Misreading the Temporary Protection Directive? The CJEU sets the record straight on access to subsidiary protection in Framholm (C-195/25)

 

Dr Meltem Ineli Ciger, Associate Professor of International Law, Suleyman Demirel University

 

Photo credit: Dietmar Rabich, Münster, Stadtweinhaus, Beflaggung Ukraine und EU -- 2022 -- 0219, CC BY-SA 4.0

Framholm (C-195/25), delivered on 20 November 2025, is the Court of Justice’s third ruling interpreting the Temporary Protection Directive (Council Directive 2001/55/EC, TPD) following Joined Cases C‑244/24 and C‑290/24 (Kaduna) (cf. analysis here), and Case C‑753/23 (Krasiliva) (cf. analysis here). The ruling provides further clarification of Articles 3, 17 and 19 of the TPD and, crucially, confirms that temporary protection does not exclude access to subsidiary protection, ie the type of international protection available for those who do not qualify for refugee status. It therefore marks an important step in aligning the TPD, an instrument drafted in 2001, with the contemporary Common European Asylum System (CEAS).

The reference for a preliminary ruling to the Court of Justice originated in Sweden, where several third-country nationals displaced from Ukraine were granted temporary protection and subsequently applied for subsidiary protection. For years, the Swedish Migration Agency (Migrationsverket) had maintained a practice of automatically rejecting subsidiary protection applications lodged by temporary protection beneficiaries, without any examination on the merits. It interpreted Swedish law as allowing temporary protection beneficiaries to apply only for refugee status and treated all subsidiary protection applications as per se inadmissible. Faced with this restrictive and legally questionable approach, the Göteborg Administrative Court for Immigration Matters asked the CJEU whether EU law really permits a Member State to deny access to subsidiary protection solely because the applicant already enjoys temporary protection. The Court’s answer is unequivocal: No.

1.    What is the case about?

 On 11 March 2025, the Göteborg Administrative Court for Immigration Matters referred questions to the CJEU concerning whether beneficiaries of temporary protection may apply for subsidiary protection under the Qualification Directive (or QD – which defines refugee and subsidiary protection status in the EU) and have that application examined on the merits. All applicants (a Nigerian national holding a permanent residence permit in Ukraine and his Ukrainian family members) had been displaced from Ukraine following the Russian invasion and were granted temporary protection in Sweden. When they applied for international protection, the Migration Agency rejected their refugee status applications but declared their subsidiary protection claims inadmissible solely because they already held temporary protection. No assessment of eligibility under Article 15 of the QD (ie the definition of subsidiary protection) was undertaken. The referring court rightly doubted whether such a blanket exclusion could be reconciled with the development of EU asylum law since 2001, which clearly conceptualises “international protection” as including both refugee status and subsidiary protection. (cf. The Judgment paras 28-37)

2.     The questions referred to and the Court’s short answers

The Göteborg Court referred four questions to the CJEU (OJ C/2025/2651, 19 May 2025), all centred on how temporary protection interacts with the CEAS:

1.    Do the QD and the Asylum Procedures Directive 2013/32/EU (APD) apply to international protection applications lodged by persons already benefiting from temporary protection under the TPD? Yes.

2.    a) Does the term “application for asylum” in Articles 17(1) and 19(2) of the TPD cover applications for both refugee status and subsidiary protection, and must such applications be examined under the QD and APD? Yes.
b) Does Article 3(1) of the TPD prevent Member States from recognising subsidiary protection for persons who are eligible for, or already enjoying, temporary protection? No.

3.    If Articles 17(1) and 19(2) of the TPD also cover the right to apply for subsidiary protection status under the QD, are those articles, in conjunction with Article 10(2) of APD, sufficiently clear and precise to have direct effect?  Yes, and kind of yes (the Court said the QD and APD provisions have direct effect, but did not say that the TPD provisions alone have direct effect)

4.    Is Swedish law, which allows temporary protection beneficiaries to apply only for refugee status (but not subsidiary protection), compatible with EU law? No.

3.    What are Articles 3, 17 and 19 of the TPD about?

Article 3(1) of the TPD makes clear that temporary protection does not prejudge refugee status under the Refugee Convention. It is not a derogation from the Refugee Convention, nor does the grant or expiry of temporary protection affect the substantive assessment of whether an applicant meets the refugee definition.  

Article 17 of the TPD guarantees that beneficiaries of temporary protection may lodge an asylum application at any time and provides that any applications still pending when temporary protection ends must be assessed and decided hereafter.

Article 19 of the TPD regulates the interaction between temporary protection and the asylum procedure: Article 19(1) allows Member States to decide that a person cannot simultaneously hold the status of “asylum seeker” and benefit from temporary protection while their asylum application is being examined. Whereas Article 19(2) ensures continuity of protection: if, after examining an asylum application, the authorities do not grant refugee status or another form of protection, the person must still be allowed to enjoy temporary protection for the rest of the designated duration. (Cf. for a detailed commentary on these articles Skordas’ chapter; Peers’ post; Ch. 5 of my book)

4.    The AG Opinion (which I fully agree with)

The Advocate General’s analysis is worth examining closely, not least because it is carefully constructed and has clear implications for how the TPD must be read today. His reasoning develops along five points.

First, AG interprets Article 17(1) TPD’s reference to an “application for asylum” as an application for international protection, encompassing both refugee status and subsidiary protection. Although the TPD predates the CEAS, it must now be read in light of Article 78(2) TFEU, which is a Treaty provision on asylum (AG Opinion, paras 49-58). He adds “A restrictive understanding of the term ‘asylum’ in Article 17(1) of Directive 2001/55 would fail to take into account the context in which that directive applies following the entry into force of the FEU Treaty, as well as the objectives and scope of the legislation concerning ‘international protection’ which has been adopted in the intervening period.”  (para 50)  

Secondly, the AG stresses that temporary protection does not suspend or exclude access to subsidiary protection. Beneficiaries of temporary protection may lodge applications for refugee or subsidiary protection “at any time,” and the TPD operates as a complement, not an alternative, to the individual assessment required under the Qualification Directive (AG Opinion, paras 43-45, 51-52, 59-61, 66).

Thirdly, he confirms that being a temporary protection beneficiary is not a lawful ground of inadmissibility or exclusion. The exhaustive lists in Articles 12 and 17 of the QD (on grounds for excluding people from refugee or subsidiary protection status) and Article 33(2) APD (grounds for inadmissibility of asylum applications) do not include temporary protection, and national authorities cannot refuse subsidiary protection applications on that basis (AG Opinion, paras 70-72, 78-81).

Fourthly, he accepts that Member States may postpone examination of international protection applications in mass influx situations but makes clear that this administrative flexibility cannot justify a blanket inadmissibility rule for all subsidiary protection applications lodged by temporary protection beneficiaries (AG Opinion, paras 73-80, especially 7-78, 86).

Finally, he concludes that Article 17(1) TPD (not Article 19), read together with the overall CEAS architecture, confers a sufficiently clear and directly effective right to lodge an application for international protection.  

5.    What did the Court say?

The Court’s reasoning proceeds in three clear steps.

First, the Court explains that nothing in Articles 3, 17 or 19 TPD authorises Member States to refuse to examine a subsidiary protection claim simply because the applicant enjoys temporary protection (paras 45-46). Article 19(2) even anticipates the existence of “other kinds of protection,” which must be read today as encompassing subsidiary protection (para 46). The omission of subsidiary protection in the TPD text reflects only the fact that this status did not yet exist in EU law, a point that AG raised. (paras 46-47).

Secondly, the Court turns to the purpose and logic of the TPD. Temporary protection is designed to ensure immediate, time-limited protection while preserving the “effective possibility” of receiving international protection (paras 47–49). Here the Court explicitly follows its reasoning in Joined Cases C‑244/24 and C‑290/24 (Kaduna), where it held that “the purpose of the temporary protection mechanism is, inter alia, to maintain the efficient operation of the international protection system in the Member States” and that the TPD “safeguards, in particular, the effective possibility for third-country nationals and stateless persons benefiting from temporary protection" of obtaining international protection following an appropriate examination of their individual situation” (Kaduna, paras 125 and 127). A national rule excluding subsidiary protection applications as such would therefore contradict the very objective of the TPD (paras 49–50).

Thirdly, and most decisively, the Court relies on the architecture of the CEAS. It emphasises that the QD establishes two forms of international protection – namely, refugee status and subsidiary protection – and that Member States must grant whichever status an applicant qualifies for (paras 51–54). Member States have no discretion to refuse subsidiary protection except on the exclusion grounds exhaustively listed in the Qualification Directive (para 54). The Asylum Procedures Directive reinforces this: an application may be declared inadmissible only on the five grounds set out in Article 33(2) APD, which must be interpreted strictly (paras 58–60). Temporary protection is not among these grounds; national authorities, therefore, cannot reject a subsidiary protection application solely because the applicant enjoys temporary protection (para 61).

Finally, the Court addresses the direct-effect question. The Swedish court had essentially asked whether Articles 17(1) and 19(2) of the TPD, if interpreted as including the right to apply for subsidiary protection, are sufficiently clear and precise, read together with Article 10(2) of the APD, to have direct effect. The CJEU reformulates the issue. Rather than grounding the direct effect in the TPD itself, the Court bases it on two CEAS provisions: Article 18 of the QD, which imposes an unconditional duty to grant subsidiary protection when criteria are met, and Article 33 of the APD, which exhaustively lists the admissibility grounds (paras 71-72). These provisions are both unconditional and sufficiently precise, and thus confer directly effective rights. The consequence is clear: if a national rule conflicts with these obligations and cannot be interpreted in conformity with EU law, domestic courts must disapply the national provision (para 73).

That said, the Court’s approach leaves an important ambiguity unresolved. The referring court had explicitly asked whether Articles 17(1) and 19(2) of the TPD, read together with Article 10(2) APD (which governs the relationship between refugee and subsidiary protection status applications), were sufficiently clear and precise to have direct effect. Instead of answering that question squarely, the Court effectively sidesteps it by grounding direct effect not in the TPD at all, but in Article 18 QD and Article 33 APD. Put simply, the judgment does not tell us whether Articles 17(1) and 19(2) of the TPD are capable of producing direct effect. 

6.    My analysis

The AG’s Opinion and the Court’s judgment reach the same legal outcome, but they do so through markedly different interpretative routes. The Advocate General adopts a more TPD-centred approach, grounding his analysis in Articles 3, 17 and 19 of the TPD and then interpreting these provisions in light of later CEAS instruments. He reads “asylum application” in Article 17 as an application for international protection covering both refugee status and subsidiary protection, emphasises that temporary protection cannot suspend or exclude access to subsidiary protection, and rejects temporary protection as a lawful ground of inadmissibility because it does not appear in the exhaustive list in Article 33(2) of the APD. Although he accepts that Member States may postpone international protection application examinations in mass influx situations, he stresses that a blanket ban on subsidiary protection applications is incompatible with the TPD and the CEAS.

By contrast, the Court relies primarily on the Qualification Directive and the Asylum Procedures Directive, using the CEAS instruments themselves as the main foundation for each key step. It interprets “asylum application” in light of the QD and APD definitions of international protection, derives the duty to grant protection from Article 18 of the QD and the obligation to examine claims (and the limits on inadmissibility) from Articles 10(2) and 33 APD, and treats Article 33(2) of the APD as an exhaustive rule that excludes any TP-based inadmissibility ground (paras 58-60). On the direct effect, the Court bases its analysis on Article 18 of the QD and Article 33 of the APD (paras 70-73), whereas the AG reaches the same conclusion via a combined reading of Article 17 of the TPD with the CEAS provisions.

Compared to the AG’s Opinion, which engages more directly with the wording, structure and logic of the TPD, the Court reaches essentially the same conclusions but grounds its reasoning far more firmly in the QD and APD. Put differently, while the AG reads the TPD through the lens of the CEAS, the Court treats the CEAS instruments themselves as the primary legal basis for explaining why Member States cannot refuse to examine (and, where appropriate, must grant) subsidiary protection to temporary protection beneficiaries.

I must admit that I prefer the AG’s TPD-centred approach: it is more faithful to the architecture of the TPD, and does not treat the TPD as a second-rate asylum instrument because it has never been updated to reflect two decades of CEAS development.

The outcome of the judgment is fully in line with what many of us working on the TPD have long expected. The TPD was never intended to operate as an obstacle to accessing international protection, whether refugee status or subsidiary protection. For over a decade, “international protection” in EU law has included both statuses, and nothing in the Directive suggested a closed or self-standing regime intended to override the CEAS.

The central logic of the TPD has always been pragmatic: to give Member States facing a mass influx breathing space by allowing them to suspend the processing (not lodging) of asylum claims where their systems would otherwise be overwhelmed. It was and never has been designed to bar access to subsidiary protection altogether. Member States with fewer temporary protection beneficiaries, or with sufficiently strong asylum systems, remain entirely free to process claims during temporary protection and examine the merits of their international protection applications.

Interpreting the TPD in the restrictive and literal manner adopted by the Swedish administration, treating “asylum” in the TPD as excluding subsidiary protection and ignoring the subsequent development of EU asylum law, was therefore misguided. It runs counter to the TPD’s objectives, its underlying logic, and the entire evolution of the CEAS. Most importantly, it results in a clear violation of the rights of temporary protection beneficiaries to access international protection.

This judgment matters well beyond Sweden. Even if Sweden appears to be the only Member State to have openly applied such a blanket rule, Framholm makes clear that no Member State may treat temporary protection alone as a ground for declaring subsidiary protection applications inadmissible. Across the EU, temporary protection can never justify a blanket refusal to examine the merits of a subsidiary protection claim.

7.    Conclusion

Framholm matters because it definitively closes the door on any national attempt to use temporary protection as a barrier to subsidiary protection. The judgment also exposes a broader structural problem: the Temporary Protection Directive, drafted in 2001, simply do not reflect the legal architecture of the CEAS in 2025. This is visible not only in Sweden’s misinterpretation but also in the Court’s need to rely so heavily on the QD and APD to reach a decision rather than the TPD’s own articles.

This brings me to a point that, as far as I am aware, no one else has explicitly raised: we know that the TPD remains useful and conceptually sound as a framework for managing mass influx situations, contrary to the Commission’s initial 2020 proposal to repeal it. Temporary protection works. It has proven its value during the Ukrainian displacement and remains a necessary instrument in the EU’s protection toolbox. Even today, 4.3 million non-EU citizens who fled Ukraine have temporary protection status in the EU. Moreover, the adoption of the Crisis and Force Majeure Regulation does not render the TPD unnecessary or obsolete: the two instruments, although they can be invoked in exceptional mass influx situations, operate on different logics. In my opinion, the Crisis and Force Majeure Regulation, which is based on derogations more than anything, cannot fully substitute for the protection mechanism established by the TPD.

Despite the usefulness of the ongoing relevance of the TPD, the judgment also implicitly makes clear that the TPD urgently requires updating. Many of the problematic national practices stem precisely from the fact, highlighted by the AG, that the TPD is an old instrument, never recast and never aligned with two decades of CEAS development. The result is predictable: legal ambiguities that should no longer exist, and litigation over issues that should be obvious.

I wish to conclude with a call to the EU institutions, above all, to the Commission. Once the current temporary protection regime for Ukrainians comes to an end, the Commission should initiate a targeted revision of the TPD, drawing directly on the lessons of its implementation during the mass displacement from Ukraine and the emerging body of CJEU case law, including Kaduna, Krasiliva and Framholm. An updated TPD can significantly narrow the scope for misinterpretation, perhaps introduce a new and clear time limit, align the instrument with the contemporary CEAS architecture, and prevent further unnecessary litigation on matters that ought already to be legally settled.

From COVID-19 to digital well-being: Precaution in the internal market

Daan Bodson, LL.M in European Union Law, Université Panthéon-Assas (Paris 2)

Photo credit: US Dept of Defense, via Wikimedia Commons

 

Introduction

More than two years after the WHO declared COVID-19 no longer a global emergency, its impact is still felt. Remote work has become routine in many sectors, younger generations speak more openly about mental health, and the pandemic has left its mark on EU law. Faced with extraordinary circumstances, Member States adopted extraordinary restrictions, which in turn prompted courts to revisit how fundamental freedoms like free movement are balanced against public health.

Many of the measures aimed at restricting the spread of the virus involved limiting the free movement of individuals, one of the fundamental rules of the EU legal order. When these restrictions were challenged before the EU courts, both the ECJ and the EFTA Court delivered landmark rulings. For the first time, they brought the precautionary principle squarely into free movement case law.

This contribution revisits that jurisprudence and asks what it means beyond the pandemic. Since neither court confined its reasoning to COVID-19, the question arises: can precaution also justify restrictions in other policy fields marked by scientific uncertainty? I argue that Nordic Info (C-128/22, 5 Dec 2023) and LDL (E-5/23, 21 Mar 2024) lowered the threshold for Member States to justify restrictions under the precautionary principle, and that this reasoning can also support measures against mental health risks from social media usage.

 

The case law: Nordic Info and LDL

Setting the stage: National measures aimed at limiting the spread of COVID-19

On December 5th of 2023, the ECJ rendered its Nordic Info judgement, in which it ruled on the legality of a Belgian measure banning all non-essential travel to “red-listed countries”. These red-listed countries were designated based on epidemiological data available at the time. The national measure was challenged by a travel agency specializing in trips to Scandinavia. In the LDL judgement, rendered by the EFTA Court a few months after Nordic Info, the Court ruled on the legality of a Norwegian law requiring individuals travelling from abroad into Norway to subject themselves to a quarantine period spent in a specific “quarantine hotel”.

Both courts readily classified these measures as restrictions on the free movement of persons under the EU Citizens’ Directive (and its extension to the EEA). This legislation, however, allows for restrictions on grounds of public health (Art. 27 & 29), yet sets some safeguards to these limitations, such as a right to an effective remedy, and a proportionality check (Art. 31).

In both cases, the main legal question thus was whether or not the restrictions were considered proportionate. Remarkably, and for the first time in free movement case law, both courts expressly included the precautionary principle into this proportionality test. This novel introduction could significantly reshape the proportionality assessment in situations where the precautionary principle applies.

Understanding the precautionary principle

The precautionary principle is well-established in EU law. It regularly appears in judgments of both the ECJ and the EFTA Court and informs many policy fields. At its core, the principle provides a legal and policy tool for decision-makers faced with scientific uncertainty combined with potential risks. Where evidence of harm is insufficient, inconclusive, or uncertain, but the stakes are significant, legislators may intervene proactively without waiting for full scientific proof. As the ECJ stated in Nordic Info: “if there is uncertainty as to the existence or extent of risks to human health, a Member State must be able, under the precautionary principle, to take protective measures without having to wait until the reality of those risks becomes fully apparent” (para. 79).

In practice, the principle applies when there are indications of risk but no certainty about its precise magnitude, its long-term effects, or the most effective mitigating measures. In such cases, national or EU legislators retain discretion to determine the level of protection they wish to guarantee. The degree of scientific uncertainty will, however, shape the extent of that discretion: the greater the uncertainty, the broader the space for precautionary action.

This principle features in many fields of EU policy. The TFEU explicitly prescribes that the principle shall guide the EU’s environmental policy. ECJ case law (e.g., C-157/96) and legislation (e.g., regulation 178/2002) has further broadened the scope of application of the principle to all types of risks to environmental, human, animal, or plant health.

The European Commission’s 2000 Communication on the precautionary principle further clarified its scope and criteria. The Communication underlined that the precautionary principle doesn’t allow for arbitrary restrictions. Measures must still comply with broader EU law requirements, such as proportionality, non-discrimination, consistency, examination of costs and benefits and dynamic review. These principles ensure that precaution remains balanced and doesn’t overly interfere with the internal market.

The novelty: introduction of the precautionary principle in free movement case law

Whilst the precautionary principle itself is far from new in the EU legal order, its application in free movement case law in the Nordic Info and LDL cases is new. In both cases, the courts were confronted with a situation of scientific uncertainty: at the time, there was no conclusive knowledge about how COVID-19 spread, how lethal it was, or which measures were most effective. Yet Member States had to act to protect public health. Against this background, the courts held that the precautionary principle applied, granting national authorities wider discretion to define their own level of health protection and to adopt restrictive measures to limit contagion.

Ordinarily, the proportionality test for restrictions on free movement follows three steps:

-          Suitability: the measure must be capable of achieving its stated aim.

-          Necessity: there must be no less restrictive measure that is equally effective.

-          Proportionality stricto sensu: the benefits of the measure must outweigh the rights it restricts.

What changed in these cases is that the precautionary principle softened the evidentiary demands at each stage:

-          Suitability: Instead of requiring proof that the measure was demonstrably effective, it was sufficient that, in light of limited scientific knowledge, the measure appeared reasonably capable of achieving its aim.

-          Necessity: Courts did not demand a fully substantiated comparison of alternatives. A measure passed this step unless it was evident that another, less restrictive option would be equally effective (Nordic Info, para. 90).

-          Proportionality stricto sensu: In the balancing of interests, scientific uncertainty itself tipped the scales in favor of public health. Far-reaching restrictions were upheld even without full certainty as to their effectiveness.

In short, the precautionary principle did not replace the proportionality test but recalibrated it: lowering the threshold of proof and granting Member States greater leeway when acting under conditions of scientific uncertainty.

 

Beyond COVID-19: precautionary principle and digital well-being

The case law on COVID-19 restrictions carries implications well beyond the pandemic itself. Crucially, neither the ECJ nor the EFTA Court confined their reasoning to emergency circumstances, and Advocate General Emiliou even stressed in his Opinion in Nordic Info that the case had to be assessed under the “ordinary” rules of EU law. This suggests that the interpretive shift brought by the precautionary principle is not an exceptional tool for crisis management, but part of the general framework for justifying restrictions on free movement.

This raises a broader question: if precaution can justify far-reaching measures in times of scientific uncertainty about public health, could it also apply in other fields where risks are emerging but not yet conclusively proven? One particularly pressing area is digital well-being. With growing evidence of the mental health risks linked to social media and addictive algorithms, especially for young people, the same legal reasoning could potentially empower Member States to adopt preventive measures.

Social media, addictive algorithms and associated mental health risks

Social media platforms rely on algorithms that continuously predict and adapt to user preferences. By generating personalized feeds designed to maximize engagement, these systems keep users online longer and, in turn, increase advertising revenues.

Growing evidence links such addictive algorithms and the use of social media generally to negative mental health outcomes, particularly among children and adolescents. Users are frequently exposed to harmful content, such as unrealistic body images, and research increasingly associates prolonged social media use with depression, anxiety, body dysmorphia, and even suicidal thoughts.

Because social media is a relatively recent phenomenon, the long-term effects are not yet fully known. Scientific studies are emerging, but uncertainty remains inherent: it is difficult, perhaps impossible, to precisely measure the long-term mental health consequences of algorithm-driven platforms, especially for young people.

The EU has begun to acknowledge these risks. The Digital Services Act (“DSA”) of October 2022 introduces obligations for “very large online platforms and search engines,” requiring them to conduct risk assessments, explicitly covering algorithmic systems, and to implement reasonable mitigation measures. This reflects a policy shift toward more stringent obligations for these large platforms, aimed at enhancing, among other things, user well-being.

The precautionary principle: more space for Member States to act?

Despite the DSA, Member States may wish to go further in protecting citizens’ mental health. Insofar as measures do not interfere with harmonized EU law, Member States can determine their desired level of protection and take adequate measures. In practice, this could mean considering specific obligations on tech manufacturers (e.g., better parental control tools) or even on the accessibility of devices to minors.

National measures in this area are likely to restrict the free movement of services, and possibly freedom of establishment or free movement of goods. Ordinarily, such measures would face steep hurdles, since they would need to be justified and proportionate, which typically was a high bar. However, under the Nordic Info and LDL rulings, Member States now enjoy wider leeway to justify such restrictions. The introduction of the precautionary principle into free movement law means that scientific uncertainty no longer necessarily blocks preventive regulation.

For precaution to apply, three conditions must be present:

-          a potential risk, including mental health risks for humans;

-          scientific uncertainty about its scope or effects, and

-          the absence of full proof or consensus related to the extent of the risk and / or the most suitable mitigating measures.

In the case of digital well-being, these conditions seem to be met. Academic research points to a range of mental health risks from social media use, but the extent of the danger and the precise causal links remain unsure. Member States could take precautionary measures in multiple forms. Even though harmonized EU legislation, such as the DSA, bars Member States from introducing measures within this field, some measures are still imaginable. For example, States could require phone manufacturers to include robust parental control tools by default. Alternatively, Member States could consider a ban on design features such as auto-play or endless scroll for under-16s, or even impose an age limit for the sale of smartphones (as considered by the UK government).

The significance of Nordic Info and LDL is that these measures no longer need conclusive scientific proof to survive judicial scrutiny. It is enough that they seem reasonably appropriate, and that no evident less restrictive alternative exists. In balancing fundamental rights, the courts signaled that precaution may tilt the scales in favor of public health, even when other freedoms, such as free movement of services or freedom to conduct business, are affected.

 

Conclusion

The COVID-19 pandemic was not only an unprecedented test for Europe’s health systems, but it also challenged the boundaries of EU law. In Nordic Info and LDL, the courts expanded the role of the precautionary principle in free movement, potentially lowering the evidentiary threshold for Member States to justify restrictive measures. Importantly, this reasoning was not tied to emergency conditions, which opened the door for its application in other contexts.

The growing, though inconclusive, evidence linking social media usage and addictive algorithms to mental health issues raises the question of whether the evolving case law could justify regulatory measures to protect mental health in the digital space. By extending the application of the precautionary principle, the legal precedents set in these cases could pave the way for stronger regulations aimed at safeguarding online well-being, particularly regarding social media platforms and their addictive features.

Why the European Parliament should reject (or substantially amend) the Commission’s proposal on EU Information Security (“INFOSEC”): (1) The issue of “classified information”

 

 

 

Emilio De Capitani, Former EP Official (1985-2011) Secretary of the LIBE parliamentary Committee (1998-2011). Affiliated to the Scuola superiore S.Anna (Pisa).  

Court Cases on Transparency so far: T-540/15 v. European Parliament (Trilogues), T-163/21 v Council (transparency of Council Working Parties), T-590/23 v. Council (EU legislative transparency - to be decided on October 29th). 

Pending cases: T-146/25 v Commission (EC internal rules "clarifying" access to documents), T-621/25 v. Commission (access to national plans implementing the EU Pact on Asylum), T-661/25 v EUAA (mandatory nature of deadlines of Confirmatory Applications)

Photo credit: openclipart, via Wikimedia commons

1.Setting the scene: the EU legal framework on access to documents and to confidential information before the Lisbon Treaty

To better understand why the Commission “INFOSEC” draft legislative proposal (2022/0084(COD) on information security shall be substantially amended, let’s recall what was before the Lisbon Treaty and of the Charter, the EU legal framework on access to documents, and notably of EU classified information. With the entry into force of the Amsterdam Treaty on May 1999 the EP and the Council have been under the obligation (art.255 TCE) of adopting in two years’ time new EU rules framing the individual  right of access to documents by establishing at the same time “the general principles and limits of public interests” which may limit such right of access. (emphasis added).

Notwithstanding a rather prudent Commission’s legislative proposal the EP strongly advocated a stronger legal framework for access to documents, for legislative transparency and even for the treatment at EU level of information which, because of their content, should be treated confidentially (so called “sensitive” or “classified information”). 

Needless to say  “Sensitive” or “classified information” at Member States level, are deemed to protect “essential interests”  of the State and, by law, are subject to a special parliamentary and judicial oversight regime.[1] As a consequence, at EU level, even after Lisbon, national classified information are considered an essential aspect of national security which “.. remains the sole responsibility of each Member State” (art. 4.2 TEU) and “..no Member State shall be obliged to supply information the disclosure of which it considers contrary to the essential interests of its security” (art 346.1(a)TFEU).

However, if national classified information is shared at EU level as it is the case for EU internal or external security policies it shall be treated as for any other EU policy by complying with EU rules. The point is on what legal basis these rules should be founded. This issue came to the fore already in 2000 when the newly appointed Council Secretary General Xavier SOLANA negotiated with NATO a first interim agreement on the exchange of classified information. The agreement which mirrored at EU level the NATO Classification standards (“Confidential”, “Secret” and “Top Secret”) was founded  on the Council internal organizational power  but this “administrative” approach was immediately challenged before the Court of Justice by the a Member State (NL) [2] and by the European Parliament itself [3] which considered that the correct legal basis should had been the new legislation on access to documents foreseen by art 255 of TEC which was at the time under negotiation.  The Council, at last, acknowledged that art.255 TEC on access to documents was right legal basis and a specific article (art.9[4]) was inserted in in Regulation 1049/01 implementing art.255 TEC and the EP and NL withdrew their applications before the CJEU[5].

Point is that Art.9 of Regulation 1049/01 still covers only the possible access by EU citizens and such access may be vetoed by the “originator” of the classified information. Unlike national legislation on classified information art.9 didn’t solve, unfortunately, for the lack of time, the issue of the democratic and judicial control by the European Parliament and by the Court of Justice to the EUCI. Art.9(7) of Regulation 1049/01 makes only a generic reference to the fact that “The Commission and the Council shall inform the European Parliament regarding sensitive documents in accordance with arrangements agreed between the institutions.” A transitional and partial solution has then been founded by negotiating Interinstitutional Agreements between the Council and the EP in 2002 [6]and in 2014 [7]and between the European Commission[8] in 2010.

Point is that interinstitutional agreements even if they may be binding (art.295 TFEU) they can only “facilitate” the implementation of EU law which, as described above,  in the case of democratic and judicial control of classified information still does not exists. Not surprisingly, both the Council and the Commission Interinstitutional agreements consider that the “originator” principle should also be binding for the other EU institutions such as the European Parliament  and the Court of Justice.

This situation is clearly unacceptable in an EU deemed to be democratic and bound by the rule of law as it create zones where not only the EU Citizens but also their Representatives may have no access because of “originator’s” veto. As result, in these situations the EU is no more governed by the rule of law but only by the “goodwill” of the former.

To make things even worse, the Council’s established practice is to negotiate with third Countries and international organizations agreements [9]covering the exchange of confidential information by declaring that the other EU Institutions (such as the EP and the Court of Justice) should be considered “third parties” subject then to the “originator” principle.

Such situation has become kafkaesque with the entry into force of the Lisbon treaty which recognizes now at primary law level the EP right to be “fully and timely” informed also on classified information exchanged during the negotiation of an international agreement[10]. Inexplicably, fourteen years since the entry into force of the Treaty the European Parliament has not yet challenged before the Court of Justice these clearly unlawful agreements.

That Institutional problem kept apart, fact remains that until the presentation of the draft INFOSEC proposal none challenged the idea that in the EU the correct legal basis supporting the treatment also of classified information should be the same of access to documents which after the entry into force of the Lisbon treaty is now art.15.3 of the TFEU[11].

2 Why the Commission choice of art 298 TFEU as the legal basis for the INFOSEC proposal is highly questionable [12]

After the entry into force of the Lisbon Treaty and of the Charter the relation between the fundamental right of access to documents and the corresponding obligation of the EU administration of granting administrative transparency and disclose or not its information/documents has now been strengthened also because of art. 52 of the EU Charter.

In an EU bound by the rule of law and by democratic principles, openness and the fundamental right of access should be the general rule and  “limits” to such rights should be an exception  framed only “by law”. As described above the correct legal basis for such “law” is art.15 of the TFEU which, as the former art.255 TEC, states that  “General principles and limits on grounds of public or private interest..” may limit the right of access and the obligation of disclosing EU internal information / documents. Also from a systemic point of view  “limits” to disclosure and to access are now covered by the same Treaty article which frames (in much stronger words than art 255 before Lisbon) the principles of “good governance”(par 1), of legislative transparency  (par 2) and of administrative transparency (par 3).

Such general “Transparency” rule is worded as following: “1. In order to promote good governance and ensure the participation of civil society, the Union institutions, bodies, offices and agencies shall conduct their work as openly as possible.(..) Each institution, body, office or agency shall ensure that its proceedings are transparent and shall elaborate in its own Rules of Procedure specific provisions regarding access to its documents, in accordance with the regulations referred to in the second subparagraph.”

Bizarrely, the European Commission has chosen for the INFOSEC regulation art.298 TFEU on an open, independent and efficient EU administration by simply ignoring art.15 TFEU and by making an ambiguous reference to the fact that INFOSEC should be implemented “without prejudice” of the pre-Lisbon Regulation 1049/01 dealing with access to documents and administrative transparency.  How a “prejudice” may not exist when both Regulations are overlapping and INFOSEC Regulation is upgrading the Council Internal Security rules at legislative level is a challenging question.

It is indeed  self evident that both the INFOSEC Regulation and Regulation 1049/01 deal with the authorized/unauthorised “disclosure” of EU internal information/documents.

Such overlapping of the two Regulations is even more striking for the treatment  EU Classified information (EUCI) as these information are covered both by art. 9 of Regulation 1049/01 and now  by articles 18 to 58 and annexes II to VI of the INFOSEC Regulation.

As described above, Art 255 TCE has since Lisbon been replaced and strengthened by art 15 TFEU so that the Commission proposal of replacing it with art.298 TFEU looks like a “detournement de procedure” which may be challenged before the Court for almost the same reasons already raised in 2000 by the EP and by NL.  It would then been sensible to relaunch the negotiations on the revision of Regulation 1049 in the new post-Lisbon perspective but the Commission has decided this year to withdraw the relevant legislative procedure. Submitting a legislative proposal such INFOSEC promoting overall confidentiality and withdrawing at the same time a legislative proposal promoting transparency seems a rather strong message to the public from the Commission.

3 Does the INFOSEC proposal grant true security for EU internal information?

European Union administrative transparency is now a fundamental right of the individual enshrined in the Charter (Article 42). The protection of administrative data is one of the aspects of the “duty” of good administration enshrined in Article 41 of the Charter, which stipulates that every person has the right of access to their file, “with due regard for the legitimate interests of confidentiality and professional and business secrecy.”  

However Art.298 TFEU is not the legal basis framing professional secrecy. It is only a provision on the functioning of the institutions and bodies which, “in carrying out their tasks … [must be based] on an “open” European administration”[13] and is not an article intended to ensure the protection of administrative documents.

This objective is better served by other legal bases in the Treaties.

First of all, protecting the archives of EU institutions and bodies from outside interference is, even before being a legitimate interest, an imperative condition laid down by the Treaties and the related 1965 Protocol on the Privileges and Immunities of the Union adopted on the basis of the current Article 343 TFEU. Articles 1 and 2 of that Protocol stipulate that the premises and buildings of the Union, as well as its archives, “shall be inviolable.”

Furthermore, in order to ensure that, in the performance of their duties, officials are obliged to protect the documents of their institutions, Article 17 of the Staff Regulations stipulates that

1. Officials shall refrain from any unauthorized disclosure of information coming to their knowledge in the course of their duties, unless such information has already been made public or is accessible to the public.

Again, (as for Regulation 1049/01), the INFOSEC regulation  reinstate that it should be applied “without prejudice” of the Staff Regulation by so mirroring the second paragraph of art.298 TFEU which states that itself states that it should be implemented  “in accordance with the Staff Regulations and the rules adopted on the basis of Article 336.” So, also from this second perspective, the correct legal basis for INFOSEC could be Articles 339 (on professional secrecy) and 336 TFEU, with the consequent amendment of the Staff Regulations by means of a legislative regulation of the Parliament and the Council.

By proposing a legislative regulation on the basis of Article 298, the Commission therefore circumvents both the obligation imposed by Article  336, art 339 (on professional secrecy)  and, more importantly  of Article 15(3) TFEU, according to which each institution or body “..shall ensure (i.e., must ensure) the transparency of its proceedings [and therefore also their protection from external interference] and shall lay down in its rules of procedure specific provisions concerning access to its documents [and therefore also concerning their protection], in accordance with the regulations referred to in the second subparagraph.”(NDR currently Regulation 1049/01)

The objectives set out in Article 298 cannot therefore override the requirements of protecting the fundamental right of access to documents, nor those of Article 15 TFEU which could be considered the “center of gravity” when several legal bases are competing [14].

The same applies to compliance with the regulation establishing the Statute and, in particular, compliance with Article 17 thereof, cited above.

Ultimately, the provisions on the legislative procedure for Union legislative acts are not at the disposal of the Commission, given that administrative transparency is a fundamental right and the protection of documents is a corollary thereof and not a means of functioning of the institutions. Administrative transparency is a fundamental right of every person; the protection of administrative data is a legitimate interest of every administration.

A ”public” interest that can certainly limit the right of access, but only under the conditions established by the legislator of art 15 TFEU and only by the latter.

4. Conclusions

If a recommendation may be made now to the co-legislators is to avoid illusionary shortcuts such as the current Commission proposal whose real impact on the EU administrative “bubble” is far to be clear[15]. The EU Legislator, since the entry into force of the Lisbon Treaty more than fourteen years ago is faced with much more pressing problems.

What is mostly needed is not inventing several layers of illusionary “protection” of the EU information but framing the administrative procedures by law as suggested several times by the European Parliament and by the multiannual endeavour of brilliant scholars focusing on EU Administrative law[16].

What matters is that the management and the access to EU information should be framed by law and not depend upon the goodwill of the administrative author or the receiver as proposed by the INFOSEC Regulation. Nor is information security strengthened transforming each one of the 64 EU “entities” covered by the INFOSEC Regulation [17] in sand-boxes where the information is shared only with the people who, according to the “originator” has a “need to know” and not a “right to know”.

Moreover the EU should limit and not generalize the power for each one of the 64 EU entities of create “classified” information (EUCI). In this perspective art.9 of Regulation 1049/01 needs indeed a true revision but in view of the new EU Constitutional framework and of the new institutional balance arising from the Lisbon treaty and of the Charter.

Fourteen years after Lisbon the democratic oversight of the European Parliament and the judicial control of the Court of Justice on classified documents, shall be granted by EU law as it is the case in most of the EU Countries and not by interinstitutional agreements which maintain the “Originator” against these institutions in violation of the rule of law principle as well as of the EU institutional balance.

Is it still acceptable fourteen years after the entry into force of the Lisbon Treaty that the European Parliament and the Court of Justice are not taken in account in the dozens of international agreements by which the Council frames the exchange of EUCI with third countries and international organizations?

Instead of dealing with these fundamental issues, the European Commission in its 67 page proposal makes no reference to 24 years of experience in the treatment of classified information and prefers dragging the co-legislators in Kafkaesque debates dealing with “sensitive but not classified information”  or on the strange idea by which documents should marked “public” by purpose and not by their nature (by so crossing the line separating public transparency from public propaganda).

But all that been said, it is not the Commission which will be responsible before the Citizens (and the European Court) for badly drafted legislation. It will be the European Parliament and the Council which shall now take their responsibility. They can’t hide behind the Commission unwillingness to deal with substantive issues (as well as with other aspects of legislative and administrative transparency) ; if the Council also prefer maintain the things as they were before Lisbon it is up to the European Parliament to take the lead and establish a frank discussion with the other co-legislator and verify if there is the will of fixing the real growing shortcomings in the EU administrative “Bubble”.

Continuing with the negotiations on the current version of the INFOSEC proposal notably on the complex issue of classified information paves the way to even bigger problems which (better soon than later) risk to  be brought as in 2000 on the CJEU table.

---

[1] According to the Venice Commission “.. at International and national level access to classified documents is restricted by law to a particular group of persons. A formal security clearance is required to handle classified documents or access classified data. Such restrictions on the fundamental right of access to information are permissible only when disclosure will result in substantial harm to a protected interest and the resulting harm is greater than the public interest in disclosure.  Danger is that if authorities engage in human rights violations and declare those activities state secrets and thus avoid any judicial oversight and accountability. Giving bureaucrats new powers to classify even more information will have a chilling effect on freedom of information – the touchstone freedom for all other rights and democracy – and it may also hinder the strive towards transparent and democratic governance as foreseen since Lisbon by art.15.1 of TFEU (emphasis added) The basic fear is that secrecy bills will be abused by authorities and that they lead to wide classification of information which ought to be publicly accessible for the sake of democratic accountability.  Unreasonable secrecy is thus seen as acting against national security as “it shields incompetence and inaction, at a time that competence and action are both badly needed”. (…) Authorities must provide reasons for any refusal to provide access to information.  The ways the laws are crafted and applied must be in a manner that conforms to the strict requirements provided for in the restriction clauses of the freedom of information provisions in the ECHR and the ICCPR.” 

[2] Action brought on 9 October 2000 by the Kingdom of the Netherlands against the Council of the European Union (Case C-369/00) (2000/C 316/37)

[3] Action brought on 23 October 2000 by the European Parliament against the Council of the European Union (Case C-387/00)

[4] Regulation 1049/01 Article 9 ”Treatment of sensitive documents

1. Sensitive documents are documents originating from the institutions or the agencies established by them, from Member States, third countries or International Organisations, classified as “TRÈS SECRET/TOP SECRET”, “SECRET” or “CONFIDENTIEL” in accordance with the rules of the institution concerned, which protect essential interests of the European Union or of one or more of its Member States in the areas covered by Article 4(1)(a), notably public security, defence and military matters.

2. Applications for access to sensitive documents under the procedures laid down in Articles 7 and 8 shall be handled only by those persons who have a right to acquaint themselves with those documents. These persons shall also, without prejudice to Article 11(2), assess which references to sensitive documents could be made in the public register.

3. Sensitive documents shall be recorded in the register or released only with the consent of the originator.

4. An institution which decides to refuse access to a sensitive document shall give the reasons for its decision in a manner which does not harm the interests protected in Article 4.

5. Member States shall take appropriate measures to ensure that when handling applications for sensitive documents the principles in this Article and Article 4 are respected.

6. The rules of the institutions concerning sensitive documents shall be made public.

7. The Commission and the Council shall inform the European Parliament regarding sensitive documents in accordance with arrangements agreed between the institutions.

[5] Notice for the OJ. Removal from the register of Case C-387/00. By order of 22 March 2002 the President of the Court of Justice of the European Communities ordered the removal from the register of Case C-387/00: European Parliament v Council of the European Union. OJ C 355 of 09.12.2000.

[6] Interinstitutional Agreement of 20 November 2002 between the European Parliament and the Council concerning access by the European Parliament to sensitive information of the Council in the field of security and defence policy (OJ C 298, 30.11.2002, p. 1).

[7] According to the Interinstitutional Agreement of 12 March 2014 between the European Parliament and the Council concerning the forwarding to and handling by the European Parliament of classified information held by the Council on matters other than those in the area of the common foreign and security policy (OJ C 95, 1.4.2014, pp. 1–7) “4.   The Council may grant the European Parliament access to classified information which originates in other Union institutions, bodies, offices or agencies, or in Member States, third States or international organisations only with the prior written consent of the originator.”

[8] According to annex III point 5 of the Framework Agreement on relations between the European Parliament and the European Commission (OJ L 304, 20.11.2010, pp. 47–62) In the case of international agreements the conclusion of which requires Parliament’s consent, the Commission shall provide to Parliament during the negotiation process all relevant information that it also provides to the Council (or to the special committee appointed by the Council). This shall include draft amendments to adopted negotiating directives, draft negotiating texts, agreed articles, the agreed date for initialling the agreement and the text of the agreement to be initialled. The Commission shall also transmit to Parliament, as it does to the Council (or to the special committee appointed by the Council), any relevant documents received from third parties, subject to the originator’s consent. The Commission shall keep the responsible parliamentary committee informed about developments in the negotiations and, in particular, explain how Parliament’s views have been taken into account.”

[9] SEE : Agreements on the security of classified information

[10] Article 218.10 TFUE states clearly that “The European Parliament shall be immediately and fully informed at all stages of the procedure” when the EU is negotiating international agreements even when the agreements “relates exclusively or principally to the common foreign and security policy,” (art.218.3 TFUE).

[11] Interestingly reference to art.15 of the TFEU is also made in the EP-Council 2014 Interinstitutional Agreement on access to classified information (not dealing with External Defence) See point 15 :  This Agreement is without prejudice to existing and future rules on access to documents adopted in accordance with Article 15(3) TFEU; rules on the protection of personal data adopted in accordance with Article 16(2) TFEU; rules on the European Parliament’s right of inquiry adopted in accordance with third paragraph of Article 226 TFEU; and relevant provisions relating to the European Anti-Fraud Office (OLAF)

[12] However this legal basis was fit for another legislative proposal, of a more technical nature, which  has now become EU Regulation 2023/2841 layng  down measures for a high common level of cybersecurity for the institutions, bodies, offices and agencies of the Union. This Regulation applies at EU administrative level the principles established for the EU Member States by Directive (EU) 2022/2555 (2)  improving the cyber resilience and incident response capacities of public and private entities. It created an Interinstitutional Cybersecurity Board ( IICB) and a Computer Emergency Response Team (CERT) which operationalizes the standards defined by the IICB and interact with the other EU Agencies (such as the EU Agency dealing with informatic security, Enisa), the corresponding structures in the EU Member States and even the NATO structures. It may be too early to evaluate if the Regulation is fit for its purpose ([12]) but the general impression is that its new common and cooperative system of alert and mutual support between the EU Institutions, Agencies and bodies may comply with the letter and spirit of art.298 of the TFEU.

[13] Quite bizarrely this “open” attribute is not cited in the INFOSEC proposal and, even more strangely, none of the EU institutions has until now consulted the EU Ombudsman and/or the Fundamental Rights Agency.

[14] See Case C-338/01 Commission of the European Communities v Council of the European Union(Directive 2001/44/EC – Choice of legal basis)“The choice of the legal basis for a Community measure must rest on objective factors amenable to judicial review, which include in particular the aim and the content of the measure. If examination of a Community measure reveals that it pursues a twofold purpose or that it has a twofold component and if one of these is identifiable as the main or predominant purpose or component whereas the other is merely incidental, the act must be based on a single legal basis, namely that required by the main or predominant purpose or component. By way of exception, if it is established that the measure simultaneously pursues several objectives which are inseparably linked without one being secondary and indirect in relation to the other, the measure must be founded on the corresponding legal bases…”

[15]  Suffice to cite the following legal disclaimer :”This Regulation is without prejudice to Regulation (Euratom) No 3/1958 17 , Regulation No 31 (EEC), 11 (EAEC), laying down the Staff Regulations of Officials and the Conditions of Employment of other servants of the European Economic Community and the European Atomic Energy Community 18 , Regulation (EC) 1049/2001 of the European Parliament and of the Council 19 , Regulation (EU) 2018/1725 of the European Parliament and of the Council 20 , Council Regulation (EEC, EURATOM) No 354/83 21 , Regulation (EU, Euratom) 2018/1046 of the European Parliament and of the Council 22 , Regulation (EU) 2021/697 of the European Parliament and of the Council 23 , Regulation (EU) [2023/2841] of the European Parliament and of the Council 24 laying down measures for a high common level of cybersecurity at the institutions, bodies, offices and agencies of the Union.

[16]  See ReNEUAL Model Rules on EU Administrative Procedure. ReNEUAL working groups have developed a set of model rules designed as a draft proposal for  binding legislation identifying – on the basis of comparative research – best practices in different specific policies of the EU, in order to reinforce general principles of EU law

[17] The Council has listed not less than 64 EU entities (EU Institutions Agencies and Bodies – EUIBAs) in document WK8535/2023