07 September 2023
Part 1 of a series /// EU institutions are currently discussing a proposal for a new law "on information security in the institutions, bodies, offices and agencies of the Union." While the objective itself may be legitimate, the proposal as it stands seeks to extend to other EU institutions and agencies the secrecy and opacity that has for so long characterised the work of the Council. It undermines existing legislation on public access to official documents and would fatally undermine the treaty obligation for the institutions, bodies, offices and agencies of the EU "to conduct their work as openly as possible." At the same time, the proposal fails to ensure the interinstitutional and interagecy cooperation necessary to ensure an effective administration.
Support our work: become a Friend of Statewatch from as little as £1/€1 per month.
Image: Maurits Verbiest, CC BY 2.0
For extensive documentation on this proposal see our Observatory: Regulation on security of EU information (2022 proposal)
The second part of this series is available here: The proposal on security of EU information: how to burst the bubble and open the EU fortress
Information security
The European Parliament's civil liberties committee (EU) and the Council of the EU are currently working on a legislative proposal dealing with information security in the institutions, bodies, offices and agencies of the Union. At first sight, the 76 pages of text appear "technical" - but upon closer inspection it is clear that the law may have a huge impact not just from an organizational point of view, but also politically. If adopted as it stands it may pave the way for the transformation of the "EU bubble" into a sort of (administrative) fortress, and substitute the principle of "transparency by design" with the principle of "confidentiality by design."
In principle the objective, as announced in the title of the proposal, is legitimate: granting a comparable level of protection in all the EU institutions, agencies and bodies, for information and documents, which, according to the law, should be protected. To do so a wide interinstitutional coordination group is proposed, as well as a network of security officials in all the EU entities. A secure information network (TEMPEST) is foreseen, along with the establishment of various authorities (for example, the TEMPEST authority will be responsible for preventing "unintentional electronic emanations" of classified material).
So far so good, and if the content of the proposal was limited to these organizational aspects it could even be seen as an example of administrative cooperation consistent with the chosen legal basis for this Regulation, Article 298 of the Treaty on the Functioning of the European Union (TFEU): "the institutions, bodies, offices and agencies of the Union shall have the support of an open, efficient and independent European administration."
What is worrying is the fact that, in parallel with the definition of the physical security of EU information, this proposal on the one hand redefines the conditions of treatment, access and sharing of all kinds of information and documents produced and handled by the EU institutions, agencies and bodies; and on the other does not frame adequately the conditions of interinstitutional and interagency cooperation.
Undermining transparency: from the "right to know" to the "need to know"
The first problematic aspect the new proposal, contrary to what the Commission states, completely overlaps and modifies the 2001 Regulation on public access to documents. While the principle of that Regulation is to enhance the peoples' right to know by granting that everything is public unless a specific exception is applicable, Chapter 4 of the information security proposal takes the opposite approach. Mirroring the logic of the current Council internal security rules, it requires that almost all internal documents should be protected and shared only with people with a recognized "need to know" unless the document is marked as "public."
By replacing the "right to know" foreseen in the Treaty with the a "need to know" mechanism, the proposed Regulation turns the EU transparency principle on its head. That principle is defined in Article 1 of the Treaty on European Union (TEU) and Article 15(1) of the TFEU. The former states that decisions are to be taken "as openly as possible and as closely as possible to the citizen," while the latter requires that: "In order to promote good governance and ensure the participation of civil society, the Union’s institutions, bodies, offices and agencies shall conduct their work as openly as possible."
Last but not least, the proposed information security framework goes against the notion of openness set out in Article 298 TFEU, which requires that the EU administration should not only be independent and efficient but also "open." By offering each EU institution, agency and body has the possibility to "protect" its internal information and documents by invoking the very fuzzy notion of "harm" - in the words of Article 3(aa) of the proposal, "the potential adverse effect of a given threat... to the legitimate public and private interests, measured as a combination of the likelihood of threats occurring and their impact" - the proposal fundamentally threatens the right to access legislative and non-legislative information as required by the treaties and the Regulation on access to documents.
In short: with this proposal the Commission is hoping to engage in a form of time travel. By the endorsing at legislative level the Council internal security rules, it proposes going back to the pre-Maastricht Treaty era, when it was up to the EU institutions to decide whether or not to grant access to their internal documents. But ever since the Amsterdam Treaty and, even more so, the Lisbon Treaty, this practice is incompatible with an EU bound by the rule of law and where there should not be space for dark zones. It is therefore quite surprising that until now the European Parliament has not proposed substantial amendments to the legislative proposal in order to preserve the transparency principle in the EU institutional framework.
Independent and efficient administration
There is a further way in which the proposal falls short of implementing the principle of an independent and efficient administration, as required by Article 298 TFEU. By transforming each EU institution, agency and body into a sort of "sandbox," it will make it extremely difficult to implement the principle of "mutual sincere cooperation" foreseen by Article 13(2) TEU. Interagency and interinstitutional cooperation is essential to achieve most of the missions foreseen by the treaties and it is therefore highly problematic to insist on the independence of each EU entity without foreseeing, in law, a mechanism of structured interinstitutional and interagency cooperation, beyond the enhanced cooperation on protecting each others' secrets pushed by the proposal.
In failing to provide legal procedures for arbitration and conflict prevention, the proposal paves the way to an administrative framework mired in perpetual conflict. Referring to the fact that the Court of Justice may solve possible problems of interpretation or potential cases of failure to act by any of the entities in question is a poor approach, given that legislation should be guided by the principle of granting legal certainty to EU citizens and the EU administration. It is also quite bizarre that the European Ombudsman has not been associated or consulted on the proposal at stake.
Both the European Parliament and the Council of the EU are still discussing the proposal, prior to entering into negotiations with one another. Is there time to turn this pig's ear into a silk purse?
Author: Emilio de Capitani
For extensive documentation on this proposal see our Observatory: Regulation on security of EU information (2022 proposal)
<p>Documentation relating to the 2022 proposal for a Regulation on information security in the institutions, bodies, offices and agencies of the Union. The proposal threatens to pave the way for the transformation of the "EU bubble" into a sort of (administrative) fortress, and substitute the principle of "transparency by design" with the principle of "confidentiality by design."</p>
Part 2 of a series /// The Commission's proposal on security of EU information threatens to fatally undermine the rules on access to documents, which are essential for transparency, openness and public participation in democratic-decision making. The European Parliament and the Council need to take action to fix the proposal on security of information. At the same time, there are clear steps they could take to improve the access to documents rules, ensuring that legislative deliberations are as open and transparent as required by the treaties.
Part 3 of a series /// The proposal on security of EU information, as introduced, would create a legal framework for classified information with a number of gaps and loopholes that would prevent the European Parliament and the Court of Justice from exercising their roles as set out in the EU treaties. Changes are required to fix these problems.
Spotted an error? If you've spotted a problem with this page, just click once to let us know.
Statewatch does not have a corporate view, nor does it seek to create one, the views expressed are those of the author. Statewatch is not responsible for the content of external websites and inclusion of a link does not constitute an endorsement. Registered UK charity number: 1154784. Registered UK company number: 08480724. Registered company name: The Libertarian Research & Education Trust. Registered office: MayDay Rooms, 88 Fleet Street, London EC4Y 1DH. © Statewatch ISSN 1756-851X. Personal usage as private individuals "fair dealing" is allowed. We also welcome links to material on our site. Usage by those working for organisations is allowed only if the organisation holds an appropriate licence from the relevant reprographic rights organisation (eg: Copyright Licensing Agency in the UK) with such usage being subject to the terms and conditions of that licence and to local copyright law.