In a judgment dated December 3, 2015[1], the General Court of the European Union (hereinafter "the General Court") ruled on the non-contractual liability of the Parliament. In this case, the Parliament had published the petitioner's personal data online, which had been transmitted when he submitted his petition. The debate thus focused on the protection of personal data.

The petitioner had submitted a petition to the European Parliament concerning the support given to European civil servants who fell ill during their careers. The petition had been submitted via an online form made available on the European Parliament's website.

Having been declared admissible, the petition examination procedure was closed. A communication was published by the Parliament on its website, including the content of the petition and the opinion delivered by the Commission, which included the petitioner's personal data (name, details of his state of health and his son's disability).

On several occasions, the applicant requested the withdrawal of this information. The Parliament stated that it would comply with his request, but that it was under no legal obligation to do so. However, the deletion of the data had still not been carried out when the application was lodged with the Court Registry on November 21, 2013.

The application sought to establish the Parliament's extra-contractual liability for the non-material damage suffered, on the basis of article 340 paragraph 2 of the Treaty on the Functioning of the European Union. The Court examined whether the three cumulative conditions for the liability of a European institution (which are the same for Member States) had been met[2]. These are, according to established case law, a clear and serious breach of a rule conferring rights on individuals, by an institution of the European Union, exceeding its discretionary powers[3].

The Court dismissed the applicant's claim.

As regards the unlawfulness of the Parliament's conduct, the Court found that the first criterion for extra-contractual liability, which presupposes the existence of unlawful conduct on the part of an institution, had not been met. The claimant had failed to demonstrate that the European Parliament had violated either the Convention on the Rights of Persons with Disabilities[4] or the ECHR[5]. Nor did it question the validity of Regulation 45/2001[6] on the protection of personal data. When a petition is submitted online, the petitioner is fully informed of the conditions under which the petition will be publicized by means of a help section for petitioners. The Court concluded that the petitioner had therefore expressed a "free, specific and informed will" to allow his personal data to be processed by the Parliament and disseminated in connection with the examination of a petition by the Parliament.

Moreover, in the case of the disclosure of his son's disability, the claimant was not entitled to bring an action based on the violation of the rights of a third party. Incidentally, the Convention on the Rights of Persons with Disabilities had been ratified by the EU, but it still had to be demonstrated that the text conferred rights on individuals.

Lastly, the Court recalled that the deletion of personal data is a right of the data subject only when its dissemination was unlawful, which was not the case here, unlike the "right to be forgotten" arising from the 2014 Google Spain case[7]. Since Parliament had agreed to delete the disputed data, purely as a courtesy and not under the compulsion of the law, as it had pointed out, the dissemination was lawful, and it was not bound by the time limit which applies to cases of unlawful dissemination.

With regard to the existence of damage and the causal link, the Court recalls that it is up to the applicant to prove real and certain damage, as well as the direct causal link between the damage and the illegality committed by the institution concerned. In this case, the damage was not proven, as the applicant had merely complained of the stress caused by the Parliament's delaying tactics and disdainful behavior.

This ruling demonstrates the limits of the scope of the general principle of the right to protection of personal data. This principle has been particularly developed by the European Court of Justice[8]. However, between 1,500 and 3,000 petitions are submitted to the European Parliament every year. It would therefore appear difficult to change the expression of consent.

Moreover, the judgment reiterates the restrictive nature of non-contractual liability claims against European institutions, a fortiori in the case of non-material damage: it is important that the causal link between the damage suffered and the clear violation of a claimant's right be established precisely by the claimant, at the risk of being denied any compensation.

Aurélien RACCAH/Diane DE CHARETTE

[1] Judgment of the General Court (Sixth Chamber) of December 3, 2015, CN v. European Parliament, T-343/13. EU:T:2015:926.

[2] Judgment of the Court of 5 March 1996, Brasserie du Pêcheur SA v Bundesrepublik Deutschland and The Queen v Secretary of State for Transport, ex parte: Factortame Ltd and others, C-46/93 and C-48/93, EU:C:1996:79.

[3] See, for example, the Court's judgment of September 9, 2008, MyTravelCommission, T-212/03, EU :T :2008 :315, point 35.

[4] United Nations Convention on the Rights of Persons with Disabilities of December 13, 2006, entered into force May 3, 2008.

[5] Convention for the Protection of Human Rights and Fundamental Freedoms of November 4, 1950, entered into force September 3, 1953.

[6] Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data.

[7] Court judgment of May 13, 2014, Google Spain SL, C-131/12, EU:C:2014:317.

[8] See, for example, judgment of the Court of 6 October 2015, Maximillian Schrems v Data Protection Commissioner, C-362/14, ECLI:EU:C:2015:650 ;