Emilio De Capitani
Photo credit: openclipart,
via Wikimedia
commons
1.Setting the scene: the EU
legal framework on access to documents and to confidential information before
the Lisbon Treaty
To better understand why the
Commission “INFOSEC”
draft legislative proposal (2022/0084(COD) on information security
shall be substantially amended, let’s recall what was before the Lisbon Treaty
and of the Charter, the EU legal framework on access to documents, and notably
of EU classified information. With the entry into force of the Amsterdam Treaty
on May 1999 the EP and the Council have been under the obligation (art.255 TCE)
of adopting in two years’ time new EU rules framing the individual right
of access to documents by establishing at the same time “the general
principles and limits of public interests” which may limit such
right of access. (emphasis added).
Notwithstanding a rather prudent
Commission’s legislative proposal the EP strongly advocated a stronger legal
framework for access to documents, for legislative transparency and even for
the treatment at EU level of information which, because of their content,
should be treated confidentially (so called “sensitive” or “classified
information”).
Needless to say “Sensitive”
or “classified information” at Member States level, are deemed to protect
“essential interests” of the State and, by law, are subject to a special
parliamentary and judicial oversight regime.[1] As
a consequence, at EU level, even after Lisbon, national classified information
are considered an essential aspect of national security which “.. remains
the sole responsibility of each Member State” (art. 4.2 TEU) and “..no
Member State shall be obliged to supply information the disclosure of which it
considers contrary to the essential interests of its security” (art
346.1(a)TFEU).
However, if national classified
information is shared at EU level as it is the case for EU internal or external
security policies it shall be treated as for any other EU policy by complying
with EU rules. The point is on what legal basis these rules should be founded.
This issue came to the fore already in 2000 when the newly appointed Council
Secretary General Xavier SOLANA negotiated with NATO a first interim agreement
on the exchange of classified information. The agreement which mirrored at EU
level the NATO Classification standards (“Confidential”, “Secret” and “Top
Secret”) was founded on the Council internal organizational power
but this “administrative” approach was immediately challenged before the Court
of Justice by the a Member State (NL) [2]
and by the European Parliament itself [3] which
considered that the correct legal basis should had been the new legislation on
access to documents foreseen by art 255 of TEC which was at the time under
negotiation. The Council, at last, acknowledged that art.255 TEC on
access to documents was right legal basis and a specific article (art.9[4])
was inserted in in Regulation 1049/01 implementing art.255 TEC and the EP and
NL withdrew their applications before the CJEU[5].
Point is that Art.9 of Regulation
1049/01 still covers only the possible access by EU citizens and such access
may be vetoed by the “originator” of the classified information. Unlike
national legislation on classified information art.9 didn’t solve,
unfortunately, for the lack of time, the issue of the democratic and judicial
control by the European Parliament and by the Court of Justice to the EUCI.
Art.9(7) of Regulation 1049/01 makes only a generic reference to the fact that
“The Commission and the Council shall inform the European Parliament regarding
sensitive documents in accordance with arrangements agreed between the
institutions.” A transitional and partial solution has then been founded
by negotiating Interinstitutional Agreements between the Council and the EP in
2002 [6]and
in 2014 [7]and
between the European Commission[8] in
2010.
Point is that interinstitutional
agreements even if they may be binding (art.295 TFEU) they can only
“facilitate” the implementation of EU law which, as described above, in
the case of democratic and judicial control of classified information still
does not exists. Not surprisingly, both the Council and the Commission
Interinstitutional agreements consider that the “originator” principle should
also be binding for the other EU institutions such as the European
Parliament and the Court of Justice.
This situation is clearly unacceptable
in an EU deemed to be democratic and bound by the rule of law as it create
zones where not only the EU Citizens but also their Representatives may have no
access because of “originator’s” veto. As result, in these situations the EU is
no more governed by the rule of law but only by the “goodwill” of the former.
To make things even worse, the
Council’s established practice is to negotiate with third Countries and
international organizations agreements [9]covering
the exchange of confidential information by declaring that the other
EU Institutions (such as the EP and the Court of Justice) should be
considered “third parties” subject then to the “originator” principle.
Such situation has become kafkaesque
with the entry into force of the Lisbon treaty which recognizes now at primary
law level the EP right to be “fully and timely” informed also on classified
information exchanged during the negotiation of an international agreement[10].
Inexplicably, fourteen years since the entry into force of the Treaty the
European Parliament has not yet challenged before the Court of Justice these
clearly unlawful agreements.
That Institutional problem kept
apart, fact remains that until the presentation of the draft INFOSEC proposal
none challenged the idea that in the EU the correct legal basis supporting the
treatment also of classified information should be the same of access to
documents which after the entry into force of the Lisbon treaty is now art.15.3
of the TFEU[11].
2 Why the Commission choice of
art 298 TFEU as the legal basis for the INFOSEC proposal is highly
questionable [12]
After the entry into force of the
Lisbon Treaty and of the Charter the relation between the fundamental right of
access to documents and the corresponding obligation of the EU administration
of granting administrative transparency and disclose or not its
information/documents has now been strengthened also because of art. 52 of the
EU Charter.
In an EU bound by the rule of law
and by democratic principles, openness and the fundamental right of access
should be the general rule and “limits” to such rights should be an
exception framed only “by law”. As described above the correct legal
basis for such “law” is art.15 of the TFEU which, as the former art.255 TEC,
states that “General principles and limits on grounds of
public or private interest..” may limit the right of access and the
obligation of disclosing EU internal information / documents. Also from a
systemic point of view “limits” to disclosure and to access are now
covered by the same Treaty article which frames (in much stronger words than
art 255 before Lisbon) the principles of “good governance”(par 1), of
legislative transparency (par 2) and of administrative transparency (par
3).
Such general “Transparency” rule
is worded as following: “1. In order to promote good governance and ensure
the participation of civil society, the Union institutions, bodies, offices and
agencies shall conduct their work as openly as possible.(..) Each
institution, body, office or agency shall ensure that its proceedings are
transparent and shall elaborate in its own Rules of Procedure specific
provisions regarding access to its documents, in accordance with the
regulations referred to in the second subparagraph.”
Bizarrely, the European
Commission has chosen for the INFOSEC regulation art.298 TFEU on an open,
independent and efficient EU administration by simply ignoring art.15 TFEU and
by making an ambiguous reference to the fact that INFOSEC should be implemented
“without prejudice” of the pre-Lisbon Regulation 1049/01 dealing with access to
documents and administrative transparency. How a “prejudice” may not
exist when both Regulations are overlapping and INFOSEC Regulation is upgrading
the Council Internal Security rules at legislative level is a challenging
question.
It is indeed self evident
that both the INFOSEC Regulation and Regulation 1049/01 deal with the
authorized/unauthorised “disclosure” of EU internal information/documents.
Such overlapping of the two
Regulations is even more striking for the treatment EU Classified
information (EUCI) as these information are covered both by art. 9 of
Regulation 1049/01 and now by articles 18 to 58 and annexes II to VI of
the INFOSEC Regulation.
As described above, Art 255 TCE
has since Lisbon been replaced and strengthened by art 15 TFEU so that the Commission
proposal of replacing it with art.298 TFEU looks like a “detournement de
procedure” which may be challenged before the Court for almost the same reasons
already raised in 2000 by the EP and by NL. It would then been sensible
to relaunch the negotiations on the revision of Regulation 1049 in the new
post-Lisbon perspective but the Commission has decided this year to withdraw
the relevant legislative procedure. Submitting a legislative proposal such
INFOSEC promoting overall confidentiality and withdrawing at the same time a
legislative proposal promoting transparency seems a rather strong message to
the public from the Commission.
3 Does the INFOSEC proposal
grant true security for EU internal information?
European Union administrative
transparency is now a fundamental right of the individual enshrined in the
Charter (Article 42). The protection of administrative data is one of the
aspects of the “duty” of good administration enshrined in Article 41 of the
Charter, which stipulates that every person has the right of access to their
file, “with due regard for the legitimate interests of confidentiality and
professional and business secrecy.”
However Art.298 TFEU is not the
legal basis framing professional secrecy. It is only a provision on the
functioning of the institutions and bodies which, “in carrying out their tasks
… [must be based] on an “open” European administration”[13] and
is not an article intended to ensure the protection of administrative
documents.
This objective is better served
by other legal bases in the Treaties.
First of all, protecting the
archives of EU institutions and bodies from outside interference is, even
before being a legitimate interest, an imperative condition laid down by the
Treaties and the related 1965 Protocol on the Privileges and Immunities of
the Union adopted on the basis of the current Article 343 TFEU. Articles 1
and 2 of that Protocol stipulate that the premises and buildings of the
Union, as well as its archives, “shall be inviolable.”
Furthermore, in order to ensure
that, in the performance of their duties, officials are obliged to protect the
documents of their institutions, Article 17 of the Staff Regulations stipulates
that
1. Officials shall
refrain from any unauthorized disclosure of information coming to their
knowledge in the course of their duties, unless such information has
already been made public or is accessible to the public.
Again, (as for Regulation
1049/01), the INFOSEC regulation reinstate that it should be applied
“without prejudice” of the Staff Regulation by so mirroring the second
paragraph of art.298 TFEU which states that itself states that it should be
implemented “in accordance with the Staff Regulations and the rules
adopted on the basis of Article 336.” So, also from this second perspective,
the correct legal basis for INFOSEC could be Articles 339 (on
professional secrecy) and 336 TFEU, with the consequent amendment of the Staff
Regulations by means of a legislative regulation of the Parliament and the
Council.
By proposing a legislative
regulation on the basis of Article 298, the Commission therefore circumvents
both the obligation imposed by Article 336, art 339 (on professional
secrecy) and, more importantly of Article 15(3) TFEU, according to
which each institution or body “..shall ensure (i.e., must ensure) the
transparency of its proceedings [and therefore also their protection from
external interference] and shall lay down in its rules of procedure specific
provisions concerning access to its documents [and therefore also concerning
their protection], in accordance with the regulations referred to in the second
subparagraph.”(NDR currently Regulation 1049/01)
The objectives set out in Article
298 cannot therefore override the requirements of protecting the fundamental
right of access to documents, nor those of Article 15 TFEU which could be
considered the “center of gravity” when several legal bases are competing [14].
The same applies to compliance
with the regulation establishing the Statute and, in particular, compliance
with Article 17 thereof, cited above.
Ultimately, the provisions on the
legislative procedure for Union legislative acts are not at the disposal of the
Commission, given that administrative transparency is a fundamental right
and the protection of documents is a corollary thereof and not a means of
functioning of the institutions. Administrative transparency is a fundamental
right of every person; the protection of administrative data is a legitimate
interest of every administration.
A ”public” interest that can
certainly limit the right of access, but only under the conditions established
by the legislator of art 15 TFEU and only by the latter.
4. Conclusions
If a recommendation may be made
now to the co-legislators is to avoid illusionary shortcuts such as the current
Commission proposal whose real impact on the EU administrative “bubble” is far
to be clear[15].
The EU Legislator, since the entry into force of the Lisbon Treaty more than
fourteen years ago is faced with much more pressing problems.
What is mostly needed is not
inventing several layers of illusionary “protection” of the EU information but
framing the administrative procedures by law as suggested several times by the
European Parliament and by the multiannual endeavour of brilliant scholars
focusing on EU Administrative law[16].
What matters is that the management
and the access to EU information should be framed by law and not depend upon
the goodwill of the administrative author or the receiver as proposed by the
INFOSEC Regulation. Nor is information security strengthened transforming each
one of the 64 EU “entities” covered by the INFOSEC Regulation [17] in
sand-boxes where the information is shared only with the people who, according
to the “originator” has a “need to know” and not a “right to know”.
Moreover the EU should limit and
not generalize the power for each one of the 64 EU entities of create
“classified” information (EUCI). In this perspective art.9 of Regulation
1049/01 needs indeed a true revision but in view of the new EU Constitutional
framework and of the new institutional balance arising from the Lisbon treaty
and of the Charter.
Fourteen years after Lisbon the
democratic oversight of the European Parliament and the judicial control of the
Court of Justice on classified documents, shall be granted by EU law as it
is the case in most of the EU Countries and not by interinstitutional agreements
which maintain the “Originator” against these institutions in violation of the
rule of law principle as well as of the EU institutional balance.
Is it still acceptable fourteen
years after the entry into force of the Lisbon Treaty that the European
Parliament and the Court of Justice are not taken in account in the dozens
of international agreements by which the Council frames the exchange
of EUCI with third countries and international organizations?
Instead of dealing with these
fundamental issues, the European Commission in its 67 page proposal makes no
reference to 24 years of experience in the treatment of classified information
and prefers dragging the co-legislators in Kafkaesque debates dealing with
“sensitive but not classified information” or on the strange idea by
which documents should marked “public” by purpose and not by their nature (by
so crossing the line separating public transparency from public propaganda).
But all that been said, it is not
the Commission which will be responsible before the Citizens (and the European
Court) for badly drafted legislation. It will be the European Parliament and
the Council which shall now take their responsibility. They can’t hide behind
the Commission unwillingness to deal with substantive issues (as well as with
other aspects of legislative and administrative transparency) ; if the Council
also prefer maintain the things as they were before Lisbon it is up to the
European Parliament to take the lead and establish a frank discussion with the
other co-legislator and verify if there is the will of fixing the real growing
shortcomings in the EU administrative “Bubble”.
Continuing with the negotiations
on the current version of the INFOSEC proposal notably on the complex issue of
classified information paves the way to even bigger problems which (better soon
than later) risk to be brought as in 2000 on the CJEU table.
[1] According
to the Venice Commission “.. at International and national level access to
classified documents is restricted by law to a particular group of persons. A
formal security clearance is required to handle classified documents or access
classified data. Such restrictions on the fundamental right of access to
information are permissible only when disclosure will result in substantial
harm to a protected interest and the resulting harm is greater than the public
interest in disclosure. Danger is that if authorities engage in
human rights violations and declare those activities state secrets and thus
avoid any judicial oversight and accountability. Giving bureaucrats new powers
to classify even more information will have a chilling effect on freedom of
information – the touchstone freedom for all other rights and democracy – and
it may also hinder the strive towards transparent and democratic governance as
foreseen since Lisbon by art.15.1 of TFEU (emphasis added) The basic fear
is that secrecy bills will be abused by authorities and that they lead to wide
classification of information which ought to be publicly accessible for the
sake of democratic accountability. Unreasonable secrecy is thus seen as
acting against national security as “it shields incompetence and inaction, at a
time that competence and action are both badly needed”. (…) Authorities must
provide reasons for any refusal to provide access to information. The
ways the laws are crafted and applied must be in a manner that conforms to the
strict requirements provided for in the restriction clauses of the freedom of
information provisions in the ECHR and the ICCPR.”
[2] Action
brought on 9 October 2000 by the Kingdom of the Netherlands against the Council
of the European Union (Case C-369/00) (2000/C 316/37)
[3] Action
brought on 23 October 2000 by the European Parliament against the Council of
the European Union (Case
C-387/00)
[4] Regulation
1049/01 Article 9 ”Treatment of sensitive documents
1. Sensitive
documents are documents originating from the institutions or the agencies
established by them, from Member States, third countries or International
Organisations, classified as “TRÈS SECRET/TOP SECRET”, “SECRET” or
“CONFIDENTIEL” in accordance with the rules of the institution concerned,
which protect essential interests of the European Union or of one or more
of its Member States in the areas covered by Article 4(1)(a), notably public
security, defence and military matters.
2.
Applications for access to sensitive documents under the procedures laid down
in Articles 7 and 8 shall be handled only by those persons who have a right to
acquaint themselves with those documents. These persons shall also, without
prejudice to Article 11(2), assess which references to sensitive documents
could be made in the public register.
3. Sensitive
documents shall be recorded in the register or released only with the consent
of the originator.
4. An
institution which decides to refuse access to a sensitive document shall give
the reasons for its decision in a manner which does not harm the interests
protected in Article 4.
5. Member
States shall take appropriate measures to ensure that when handling
applications for sensitive documents the principles in this Article and Article
4 are respected.
6. The rules
of the institutions concerning sensitive documents shall be made public.
7. The
Commission and the Council shall inform the European Parliament regarding
sensitive documents in accordance with arrangements agreed between the
institutions.
[5] Notice
for the OJ. Removal from the register of Case C-387/00. By order of 22
March 2002 the President of the Court of Justice of the European Communities
ordered the removal from the register of Case C-387/00: European
Parliament v Council of the European Union. OJ C 355 of 09.12.2000.
[6] Interinstitutional
Agreement of 20 November 2002 between the European Parliament and the Council
concerning access by the European Parliament to sensitive information of the
Council in the field of security and defence policy (OJ C 298, 30.11.2002, p.
1).
[7] According
to the Interinstitutional Agreement of 12 March 2014 between the European
Parliament and the Council concerning the forwarding to and handling by the
European Parliament of classified information held by the Council on matters
other than those in the area of the common foreign and security policy (OJ C
95, 1.4.2014, pp. 1–7) “4. The Council may grant the
European Parliament access to classified information which originates in other
Union institutions, bodies, offices or agencies, or in Member States,
third States or international organisations only with the prior written
consent of the originator.”
[8] According
to annex III point 5 of the Framework Agreement on relations between the
European Parliament and the European Commission (OJ L 304, 20.11.2010, pp.
47–62) In the case of international agreements the conclusion of which
requires Parliament’s consent, the Commission shall provide to Parliament
during the negotiation process all relevant information that it also provides
to the Council (or to the special committee appointed by the Council). This
shall include draft amendments to adopted negotiating directives, draft
negotiating texts, agreed articles, the agreed date for initialling the
agreement and the text of the agreement to be initialled. The Commission
shall also transmit to Parliament, as it does to the Council (or to the special
committee appointed by the Council), any relevant documents received from third
parties, subject to the originator’s consent. The Commission shall
keep the responsible parliamentary committee informed about developments in the
negotiations and, in particular, explain how Parliament’s views have been taken
into account.”
[9] SEE
: Agreements
on the security of classified information
[10] Article
218.10 TFUE states clearly that “The European Parliament shall be immediately
and fully informed at all stages of the procedure” when the EU is
negotiating international agreements even when the agreements “relates
exclusively or principally to the common foreign and security policy,” (art.218.3
TFUE).
[11] Interestingly
reference to art.15 of the TFEU is also made in the EP-Council 2014
Interinstitutional Agreement on access to classified information (not dealing
with External Defence) See point 15 : This Agreement is without
prejudice to existing and future rules on access to documents adopted in
accordance with Article 15(3) TFEU; rules on the protection of personal data
adopted in accordance with Article 16(2) TFEU; rules on the European
Parliament’s right of inquiry adopted in accordance with third paragraph of
Article 226 TFEU; and relevant provisions relating to the European Anti-Fraud
Office (OLAF)
[12] However
this legal basis was fit for another legislative proposal, of a more technical
nature, which has now become EU Regulation
2023/2841 layng down measures for a high common level of
cybersecurity for the institutions, bodies, offices and agencies of the Union.
This Regulation applies at EU administrative level the principles established
for the EU Member States by Directive (EU) 2022/2555 (2)
improving the cyber resilience and incident response capacities of public and
private entities. It created an Interinstitutional Cybersecurity Board ( IICB)
and a Computer Emergency Response Team (CERT) which operationalizes the
standards defined by the IICB and interact with the other EU Agencies (such as
the EU Agency dealing with informatic security, Enisa), the corresponding
structures in the EU Member States and even the NATO structures. It may be too
early to evaluate if the Regulation is fit for its purpose ([12]) but the
general impression is that its new common and cooperative system of alert and
mutual support between the EU Institutions, Agencies and bodies may comply with
the letter and spirit of art.298 of the TFEU.
[13] Quite
bizarrely this “open” attribute is not cited in the INFOSEC proposal and, even
more strangely, none of the EU institutions has until now consulted the EU
Ombudsman and/or the Fundamental Rights Agency.
[14] See
Case C-338/01 Commission of the European Communities v Council of the European
Union(Directive 2001/44/EC – Choice of legal basis)“The choice of the legal
basis for a Community measure must rest on objective factors amenable to
judicial review, which include in particular the aim and the content of the
measure. If examination of a Community measure reveals that it pursues a
twofold purpose or that it has a twofold component and if one of these is
identifiable as the main or predominant purpose or component whereas the other
is merely incidental, the act must be based on a single legal basis, namely
that required by the main or predominant purpose or component. By way of
exception, if it is established that the measure simultaneously pursues several
objectives which are inseparably linked without one being secondary and
indirect in relation to the other, the measure must be founded on the
corresponding legal bases…”
[15]
Suffice to cite the following legal disclaimer :”This Regulation is without
prejudice to Regulation (Euratom) No 3/1958 17 ,
Regulation No 31 (EEC), 11 (EAEC), laying down the Staff Regulations of
Officials and the Conditions of Employment of other servants of the European
Economic Community and the European Atomic Energy Community 18 , Regulation
(EC) 1049/2001 of the European Parliament and of the Council 19 , Regulation
(EU) 2018/1725 of the European Parliament and of the Council 20 ,
Council Regulation (EEC, EURATOM) No 354/83 21 ,
Regulation (EU, Euratom) 2018/1046 of the European Parliament and of the
Council 22 ,
Regulation (EU) 2021/697 of the European Parliament and of the Council 23 ,
Regulation (EU) [2023/2841] of the European Parliament and of the Council 24 laying
down measures for a high common level of
cybersecurity at the institutions, bodies,
offices and agencies of the Union.
[16]
See ReNEUAL Model Rules
on EU Administrative Procedure. ReNEUAL working groups have developed a set of
model rules designed as a draft proposal for binding legislation
identifying – on the basis of comparative research – best practices in
different specific policies of the EU, in order to reinforce general principles
of EU law
[17] The
Council has listed not less than 64 EU entities (EU Institutions Agencies and
Bodies – EUIBAs) in document WK8535/2023
No comments:
Post a Comment