (Intersentia 2011) 55 at fn 241.

23 Phull v France, App no 35753/03 (ECtHR, 11 January 2005).

24 Cha’are Shalom Ve Tsedek v France, App no 27417/95 (ECtHR, 27 June 2000) para 80.

25 A, B and C v Ireland, App no 25579/05 (ECtHR, 16 December 2010) paras 158–159.

26 Janneke Gerards, General Principles of the European Convention on Human Rights (Cambridge University Press 2019) 17.

27 Footnote Ibid 17–18.

29 In its review of limitations on Charter rights the CJEU links its review to the approach of the ECtHR. See Joined Cases C‑293/12 and C‑594/12 Digital Rights Ireland [2014] ECLI:EU:C:2014:238, para 47.

30 Case C‑212/06 Flemish care insurance [2008] ECLI:EU:C:2008:178, para 45; see also Joined Cases 177/82 and 178/82 Van de Haar [1984] ECLI:EU:C:1984:144, para 13.

31 See Case C-227/06 Commission v Belgium [2008] ECLI:EU:C:2008:160, paras 54–55; Case 249/81 Commission v Ireland [1982] ECLI:EU:C:1982:402, para 27.

32 Case C-322/16 Global Starnet [2017] ECLI:EU:C:2017:985, para 50.

33 See Opinion of AG Bobek in Case C-16/16 P Belgium v Commission [2017] ECLI:EU:C:2017:959, para 86.

34 Jeff Kenner and Katrina Peake, ‘Art 33 – Family and Professional Life’ in Steve Peers and Others (eds), The EU Charter of Fundamental Rights: A Commentary (Hart 2021) 946–947.

36 Case C‑473/16 F v Bevándorlási és Állampolgársági Hivatal [2018] ECLI:EU:C:2018:36, para 53.

37 Opinion of AG Saugmandsgaard Øe in Case C-64/16 Associação Sindical dos Juízes Portugueses [2017] ECLI:EU:C:2017:395, para 51

38 Treaty Establishing the European Stability Mechanism [2012] T/ESM 2012-LT/en 1 (ESM).

39 Case C-370/12 Pringle [2012] ECLI:EU:C:2012:756, paras 155–169.

40 Joined Cases C-8/15 P to C‑10/15 P Ledra Advertising e.a. v Commission & ECB [2016] ECLI:EU:C:2016:701, para 54. See also Joined Cases C-105/15 P to C‑109/15 P Mallis e.a. v Commission & ECB [2016] ECLI:EU:C:2016:702.

41 Anastasia Poulou, ‘The Liability of the EU in the ESM framework’ (2017) 24 Maastricht Journal of European and Comparative Law 137; See also the decisions of national courts cited by Poulou, where the Greek Supreme Administrative Court held the MoU to be non-binding while the Portuguese Constitutional Court confirmed that the MoU constitutes a binding act.

42 Case C-258/14 Florescu [2017] ECLI:EU:C:2017:448, para 41.

43 Opinion of AG Bot in Case C-258/14 Florescu [2016] ECLI:EU:C:2016:995, para 53.

44 Opinion of AG Wathelet in Joined Cases C‑105/15 P to C‑109/15 P Mallis e.a. v Commission & ECB [2016] ECLI:EU:C:2016:294, para 85. In contrast, in his Opinion in the Ledra case, AG Wahl qualified the MoU as an international agreement, see Opinion of AG Wahl in Joined Cases C‑8/15 P to C‑10/15 P Ledra Advertising e.a. v Commission & ECB [2016] ECLI:EU:C:2016:290, para 98.

45 René Repasi, ‘Judicial protection against austerity measures in the euro area: Ledra and Mallis’ (2017) Common Market Law Review 1123, 1141–1142.

46 Anastasia Poulou, ‘Financial assistance conditionality and human rights protection: What is the role of the EU Charter of Fundamental Rights?’ (2017) 54 Common Market Law Review 991, 1019–1022.

47 See points 2.11 and 3.1 of the Memorandum of Understanding on Specific Economic Policy Conditionality annexed to European Commission, The Economic Adjustment Programme for Cyprus (2013) European Economy Occasional Papers 149.

48 See Regulation (EU) 2021/2303 of the European Parliament and of the Council of 15 December 2021 on the European Union Agency for Asylum and repealing Regulation (EU) No 439/2010 [2021] OJ L468/1 (EUAA), art 13.

49 See Directive (EU) 2013/32 of the European Parliament and of the Council of 26 June 2013 on common procedures for granting and withdrawing international protection [2013] OJ L180/60 (Recast Asylum Procedures Directive), arts 14–15.

50 EASO Guidance on asylum procedure: operational standards and indicators, EASO Practical Guides Series, September 2019, 19.

51 Recast Asylum Procedures Directive (Footnote n 49) recital 60.

52 Case C-517/17 Addis [2020] ECLI:EU:C:2020:579, paras 59 and 66.

53 Regulation (EC) 810/2009 of the European Parliament and of the Council of 13 July 2009 establishing a Community Code on Visas (Visa Code) [2009] OJ L243/1.

54 Council Decision (EU) 2022/1500 of 9 September 2022 on the suspension in whole of the application of the Agreement between the European Community and the Russian Federation on the facilitation of the issuance of visas to the citizens of the European Union and the Russian Federation [2022] OJ L234I/1 (Council Decision 2022/1500).

55 European Commission, Providing guidelines on general visa issuance in relation to Russian applicants following Council Decision 1500/2022 C (2022) 7111 final.

56 Council Decision 1500/2022 (Footnote n 54) para 23.

57 European Commission, ANNEX to the Commission Implementing Decision amending Commission Decision C (2010) 1620 final as regards the replacement of the Handbook for the processing of visa applications and the modification of issued visas (Visa Code Handbook I), C (2020) 395 final.

58 Regulation (EU) 2018/1806 of the European Parliament and of the Council of 14 November 2018 listing the third countries whose nationals must be in possession of visas when crossing the external borders and those whose nationals are exempt from that requirement [2018] OJ L303/39 (Visa Requirement Regulation).

59 While the Court has ruled that third countries do not come within the scope of Article 20 of the Charter, this is different from the citizens of those third countries. See Case C-272/15 Swiss International Air Lines [2016] ECLI:EU:C:2016:993, para 29.

60 Regulation (EU) 679/2016 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC [2016] OJ L119/1 (GDPR).

61 Regulation (EU) 2022/868 of the European Parliament and of the Council of 30 May 2022 on European data governance [2022] OJ L152/1 (Data Governance Act); Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market For Digital Services [2022] OJ L277/1 (DSA).

62 The EDPB, for instance, strongly resembles a proper EU agency since it has legal personality and brings together exclusively representatives of the EU Member States. The EBDS and the EDIB have no legal personality and the latter is also composed of representatives of stakeholders. Only the DGA explicitly prescribes that the EDIB is to be a Commission expert group (in the sense of European Commission, establishing horizontal rules on the creation and operation of Commission expert groups, C (2016) 3301 final).

63 DSA, art 34(1)(b).

64 As highlighted by Mantelero, the DSA’s focus on risk mitigation rather than prevention implies that interferences with fundamental rights are accepted, under the legislative framework, as inevitable costs to access potential technological benefits brought by digital services. See Alessandro Mantelero, ‘Fundamental rights impact assessments in the DSA’ (Verfassungsblog, 1 November 2022) <https://verfassungsblog.de/dsa-impact-assessment/>.

65 Case C-16/16 P Belgium v Commission [2018] ECLI:EU:C:2018:79. For a broader discussion of the problem of challenging soft law through the action for annulment, see Giulia Gentile, ‘Ensuring effective judicial review of EU soft law via the action for annulment before the EU courts: A plea for a liberal-constitutional approach’ (2020) 16 European Constitutional Law Review 466.

66 Case T-721/14 Belgium v Commission [2015] ECLI:EU:T:2015:829, para 37.

67 Anthony Arnull, ‘EU Recommendations and Judicial Review’ (2018) 14 European Constitutional Law Review 609, 621.

68 See Joined Cases C‑447/17 P and C‑479/17 P EU v Guardian Europe & Guardian Europe v EU [2019] ECLI:EU:C:2019:672, para 147.

69 The general threshold is therefore high, since even a non-justifiable restriction of a fundamental right may not be sufficiently serious. See, e.g., Case T-341/07 Sison v Council [2011] ECLI:EU:T:2011:687, para 75; Joyce De Coninck, ‘Effective Remedies for Human Rights Violations in EU CSDP Military Missions: Smoke and Mirrors in Human Rights Adjudication?’ (2023) 24 German Law Journal 353-359.

70 Guardian Europe (Footnote n 68) para 32.

71 See Case T-193/04 Tillack v Commission [2006] ECLI:EU:T:2006:292, paras 122–124.

72 Case C-911/19 Fédération bancaire française (FBF) v Autorité de contrôle prudentiel et de résolution (ACPR) [2021] ECLI:EU:C:2021:599.

73 Belgium v Commission (Footnote n 65) para 44.

74 Opinion of AG Bobek in Case C-911/19 Fédération bancaire française (FBF) v Autorité de contrôle prudentiel et de résolution (ACPR) [2021] ECLI:EU:C:2021:294, para 148.

75 See Jörg Gundel, ‘Rechtsschutz gegen Empfehlungen der EU-Kommission?’ (2018) Europarecht 605.

76 Case C-25/62 Plaumann v Commission [1963] ECLI:EU:C:1963:17; Case C-50/00 P Unión de Pequeños Agricultores (UPA) [2002] ECLI:EU:C:2002:462; Case 263/02 Jégo Quéré [2004] ECLI:EU:C:2004:210.

77 Mariolina Eliantonio, ‘Judicial Review of Soft Law before the European and the National Courts A Wind of Change Blowing from the Member States?’ in Mariolina Eliantonio, Emilia Korkea-aho, Oana Ştefan (eds), EU Soft Law in the Member States Theoretical Findings and Empirical Evidence (Hart 2021) 286.

78 See Markus Ludwigs, ‘Die Verfahrensautonomie der Mitgliedstaaten’ (2018) Neue Zeitschrift für Verwaltungsrecht 1420.

79 Anthony Arnull, ‘Article 47 CFR and national procedural autonomy’ (2020) 45 European Law Review 690.

80 While not at issue as such in that case, the Court did clarify in Unibet that EU law does not create new remedies in the national legal orders unless ‘in the national legal system in question no legal remedy exists which makes it possible to (possibly indirectly) ensure respect for an individual’s rights under EU law’. See Case C-432/05 Unibet [2007] ECLI:EU:C:2007:163, paras 40–41.

81 Consolidated Version of the Treaty on European Union [2016] OJ C202/13 (TEU), art 19.

82 Case 283/81 Cilfit [1982] ECLI:EU:C:1982:335, para 9.

83 Niilo Jääskinen, ‘Final Thoughts’ in Mariolina Eliantonio, Emilia Korkea-aho, Oana Ştefan (eds), EU Soft Law in the Member States Theoretical Findings and Empirical Evidence (Hart 2021) 361.

84 See Merijn Chamon, EU Agencies – Legal and Political Limits to the Transformation of the EU Administration (Oxford University Press 2016) 334–336.

85 See Regulation (EC) on the Community trade mark (codified version) 207/2009, [2009] OJ L78/1, art 122 (not taken over in Regulation 2017/1001, OJ 2017 L 154/1).

86 See Regulation (EU) 2022/2370 of the European Parliament and of the Council of 23 November 2022 amending Regulation (EC) No 851/2004 establishing a European centre for disease prevention and control [2022] OJ L314/1, art 1(30).

87 See Regulation (EC) 2100/94 on Community plant variety rights [1994] OJ L227/1, art 44.

88 See Regulation (EC) 1829/2003 of the European Parliament and of the Council on genetically modified food and feed [2003] OJ L268/1, art 36; Regulation (EC) 1935/2004 of the European Parliament and of the Council on materials and articles intended to come into contact with food and repealing Directives 80/590/EEC and 89/109/EEC [2004] OJ L338/4, art 14.

89 The relevant provisions setting out the administrative appeals against the CPVO and EFSA refer to any acts or any decisions. Furthermore, the administrative appeals against the EFSA also extend to the agency’s failure to act.

90 See Regulations 1093/2010, 1094/2010, and 1095/2010 establishing the European Banking Authority, the European Insurance and Occupational Pensions Authority and the European Securities and Markets Authority [2010] OJ L 331/12-48-84 (ESA Regulations).

91 More concretely against the guidelines, recommendations, and Q&As adopted by the ESAs pursuant to Articles 16 and 16b of their establishing Regulations. The opinions that the ESAs may also adopt pursuant to Article 16a are therefore excluded from the scope of the review mechanism.

92 Regulation (EU) 2019/2175 of the European Parliament and of the Council of 18 December 2019 amending Regulation (EU) No 1093/2010 establishing a European Supervisory Authority (European Banking Authority), Regulation (EU) No 1094/2010 establishing a European Supervisory Authority (European Insurance and Occupational Pensions Authority), Regulation (EU) No 1095/2010 establishing a European Supervisory Authority (European Securities and Markets Authority) [2019] OJ L334/1.

93 See, e.g., Joined Cases C‑622/16 P to C‑624/16 P Scuola Elementare Maria Montessori Srl v Commission [2018] ECLI:EU:C:2018:873, para 42.

94 ESA Regulations, arts 16 and 16b.

95 See Merijn Chamon, ‘The joint board of appeal as an accountability mechanism for the ESAs’ in Carl Fredrik Bergström and Magnus Strand (eds), Legal Accountability in EU Markets for Financial Instruments: The Dual Role of Investment Firms (Edward Elgar 2021) 76.

96 On the Boards of Appeal, see Merijn Chamon, Annalisa Volpato, and Mariolina Eliantonio (eds), Boards of Appeal of EU Agencies – Towards Judicialization of Administrative Review? (Oxford University Press 2022); Paola Chirulli and Luca de Lucia, ‘Specialised adjudication in EU administrative law: the Boards of Appeal of EU agencies’ (2015) 40 European Law Review 832.

97 As the law stands, Boards of Appeal of EU agencies can only review binding measures. This is contrary to the suggestion of AG Campos Sánchez-Bordona in his Opinion in Case C-501/18 BT v Balgarska Narodna Banka [2020] ECLI:EU:C:2020:729, para 81; for a failed attempt to have a Board of Appeal review an act of soft law (in casu an opinion of the European Agency for Energy Regulators), see Case T-63/16 E-Control v ACER [2017] ECLI:EU:T:2017:456, para 37; for arguments in favour of such a broadening, see Carlo Tovo, ‘The Boards of Appeal of Networked Services Agencies: Specialized Arbitrators of Transnational Regulatory Conflicts?’ in Merijn Chamon, Annalisa Volpato, and Mariolina Eliantonio (eds), Boards of Appeal of EU Agencies – Towards Judicialization of Administrative Review? (Oxford University Press 2022) 34; Marco Lamandini, ‘The ESAs’ Board of Appeal as a Blueprint for the Quasi-Judicial Review of European Financial Supervision’ (2014) 11 European Company Law 293.

98 See, for an earlier suggestion, Oliver Streckert, Verwaltungsinterner Unionsrechtsschutz – Kohärenter Rechtsschutz durch Einführung eines Widerspruchskammermodells für die Europäische Kommission (Mohr Siebeck 2016).

15 The EU’s Artificial Intelligence Laboratory and Fundamental Rights

1 Charter of Fundamental Rights of the European Union [2016] OJ C202/389 (CFR).

2 Commission, ‘Proposal for a Regulation of the European Parliament and of the Council laying down harmonised rules on artificial intelligence (Artificial Intelligence Act) and amending certain Union legislative acts’ COM (2021) 206 final, (AI Act Proposal). This chapter was finalised in September 2023, and revised in May 2024. Therefore, this contribution takes into account the latest available draft of 16.4.2024 – the Corrigendum to the position of the European Parliament adopted at first reading on 13 March 2024 with a view to the adoption of Regulation (EU) 2024/[…] of the European Parliament and of the Council laying down harmonised rules on artificial intelligence (Artificial Intelligence Act) P9_TA(2024)0138 (COM(2021)0206 – C9-0146/2021 – 2021/0106(COD)).

3 AI Act, art 3(1).

4 Regulation (EU) 2018/1726 of 14 November 2018 and amending Regulation (EC) No 1987/2006 and Council Decision 2007/533/JHA and repealing Regulation (EU) No 1077/2011 [2018] OJ L295/99.

5 Chris Jones, Ana Valdivia, and Jane Kilpatrick, ‘Funds for Fortress Europe: Spending by Frontex and Eu-LISA’ (Statewatch, 28 January 2022) <www.statewatch.org/analyses/2022/funds-for-fortress-europe-spending-by-frontex-and-eu-lisa/>. As the authors report, the total amount spent by eu-LISA on contracts with the private sector between 2014–2020 alone was €1.5 billion.

6 Footnote Ibid. Another contract worth €140 million was agreed with a consortium made up of Atos, IBM, and Leonardo (formerly Finmeccanica) for the additional work on the BMS.

7 Regulation (EU) 2019/1896 of the European Parliament and of the Council of 13 November 2019 on the European Border and Coast Guard and repealing Regulations (EU) No 1052/2013 and (EU) 2016/1624 [2019] OJ L295/1.

8 Jones, Valdivia, and Kilpatrick (Footnote n 5).

9 Frontex, ‘Artificial Intelligence-Based Capabilities for the European Border and Coast Guard: Final Report’ (European Border and Coast Guard Agency 2021) <https://frontex.europa.eu/publications/artificial-intelligence-based-capabilities-for-the-european-border-and-coast-guard-final-report-CYyjoe> s 2.2.

10 Footnote Ibid annex C.

11 Giovanni De Gregorio and Sofia Ranchordás, ‘Breaking down Information Silos with Big Data: A Legal Analysis of Data Sharing’ in Joe Cannataci, Valeria Falce, and Oresto Pollicino (eds), Legal Challenges of Big Data (Edward Elgar 2020).

12 Simona Demková, Automated Decision-Making and Effective Remedies: The New Dynamics in the Protection of EU Fundamental Rights in the Area of Freedom, Security and Justice (Edward Elgar 2023) ch 2.

13 Niovi Vavoula, Immigration and Privacy in the Law of the European Union: The Case of Information Systems (Brill Nijhoff 2022) <https://brill.com/view/title/35886>.

14 The PNR Scheme refers to the EU regime set up by Directive (EU) 2016/681 enabling national law enforcement authorities to process and automatically analyse potential security risks among the passengers on the EU’s external and/or internal flights. Directive (EU) 2016/681 of the European Parliament and of the Council of 27 April 2016 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime [2016] OJ L119/132; see also Julien Jeandesboz, ‘Ceci n’est Pas Un Contrôle: PNR Data Processing and the Reshaping of Borderless Travel in the Schengen Area’ (2021) 23 European Journal of Migration and Law 431.

15 Paul Quinn and Gianclaudio Malgieri, ‘The Difficulty of Defining Sensitive Data – The Concept of Sensitive Data in the EU Data Protection Framework’ (2021) 22 German Law Journal 1583.

16 Laurent Beslay and Javier Galbally, ‘Fingerprint Identification Technology for Its Implementation in the Schengen Information System II (SIS-II)’ [2015] JRC Science for Policy Report EUR 27473, <https://publications.jrc.ec.europa.eu/repository/handle/JRC97779> 100; Joint Research Centre, Study on Fingermark and Palmmark Identification Technologies for Their Implementation in the Schengen Information System (Publications Office of the EU 2019) <http://publications.europa.eu/publication/manifestation_identifier/PUB_KJNA29755ENN>; Niovi Vavoula, ‘Artificial Intelligence (AI) at Schengen Borders: Automated Processing, Algorithmic Profiling and Facial Recognition in the Era of Techno-Solutionism’ (2021) 23 European Journal of Migration and Law 457.

17 Regulation (EU) 2018/1240 of the European Parliament and of the Council of 12 September 2018 establishing a European Travel Information and Authorisation System (ETIAS) and amending Regulations (EU) No 1077/2011, (EU) No 515/2014, (EU) 2016/399, (EU) 2016/1624 and (EU) 2017/2226, OJ L236/1 (ETIAS Regulation).

18 ‘What Is ETIAS’ (Travel-europe.europa.eu) <https://travel-europe.europa.eu/etias/what-etias_en> .

19 ETIAS Regulation, art 4.

20 Footnote Ibid arts 5–7; See also ‘Eu-LISA – Core Activities’ (eulisa.europa.eu) <www.eulisa.europa.eu/Activities>.

21 ETIAS Regulation, art 20.

22 The latter include the ETIAS Central System, the Interpol Stolen and Lost Travel Document database (SLTD), and the Interpol Travel Documents Associated with Notices database (TDAWN).

23 ETIAS Regulation, art 33.

24 Footnote Ibid art 34.

25 Footnote Ibid art 33(2) and (3).

26 Paulina Jo Pesch, Diana Dimitrova, and Franziska Boehm, ‘Data Protection and Machine-Learning-Supported Decision-Making at the EU Border: ETIAS Profiling Under Scrutiny’ in Agnieszka Gryszczyńska and Others (eds), Privacy Technologies and Policy (Springer International 2022).

27 ETIAS Regulation, art 33(4).

28 GDPR, art 4(4) defines profiling as ‘any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements’. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016] OJ L119/1 (GDPR).

29 GDPR, art 22; and its equivalent Regulation (EU) 2018/1725, art 24.

30 Case C-817/19 Ligue des droits humains v Conseil des ministers [2022] ECLI:EU:C:2022:491, para 189 and 196.

31 ‘ETIAS’ (Frontex.europa.eu) <https://frontex.europa.eu/what-we-do/etias/>.

32 ETIAS Regulation, arts 32 and 37.

33 Footnote Ibid art 38(2).

34 Footnote Ibid art 32(3).

35 Footnote Ibid recital (25).

36 Originally Regulation (EU) No 1052/2013 of the European Parliament and of the Council of 22 October 2013 establishing the European Border Surveillance System (EUROSUR) [2013] OJ L295/11, which was repealed by Regulation (EU) 2019/1896 of the European Parliament and of the Council of 13 November 2019 on the European Border and Coast Guard and repealing Regulations (EU) No 1052/2013 and (EU) 2016/1624 [2019] OJ L295/1 (EBCG Regulation), section 3. The use of EUROSUR is governed under the Commission Implementing Regulation (EU) 2021/581 of 9 April 2021 on the situational pictures of the European Border Surveillance System (EUROSUR), C/2021/2361 [2021] OJ L124/3 (EUROSUR Implementing Regulation).

37 EUROSUR Implementing Regulation, arts 1 and 2.

38 EBCG Regulation, art 28.

39 Footnote Ibid art 69.

40 Raluca Csernatoni, ‘Constructing the EU’s High-Tech Borders: FRONTEX and Dual-Use Drones for Border Management’ (2018) 27 European Security 175.

42 European Union Agency for Fundamental Rights, ‘How the Eurosur Regulation Affects Fundamental Rights’ <https://fra.europa.eu/sites/default/files/fra_uploads/fra-2018-eurosur-regulation-fundamental-rights-impact_en.pdf> 4.

43 Simona Demková, ‘The Decisional Value of Information in European Semi-Automated Decision-Making’ (2021) 14 Review of European Administrative Law 29.

44 AI Act, Preamble (1) and art (1)(1).

45 Consolidated Version of the Treaty on European Union [2016] OJ C202/13 (TEU).

46 Haroon Sheikh, Corien Prins, and Erik Schrijvers, Mission AI: The New System Technology (Springer International 2023) <https://link.springer.com/10.1007/978-3-031-21448-6>.

47 Article 1 of the Charter. See, Paola Inverardi, ‘The Challenge of Human Dignity in the Era of Autonomous Systems’ in Hannes Werthner and Others (eds), Perspectives on Digital Humanism (Springer International 2022) <https://doi.org/10.1007/978-3-030-86144-5_4>; Sean Kanuck, ‘Humor, Ethics, and Dignity: Being Human in the Age of Artificial Intelligence’ (2019) 33 Ethics & International Affairs 3.

48 High-Level Expert Group on Artificial Intelligence, Ethics Guidelines for Trustworthy AI, 2019, 39; Closely mirroring the OECD, Recommendation of the Council on Artificial Intelligence, OECD/LEGAL/0449, 2022, 7; and Organisation of Economic Cooperation and Development, ‘OECD Principles on Artificial Intelligence’ <https://legalinstruments.oecd.org/en/instruments/OECD-LEGAL-0449> accessed 29 November 2021.

49 Case C-4/73 Nold [1977] ECLI:EU:C:1974:51, para 14.

50 Takis Tridimas and Giulia Gentile, ‘The Essence of Rights: An Unreliable Boundary?’ (2019) 20 German Law Journal 794.

51 Plixavra Vogiatzoglou and Peggy Valcke, ‘Two Decades of Article 8 CFR: A Critical Exploration of the Fundamental Right to Personal Data Protection in EU Law’ [2022] Research Handbook on EU Data Protection Law 11; see also Opinion of AG Sharpston in Cases C-92/09 and C-93/02, Volker und Markus Schecke GbR v Land Hessen [2010] ECLI:EU:C:2010:353, para 71.

52 European Union Agency for Fundamental Rights, ‘Getting the Future Right – Artificial Intelligence and Fundamental Rights’ (14 December 2020) <https://fra.europa.eu/en/publication/2020/artificial-intelligence-and-fundamental-rights> 61; Orla Lynskey, ‘Deconstructing Data Protection: The “Added Value” Of A Right To Data Protection In The EU Legal Order’ (2014) 63 International & Comparative Law Quarterly 569.

53 As the secondary rules of EU data protection law that put the right enshrined in Article 8 CFR into use expand the rights of data subjects beyond those explicitly listed in Article 8 CFR (Chapter 3 of the GDPR), Charter of Fundamental Rights of the European Union [2012] OJ C326/02 (CFR) art 8.

54 Evelien Brouwer, ‘Legality and Data Protection Law: The Forgotten Purpose of Purpose Limitation’ in Leonard FM Besselink, F Pennings and Sacha Prechal (eds), The eclipse of the legality principle in the European Union (Kluwer Law International 2011).

55 Interoperability means ‘the ability of information systems to exchange data and to enable the sharing of information. It is about a targeted and intelligent way of using existing data to best effect, without creating new databases or changing the access rights to the existing information systems’. European Commission, ‘Security Union: Closing the Information Gap’ <https://home-affairs.ec.europa.eu/system/files_en?file=2019-04/20190416_agenda-security-factsheet-closing-information-gaps_en.pdf>.

56 Regulation (EU) 2019/817 of the European Parliament and of the Council of 20 May 2019 on establishing a framework for interoperability between EU information systems in the field of borders and visa [2019] OJ L135/27; and Regulation (EU) 2019/818 of the European Parliament and of the Council of 20 May 2019 on establishing a framework for interoperability between EU information systems in the field of police and judicial cooperation, asylum and migration [2019] OJ L135/85 (the Interoperability Regulations). The systems are foreseen to become interoperable in 2024.

57 De Gregorio and Ranchordás (Footnote n 11).

58 Francesca Galli, ‘Interoperable Databases: New Cooperation Dynamics in the EU AFSJ?’ (2020) 26 European Public Law 109; Statewatch, ‘Frontex and Interoperable Databases: Knowledge as Power?’ (Statewatch 2023) <www.statewatch.org/frontex-and-interoperable-databases-knowledge-as-power/>.

59 ETIAS Regulation art 22.

60 Article 29 Data Protection Working Party, ‘Guidelines on Automated Individual Decision-Making and Profiling for the Purposes of Regulation 2016/679, Adopted on 3 October 2017, as Last Revised and Adopted on 6 February 2018, 17/EN WP251rev.01’ <https://ec.europa.eu/newsroom/article29/items/612053>.

61 ETIAS Regulation art 21(1).

62 Footnote Ibid art 22.

63 Luisa Marin and Kamila Krajčíková, ‘Deploying Drones in Policing Southern European Borders: Constraints and Challenges for Data Protection and Human Rights’ in Aleš Završnik (ed), Drones and Unmanned Aerial Systems: Legal and Social Implications for Security and Surveillance (Springer International Publishing 2016) <https://doi.org/10.1007/978-3-319-23760-2_6>; Csernatoni (Footnote n 40).

64 Gianclaudio Malgieri, ‘Automated Decision-Making and Data Protection in Europe’ (2022) Research Handbook on Privacy and Data Protection Law 433.

65 ETIAS Regulation, art 17(2).

66 Malgieri (Footnote n 64).

67 Melissa Heikkila, ‘Dutch Scandal Serves as a Warning for Europe over Risks of Using Algorithms’ (politico.eu, 29 March 2022) <www.politico.eu/article/dutch-scandal-serves-as-a-warning-for-europe-over-risks-of-using-algorithms/>; ‘Boete Belastingdienst voor zwarte lijst FSV’ (Autoriteit Persoonsgegevens, 12 April 2022) <https://autoriteitpersoonsgegevens.nl/actueel/boete-belastingdienst-voor-zwarte-lijst-fsv>.

68 GDPR, art 22(4) in conjunction with art 9.

69 Demková, Automated Decision-Making and Effective Remedies (Footnote n 12) 34–36.

70 Case C-817/19 Ligue des droits humains v Conseil des ministers [2022] ECLI:EU:C:2022:491.

71 Footnote Ibid para 204.

72 Footnote Ibid para 203.

73 Footnote Ibid paras 205–208.

74 European Union Agency for Fundamental Rights, ‘Getting the Future Right’ (Footnote n 52) 69.

75 Ligue des droits humains (Footnote n 70) para 210.

76 ‘MEPs to Grill Frontex Director on Agency’s Role in Pushbacks of Asylum-Seekers’ (European Parliament, 30 November 2020) <www.europarl.europa.eu/news/en/press-room/20201126IPR92509/meps-to-grill-frontex-director-on-agency-s-role-in-pushbacks-of-asylum-seekers>; Judith Sunderland and Lorenzo Pezzani, ‘Airborne Complicity: Frontex Aerial Surveillance Enables Abuse’ (Human Rights Watch, 12 August 2022) <www.hrw.org/node/383557>.

77 Abbas Azimi and Others, ‘The Crotone Cover Up’ (Lighthouse Reports, 2 June 2023) <www.lighthousereports.com/investigation/the-crotone-cover-up/>.

78 Frontex, ‘Technical and Operational Strategy for European Integrated Border Management’ <http://op.europa.eu/en/publication-detail/-/publication/2123579d-f151–11e9-a32c-01aa75ed71a1>; see also the collections in Miroslava Scholten and Michiel Luchtman (eds), Law Enforcement by EU Authorities Implications for Political and Judicial Accountability (Edward Elgar 2017).

79 The 123 page report was published in full by the German freedom of information newspapers Frag Den Staat, Lighthouse Reports, and Der Spiegel, to whom the report was first leaked, available at <https://cdn.prod.www.spiegel.de/media/00847a5e-8604-45dc-a0fe-37d920056673/Directorate_A_redacted-2.pdf>.

80 ‘Frontex Failing to Protect People at EU Borders’ (Human Rights Watch, 23 June 2021) <www.hrw.org/news/2021/06/23/frontex-failing-protect-people-eu-borders>; ‘EU: Frontex Complicit in Abuse in Libya’ (Human Rights Watch, 12 December 2022) <www.hrw.org/news/2022/12/12/eu-frontex-complicit-abuse-libya>.

81 See also Sir Elihu Lauterpacht and Daniel Bethlehem, ‘The Scope and Content of the Principle of Non-Refoulement: Opinion’ in Erika Feller, Volker Türk, and Frances Nicholson (eds), Refugee Protection in International Law (Cambridge University Press 2003); Rebecca M M Wallace, ‘The Principle of Non-Refoulement in International Refugee Law’ in Vincent Chetail and Céline Bauloz (eds), Research Handbook on International Law and Migration (Edward Elgar 2014).

82 European Union Agency for Fundamental Rights, ‘How the Eurosur Regulation Affects Fundamental Rights’ (Footnote n 42).

83 Case C‑72/15 Rosneft [2017] ECLI:EU:C:2017:236, para 73; Case C-216/18 PPU Minister for Justice and Equality v LM [2018] ECLI:EU:C:2018:586, para 51.

84 See Case C-166/13 Mukarubega v Seine-Saint-Denis [2014] ECLI:EU:C:2014:2336, paras 43–49; Case C-521/15 Spain v Council [2017] ECLI:EU:C:2017:982, para 89; Case C-604/12 N [2014] ECLI:EU:C:2014:302, para 49; or the more recent Joined Cases C-225/19 and C-226/19 R.N.N.S., K.A. v Minister van Buitenlandse Zaken [2020] ECLI:EU:C:2020:951, para 34.

85 Herwig C H Hofmann and Bucura Catalina Mihaescu-Evans, ‘The Relation between the Charter’s Fundamental Rights and the Unwritten General Principles of EU Law: Good Administration as the Test Case’ (2013) 9 European Constitutional Law Review 73.

86 Case C-269/90 TUM [1991] ECLI:EU:C:1991:438, para 14.

87 Case C-16/90 Nölle v Hauptzollamt Bremen-Freihafen [1991] ECLI:EU:C:1991:402, para 29.

88 Herwig C H Hofmann, ‘The Duty of Care in EU Public Law – A Principle between Discretion and Proportionality’ (2020) 13 Review of European Administrative Law 87; Demková, Automated Decision-Making and Effective Remedies (Footnote n 12) ch 6.

89 Simona Demková and Herwig C H Hofmann, ‘General Principles of Procedural Justice’ in Katja Ziegler, Päivi Neuvonen, and Violeta Moreno-Lax (eds), Research Handbook on General Principles of EU Law: Constructing Legal Orders in Europe (Edward Elgar 2022).

90 Demková, Automated Decision-Making and Effective Remedies (Footnote n 12) 175–178.

91 Saar Alon-Barkat and Madalina Busuioc, ‘Human–AI Interactions in Public Sector Decision Making: “Automation Bias” and “Selective Adherence” to Algorithmic Advice’ (2023) 33 Journal of Public Administration Research and Theory 153.

92 Demková and Hofmann (Footnote n 89).

93 R.N.N.S., K.A. v Minister van Buitenlandse Zaken (Footnote n 84) para 43.

94 Gloria González Fuster and Others, ‘The Right to Lodge a Data Protection Complaint: OK, but Then What? An Empirical Study of Current Practices under the GDPR’ (Data Protection Law Scholars Network and Access Now, 2022) <www.accessnow.org/cms/assets/uploads/2022/06/Complaint-study-Final-version-before-design-June-15.pdf>.

95 Simona Demková, ‘Enforcing Remedies: The Challenges of Automatisation for Effective Oversight’ in Katalin Ligeti and Kei Hannah Brodersen (eds), Studies on enforcement in multi-regulatory systems (Nomos 2022). See also Eliantonio in this volume, Chapter 13.

96 Case T-600/21 WS and Others v Frontex ECLI:EU:T:2023:492 and the comment by Melanie Fink and Jorrit Rijpma, ‘The EU General Court’s Judgment in the Case of WS and Others v Frontex: Human Rights Violations at EU External Borders Going Unpunished’ (EU Law Analysis, 22 September 2023) <https://eulawanalysis.blogspot.com/2023/09/the-eu-general-courts-judgment-in-case.html> accessed 2 October 2023. For discussion on access to damages, see Fink, Rauchegger, and De Coninck in this volume, Chapter 2.

97 ETIAS Regulation, arts 25 and 26.

98 Footnote Ibid art 29.

99 Footnote Ibid art 29(4).

100 Napoleon Xanthoulis, ‘Administrative Factual Conduct: Legal Effects and Judicial Control in EU Law’ (2019) 12 Review of European Administrative Law 39.

101 Demková, ‘The Decisional Value of Information in European Semi-Automated Decision-Making’ (Footnote n 43) 48.

103 Commission, ‘Artificial Intelligence for Europe’ COM (2018) 237 final.

104 AI Act (Footnote n 2).

105 AI HLEG, Ethics Guidelines for Trustworthy AI, 2019, available at <https://digital-strategy.ec.europa.eu/en/library/ethics-guidelines-trustworthy-ai> 39.

106 Consolidated Version of the Treaty on the Functioning of the European Union [2016] OJ C202/47 (TFEU).

107 Generally, the list used is defined in Article 2(2) of Council Framework Decision 2002/584/JHA or in reference to crimes that are punishable by a custodial sentence or a detention order for a maximum period of at least three years. The classification of high-risk AI uses is provided in Annex III. Council Framework Decision of 13 June 2002 on the European arrest warrant and the surrender procedures between Member States [2002] OJ L190/1 (Council Framework Decision 190/1).

108 AI Act art 6(3) states: ‘[...] an AI system referred to in Annex III shall not be considered to be high-risk where it does not pose a significant risk of harm to the health, safety or fundamental rights of natural persons, including by not materially influencing the outcome of decision making.’

109 AI Act art 3(2). Luca Bertuzzi, ‘AI Act: EU Parliament’s Crunch Time on High-Risk Categorisation, Prohibited Practices’ (www.euractiv.com, 7 February 2023) <www.euractiv.com/section/artificial-intelligence/news/ai-act-eu-parliaments-crunch-time-on-high-risk-categorisation-prohibited-practices/>; see also Council Framework Decision 190/1, preamble (14).

110 AI Act art. 2.

111 AI Act arts 2(3) and (4).

112 AI Act Proposal, art 83(1).

113 AI Act 111(1).

114 European Data Protection Supervisor, ‘EDPS – EDPB Joint Opinion on the Proposal for a Regulation of the European Parliament and of the Council Laying down Harmonised Rules on Artificial Intelligence (Artificial Intelligence Act)’ (EDPS.eu, 2021) <https://edps.europa.eu/node/7140_en>.

115 Lilian Edwards, ‘Expert Opinion: Regulating AI in Europe: Four Problems and Four Solutions’ (Ada Lovelace Institute 2022) <www.adalovelaceinstitute.org/report/regulating-ai-in-europe/>. As Lilian Edwards points out, the Proposal takes an ‘essentially individualistic approach to fundamental rights’ lacking instead a more ‘systematic concern for groups’ rights and interests’. The latter, according to Edwards, may differ from the traditional categories of groups under anti-discrimination law. Indeed, algorithmic processing of personal data may lead to new algorithmically constituted categories of groups that deserve greater attention. But see AI Act Proposal, art 10(3) on training data in datasets.

116 Other legal instruments governing personal data processing composing the EU data protection framework include for instance the e-Privacy Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) [2002] OJ L201/37 (e-Privacy Directive).

117 Diana Dimitrova, ‘Data Protection within Police and Judicial Cooperation’ in Herwig C H Hofmann, Gerard C Rowe, and Alexander H Türk (eds), Specialized Administrative Law of the European Union: A Sectoral Review (Oxford University Press 2018). As the author reminds, Article 87(2)(a) TFEU laying down the legal basis for police cooperation between the EU Member States mandated the EU to establish rules on ‘relevant information’ processing.

118 Teresa Quintel, Data Protection, Migration and Border Control: The GDPR, the Law Enforcement Directive and Beyond (Bloomsbury 2022) <www.bloomsbury.com/uk/data-protection-migration-and-border-control-9781509959648/>.

119 GDPR, art 77; EU DPR, art 63; Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA [2016] OJ L119/89 (LED) art 52.

120 GDPR, arts 78–79; EU DPR, art 64; LED, arts 53–54.

121 GDPR, art 80; EU DPR, art 67; LED, art 55.

122 Sergio Carrera and Marco Stefan, ‘Complaint Mechanisms in Border Management and Expulsion Operations in Europe: Effective Remedies For Victims of Human Rights Violations?’ (Centre for European Policy Studies 2018) <www.ceps.eu/ceps-publications/complaint-mechanisms-border-management-and-expulsion-operations-europe-effective/>; Fuster and Others (Footnote n 93); Demková, Automated Decision-Making and Effective Remedies (Footnote n 12).

123 GDPR, arts 15–22; EU DPR, arts 14–24; LED, arts 12–18.

124 See, for instance, GDPR, recitals (75) and (85) and arts 9 and 22(4).

125 As the Court reminds us, an act under EU law should ‘be interpreted, as far as possible, in such a way as not to affect its validity and conformity with primary law as a whole, and in particular, with the provisions of the Charter’. See Ligue des droits humains (Footnote n 70) para 86 with reference to Case C-481/19 Consob [2021] ECLI:EU:C:2021:84, para 50 and the case law cited.

126 Any such limits must be established in law, respect the essence of the right, and be necessary and proportionate to the objectives sought.

127 Edwards (Footnote n 115).

128 For an in-depth analysis of the remedial set up under the AI Act from a comparative perspective, see De Gregorio, Giovanni and Demková, Simona, The Constitutional Right to an Effective Remedy in the Digital Age: A Perspective from Europe (January 31, 2024). In van Oirsouw, Ch., de Poorter, J.; Leijten, I.; van der Schyff, G.; Stremler, M.; de Visser, M. (eds), European Yearbook of Constitutional Law (forthcoming, 2024), Available at SSRN: https://ssrn.com/abstract=4712096 or http://dx.doi.org/10.2139/ssrn.4712096

129 Drawing on links and discrepancies between the GDPR and the AI Act identified in the study by Artur Bogucki and Others, ‘The AI Act and Emerging EU Digital Acquis: Overlaps, Gaps and Inconsistencies’ (Centre for European Policy Studies, 2022) CEPS In-Depth Analysis s 2.1.1. <www.ceps.eu/ceps-publications/the-ai-act-and-emerging-eu-digital-acquis/>.

130 AI Act, art 3(4).

131 Bogucki and Others (Footnote n 128) 8.

132 AI Act, art. 10(5).

133 Pieter T J Wolters, ‘The Control by and Rights of the Data Subject Under the GDPR’ (2018) 22 (1) Journal of Internet Law 6.

134 EU DPR, art 64(3).

135 AI Act as per the obligations falling upon national market surveillance authorities under articles 43 and 70.

136 Ibid art 65.

137 Footnote Ibid art 66.

138 Doubts as to this role have also been expressed by the EDPB-EDPS, ‘Joint Opinion 5/2021 on the proposal for a Regulation of the European Parliament and of the Council laying down harmonised rules on artificial intelligence (Artificial Intelligence Act)’ (Edpb.eu, 18 June 2021) <https://edpb.europa.eu/our-work-tools/our-documents/edpbedps-joint-opinion/edpb-edps-joint-opinion-52021-proposal_en>.

139 AI Act art 66.

140 Jon Truby and Others, ‘A Sandbox Approach to Regulating High-Risk Artificial Intelligence Applications’ (2022) 13 European Journal of Risk Regulation 270.

141 Kristin Undheim, Truls Erikson, and Bram Timmermans, ‘True Uncertainty and Ethical AI: Regulatory Sandboxes as a Policy Tool for Moral Imagination’ (AI and Ethics, 24 November 2022) <https://doi.org/10.1007/s43681–022-00240-x>.

142 Sofia Ranchordás, ‘Experimental Lawmaking in the EU: Regulatory Sandboxes’ (Social Science Research Network, 22 October 2021) SSRN Scholarly Paper ID 3963810 2 <https://papers.ssrn.com/abstract=3963810>.

143 Fuster and Others (Footnote n 94).

144 EU DPR, ch VI.

145 European Data Protection Supervisor, ‘EDPS Takes Legal Action as New Europol Regulation Puts Rule of Law and EDPS Independence under Threat’ (Edps.eu, 22 September 2022) <https://edps.europa.eu/press-publications/press-news/press-releases/2022/edps-takes-legal-action-new-europol-regulation-puts-rule-law-and-edps-independence-under-threat>. See also the EDPS Supervisory Opinion on the Rules on Processing of Operational Personal Data by the European Border and Coast Guard Agency (Frontex), (Case 2022-0147) (Edps.eu, 7 June 2022) <https://edps.europa.eu/data-protection/our-work/publications/supervisory-opinions/edps-supervisory-opinion-rules_en>.

146 Anneliese Baldaccini, ‘Counter-Terrorism and the EU Strategy for Border Security: Framing Suspects with Biometric Documents and Databases’ (2008) 10 European Journal of Migration and Law 31; Sergio Carrera and Valsamis Mitsilegas, ‘Constitutionalising the Security Union’ in Sergio Carrera and Valsamis Mitsilegas (eds), Constitutionalising the Security Union: Effectiveness, rule of law and rights in countering terrorism and crime (Centre for European Policy Studies 2017).

147 Herwig C H Hofmann, Gerard C Rowe, and Alexander H Türk (eds), Specialized Administrative Law of the European Union: A Sectoral Review (Oxford University Press 2018).

Save book to Kindle

To save this book to your Kindle, first ensure [email protected] is added to your Approved Personal Document E-mail List under your Personal Document Settings on the Manage Your Content and Devices page of your Amazon account. Then enter the ‘name’ part of your Kindle email address below. Find out more about saving to your Kindle.

Note you can select to save to either the @free.kindle.com or @kindle.com variations. ‘@free.kindle.com’ emails are free but can only be saved to your device when it is connected to wi-fi. ‘@kindle.com’ emails can be delivered even when you are not connected to wi-fi, but note that service fees apply.

Find out more about the Kindle Personal Document Service.

Available formats
×

Save book to Dropbox

To save content items to your account, please confirm that you agree to abide by our usage policies. If this is the first time you use this feature, you will be asked to authorise Cambridge Core to connect with your account. Find out more about saving content to Dropbox.

Available formats
×

Save book to Google Drive

To save content items to your account, please confirm that you agree to abide by our usage policies. If this is the first time you use this feature, you will be asked to authorise Cambridge Core to connect with your account. Find out more about saving content to Google Drive.

Available formats
×