The European Union and State Secrets: a fully evolving institutional framework…in the wrong direction (2).


In a passionate intervention before the Civil Liberties Committee of the European Parliament (LIBE) on January 8 the European Ombudsman has denounced the fact that:For the first time in its twenty year history, the European Ombudsman was denied its right under Statute to inspect an EU institution document, even under the guarantee of full confidentiality, as part of an inquiry… This power to inspect documents is fundamental to the democratic scrutiny role of the Ombudsman and acts as a guarantor of certain fundamental rights to the EU citizen.”

The case concerned Europol’s refusal to give access to a Joint Surpervisory Body (JSB) report on the implementation of the EU-US Terrorist Finance Tracking Program (TFTP) Agreement (known as “SWIFT” agreement). The JSB consists of representatives of the data protection authorities of the Member States which should ensure that the storage, processing and use of the data held by Europol do not violate fundamental EU rights. To check if  Europol was correctly applying EU law the Ombusdman has asked to inspect the JSB report. ”However”,as stated by Mrs O’Reilly,”..according to Europol, the “technical modalities” agreed between the Commission and the US under Article 4(9) of the TFTP Agreement required Europol to obtain the permission of the US authorities before allowing the Ombudsman, or any other entity, any access, including an Ombudsman confidential inspection, to the record. The US authorities have refused such permission to Europol.” Reportedly the  US authorities refused this permission because the Ombudsman “need to know” requirement for having access to that classified document was not met.

Many LIBE members have considered this statement quite appalling because it allowed the US authorities to be the arbiters of whether or not the Ombudsman may exercise her statutory, democratic power to inspect the document at issue in conformity with EU law. It is worth recalling that art. 3 par. 2 of the Ombusdman statute states that : The Community institutions and bodies shall be obliged to supply the Ombudsman with any information he has requested from them and give him access to the files concerned. Access to classified information or documents, in particular to sensitive documents within the meaning of Article 9 of Regulation (EC) No 1049/2001, shall be subject to compliance with the rules on security of the Community institution or body concerned.” 

To shed some light on this controversy it could be worth recalling some elements which to my opinion have not been developed during the parliamentary debate and I had the occasion to recall in a previous post …five years ago.

The “Originator’s principle” in art. 9 of Regulation 1049/01

First of all it should be noted that art. 9 of Regulation 1049/01 cited in the Ombudsman Statute is the only EU legislative basis which allows the classification of “sensitive documents” which are “..documents are documents originating from the institutions or the agencies established by them, from Member States, third countries or International Organizations, classified as ‘TRÈS SECRET/TOP SECRET’, ‘SECRET’ or ‘CONFIDENTIEL’ in accordance with the rules of the institution concerned, which protect essential interests of the European Union or of one or more of its Member States in the areas covered by Article 4(1)(a), notably public security, defense and military matters.” According to paragraph 3 of the same article “Sensitive documents shall be recorded in the register or released only with the consent of the originator.”

However, according to Regulation 1049/01 the Originator’s consent is an exception to the general rule according to which an Institution when requested for access to a document should be driven by objective criteria and not by the will of the “originator” even when the latter it is an EU Member State (see art. 4 p.4-6 of Regulation 1049/01). The only obligation foreseen by the Regulation is to establish a fair dialogue with the “originator” and the final judge will remain the Court of justice which should assess if Regulation 1049/01 principles and rules have been violated. Not surprisingly this general rule was not easy to agree with the Member States but it was chosen as it was the only possible way out to preserve the autonomy of EU law against the risk of inconsistent decisions at EU level if taken  following national standards which are still extremely diverse (think how different is the approach to transparency in Sweden or in Spain..).

Why then establish an exception in art. 9 ?

The main factor has been the Council reqyest to cover the first 2000 EU-NATO agreement  on exchange of classified information  which, like all similar international agreements was built on the “originator” principle and also because of this was challenged by the European Parliament before the Court of Justice. Mid 2001 a deal was then struck with the European Parliament which obtained that the exception of the “originator’s principle” should had been limited to the intergovernmental domains (at the time the internal and external security policies covered by art. 24 and 38 of the EU Treaty). The logic was that for these policies the Member States are mainly under the control of their national parliaments so that the European Parliament (as well as the Court of Justice) could not be considered co-responsible for violation of EU law.

On this basis the Council has progressively built an autonomous legal framework which can hardly be considered a simple implementation of Art.9 of Regulation 1049/01. Not only the Council has added another lower level of classified documents (“Restricted”) but it embodied  the “originator’s principle”. The Council latest version of these security rules is the Decision 2013/488/EU and  has been adopted  by the Council on its internal organizational powers (art. 240 TFEU) and “without prejudice to Articles 15 and 16 of the Treaty on the Functioning of the European Union (TFEU) and to instruments implementing them”.(eg Regulation 1049/01 and the measures protecting personal data).

Notwithstanding this “disclaimer” this Council Decision has become “de facto” an harmonizing measure as it  define the “principles” which should frame the European Union Classified Informations (EUCI). To comply with the rule of law and democratic principles these “principles” should had been adopted by the  co-legislator as foreseen by art. 15 of the TFEU (1) and by the EU Charter. But the general application of these “internal rules” derives by the fact that they should be “copy and pasted” as such in all the EU Institutions agencies and bodies “internal” security rules if the latter want to share classified informations with the Council or between them.

Also in the international negotiations the Originator’s principle has been spread in dozen of international agreements even if since the entry into force of the Lisbon Treaty these agreements deals with the exchange of classified information linked with  the common foreign and security policy (art. 37 of the TEU) (2). When classified informations deals with Judicial and police cooperation in criminal matters they now require an internal legal basis as it happened  for the  Decision concluding the EU-US agreement on TFTP. The “mutual respect clause foreseen by art. 40 TEU (3) should be respected and the European Parliament approbation is required.

Quite rightly then the European Parliament Legal Service has considered that the “technical modalities” invoked by Europol to justify the refusal of access by the Ombusdman could not be considered a sound legal basis as they were simple  “implementing measures” of the TFTP agreement and have been not part of the agreement itself.

Can the Ombusdman, the European Parliament and the Court of justice be considered simple “third parties” ?

However I am less convinced of the EP Legal Service reasoning  when it justify  the EUROPOL refusal to give the Ombusdman access to the JSB report because the originator’s  principle is embodied in …the Europol internal Security Rules.

First of all I believe that in case of conflict between the Europol Security Rules (which mirror the Council Internal security rules which themselves are implementing measure of art. 9 of Regulation 1049/01) and the Ombudsman Statute the latter should  prevail as the latter it is a direct implementation of the Treaty and is of legislative nature (as it has been adopted in codecision by the European Parliament and the Council).

Secondly (and more importantly) I consider that the question as highlighted by the Ombudsman is indeed more of constitutional nature and deals with the preservation of the principle of institutional balance in an autonomous legal order as it is the European Union (see the recent Court of Justice opinion 2/13 on the EU accession to the ECHR).

Under this perspective I think that the way how the Council has implemented the art 9 of Regulation 1049/01 is creating a sort of “executive privilege” which has no  basis in the EU primary law and can which moreover is threatening the prerogatives of the other institutions.

I find also misleading (to say the least) the formula applied by the Council in the international agreements on the exchange of classified information (even if now limited to external security policy). The formula is the following : 

The EU institutions and entities to which this Agreement applies shall be: the European Council, the Council of the European Union (hereinafter ‘the Council’), the General Secretariat of the Council, the High Representative of the Union for Foreign Affairs and Security Policy, the European External Action Service (hereinafter ‘the EEAS’) and the European Commission. For the purposes of this Agreement, these institutions and entities shall be referred to as ‘the EU’..

How can be considered complying with the EU founding values of democracy and of the rule of law as well as with the principle of legal certainty a formula which give the right to a third country such as Russia, Georgia, Turkey,  (4)  to decide that the Ombudsman, the European Parliament and the Court of Justice are “third parties which can be forbidden from acceding to classified information” even when their access is linked with the exercise of their constitutional prerogatives? (5)


For all these reasons I think that the Ombudsman should had challenged the Europol refusal before the Court of justice by giving to the Luxembourg Judges the possibility to better frame the scope of the originator’s principle and of the “third party” rule in the EU law.

In the meantime it could also be possible that the Commission (and notably its Vice president of  Timmermans in charge of the Rule of law of the EU Charter) take on board the amendments to Regulation 1049/01 (and to art. 9) as voted by the European Parliament on December 2011.

Last but not least I think that also the European Parliament should take advantage of what he has learned in Ombudsman-Europol case in  the  current negotiations with the Council on the post-Lisbon  EUROPOL decision. It could be worth amending some worrying articles of the Council “general approach” (Council Doc 10033/14 of May 28 2014) . For instance art.67 of rightly makes reference to Regulation 1049/01 but art. 69 makes reference to the Council Internal Security rules instead to art. 9 of Regulation 1049/01. I think it could also be wise to examine the content of the Europol adopted and pending international agreements as the Council “general approach” foresee  that Europol International agreements “established on the basis of Decision 2009/371/JHA and agreements concluded by Europol as established by the Europol Convention before 1 January 2010 should remain in force”.


(1)  “General principles and limits on grounds of public or private interest governing this right of access to documents shall be determined by the European Parliament and the Council, by means of regulations, acting in accordance with the ordinary legislative procedure.” (art. 15 p 3 TFEU)

(2)  See for example the 2011 agreement between the EU and Serbia on the exchange of classified information)

(3) Art 40 TEU. “The implementation of the common foreign and security policy shall not affect the application of the procedures and the extent of the powers of the institutions laid down by the Treaties for the exercise of the Union competences referred to in Articles 3 to 6 of the Treaty on the Functioning of the European Union. 

Similarly, the implementation of the policies listed in those Articles shall not affect the application of the procedures and the extent of the powers of the institutions laid down by the Treaties for the exercise of the Union competences under this Chapter.”

(4)  The third Countries with which the agreements have been concluded are :   Australia, Bosnia and Herzegovina, Former Yugoslav Republic of Macedonia, Iceland,  Israel, Liechtenstein, Montenegro, Norway, Serbia, Switzerland, Ukraine and United States of America. Agreements have also been signed with: Canada (Negotiating mandate approved by the Council  on 21.10.2003 – Under negotiation),  Turkey (Negotiated but not yet approved by the Council), Russian Federation (Agreement signed on 01.6.2010 and published  in OJ L 155, 22.6.2010, p.57. Exchange of  notes verbales following entry into force of the  Lisbon Treaty . Negotiations on  the implementing arrangements are ongoing), Albania Negotiating mandate approved by the Council  on 20.01.2014 (Under  negotiation), Georgia (Negotiating mandate approved by the Council  on 20.01.2014.Under negotiation).

(5) The fact that  the “third party rule” constitutes a guarantee for the third party to a certain extent, but it is not an absolute principle of law has been debated during the negotiations of the EU-Canada exchange of classified informations (with reference to Section 38 of the Canada Evidence Act).

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: