26 June 2025 (*)

( Non-contractual liability – Cooperation of the police authorities and other law enforcement agencies of the Member States – Alleged unlawful processing of personal data – Failure to comply with procedural requirements – Article 76(d) of the Rules of Procedure – No non-material damage suffered as a result of acts of Europol – Action in part brought before a court manifestly lacking jurisdiction to hear and determine it, in part manifestly inadmissible and in part manifestly lacking any foundation in law )

In Case T‑484/24,

FF,

represented by J. Reisinger, lawyer,

applicant,

European Union Agency for Criminal Justice Cooperation (Eurojust),

represented by S. van den Brande, S. Raes and P. Van Muylder, lawyers,

European Union Agency for Law Enforcement Cooperation (Europol),

represented by A. Nunzi, acting as Agent, and by G. Ziegenhorn, M. Kottmann and T. Shulman, lawyers,

defendants,

supported by

Kingdom of Spain,

represented by A. Gavela Llopis, acting as Agent,

and by

Kingdom of the Netherlands,

represented by M. Bulterman and J. Langer, acting as Agents,

interveners,

THE GENERAL COURT (Fifth Chamber),

composed of J. Svenningsen (Rapporteur), President, J. Martín y Pérez de Nanclares and M. Stancu, Judges,

Registrar: V. Di Bucci,

having regard to the written part of the procedure,

makes the following

By his action, the applicant, FF, asks the Court, first, to declare ‘inadmissible’ the agreement establishing a joint investigation team relating to the ‘Sky ECC’ encrypted communication service (‘the JIT Agreement’) and, second, on the basis of Article 268 TFEU, to grant him compensation, in the amount of EUR 30 000, for the non-material damage which he claims to have suffered as a result of acts committed by the European Union Agency for Criminal Justice Cooperation (Eurojust), the European Union Agency for Law Enforcement Cooperation (Europol) and by certain Member States.

Background to the dispute

According to his assertions, the applicant is the subject, in Belgium, of criminal proceedings in respect of drug trafficking charges which are based almost exclusively on the use of data from mobile telephones operating under the ‘Sky ECC’ licence; ‘ECC’ means ‘Elliptic Curve Cryptography’.

Those mobile telephones had special software and modified hardware that enabled, via servers installed in Roubaix (France), end-to-end encrypted communication that could not be intercepted by conventional investigative means.

In the late 2010s, investigative measures initiated by the Belgian, Netherlands and French authorities targeted the ‘Sky ECC organisation’, which was suspected of commercialising products and encrypted communications services specifically aimed at facilitating the commission of criminal offences.

Following those national investigative measures, the Kingdom of Belgium and the Kingdom of the Netherlands adopted, at the end of 2018, European Investigation Orders in accordance with Directive 2014/41/EU of the European Parliament and of the Council of 3 April 2014 regarding the European Investigation Order in criminal matters (OJ 2014 L 130, p. 1), requesting the French Republic to ‘create an image’ of the servers that were used under the ‘Sky ECC’ licence and located in Roubaix. The French Republic complied with that request by intercepting, recording and transcribing the encrypted communications entering and leaving those servers.

On 13 December 2019, the Belgian, Netherlands and French authorities, by the JIT Agreement, which was adopted on the basis of Article 13 of the Convention established by the Council in accordance with Article 34 of the Treaty on European Union, on Mutual Assistance in Criminal Matters between the Member States of the European Union (OJ 2000 C 197, p. 3) and Council Framework Decision of 13 June 2002 on joint investigation teams (OJ 2002 L 162, p. 1), set up a joint investigation team (‘JIT’).

The JIT Agreement provides, inter alia:

‘2. Tasks of the JIT

‘…

Objective of the JIT

The creation of the JIT is aimed at facilitating ongoing investigations in Belgium, France and the Netherlands into the provider(s) and users of the Sky ECC communication service and at sharing technical know-how and resources.

…

The objective of the JIT is the joint preparation, development and implementation of the technique necessary for decrypting past communications and to dismantle the server; the identification and locating of users moving within and between the three countries; the setting up and coordination of a joint action day or days undertaken with the aim of arresting and bringing to justice Sky ECC’s facilitators and users.

…

The parties to the JIT agree to involve Eurojust and Europol as participants in the JIT. …

…

9.1 Agreements on the use of digital data from listening to servers

Mutual exchange of information

The parties to the JIT agree to share, with each other and with Europol, as soon as possible, all raw data, for the purposes of analysis and use, as well as the results of those analyses and uses.

In addition to evidence against the criminal organisation that develops and commercialises Sky ECC, the raw or analysed data may also contain information that may be relevant for criminal investigations against other perpetrators or groups of perpetrators or for offences in the context of which Sky ECC means of communication have been used.

Europol will provide assistance in the analysis of digital data and will inter alia be responsible for dividing the raw data and the results of the analyses into “national packages” based on the location of the means of communication used.

…’

The JIT led to the sharing, between Europol and the three Member States concerned, of intercepted raw data, which then had to be analysed, as well as the results of that analysis.

In that context, Europol stored the data in its IT system, undertook cross-checking, produced intelligence reports, generated data visualisation graphs and interpreted multilingual data sets.

Eurojust, for its part, organised, on 25 April 2019, 7 September 2020 and 11 February 2021, meetings to coordinate the investigations into the ‘Sky ECC’ activities, with the participation of the Belgian, French and Netherlands authorities and the participation of Europol; during those meetings, first, Eurojust provided support and advice on the possibilities of judicial cooperation and, second, the progress of the investigations of each of those authorities was discussed.

Forms of order sought

The applicant claims that the Court should:

–declare the JIT Agreement ‘inadmissible’;

–order Eurojust and Europol to pay him the sum of EUR 30 000 as compensation for the non-material damage suffered as a result of ‘[his] inability to refute the allegations made against him and the (subsequent) (unjust) (preliminary) detention’, public disclosure, ‘compromised [defence] position’, additional mental burden, and data that ‘has ended up or could have ended up in the wrong hands’;

–order Eurojust and Europol to pay the costs.

Eurojust and Europol contend that the Court should:

–dismiss the action as manifestly inadmissible and, in any event, as manifestly lacking any foundation in law or unfounded;

–order the applicant to pay the costs.

The Kingdom of Spain submits that the Court should dismiss the action as inadmissible or, in the alternative, as unfounded, and order the applicant to pay the costs.

The Kingdom of the Netherlands submits that the Court should dismiss the action and order the applicant to pay the costs.

Under Article 126 of the Rules of Procedure of the General Court, where it is clear that the Court has no jurisdiction to hear and determine an action or where the action is manifestly inadmissible or manifestly lacking any foundation in law, the Court may, on a proposal from the Judge-Rapporteur, at any time decide to give a decision by reasoned order without taking further steps in the proceedings.

In the present case, the Court, taking the view that it has sufficient information from the documents before it, has decided to give a decision without taking further steps in the proceedings.

The first head of claim, seeking a declaration that the JIT Agreement is ‘inadmissible’

Eurojust and Europol submit that the General Court does not have jurisdiction to hear and determine the first head of claim on the grounds that the JIT Agreement is not an act of the European Union and that the applicant is seeking a declaratory judgment.

In the reply, the applicant has not expressed a view on that plea of inadmissibility.

It is apparent from the first head of claim in the application, read in conjunction with paragraph 68 thereof, that the applicant seeks a declaration that the JIT Agreement is ‘inadmissible’ on the basis of Article 277 TFEU.

In that regard, in the first place, it must be stated that neither Article 277 TFEU, nor any other provision of the FEU Treaty, allows the EU judicature to declare an act ‘inadmissible’.

In the second place, and assuming that the applicant intended to ask the Court to declare the JIT Agreement inapplicable, it must be noted that, in the context of a plea of illegality raised on the basis of Article 277 TFEU, as with in an action brought on the basis of Article 263 TFEU, the EU judicature does not have jurisdiction to rule on the lawfulness of a measure adopted by a national authority (see, to that effect, judgment of 3 December 1992, Oleificio Borelli v Commission, C‑97/91, EU:C:1992:491, paragraph 9), even if that national measure forms part of an EU decision-making procedure (judgment of 29 January 2020, GAEC Jeanningros, C‑785/18, EU:C:2020:46, paragraph 27).

In the present case, the JIT Agreement was concluded by only the Belgian, French and Netherlands authorities.

As Eurojust is fully entitled to submit, the fact that it and Europol were associated with the JIT Agreement as ‘participants’ under paragraph 7 of that agreement cannot confer on either of them the status of party to that agreement or confer on that agreement the nature of an act adopted by an institution, body, office or agency of the European Union.

In the light of the foregoing, the first head of claim must be rejected on the ground that the Court manifestly lacks jurisdiction to hear and determine it.

The second head of claim, seeking compensation for the non-material damage allegedly suffered

The applicant’s second head of claim must be understood as meaning that, in his view, Eurojust or Europol and Member States carried out unlawful processing operations in respect of his personal data, which caused him non-material damage which he assesses at EUR 30 000.

In essence, the applicant submits, first of all, that the French authorities unlawfully collected the personal data of users of the ‘Sky ECC’ communication service from servers located in Roubaix, next, that those data were unlawfully transmitted to Eurojust or Europol, in particular for the purposes of storage and analysis, and, lastly, that those data unlawfully served as evidence in criminal proceedings allegedly initiated against him by the Netherlands authorities.

It is in that context that, in the form of order sought in the application, the applicant seeks compensation for the non-material damage resulting from (i) his inability to refute the allegations made against him and from his ‘(subsequent) (unjust) (preliminary) detention’; (ii) public disclosure; (iii) ‘compromised [defence] position’; (iv) additional mental burden; and (v) data that ‘has ended up or could have ended up in the wrong hands’.

The admissibility of the second head of claim in so far as it concerns Eurojust

Eurojust disputes the admissibility of the second head of claim in so far as the latter is directed against it. In support of its plea of inadmissibility, Eurojust submits that the applicant has not demonstrated that the conditions for the admissibility of his second head of claim were satisfied. In particular, the applicant has not identified the allegedly unlawful conduct of Eurojust.

In that regard, Eurojust denies that it contributed to the acquisition of all the data from the ‘Sky ECC’ communication service, that it was one of the recipients of those data, that it participated in the decryption of those data, that it had access to them or that it was involved in the storage or further processing of the data. In addition, it denies that it carried out any processing operation in respect of the applicant’s personal data, in so far as it did not provide any support to the Belgian authorities in the context of the criminal proceedings allegedly brought against him, or receive, from the Kingdom of Belgium or from any other Member State, information concerning any investigations or proceedings brought against him.

The applicant submits, in essence, that Eurojust was involved in the investigative measures against users of the ‘Sky ECC’ communication service, since it organised, inter alia, coordination meetings between the members of the JIT.

Under Article 76(d) of the Rules of Procedure of the General Court, the application must contain the subject matter of the proceedings, the pleas in law and arguments relied on and a summary of those pleas. Those details must be sufficiently clear and precise to enable the defendant to prepare its defence and the Court to rule on the action, if necessary without any other information. In order to guarantee legal certainty and the sound administration of justice it is necessary, if an action is to be admissible, for the basic legal and factual particulars relied upon to be stated coherently and intelligibly in the application itself (see order of 11 March 2021, Techniplan v Commission, T‑426/20, not published, EU:T:2021:129, paragraph 19 and the case-law cited).

In order to satisfy those requirements, an application seeking compensation for damage caused by an EU institution must contain information identifying the conduct which the applicant alleges against the institution, the reasons why he considers that a causal link exists between that conduct and the damage which he claims to have suffered, and the nature and extent of that damage (see judgment of 20 July 2017, ADR Center v Commission, T‑644/14, EU:T:2017:533, paragraph 66 and the case-law cited).

In the present case, the applicant seeks to establish the non-contractual liability of Eurojust on the basis of Articles 268 and 340 TFEU, read in conjunction with Article 46(1) of Regulation (EU) 2018/1727 of the European Parliament and of the Council of 14 November 2018 on the European Union Agency for Criminal Justice Cooperation (Eurojust), and replacing and repealing Council Decision 2002/187/JHA (OJ 2018 L 295, p. 138), under which Eurojust may be held liable for damage caused to an individual which results from the unauthorised or incorrect processing of data ‘carried out by it’.

It follows from the clear and precise wording of Article 46(1) of Regulation 2018/1727 that, contrary to what the applicant claims, Eurojust may incur non-contractual liability only in respect of the processing of personal data carried out by it. By that provision, the EU legislature excluded the possibility of Eurojust being held liable for actions of the Member States or of Europol, contrary to what the legislature provided as regards Europol in Article 50(1) of Regulation (EU) 2016/794 of the European Parliament and of the Council of 11 May 2016 on the European Union Agency for Law Enforcement Cooperation (Europol) and replacing and repealing Council Decisions 2009/371/JHA, 2009/934/JHA, 2009/935/JHA, 2009/936/JHA and 2009/968/JHA (OJ 2016 L 135, p. 53).

35In that context, it must be noted that the essential facts that would make it possible to identify the processing operations, allegedly carried out by Eurojust in respect of applicant’s personal data, are in no way apparent from the text of the application itself, with the result that the action does not satisfy the requirements set out in paragraphs 31 and 32 above.

36First of all, the applicant has merely asserted, in essence, that Eurojust, as a participant in the JIT, was closely involved in the operations to collect and analyse the data from the ‘Sky ECC’ servers, because it organised several coordination meetings between the parties to the JIT.

37However, the mere fact that Eurojust organised coordination meetings between the parties to the JIT does not permit the inference that it collected, received, stored, transmitted or analysed the applicant’s personal data or, on one of those occasions, carried out unauthorised or incorrect processing of those personal data within the meaning of Article 46(1) of Regulation 2018/1727.

38Next, the applicant merely responded to the line of argument of Eurojust, which expressly denied that it had processed the applicant’s personal data, by stating, in particular in paragraphs 3, 29 or 32 of the reply, that he had provided, in the application, a substantial number of documents supporting his claims to the requisite standard.

39While it is true that the applicant annexed to the application a considerable number of documents, he has not identified the documents which might establish that Eurojust actually processed his personal data during the coordination meetings which it acknowledges having organised, or on any other occasion.

40It is not for the Court to supplement the arguments put forward by the applicant in the application, by searching for and, if necessary, identifying, in one or more of the 26 annexes thereto, evidence capable of substantiating his claims (see, to that effect, judgment of 13 February 2025, Commission and Others v Carpatair, C‑244/23 P to C‑246/23 P, EU:C:2025:87, paragraph 77).

41In the reply, the applicant has also failed to identify more precisely the relevant documents attached to the application that are capable of supporting his allegation; nor has he produced additional evidence to that effect, which he was nevertheless entitled to produce, subject to compliance with Article 85(2) of the Rules of Procedure.

42However, if it was apparent from the file of the Belgian criminal proceedings – of which the applicant claims he is the subject and which, in his view, involved Eurojust – that that agency had actually processed his personal data, it was sufficient for him to produce, in the application, the relevant documents from that file.

43Lastly, the applicant has also not expressed his views on Eurojust’s argument that the only processing operations which it had carried out in connection with the investigations relating to the ‘Sky ECC’ licensed servers concerned the users of that encrypted communication service in respect of whom a request for mutual legal assistance was necessary to enable the national authorities of States not forming part of the JIT to receive the data relating to that service that were collected by the French authorities.

44That argument of Eurojust is supported by the wording of Article 9(1) of the JIT Agreement produced by the applicant, under which the Belgian authorities – as a party to the JIT – were entitled to have direct access to the personal data collected by the French authorities, including, where applicable, the data relating to the applicant, without submitting a request for legal assistance to Eurojust. Moreover, the applicant has neither alleged nor, a fortiori, demonstrated that the Belgian authorities had sent Eurojust a request for mutual legal assistance concerning him in order to gain access to his personal data collected by the French authorities.

45In the light of the foregoing, it must be held that the applicant has not provided the essential facts to make it possible to identify conduct on the part of Eurojust that would be capable of giving rise to the latter’s non-contractual liability in accordance with Articles 268 and 340 TFEU, read in conjunction with Article 46(1) of Regulation 2018/1727.

46Consequently, the second head of claim must be rejected as manifestly inadmissible in so far as it is directed against Eurojust.

The second head of claim in so far as it is directed against Europol

– The admissibility of the second head of claim in so far as it is directed against Europol

47In support of its plea of inadmissibility, Europol submits that the applicant has not provided any explanation, let alone any evidence, concerning the existence or extent of the alleged non-material damage, the unlawful conduct alleged to have been committed by Europol and the causal link between that alleged conduct and that alleged damage.

48The applicant disputes that line of argument.

49In the present case, even though the application is not structured around the three cumulative conditions to which the non-contractual liability of the European Union is subject, it contains the elements from which it is possible to identify the conduct alleged against Europol and against the Member States which were involved in the context of cooperation with Europol, the nature and form of the alleged damage and the reasons why the applicant considers that there is a causal link between that conduct and that damage (see paragraphs 25 to 27 above).

50That information, although brief as regards, inter alia, the alleged non-material damage, can be regarded as sufficient to satisfy the requirements set out in paragraphs 31 and 32 above.

51As regards the circumstance put forward by Europol that the applicant has not produced any conclusive evidence of the extent or existence of the non-material damage which he alleges, that circumstance falls to be considered in the context of the assessment of the merits of the action and not its admissibility (see, to that effect, judgment of 2 July 2003, Hameico Stuttgart and Others v Council and Commission, T‑99/98, EU:T:2003:181, paragraph 30).

52The plea of inadmissibility raised by Europol must, therefore, be rejected.

– The merits of the second head of claim in so far as it is directed against Europol

53The applicant complains, in essence, that the Belgian, French and Netherlands authorities and Europol carried out unlawful processing operations in respect of his personal data, which caused him non-material damage which he assesses in the amount of EUR 30 000.

54Europol disputes that line of argument.

55In accordance with the conditions laid down in Article 340 TFEU, to which Article 50(1) of Regulation 2016/794 refers, where the individual who has suffered damage brings an action against Europol, the European Union may incur non-contractual liability only if a number of conditions are satisfied, namely the conduct alleged against that agency must be unlawful, actual damage must have been suffered and there must be a causal link between that conduct and the damage complained of (see, to that effect, judgment of 5 March 2024, Kočner v Europol, C‑755/21 P, EU:C:2024:202, paragraph 73 and the case-law cited).

56In the present case, it is appropriate to examine, first of all, the condition relating to whether the alleged non-material damage was actually suffered.

57In that regard, according to the case-law, in any event, it is for the party seeking to establish the European Union’s non-contractual liability to adduce conclusive proof as to the existence and extent of the damage it alleges (see judgment of 30 May 2017, Safa Nicu Sepahan v Council (C‑45/15 P, EU:C:2017:402, paragraph 62 and the case-law cited).

58More specifically, it is for the applicant to prove that the damage for which they seek compensation in an action to establish non-contractual liability of the European Union affects them personally (see, to that effect, orders of 3 September 2021, Löning v Commission, C‑176/21 P, not published, EU:C:2021:697, paragraph 19, and of 20 July 2023, Baldan v Commission, T‑276/23, not published, EU:T:2023:411, paragraph 11; see also, to that effect and by analogy, judgment of 9 November 1989, Briantex and Di Domenico v EEC and Commission, 353/88, EU:C:1989:415, paragraph 6), but is also actual and certain (see, to that effect, judgment of 16 July 2009, SELEX Sistemi Integrati v Commission, C‑481/07 P, not published, EU:C:2009:461, paragraph 36 and the case-law cited).

59It follows that the condition relating to the actual damage suffered cannot be regarded as satisfied by invoking the damage suffered by other users of the ‘Sky ECC’ communication service as a result of the data processing operations complained of in the present action.

60As regards the personal damage on which the applicant relies, he merely claims, in paragraphs 3, 4 and 59 of the application, that he suffered non-material damage as a result of acts committed, inter alia, by Europol, without substantiating with any conclusive evidence the five heads of non-material damage referred to in the form of order sought in the application.

61Mere unsubstantiated allegations do not satisfy the conditions laid down by the case-law referred to in paragraphs 57 and 58 above in order for Europol to incur non-contractual liability under the conditions laid down in Article 50(1) of Regulation 2016/794.

62First, as regards the applicant’s provisional detention, referred to only on the first page of the application and in the form of order sought, he has not provided any evidence that he has been detained. Moreover, even if that were the case, he has not provided any evidence capable of establishing in which location and for how long he has been detained or whether that detention was actually ordered in the context of the ‘Sky ECC case’.

63Second, as regards the alleged publicity which he claims his case has received, mentioned only in the form of order sought in the application, the applicant has not provided any evidence to make it possible to assess whether his case has received any publicity or, a fortiori, undue publicity.

64Third, as regards the non-material damage which, he claims, resulted from the fact that it was impossible for him to refute the allegations made against him or from his compromised defence position, the applicant has not produced any evidence capable of substantiating the difficulties that he claims to have encountered in defending himself in the proceedings allegedly initiated against him. In addition, he has also not adduced any evidence to demonstrate that the accusations made in the context of those alleged proceedings were based on his personal data collected from the ‘Sky ECC’ servers.

65Fourth, as regards the non-material damage which, he claims, results from the fact that his personal data ‘ended up or could have ended up in the wrong hands’ – which, in the absence of further details, must be treated as the applicant’s ‘additional mental burden’ – mentioned only in the form of order sought in the application, the following should be noted.

66First, the requirement referred to in paragraph 57 above to prove actual and certain damage precludes Europol from being ordered to pay compensation for damage resulting from the fact that the applicant’s personal data ‘could end up in the wrong hands’, since that damage is future and purely hypothetical and cannot give rise to compensation.

67It is true that the requirement as to the existence of actual and certain damage may be regarded as satisfied where the damage is imminent and foreseeable with sufficient certainty, even if it cannot yet be precisely assessed (see, to that effect, order of 19 May 2008, Transports Schiocchet – Excursions v Commission, T‑227/07, not published, EU:T:2008:156, paragraph 33, and the case-law cited).

68Nevertheless, in the present case, in so far as the applicant relies on the fact that his personal data ‘could end up the wrong hands’, he has neither alleged nor, a fortiori, demonstrated that that damage is imminent and foreseeable with sufficient certainty.

69Furthermore, the applicant has not adduced any evidence capable of proving that he suffered non-material damage as a result of the fact that his personal data, which, moreover, he has failed to produce in the present proceedings, ‘ended up in the wrong hands’.

70It is true that the applicant has produced several annexes, some of which demonstrate the existence of investigative measures stemming from various national authorities concerning communication services and online platforms suspected of being or having been used by criminal networks.

71However, the applicant has not established a link between the annexes produced and the non-material damage alleged. As already recalled in paragraph 40 above, it is not for the Court to supplement the arguments put forward by the applicant in the application, by seeking and identifying, in the annexes thereto, evidence capable of substantiating the existence and extent of the non-material damage which he claims to have suffered.

72In that regard, the Court observes that it is apparent from a footnote to paragraph 75 of the reply that the applicant has an ‘official report’ containing the personal data, concerning him, that were allegedly intercepted, then processed by Europol and by the Member States concerned, but that he does not intend to produce that report in the present proceedings ‘for reasons to be specified later, including the protection of [his] privacy’, reasons which he does not, however, set out subsequently.

73In that regard, first, it must be noted that, according to Article 76(f) of the Rules of Procedure, the application is to contain, where appropriate, any evidence produced or offered. Second, under Article 85(1) and (2) of the Rules of Procedure, evidence produced or offered is to be submitted in the first exchange of pleadings and the main parties may, in reply or rejoinder, produce or offer further evidence in support of their arguments, provided that the delay in the submission of such evidence is justified.

74It follows from Article 85(1) and (2) of the Rules of Procedure that it is not for the Court to request the production of documents or to carry out, of its own motion, an investigation of the file in order to remedy the parties’ omissions in regard to the production of evidence (see, to that effect, judgment of 2 July 2003, Hameico Stuttgart and Others v Council and Commission, T‑99/98, EU:T:2003:181, paragraph 74 and the case-law cited).

75Even if the footnote referred to in paragraph 72 above could be interpreted as evidence offered, the applicant has not justified the delay in submitting that evidence offered in the reply, with the result that that evidence offered is out of time and therefore inadmissible.

76In any event, given that the applicant alleges that Europol carried out unlawful processing operations in respect of his personal data, it cannot be argued that those data are confidential vis-à-vis Europol. Accordingly, nothing indicates that the applicant’s right to protection of his privacy precluded him from producing those data in the application, since those data are not, moreover, confidential vis-à-vis the Court.

77In the light of the foregoing, it must be concluded that the applicant has not discharged his burden of proving the existence and extent of the non-material damage for which he seeks compensation from Europol.

78It is true that, even in the absence of evidence capable of demonstrating the existence and extent of non-material damage, the condition relating to the existence of such damage may be satisfied if the applicant establishes that non-material damage necessarily resulted from the conduct of which he or she complains (judgment of 12 December 2024, DD v FRA, C‑130/22 P, EU:C:2024:1018, paragraph 111). It is, however, for the applicant to establish, at the very least, that the conduct alleged against the institution concerned was such as to cause him or her damage of that kind (judgment of 16 July 2009, SELEX Sistemi Integrati v Commission, C‑481/07 P, EU:C:2009:461, paragraph 38).

79In the present case, that has not been demonstrated.

80The applicant has not produced his own personal data that, in his view, were unlawfully processed and he has not provided any evidence capable of establishing that those data were in the possession of the Belgian, French or Netherlands authorities or Europol.

Europol cannot incur non-contractual liability in the absence of evidence enabling the Court to identify the personal data that were allegedly the subject of unlawful processing operations and to assess whether, and to what extent, the alleged non-material damage necessarily stemmed from those processing operations.

83That conclusion is not invalidated by the applicant’s line of argument based on the judgment of 5 March 2024, Kočner v Europol (C‑755/21 P, EU:C:2024:202).

84Under Article 50(1) of Regulation 2016/794, read in the light of recital 57 of that regulation, any individual who has suffered damage as a result of an unlawful data processing operation has the right to receive compensation for damage suffered, either from Europol in accordance with Article 340 TFEU, or from the Member State in which the event that gave rise to the damage occurred, in accordance with its national law. The individual is to bring an action against Europol before the Court of Justice of the European Union, or against the Member State before a competent national court of that Member State.

85The legislator established this regime of joint and several liability of Europol and the Member States, in particular to address the difficulties which an individual may experience in determining whether the damage suffered as a result of unlawful processing of his or her personal data is a consequence of an action by Europol or a Member State (see, to that effect, judgment of 5 March 2024, Kočner v Europol, C‑755/21 P, EU:C:2024:202, paragraphs 75 and 76).

86However, Article 50(1) of Regulation 2016/794 cannot be read as exempting a person, who considers himself or herself to have been harmed by unlawful processing of his or her personal data, from the conditions arising from Article 340 TFEU, to which that provision refers, in particular the condition relating to the actual damage alleged.

87In the light of all of the foregoing, it must be concluded that the condition relating to the actual damage alleged is not satisfied.

88Accordingly, the second head of claim must be rejected as manifestly lacking any foundation in law in so far as it is directed against Europol, without it being necessary to rule on the other conditions for the European Union to incur non-contractual liability, since those conditions are cumulative (see, to that effect, judgment of 30 November 2022, KN v Parliament, T‑401/21, EU:T:2022:736, paragraph 34 and the case-law cited).

89Consequently, the action must be dismissed in its entirety.

Costs

90Under Article 134(1) of the Rules of Procedure, the unsuccessful party is to be ordered to pay the costs if they have been applied for in the successful party’s pleadings. Since the applicant has been unsuccessful, he must be ordered to pay the costs, in accordance with the forms of order sought by Eurojust and Europol. Furthermore, pursuant to Article 138(1) of the Rules of Procedure, the Kingdom of Spain and the Kingdom of the Netherlands are to bear their own costs.

On those grounds,

hereby orders:

1.The action is dismissed as being brought before a court that manifestly lacks jurisdiction to hear and determine the action in so far as the latter seeks a declaration that the agreement establishing a joint investigation team relating to the ‘Sky ECC’ encrypted communication service is ‘inadmissible’.

2.The action is dismissed as manifestly inadmissible in so far it is directed against the European Union Agency for Criminal Justice Cooperation (Eurojust) and seeks compensation for the non-material damage attributed to Eurojust.

3.The action is dismissed as manifestly lacking any foundation in law in so far it is directed against the European Union Agency for Law Enforcement Cooperation (Europol) and seeks compensation for the non-material damage attributed to Europol.

4.FF shall bear his own costs and shall pay those incurred by Eurojust and Europol.

5.The Kingdom of Spain and the Kingdom of the Netherlands shall bear their own costs.

Luxembourg, 26 June 2025.

Registrar

President

—