Abstract

How should a ‘diligent’ administrator act?
A search of the database of the Court of Justice of the European Union (CJEU) reveals that over the past 25 years, of the 65 or so cases where companies or individuals claimed compensation for damage they allegedly suffered as a result of decisions of EU institutions, EU courts found in their favour in only 10% of such cases. The main reasons for the low rate of success of claimants were the absence of actual damage or the lack of a causal relationship between the decision in question and the damage or the fact that the decisions did not constitute a ‘serious’ enough breach of EU law that the EU institution concerned could incur non-contractual liability. Indeed, it is not easy to prove that a faulty legal act or an administrative mistake constitutes a serious breach of law. In order to appreciate whether the standard of proof of EU liability is too high or not, consider, first, the following mental experiment.
Your boss has put you in charge of a project over which you have decision-making discretion. During the implementation phase, you are confronted with a choice between options A and B. It appears that A is superior to B for achieving the objective of the project, but you are not sure without further investigation. Would you exploit your decision-making discretion and make an easy but random choice or would you opt to assess A in more detail? Time is not a constraint. A diligent person would avoid the predictably wrong choice of B.
Now suppose the boss has also instructed you beforehand to choose option B, were you confronted with a choice between A and B. Your discretion is thus limited. However, you realise, on the basis of newly available evidence, that option B is worse for the project. You cannot communicate with the boss. Would you blindly follow the boss’ instruction or choose A, and then explain why? Bearing in mind the purpose of the project, option A should obviously be preferred.
The important point to bear in mind is that, in both iterations of these hypothetical situations, a diligent person using prudence and foresight would avoid the obviously and predictably wrong option.
When assessing whether the EU is liable for a ‘serious breach of a rule of law’, the CJEU has also referred to the hypothetical ‘diligent’ person or administrator, but it has not spelled out what a diligent person test may entail. Here is a possible definition of such a test: a diligent person takes into account all available and relevant information and acts either to choose the best available option or to avoid any mistake that can be reasonably foreseen.
As the case law on EU liability has evolved, the CJEU has used multiple and not always consistent criteria. Recent judgments have made it more difficult to understand when a breach of law is serious. There is a need for a clearer test explicitly linking liability with failure to act with due diligence.
Conditions under which the EU may incur non-contractual liability
According to Article 340 TFEU, ‘in the case of non-contractual liability, the Union shall, in accordance with the general principles common to the laws of the Member States, make good any damage caused by its institutions or by its servants in the performance of their duties.’
It is now well-established in the case law that EU institutions incur non-contractual liability when the following cumulative conditions are satisfied: 1
There must be an infringement of a law that confers rights to individuals;
The infringement must constitute a ‘serious breach’ of a rule of EU law;
Material or non-material harm or damage must have been suffered;
There must be a causal relationship between the infringement and the damage.
Of the above four conditions, the most contentious is whether the breach of a rule of EU law is ‘serious’. This is because a mere breach of EU law may result in annulment of the act in question but does not automatically suffice for the EU institution concerned to incur non-contractual liability. 2 In other words, illegality is not always ‘serious’ within the meaning of Article 340 TFEU.
Almost 30 years ago, the CJEU ruled that ‘the decisive test for finding that a breach of Community law is sufficiently serious is whether (…) the Community institution concerned manifestly and gravely disregarded the limits on its discretion.’ 3 The factors that may be taken into account for that purpose include ‘the clarity and precision of the rule breached, the measure of discretion left by that rule to the (…) Community authorities, whether the infringement and the damage caused was intentional or involuntary, whether any error of law was excusable or inexcusable, the fact that the position taken by a Community institution may have contributed towards the omission, and the adoption or retention of national measures or practices contrary to Community law.’ 4
That a manifest and grave disregard of the limits of discretion is ‘the decisive criterion’ of a serious breach of law has been confirmed by the CJEU in its most recent judgment on this matter on 5 March 2024, in Marián Kočner v Europol. The Court added that ‘where the authority concerned has only considerably reduced, or even no, discretion, the mere infringement of EU law may be sufficient to establish the existence of a sufficiently serious breach of that law (…) In particular, inexcusable mistakes, grave negligence in the exercise of a duty or an obvious lack of care constitute such an infringement’. 5 The CJEU first linked reduced or absent discretion to serious breach in 1996 in the Hedley Lomas case. 6 Since then, it has repeated this notion in numerous other judgments. 7
Indeed, the other indicators of serious breach are also not new. The CJEU first referred to ‘inexcusable mistakes’ 8 in 1961, to ‘gravely neglected the duties of supervision’ 9 also in 1961, and to ‘lack of care’ 10 which was ‘increasingly obvious’ in 1966.
However, these indicators are not necessarily easy to apply in practice. For example, the CJEU has held that the assessment of whether the duty to act with ‘requisite care’ has been breached depends on ‘the circumstances or the context in which that duty’ is imposed and ‘account must, to that end, be taken of all aspects characterising the situation concerned’. 11 In addition, account must also be taken of ‘the complexity of the situation to be regulated and difficulties in the application or interpretation of the legislation’. 12
A case in point is the annulment of a judgment of the General Court in April 2017 by the CJEU on the grounds that the General Court presumed that, because the Ombudsman had limited discretion in the processing of information, errors in the assessment of that information necessarily constituted a serious breach, without examining the context in which those errors had been committed. Ultimately, the CJEU still held that a serious breach had occurred because the Ombudsman had failed to confirm the veracity of the relevant information and to substantiate its conclusions. 13
In the most recent case on 5 March 2024, in Marián Kočner v Europol, the CJEU did confirm that the ‘obligation to protect any individual against any unlawful form of making personal data concerning him or her available’ leaves no discretion to EU institutions which have to ‘implement appropriate technical and organisational measures for that purpose.’ 14 Therefore, ‘unlawful processing of (…) data (…) constituted a sufficiently serious breach of a rule of EU law intended to confer rights on individuals.’ 15
Failure to exercise ordinary care and diligence has been a frequent reason cited by the CJEU for finding a serious breach of a rule of law resulting in non-contractual liability. 16
Protection of fundamental rights is another oft-cited reason. Not providing undertakings with essential information that is necessary for their defence is a violation of their rights that constitutes a serious breach of law. 17
A serious breach is also committed in cases where the Council imposes indiscriminate sanctions, because EU institutions must justify any restrictive measures and, as a consequence, they enjoy limited or no discretion in this respect. 18 The CJEU has held that ‘the rule requiring the Council to substantiate the restrictive measures adopted does not relate to a particularly complex situation and that it is clear and precise and, accordingly, does not give rise to any difficulties as regards its application or interpretation.’ 19 Therefore, ‘an administrative authority, exercising ordinary care and diligence, would (…) have realised (…) that the onus was upon it to gather the information or evidence substantiating the restrictive measures concerning the applicant in order to be able to establish, in the event of a challenge, that those measures were well founded by producing that information or evidence before the EU judicature.’ Thus, ‘[s]ince it did not act in that way, the Council has incurred liability for a sufficiently serious breach of a rule of law intended to confer rights on individuals’. 20
Multiplication of criteria?
One would have inferred from the statements quoted above that the likelihood of an error becoming a serious breach of law is inversely related to the extent of discretion enjoyed by EU institutions. Indeed, in another very recent case, in January 2024, the CJEU ruled in Dyson v Commission that the test for identifying a serious breach of EU law ‘is satisfied where a breach is established which implies that the institution concerned manifestly and gravely disregarded the limits set on its discretion’. 21 However, the CJEU added that ‘the identification of such a breach presupposes that an irregularity is found that would not have been committed in similar circumstances by an administrative authority exercising ordinary care and diligence.’ 22 The latter sentence does not appear to explain the former sentence because the disregard of the limits of discretion and the commission of irregularities are two different concepts. The CJEU further elaborated that it was necessary to take into account the context, the clarity and precision of the rules, the complexity of the situation and whether the error was inexcusable. 23 Yet, it is not clear whether these criteria determine whether the disregard of the limits of discretion is grave or whether they stand on their own.
Then, rather confusingly, the CJEU also held that ‘the measure of discretion left by the rule of law breached to the EU authority is only one of the factors to take into consideration in order to determine whether that authority committed a sufficiently serious breach of that rule. While that is a relevant factor, which must be assessed in every case, the fact that the provision breached does not leave any discretion does not necessarily mean that that breach is sufficiently serious.’ 24 In fact, ‘[d]epending on the circumstances of each case, other factors may be taken into account, having regard to the context in which the infringement was found to have been committed. Accordingly, a breach of a rule of law that leaves no discretion to the authority concerned may not appear, in the light of the circumstances, to be manifest and therefore sufficiently serious, in particular if it results from an error of law that may be excused by having regard to difficulties interpreting the legislation containing that rule.’ 25
Multiple criteria create trade-offs that make the case law difficult to understand.
That was not the first time that the CJEU made similar statements. In Dyson v Commission, the CJEU cited case C-337/15 P, Ombudsman v Staelen, paragraph 40, and C-45/15, Safa Nicu Sepahan v Council, paragraph 30.
In Ombudsman v Staelen, the CJEU at paragraph 40 in turn cited C-363/88, Finsider v Commission, paragraph 24, in which it ruled that ‘it is necessary to take into account in particular the complexity of the situations which the institution must regulate, the difficulties of applying the legislation and the discretion available to the institution under that legislation.’ So the extent of discretion was just one of several criteria.
In Safa Nicu Sepahan v Council at paragraph 30, the CJEU ruled that ‘the Court has made it clear that that test is satisfied where a breach is established which implies that the institution concerned manifestly and gravely disregarded the limits set on its discretion, the factors to be taken into consideration in that connection being, inter alia, the degree of clarity and precision of the rule breached and the measure of discretion left by that rule to the EU authorities.’ Yet, it is not clear how disregard of the limits of discretion can be grave where there is not much discretion left. Does it mean that where there is much discretion left, disregard of the limits of discretion is not grave?
The need for a test of a ‘diligent’ administrator
The case law on Article 340 TFEU makes a distinction between erroneous decisions or acts that may be annulled and erroneous decisions or acts that not only must be annulled but also constitute a ‘serious breach’ of EU law that may result in non-contractual liability. As the case law currently stands, the extent of discretion of an EU institution is both the decisive test of whether the breach is serious and just one of the factors that is taken into account.
However, bearing in mind the hypothetical mental experiment at the beginning of this article, the important element is not the extent of the discretion but how a diligent administrator would have acted. When there is limited discretion it is normally easier to identify the right course of action. This is because the range of possible options is narrow. However, even when only a few options are available, the decision of a diligent administrator may not be obvious from an ex ante point of view. By contrast, when many options are available, the choice of a diligent administrator may be very obvious from an ex ante point of view. Hence, at a bare minimum, a diligent administrator is not necessarily one that makes no mistakes but one that avoids predictable errors. A diligent administrator would not commit predictable and, therefore, avoidable errors. Such errors should always constitute a serious breach of EU law regardless of the extent of the discretion of the EU institution concerned.
A case in point is the CJEU's conclusion, in the Dyson v Commission case cited above, that the Commission did not commit a serious breach when it chose a different standard than the one prescribed by law for the test of the energy efficiency of vacuum cleaners. The Commission's discretion was limited. Yet, the legally prescribed standard became outdated due to technological advances and new scientific evidence. 26
The problem is that, although in Dyson v Commission, the CJEU, in a long and detailed analysis, agreed with the Commission that the prescribed test was outdated, it did not explicitly explain that a diligent administrator would also have chosen to go beyond the limits of its discretion because what was legally prescribed was not the best means by which to achieve the objective of the law with respect to measuring energy efficiency.
A test based on the expected behaviour of a diligent administrator acting with prudence and foresight would consider both how discretion is exercised and also whether transgressing the limits of that discretion is necessary. Even where the law may not be clear as to what it requires, a diligent administrator would at least try to identify how best to interpret and apply the law and avoid predictable errors.
Such a test may in practice require extensive and complex analysis. This is not an unwelcome outcome. Similar tests — which are simple in their definition but complex in their application — exist in other areas of EU law, such as the ‘market economy investor principle’ in competition policy. The burden of proof lies with those that invoke it. But a test based on the expected behaviour of a diligent administrator who avoids predictable errors would not create trade-offs between different criteria that make legal compliance unpredictable.
