3.1 Transparency – European Area of Freedom Security & Justice

Why the European Parliament should reject (or substantially amend) the Commission’s proposal on EU Information Security (“INFOSEC”). (1) The issue of “classified information”

By Emilio De Capitani

1.Setting the scene of EU legal framework on access to documents and to confidential information before the Lisbon Treaty

To better understand why the Commission “INFOSEC” draft legislative proposal (2022/0084(COD) on information security shall be substantially amended, let’s recall what was before the Lisbon Treaty and of the Charter, the EU legal framework on access to documents, and notably of EU classified information. With the entry into force of the Amsterdam Treaty on May 1999 the EP and the Council have been under the obligation (art.255 TCE) of adopting in two years time new EU rules framing the individual right of access to documents by establishing at the same time “the general principles and limits of public interests” which may limit such right of access.(emphasis added).

Notwithstanding a rather prudent Commission’s legislative proposal the EP strongly advocated a stronger legal framework for access to documents, for legislative transparency and even for the treatment at EU level of information which, because of their content, should be treated confidentially (so called ,“sensitive” or “classified information”).

Needless to say “Sensitive” or “classified information” at Member States level, are deemed to protect “essential interests” of the State and, by law, are subject to a special parliamentary and judicial oversight regime.[1] As a consequence, at EU level, even after Lisbon, national classified information are considered an essential aspect of national security which “.. remains the sole responsibility of each Member State” (art. 4.2 TEU) and “..no Member State shall be obliged to supply information the disclosure of which it considers contrary to the essential interests of its security;”(art 346.1(a)TFEU.

However, if national classified information is shared at EU level as it is the case for EU internal or external security policies it shall be treated as for any other EU policy by complying with EU rules. Point is on what legal basis these rules should be founded. This issue came to the fore already in 2000 when the newly appointed Council Secretary General Xavier SOLANA negotiated with NATO a first interim agreement on the exchange of classified information. The agreement which mirrored at EU level the NATO Classification standards (“Confidential”, “Secret” and “Top Secret”) was founded on the Council internal organizational power but this “administrative” approach was immediately challenged before the Court of Justice by the a Member State (NL) [2]and by the European Parliament itself [3] which considered that the correct legal basis should had been the new legislation on access to documents foreseen by art 255 of TEC which was at the time under negotiation. The Council, at last, acknowledged that art.255 TEC on access to documents was right legal basis and a specific article (art.9[4]) was inserted in in Regulation 1049/01 implementing art.255 TEC and the EP and NL withdrew their applications before the CJEU[5].

Point is that Art.9 of Regulation 1049/01 still covers only the possible access by EU citizens and such access may be vetoed by the “originator” of the classified information. Unlike national legislation on classified information art.9 didn’t solved, unfortunately, for the lack of time, the issue of the democratic and judicial control by the European Parliament and by the Court of Justice to the EUCI. Art.9(7) of Regulation 1049/01 makes only a generic reference to the fact that “The Commission and the Council shall inform the European Parliament regarding sensitive documents in accordance with arrangements agreed between the institutions.” A transitional and partial solution has then been founded by negotiating Interinstitutional Agreements between the Council and the EP in 2002 [6]and in 2014 [7]and between the European Commission[8] in 2010.

Point is that interinstitutional agreements even if they may be binding (art.295 TFEU) they can only “facilitate” the implementation of EU law which, as described above, in the case of democratic and judicial control of classified information still does not exists. Not surprisingly, both the Council and the Commission Interinstitutional agreements consider that the “originator” principle should also be binding for the other EU institutions such as the European Parliament and the Court of Justice.

This situation is clearly unacceptable in an EU deemed to be democratic and bound by the rule of law as it create zones where not only the EU Citizens but also their Representatives may have no access because of “originator’s” veto. As result, in these situations the EU is no more governed by the rule of law but only by the “goodwill” of the former.

To make things even worse the Council established practice is to negotiate with third Countries and international organizations agreements [9]covering the exchange of confidential information by declaring that the other EU Institutions (such as the EP and the Court of Justice) should be considered “third parties” subject then to the “originator” principle.

Such situation has become kafkianesque with the entry into force of the Lisbon treaty which recognize now at primary law level the EP right to be “fully and timely” informed also on classified information exchanged during the negotiation of an international agreement[10]. Inexplicabily , fourtheen years since the entry into force of the Traty the European Parliament has not yet challenged before the Court of Justice these clearly unlawful agreements.

That Institutional problem kept apart, fact remains that until the presentation of the draft INFOSEC proposal none challenged the idea that in the EU the correct legal basis supporting the treatment also of classified information should be the same of access to documents which after the entry into force of the Lisbon treaty is now art.15.3 of the TFEU[11].

2 Why the Commission choice of art 298 TFEU as the legal basis for the INFOSEC proposal is highly questionable [12]

After the entry into force of the Lisbon Treaty and of the Charter the relation between the fundamental right of access to documents and the corresponding obligation of the EU administration of granting administrative transparency and disclose or not its information/documents has now been strengthened also because of art.52 of the EU Charter.

In an EU bound by the rule of law and by democratic principles, openness and the fundamental right of access should be the general rule and “limits” to such rights should be an exception framed only “by law”. As described above the correct legal basis for such “law” is art.15 of the TFEU which, as the former art.255 TEC, states that “General principles and limits on grounds of public or private interest..” may limit the right of access and the obligation of disclosing EU internal information / documents. Also from a systemic point of view “limits” to disclosure and to access are now covered by the same Treaty article which frames (in much stronger words than art 255 before Lisbon) the principles of “good governance”(par 1), of legislative transparency (par 2) and of administrative transparency (par 3).

Such general “Transparency” rule is worded as following: “1. In order to promote good governance and ensure the participation of civil society, the Union institutions, bodies, offices and agencies shall conduct their work as openly as possible.(..) Each institution, body, office or agency shall ensure that its proceedings are transparent and shall elaborate in its own Rules of Procedure specific provisions regarding access to its documents, in accordance with the regulations referred to in the second subparagraph.”

Bizarrely, the European Commission has chosen for the INFOSEC regulation art.298 TFEU on an open, independent and efficient EU administration by simply ignoring art.15 TFEU and by making an ambiguous reference to the fact that INFOSEC should be implemented “without prejudice” of the pre-Lisbon Regulation 1049/01 dealing with access to documents and administrative transparency. How a “prejudice” may not exist when both Regulations are overlapping and INFOSEC Regulation is upgrading the Council Internal Security rules at legislative level is a challenging question.

It is indeed self evident that both the INFOSEC Regulation and Regulation 1049/01 deal with the authorized/unauthorised “disclosure” of EU internal information/documents.

Such overlapping of the two Regulations is even more striking for the treatment EU Classified information (EUCI) as these information are covered both by art. 9 of Regulation 1049/01 and now by articles 18 to 58 and annexes II to VI of the INFOSEC Regulation.

As described above, Art 255 TCE has since Lisbon been replaced and strengthened by art 15 TFEU so that the Commission proposal of replacing it with art.298 TFEU looks like a “detournement de procedure” which may be challenged before the Court for almost the same reasons already raised in 2000 by the EP and by NL. It would then been sensible to relaunch the negotiations on the revision of Regulation 1049 in the new post-Lisbon perspective but the Commission has decided this year to withdraw the relevant legislative procedure. Submitting a legislative proposal such INFOSEC promoting overall confidentiality and withdrawing at the same time a legislative proposal promoting transparency seems a rather Commission’s strong message to the public.

3 Does the INFOSEC proposal grant a true security for EU internal information?

Point is that European administrative transparency is now a fundamental right of the individual enshrined in the Charter (Article 42).The protection of administrative data is one of the aspects of the “duty” of good administration enshrined in Article 41 of the Charter which stipulates that every person has the right of access to their file, “with due regard for the legitimate interests of confidentiality and professional and business secrecy.”

However Art.298 TFEU is not the legal basis framing professional secrecy. It is only a provision on the functioning of the institutions and bodies which, “in carrying out their tasks … [must be based] on an “open” European administration”[13] and is not an article intended to ensure the protection of administrative documents.

This objective is better served by other legal basis of the Treaties.

First of all, protecting the archives of EU institutions and bodies from outside interference is, even before being a legitimate interest, an imperative condition laid down by the Treatiesand the related 1965 Protocol on the Privileges and Immunities of the Union adopted on the basis of the current Article 343 TFEU. Articles 1 and 2 of that Protocol stipulate that the premises and buildings of the Union, as well as its archives, “shall be inviolable.”

Furthermore, in order to ensure that, in the performance of their duties, officials are obliged to protect the documents of their institutions, Article 17 of the Staff Regulations stipulates that

1. Officials shall refrain from any unauthorized disclosure of information coming to their knowledge in the course of their duties, unless such information has already been made public or is accessible to the public.

Again, (as for Regulation 1049/01), the INFOSEC regulation reinstate that it should be applied “without prejudice” of the Staff Regulation by so mirroring the second paragraph of art.298 TFEU which states that itself states that it should be implemented “in accordance with the Staff Regulations and the rules adopted on the basis of Article 336.” So, also from this second perspective, the correct legal basis for INFOSEC could be the Article 339 (on professional secrecy) and 336 TFEU, with the consequent amendment of the Staff Regulations by means of a legislative regulation of the Parliament and the Council.

By proposing a legislative regulation on the basis of Article 298, the Commission therefore circumvents both the obligation imposed by Article 336, art 339 (on professional secrecy) and, more importantly of Article 15(3) TFEU, according to which each institution or body “..shall ensure (i.e., must ensure) the transparency of its proceedings [and therefore also their protection from external interference] and shall lay down in its rules of procedure specific provisions concerning access to its documents [and therefore also concerning their protection], in accordance with the regulations referred to in the second subparagraph.”(NDR currently Regulation 1049/01)

The objectives set out in Article 298 cannot therefore override the requirements of protecting the fundamental right of access to documents, nor those of Article 15 TFEU which could be considered the “center of gravity”when several legal basis are competing [14].

The same applies to compliance with the regulation establishing the Statute and, in particular, compliance with Article 17 thereof, cited above.

Ultimately, the provisions on the legislative procedure for Union legislative acts are not at the disposal of the Commission, given that administrative transparency is a fundamental right and the protection of documents is a corollary thereof and not a means of functioning of the institutions. Administrative transparency is a fundamental right of every person; the protection of administrative data is a legitimate interest of every administration.

A ”public” interest that can certainly limit the right of access, but only under the conditions established by the legislator of art 15 TFEU and only by the latter.

4. Conclusions

If a recommendation may be made now to the co-legislators is to avoid illusionary shortcuts such as the current Commission proposal whose real impact on the EU administrative “bubble” is far to be clear[15] . The EU Legislator, since the entry into force of the Lisbon Treaty more than fourteen years ago is faced to much more pressing problems.

What is mostly needed is not inventing several layers of illusionary “protection” of the EU information but framing the administrative procedures by law as suggested several times by the European Parliament and by the multiannual endeavor of brilliant scholars focusing on the EU Administrative law[16].

What matters is that the management and the access to EU information should be framed by law and not depend from the goodwill of the administrative author or the receiver as proposed by the INFOSEC Regulation. Nor information security is strengthened transforming each one of the 64 EU “entities” covered by the INFOSEC Regulation [17] in sand-boxes where the information is shared only with the people who, according to the “originator” has a “need to know” and not a “right to know”.

Moreover the EU should limit and not generalize the power for each one of the 64 EU entities of create “classified” information (EUCI). In this perspective art.9 of Regulation 1049/01 needs indeed a true revision but in view of the new EU Constitutional framework and of the new institutional balance arising from the Lisbon treaty and of the Charter.

Fourtheen years after Lisbon the democratic oversight of the European Parliament and the judicial control of the Court of Justice on classified documents , shall be granted by EU law as it is the case in most of the EU Countriesand not by interinstitutional agreements which maintain the “Originator” against these institutions in violation of the rule of law principle as well as of the EU institutional balance.

Could still be acceptable fourteen years after the entry into force of the Lisbon Treaty that the European Parliament and the Court of justice are not taken in account in the dozens of international agreements by which the Council frame the exchange of EUCI with third countries and international organizations?

Instead of dealing with these fundamental issues the European Commission in its 67 pages proposal makes no reference to 24 years of experience in the treatment of classified information and prefer dragging the co-legislators in Kafkian debates dealing with “sensitive but not classified information” or on the strange idea by which documents should marked “public” by purpose and not by their nature (by so crossing the line separating public transparency from public propaganda).

But all that been said, it is not the Commission which will be responsible before the Citizens (and the European Court) for badly drafted legislation. It will be the European Parliament and the Council which shall now take their responsibility. They can’t hide behind the Commission unwillingness to deal with substantive issues (as well as with other aspects of legislative and administrative transparency) ; if the Council also prefer maintain the things as they were before Lisbon it is up to the European Parliament to take the lead and establish a frank discussion with the other co-legislator and verify if there is the will of fixing the real growing shortcomings in the EU administrative “Bubble”.

Continuing with the negotiations on the current version of the INFOSEC proposal notably on the complex issue of classified information paves the way to even bigger problems which (better soon than later) risk to be brought as in 2000 on the CJEU table.

[1] According to the Venice Commission “.. at International and national level access to classified documents is restricted by law to a particular group of persons. A formal security clearance is required to handle classified documents or access classified data. Such restrictions on the fundamental right of access to information are permissible only when disclosure will result in substantial harm to a protected interest and the resulting harm is greater than the public interest in disclosure. Danger is that if authorities engage in human rights violations and declare those activities state secrets and thus avoid any judicial oversight and accountability. Giving bureaucrats new powers to classify even more information will have a chilling effect on freedom of information – the touchstone freedom for all other rights and democracy – and it may also hinder the strive towards transparent and democratic governance as foreseen since Lisbon by art.15.1 of TFEU (emphasis added) The basic fear is that secrecy bills will be abused by authorities and that they lead to wide classification of information which ought to be publicly accessible for the sake of democratic accountability. Unreasonable secrecy is thus seen as acting against national security as “it shields incompetence and inaction, at a time that competence and action are both badly needed”. (…) Authorities must provide reasons for any refusal to provide access to information. The ways the laws are crafted and applied must be in a manner that conforms to the strict requirements provided for in the restriction clauses of the freedom of information provisions in the ECHR and the ICCPR.”

[2] Action brought on 9 October 2000 by the Kingdom of the Netherlands against the Council of the European Union (Case C-369/00) (2000/C 316/37)

[3] Action brought on 23 October 2000 by the European Parliament against the Council of the European Union (Case C-387/00) (2000/C 355/31) LINK chrome-extension://efaidnbmnnnibpcajpcglclefindmkaj/https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:C2000/355/31

[4] Regulation 1049/01 Article 9”Treatment of sensitive documents

1. Sensitive documents are documents originating from the institutions or the agencies established by them, from Member States, third countries or International Organisations, classified as “TRÈS SECRET/TOP SECRET”, “SECRET” or “CONFIDENTIEL” in accordance with the rules of the institution concerned, which protect essential interests of the European Union or of one or more of its Member States in the areas covered by Article 4(1)(a), notably public security, defence and military matters.

2. Applications for access to sensitive documents under the procedures laid down in Articles 7 and 8 shall be handled only by those persons who have a right to acquaint themselves with those documents. These persons shall also, without prejudice to Article 11(2), assess which references to sensitive documents could be made in the public register.

3. Sensitive documents shall be recorded in the register or released only with the consent of the originator.

4. An institution which decides to refuse access to a sensitive document shall give the reasons for its decision in a manner which does not harm the interests protected in Article 4.

5. Member States shall take appropriate measures to ensure that when handling applications for sensitive documents the principles in this Article and Article 4 are respected.

6. The rules of the institutions concerning sensitive documents shall be made public.

7. The Commission and the Council shall inform the European Parliament regarding sensitive documents in accordance with arrangements agreed between the institutions.

[5] Notice for the OJ.Removal from the register of Case C-387/00¹By order of 22 March 2002 the President of the Court of Justice of the European Communities ordered the removal from the register of Case C-387/00: European Parliament v Council of the European Union. OJ C 355 of 09.12.2000.

[6] Interinstitutional Agreement of 20 November 2002 between the European Parliament and the Council concerning access by the European Parliament to sensitive information of the Council in the field of security and defence policy (OJ C 298, 30.11.2002, p. 1).

[7] According to the Interinstitutional Agreement of 12 March 2014 between the European Parliament and the Council concerning the forwarding to and handling by the European Parliament of classified information held by the Council on matters other than those in the area of the common foreign and security policy (OJ C 95, 1.4.2014, pp. 1–7) “4. The Council may grant the European Parliament access to classified information which originates in other Union institutions, bodies, offices or agencies, or in Member States, third States or international organisations only with the prior written consent of the originator.”

[8] According to annex III point 5 of the Framework Agreement on relations between the European Parliament and the European Commission (OJ L 304, 20.11.2010, pp. 47–62) In the case of international agreements the conclusion of which requires Parliament’s consent, the Commission shall provide to Parliament during the negotiation process all relevant information that it also provides to the Council (or to the special committee appointed by the Council). This shall include draft amendments to adopted negotiating directives, draft negotiating texts, agreed articles, the agreed date for initialling the agreement and the text of the agreement to be initialled. The Commission shall also transmit to Parliament, as it does to the Council (or to the special committee appointed by the Council), any relevant documents received from third parties, subject to the originator’s consent. The Commission shall keep the responsible parliamentary committee informed about developments in the negotiations and, in particular, explain how Parliament’s views have been taken into account.”

[9] SEE : Agreements on the security of classified information Link : https://eur-lex.europa.eu/EN/legal-content/summary/agreements-on-the-security-of-classified-information.html

[10] Article 218.10 TFUE states clearly that “The European Parliament shall be immediately and fully informed at all stages of the procedure” when the EU is negotiating international agreements even when the agreements “relates exclusively or principally to the common foreign and security policy,” (art.218.3 TFUE).

[11] Interestingly reference to art.15 of the TFEU is also made in the EP-Council 2014 Interinstitutional Agreement on access to classified information (not dealing with External Defence) See point 15 : This Agreement is without prejudice to existing and future rules on access to documents adopted in accordance with Article 15(3) TFEU; rules on the protection of personal data adopted in accordance with Article 16(2) TFEU; rules on the European Parliament’s right of inquiry adopted in accordance with third paragraph of Article 226 TFEU; and relevant provisions relating to the European Anti-Fraud Office (OLAF)

[12] However this legal basis was fit for another legislative proposal, of a more technical nature, which has now become EU Regulation 2023/2841 layng down measures for a high common level of cybersecurity for the institutions, bodies, offices and agencies of the Union. This Regulation apply at EU administrative level the principles established for the EU Member States by Directive (EU) 2022/2555 (²) improving the cyber resilience and incident response capacities of public and private entities. It created an Interinstitutional Cybersecurity Board ( IICB) and a Computer Emergency Response Team (CERT) which operationalizes the standards defined by the IICB and interact with the other EU Agencies (such as the EU Agency dealing with informatic security, Enisa), the corresponding structures in the EU Member States and even the NATO structures. It may be too early to evaluate if the Regulation is fit for its purpose ([12]) but the general impression is that its new common and cooperative system of alert and mutual support between the EU Institutions, Agencies and bodies may comply with the letter and spirit of art.298 of the TFEU

[13] Quite bizarrely this “open” attribute is not cited in the INFOSEC proposal and, even more strangely, none of the EU institutions has until now consulted the EU Ombudsman and/or the Fundamental Rights Agency.

[14] See Case C-338/01 Commission of the European Communities v Council of the European Union(Directive 2001/44/EC – Choice of legal basis)“The choice of the legal basis for a Community measure must rest on objective factors amenable to judicial review, which include in particular the aim and the content of the measure. If examination of a Community measure reveals that it pursues a twofold purpose or that it has a twofold component and if one of these is identifiable as the main or predominant purpose or component whereas the other is merely incidental, the act must be based on a single legal basis, namely that required by the main or predominant purpose or component. By way of exception, if it is established that the measure simultaneously pursues several objectives which are inseparably linked without one being secondary and indirect in relation to the other, the measure must be founded on the corresponding legal bases…”

[15] Suffice to cite the following legal disclaimer :”This Regulation is without prejudice to Regulation (Euratom) No 3/1958 17 , Regulation No 31 (EEC), 11 (EAEC), laying down the Staff Regulations of Officials and the Conditions of Employment of other servants of the European Economic Community and the European Atomic Energy Community 18 , Regulation (EC) 1049/2001 of the European Parliament and of the Council 19 , Regulation (EU) 2018/1725 of the European Parliament and of the Council 20 , Council Regulation (EEC, EURATOM) No 354/83 21 , Regulation (EU, Euratom) 2018/1046 of the European Parliament and of the Council 22 , Regulation (EU) 2021/697 of the European Parliament and of the Council 23 , Regulation (EU) [2023/2841] of the European Parliament and of the Council 24 laying down measures for a high common level of cybersecurity at the institutions, bodies, offices and agencies of the Union.

[16] See ReNEUAL Model Rules on EU Administrative Procedure. ReNEUAL working groups have developed a set of model rules designed as a draft proposal for binding legislation identifying – on the basis of comparative research – best practices in different specific policies of the EU, in order to reinforce general principles of EU law

https://www.reneual.eu/projects-and-publications/reneual-1-0

[17] The Council has listed not less than 64 EU entities (EU Institutions Agencies and Bodies – EUIBAs) in document WK8535/2023

EU Transparency and participative democracy in the EU institutions after Lisbon :“Everything must change for everything to remain the same”?

by Emilio DE CAPITANI *[1]

Foreword

In a famous Italian novel “The Leopard” which describes a key moment of regime change in Sicily a young protagonist, Tancredi, addresses the old Prince of Salina, suggesting as the best strategy in order to maintain the old privileges to adapt, at least apparently, to the new situation.

This seems to be also the strategy chosen by the European institutions after the entry into force of the Treaty of Lisbon when dealing with openness and transparency of their decision-making process.

This Treaty marks a radical change from the previous situation, notably because it make visible and strengthens the interrelation between the principles of the Rule of law, democracy, mutual trust and transparency in the EU. This relation was already implicit before the Treaty but has become more evident at primary law level with the definition of the EU funding values (art 2 TEU), the binding nature of the EU Charter of fundamental rights and the establishment in the Treaties of clear legal basis transforming these principles in reality within the EU institutional framework and in relation with the EU Member States.

Under this perspective several articles of the EU Charter become relevant when dealing with principles of openness and transparency in the EU such the art.11 on Freedom of expression and information and articles 41 and 42 on the right to good administration and of access to EU documents. These rights should be granted and promoted not only by the EU Institutions Agencies and bodies but also by the Member states when implementing EU law. If a decision making process should be transparent at EU level the same transparency should be granted when EU measures are transposed at national level [2].

Openness and Transparency as corollaries of EU democracy

Furthermore the Lisbon Treaty has also endorsed several ambitious institutional innovations negotiated at the time of the draft Constitutional Treaty and which have now a direct or indirect impact on EU notions of rule of law, mutual trust, democracy and transparency.

First of all, the Treaty makes clear the democratic nature of the EU not only by strengthening representative democracy (“The functioning of the Union shall be founded on representative democracy.” Art.10.1 TEU) but also by recognizing the principle of participative democracy [3] (“Every citizen shall have the right to participate in the democratic life of the Union. Decisions shall be taken as openly and as closely as possible to the citizen” art.10.3 TEU).

Participative democracy is further strengthened by recognizing the role of Civil Society in art.11 TEU according to which “1. The institutions shall, by appropriate means, give citizens and representative associations the opportunity to make known and publicly exchange their views in all areas of Union action. 2. The institutions shall maintain an open, transparent and regular dialogue with representative associations and civil society.”.

Moreover, the Lisbon treaty confirms the principle of openness when it states that “(EU) decisions are taken as openly as possible and as closely as possible to the citizen.”(art 1, 2nd Alinea TEU). This provision was already present before Lisbon, but since then the notion of what could be considered “possible” has evolved both from a technical and political point of view. From a technical perspective, in the last twenty years the digital transformation has already triggered also at EU level the notion of e-government[4], of re-use of public data [5]. In a Google era efficient communication techniques that involve and empower citizens make now possible involving citizens in public decision-making processes.[6]

From a political perspective the new Treaty emphasizes that “In all its activities, the Union shall observe the principle of the equality of its citizens, who shall receive equal attention from its institutions, bodies, offices and agencies.” (art.9 TEU). When translated in transparency policies this principle requires that, when in public domain, information should be accessible by means and procedures which should not be directly or indirectly discriminatory [7].

(EU) Preaching “Transparency by design…

The Lisbon Treaty not only proclaimed the democratic principles on which the EU is founded and should be promoted (art 9-12 TEU) but confirmed the principle of openness and of participative democracy according to which ‘(EU) decisions are taken as openly as possible and as closely as possible to the citizens’ (art.1.2 TEU) and “[e]very citizen shall have the right to participate in the democratic life of the Union. Decisions shall be taken as openly and as closely as possible to the citizen.”(art.10.3 TEU).

Moreover, EU Legislative acts [8] are now defined at primary law level (art.289 TFEU) and the obligation of granting ‘Legislative transparency’ is now foreseen by Article 15(2) TFEU according to which “The European Parliament shall meet in public, as shall the Council when considering and voting on a draft legislative act.” As a consequence, granting legislative transparency has become a self-standing constitutional obligation which cannot be jeopardized by measures of EU secondary law or even more, by internal practices of the EU institutions. In other words, the mandatory principle of ‘legislative transparency’ established by Article 15(2) TFEU and 16.8 TEU should no more, be mixed with the ‘transparency on demand’ approach of the “pre-Lisbon” era when the scope of legislative transparency was often linked to the aleatory condition that a citizen may ask or not access to a legislative preparatory document.

…but framing “confidentiality by design”.

Unfortunately, even today, fifteen years since the entry into force of the Lisbon Treaty legislative preparatory documents made proactively public by the EU legislators following art.15.2 TFEU are still a fraction of the documents prepared and debated by the Commission, the Council and, even by the European Parliament along a legislative procedure.

The Council is the most appalling case of hiding legislative preparatory documents.

Even today, the Council’ internal Rules of procedures [9]consider that confidentiality should be the rule and transparency the exception. According to Council Internal Guidelines transparency of Council meetings when debating legislative procedures (as required by Article 16(8) TEU) is required only for “formal” Meetings at ministerial level. By so doing, citizen’s access is excluded not only from the “informal” Ministerial meetings but also from all the Coreper and working parties meetings no matter if, in a more general perspective, the Council is a single legal entity and preparatory bodies should not be considered apart).[10] As a proof that the main Council inspiration is “confidentiality by design” instead of “transparency by design” is the Council reorganization operational since 2015 of its internal document management[11]. Its 130/150 internal working parties have been transformed into ‘virtual communities’, which are de facto also virtual ‘sandboxes’ where working (WK) documents covering also legislative preparatory works (also at ‘trilogue level’) are shared only between the Community members [12].

By doing so the Council of the European Union is, since years preventing, routinely, access and democratic participation of EU citizens and of civil society, and is making unduly difficult the work of journalists, preventing the National Parliaments from checking the respect of the principle of subsidiarity and, last but not least, hiding essential information to the other co-legislator, the European Parliament.

The EU “Catch 22” how promoting confidentiality to protect ..transparency

To justify this behavior the Council still today refer to the exceptions set in art.4 and 9 of the pre-Lisbon Regulation 1049/2001 , and notably to the need of ‘protecting its decision making process’ as foreseen by art.4.3 of that Regulation. According to this principle “Access to a document, drawn up by an institution for internal use or received by an institution, which relates to a matter where the decision has not been taken by the institution, shall be refused if disclosure of the document would seriously undermine the institution’s decision-making process, unless there is an overriding public interest in disclosure”. Suffice to note that, if transposed to legislative preparatory works this principle may justify, for instance, the confidentiality of the work of the Parliamentary committees but this will clash with the provisions of art. 15.2 TFEU imposing the publicity of meetings of the EP and of the Council when acting as legislators (and this voer also the preparatory bodies as the EP and the Council have a single institutional identity). Moreover such use of a generic exception by an institution in its own interest will clash with the interinstitutional nature of the EU legislative process as described by art 294 of the TFEU.

To overcome the clash between the current provisions of the treaty and the exception described in art.4.3 of the pre-Lisbon Regulation 1049/01 there are then only two possibilities: either you consider that this exception is not relevant for legislative procedures or you consider that when legislation is at stake the “overriding public interest” is directly foreseen by the treaty and no exception can be raised. Behaving like the Council does when acting as legislator, create a “Catch 22” situation where confidential is invoked to “protect” a procedure which should be …transparent.

Needless to say this Council behavior has been denounced in several occasions, not only by the other co-legislator, the EP, but also by the EU Ombudsman not to speak of the Court of Justice. The latter with several rulings has framed in stricter terms the scope of Regulation 1049/01 exceptions even before the entry into force of the Lisbon treaty and of art.15.2 TFEU. It is then quite appalling that the impact on the Council practice of the EP pressure, of the Ombudsman recommendations of the CJUE jurisprudence has been very limited and anecdotical. [14]

To overcome all these legal inconsistencies the European Parliament voted on December 15^th , 2011[15] several ambitious amendments aligning Regulation 1049/2001 to the post-Lisbon new Constitutional framework. The EP Plenary not only considered that legislative debates should not be covered by the pre-Lisbon exceptions listed in art. 4, but voted also a legislative framework for classified documents (art. 9) and paved the way for the implementation of the principle of good administration by EU institutions, agencies and bodies. In the same perspective it also adopted two legislative proposals on framing the principle of good administration by the EU institutions, Agencies and bodies [16]

Unfortunately, the EP position on the alignment of Regulation 1049/01 with the Lisbon treaty, is , since thirteen years still formally pending, and has not been endorsed by the European Commission nor by the EU Council so that the EU and its citizens are still confronted with a secondary law (Regulation 1049/2001) and a wide practice of the EU institutions, agencies and bodies not complying with the new post-Lisbon constitutional framework.

In a quite opposite direction from the EP recommendation on the revision of Regulation 1049/01 and on the establishment of an EU code on good administration founded on art 298 TFUE (open, independent and efficient EU Public administration) the European Commission submitted in 2022 on the same legal basis (and without consulting the EU Ombudsman) a legislative proposal[17] dealing with information security in the institutions, bodies, offices and agencies of the Union.

The so called ‘INFOSEC’ Proposal, if adopted as it stands, may even pave the way for the transformation of the ‘EU Bubble’ into a sort of (administrative) fortress and substitute the principle of ‘transparency by design’ arising from art. 1.2 TEU with the principle of ‘confidentiality by design’[18] of all EU Institutions, Agencies and Bodies. It does so by redefining the conditions of treatment, access and sharing of all kinds of information/documents treated by the EU institutions, agencies and bodies by so overlapping and turning upside down Regulation 1049/2001 and the letter and spirit of the Treaty.

If the principle of Regulation 1049/2001 is to frame the right to know of EU citizens by granting that everything is public unless a specific exception is applicable, the logic of the new Commission proposal is that almost all internal documents should be protected and shared only with people with a recognised ‘need to know’ unless the document is marked as ‘public’. This will generalise to all the EU Institutions, Agencies and bodies the current Council practice of limiting the access internal documents in clear clash with art. 1 of the TEU which requires that the EU Institutions should act as openly as possible and the art.298 TFEU requiring that the EU administration should be not only indipendent and efficient but also “open”.

With the new proposed legal regime, the Commission, by endorsing and widening in a legislative measure the current Council internal security rules, is proposing to go back to the pre-Maastricht era when it was up to the EU institutions to decide whether or not to give access to their internal documents [19]. But since the Amsterdam Treaty (Article 255 TCE) and, even more, since the Lisbon Treaty, this practice is no longer compatible within an EU that is bound by the rule of law.

The core of the proposed INFOSEC Regulation is the creation and management of EU classified information (EUCI). By doing so, it substantially amends Article 9 of Regulation 1049/2001, which deals with so-called ‘sensitive documents’. It does not regulate how the information should be classified and declassified in the interests of the EU, as opposed to the interests of the originator (whether that be a member State, EU institution, agency or body). It is worth recalling that Article 9 of Regulation 1049/2001 recognises the so-called ‘originator privilege’ only in the domain of ‘sensitive’ documents and information mainly covered by the EU external defence policy (former Second “Pillar”). As such it is an exception to the general philosophy of Regulation 1049/2001 according to which the EU institutions may only be bound by law and not by the will of an ‘author’, even if it were an EU Member State. [20]

How the EP risks slowly turning to intergovernamental practices

The EP has been, since its first direct election, the most supportive institution of the transparency of the EU decision making process both in the interest of the EU citizens and its own constitutional role. For decades it has challenged the Council and Commission reluctance when sharing the relevant information on what was happening on the ground inside or outside the EU. The Court of Justice has recognised in several cases that the EP’s right to relevant information is explicitly recognised by the Treaty notably for international agreements (Article 218 (10) TFEU).

Unfortunately, instead of pushing the Council towards an open ‘parliamentary’ approach to legislation, the EP has followed the Council ‘diplomatic’ approach notably in the crucial phase of inter-institutional negotiations (‘trilogues’) even when, as is normally the case, these negotiations take place in the first parliamentary ‘reading’.

Although the CJEU considers the documents shared within the trilogues meetings as ‘legislative’[21], the European Parliament still publish these documents only since March 2023 but only after specific requests for access by EU citizens and after a consistent delay so that the information becomes available when the agreements have been reached.

This practice does not fit with Article 15(2) TFEU nor with the CJEU jurisprudence according to which ‘[i]n a system based on the principle of democratic legitimacy, co-legislators must be answerable for their actions to the public and if citizens are to be able to exercise their democratic rights they must be in a position to follow in detail the decision-making process within the institutions taking part in the legislative procedures and to have access to all relevant information.’[22]

[1] Affiliate to the Scuola Superiore S.Anna (Pisa)

[2] In this perspective it is quite bizarre that the Council evoke the notion of sincere cooperation by the Member States in order not to debate publicly at national level the EU legislative preparatory documents (coded as LIMITE) notably through the National Parliaments

[3] This emphasis for participative democracy is now also echoed at UN level by the 2030 Agenda for Sustainable Development whose Goal 16 foresees notably, to “Develop effective, accountable and transparent institutions at all levels”(16.6) Ensure responsive, inclusive, participatory and representative decision-making at all levels (16.7) 16.10 Ensure public access to information and protect fundamental freedoms, in accordance with national legislation and international agreements (16.10)

[4] See the European Commission communication https://commission.europa.eu/business-economy-euro/egovernment_en

[5] See the Directive (EU) 2019/1024 of the European Parliament and of the Council of 20 June 2019 on open data and the re-use of public sector information which maybe a clear reference also for comparable initiatives of the EU Institutions, agencies and bodies.

[6] See the recent Council Conclusions on the EU’s ambition to play a leading role globally in the digital transformation and digital governance that respects, promotes and protects universal human rights, democracy and sustainable development, and puts people and their universal human rights at the centre, in line with the international law and the EU Declaration on Digital Rights and Principles. (Doc 9957/24 of 21^st of May 2024)

[7] This issue is relevant not only in cases of proactive publication but also when an information is disclosed following a Citizen’s request. If the information/document deals with legislative procedures it should be accessible in the public domain to everyone without further request for access.

[8] It should be noted that the concept of draft legislative act and legislative acts referred to in Article 15(2) TFEU does not correspond to the concept of legislative documents and legislative procedures referred to in the Pre-Lisbon Regulation 1049/01. While Article 15(2) TFEU refers to the projects and legislative acts defined in Article 289 TFEU (i.e. the joint adoption of legislative acts by the Council and the European Parliament), the Regulation, which pre-dates the entry into force of Article 289 TFEU, refers to “documents drawn up or received in the course of procedures for the adoption of acts which are legally binding”.2 Now, according for instance to the new Article 290 TFEU, Commission delegated acts which were “legislative” before Lisbon are now “non-legislative acts” (see also Article 16.8 TEU as to the “non-legislative activities” of the Council

[9] Council Decision of 1 December 2009 adopting the Council’s Rules of Procedure Link : https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:32009D0937

[10] Indeed, Article 5(1) of the Council Rules of Procedure (CRP) provides that, unless deliberating or voting on legislative acts, Council meetings must not be public, and Article 6(1) CRP stipulates that ‘Without prejudice to Articles 7, 8 and 9 and to provisions on public access to documents, the deliberations of the Council shall be covered by the obligation of professional secrecy …’, but on page 54 of its commentary on the CRP it is notably stated explicitly that : This rule also applies to the preparatory work for Council meetings, that is, all the Council’s preparatory bodies (Coreper, committees and working parties). However, legislative work in preparatory bodies is not public.”(emphasis added)

[11] See the Council public document 7385/16 of 2 May 2016, “Delegates Portal: a new Community Approach to document distribution”. The reorganization of the internal production/diffusion of Council internal documents has been endorsed by the Coreper in public document 6704/13 CIS 5 work on COCOON (Council Collaboration Online)”. The system has been generalised to all Working Parties in 2015. See https://data.consilium.europa.eu/doc/document/ST-7385-2016-INIT/en/pdf .

[12] Meijers Committee, ‘Working Documents’ in the Council of the EU cause a worrying increase in secrecy in the legislative process, CM2107 June 2021 https://www.commissie-meijers.nl/wp-content/uploads/2021/09/2107_en.pdf .

101See (2022/0084(COD) https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52022PC0119.

[13] Regulation (EC) No 1049/2001 of the European Parliament and of the Council of 30 May 2001 regarding public access

to European Parliament, Council and Commission documents.

[14] European Ombudsman openly stated for the first time in a recent decision of March 2024 that EU institutions are not giving effect to case law on public access to legislative documents. See European Ombudsman, Case OI/4/2023/MIK, ‘How the European Parliament, the Council of the EU and the European Commission deal with requests for public access to legislative documents’, https://www.ombudsman.europa.eu/en/case/en/64321.. Cited by the EP Study “Regulation 1049/2001 on the right of access to documents, including the digital context” https://www.europarl.europa.eu/RegData/etudes/STUD/2024/762890/IPOL_STU(2024)762890_EN.pdf

[15] See Legislative Procedure 2008/0090(COD).Link https://oeil.secure.europarl.europa.eu/oeil/popups/ficheprocedure.do?lang=en&reference=2008/0090(COD)

[16] With the aim of guaranteeing the right to good administration and ensuring an open, efficient and independent EU civil service, on 15 January 2013 the European Parliament adopted a first resolution (Rapporteur Luigi Berlinguer SD Italy) presenting detailed recommendations to the Commission on a Law of Administrative Procedure of the EU under the new legal basis of Article 298 of the Treaty on the Functioning of the European Union (TFEU). A second resolution for an open, efficient and independent European Union administration (rapporteur: Haidi Hautala, Greens/EFA, Finland) in June 2016 (2016/2610(RSP)).

[17] See Legislative Procedure 2022/0084(COD) Proposal for a Regulation of the European Parliament and of the Council on information security in the institutions, bodies, offices and agencies of the Union Link : https://oeil.secure.europarl.europa.eu/oeil/popups/ficheprocedure.do?reference=2022/0084(COD)&l=en

[18] In principle, the objective as announced in the title of the proposal is legitimate: granting a comparable level of protection in all the EU institutions, agencies and bodies, for information and documents, which, according to the law, should be protected. To do so a wide inter-institutional coordination group is proposed, as well as a network of security officials in all the EU entities and a securitised informatic network (TEMPEST) is foreseen.

[19] By replacing the ‘right to know’ foreseen at the Treaty with the a ‘need to know’ mechanism the proposed Regulation

turn upside down the EU openness and transparency principle.

[20] What the INFOSEC proposal does is transform the exception of the ‘originator principle’ in a rule against the provision of Regulation 1049/2001. It does not foresee judicial oversight of classified information. It does not solve the problem of the sharing of ‘sensitive information’ between entities that have a legitimate “need to know”. Last but not least, it threatens the EP oversight role of EU security agreements with third countries and international organisations on the exchange of classified information.

[21] See Case T-540/15 De Capitani v European Parliament

[22] Case T-163/21 De Capitani v Council EU:T:2023:15.

The new proposal on the security of EU informations: transforming the EU “Bubble” in an EU “Fortress” ? (3)

3. How the INFOSEC proposal builds a wider, but still incomplete, legal framework for EU Classified informations (EUCI)

“The core of the proposed Regulation on the security of EU information (hereafter the INFOSEC proposal) concerns the creation and management of EU classified information (EUCI). In doing so, it substantially modifies Article 9 of Regulation 1049/2001, which deals with public access (or not) to so-called “sensitive documents”.

According to that article:

“Sensitive documents are documents originating from the institutions or the agencies established by them, from Member States, third countries or International Organizations, classified as ‘TRÈS SECRET/TOP SECRET’, ‘SECRET’ or ‘CONFIDENTIEL’ in accordance with the rules of the institution concerned, which protect essential interests of the European Union or of one or more of its Member States in the areas covered by Article 4(1)(a), notably public security, defense and military matters.”

Paragraph 3 of the same article also makes clear that: “Sensitive documents shall be recorded in the register or released only with the consent of the originator.”

Paragraph 7 says: “The Commission and the Council shall inform the European Parliament regarding sensitive documents in accordance with arrangements agreed between the institutions.”

It should be noted that Article 9 of Regulation 1049/2001 was a “fast and dirty” solution for a problem which arose in July 2000: Javier Solana, newly appointed Secretary General of the Council, negotiated with the new NATO Secretary General, Mr Robertson, an administrative arrangement with NATO on the exchange of classified information with the Council of the EU. However, that arrangement was challenged before the Court by the European Parliament (EP) and the Dutch government, because they considered that it limited a citizen’s fundamental right of access to documents, and exceptions to such fundamental right should have been framed by law.

At the time, the negotiation of Regulation 1049/01 was under the pressure of a deadline established in the Treaty. The reference to “sensitive” documents was added at the end of the legislative procedure and, because of this, the EP and the Dutch government withdrew their case before the Court.

Unfortunately, it was a Pyrrhic victory – it soon became clear that Article 9 of Regulation 1049/2001 was (and still is) a rather elusive and patchy framework for EU classified information.

A number of points can be made in this regard:

a) It does not regulate how the information should be classified and declassified in the interests of the EU, as opposed to the interests of the originator (whether that be a member State, EU institution, agency or body). Quite the contrary – by transferring the definition of these aspects to the internal security of each institution it paved the way to different standards and the very well-known risk of over classification.

b) It foresees a very weak framework for parliamentary oversight. By making reference to interinstitutional agreements and not codifying in secondary law the EP’s constitutional right to oversee classified information, it places the institution in an ancillary position. It is unfortunate that the EP has not fought until now to obtain treatment comparable to the one reserved for national parliaments with regard to their governments.

The solutions may be different, and special procedures and perhaps even special parliamentary bodies may be needed, but a stronger EP role is more than necessary because this lack of oversight will not be covered at national level – governments will declare that they are barred from revealing the information because it is classified at “European” level! Moreover, the instrument of an “interinstitutional agreement/arrangement” as currently foreseen by Article 295 of the Lisbon Treaty has strong constitutional limitations. As the Council Legal Service itself recognized in 2018: “The wording of the provision (NDR art.295 TFEU), and notably the use of the term ‘arrangements’, points to the fact that IIAs are instruments for regulating the modalities of cooperation and not for the regulation of substantive policy areas.”

It is thus quite surprising that, since the first Interinstitutional Agreement in 2002, the European Parliament has not asked for a sturdier legal basis for its oversight power.

With the adoption of the INFOSEC Regulation the situation will become even worse, because the EP will be obliged to negotiate interinstitutional agreements with all the other EU institutions, agencies and bodies if access to classified information is necessary for fulfilling its own constitutional role. From the outside, 21 years after the first interinstitutional agreement, the fact that the EP is still negotiating the revision of the 2002 interinstitutional agreement on access to classified information in the Common Security and Defence Policy (CSDP) area instead of creating a true legislative legal basis for its oversight may look to some like a form of Stockholm syndrome. To exit from such an impasse would not be wise for the European Parliament to study the more suitable model by looking at the experience of the major EU Member States and, even of the USA ?

c) Article 9 recognises, albeit only in the domain of “sensitive” documents and information, the so-called “originator privilege” or “author rule.” This is an exception to the general philosophy of Regulation 1049/2001, as made clear in Article 4(5):

“A Member State may request the institution not to disclose a document originating from that Member State without its prior agreement.” The point was, and still is, that the EU institutions may only by bound by law and not by the will of an “author”, even if it were an EU member state, a point confirmed in the jurisprudence of the Court of Justice of the EU.

What the INFOSEC proposal does is to transform the exception of the “originator principle” in a rule. But, by recognizing to each EU Institution, Agency and Body the power of classify information in the interest of the EU it does not establish a mechanism which may verify that the EU interest is adequately by the classification or if it has been abusively established. For instance, an oversight power may be recognized to the European Commission or to the Ombudsman to decide if a document/information created by the EU Agencies should be declassified.

Clear rules on this point at INFOSEC level, may prevent from happening, other “incidents”, such as the one which occurred between Europol, the Ombudsman and the Commission, in 2015 when the Ombudsman asked to inspect the report of Europol’s Joint Supervisory Body (JSB) on the implementation of the EU-US Terrorist Finance Tracking Programme Agreement ( see https://www.ombudsman.europa.eu/fr/case/en/42114 )

d) It does not foresee a judicial oversight of classified information. Today it is still up to the originator to decide whether or not to give the Court of Justice access to classified information. This is not a rhetorical question: it has already happened that the Council did’nt answer positively to a Court of Justice request of having access to classified informations. As Deirdre Curtin remind us in her essay Top Secret Europe: “…in the OMPI case (*) on the blacklisting of terrorists by the UN and within the EU context, the Court said clearly that the Council could not base its decision on information that is not revealed to the Court.” ( Case T-248/08, People’s Mojahedin Organization of Iran v Council (OMPI III) para 73). It is worth recalling that in some Countries such as the USA

e) It does not solve the problem of sharing of “sensitive information” between entities which have a legitimate “need to know.” Instead, as Article 9 is focused on the security of each author of “sensitive information” and does not refer to common legislative standards, this has been done until now by the Council. This institution remains the main creator and exchanger of classified information, and has imposed via bilateral agreements with all the other EU institutions, agencies and bodies its internal security rules which, in turn, mirror the NATO standards. It is because of the legal fragility of this “de facto harmonisation” that the Commission has decided to launch a legislative initiative establishing at secondary law level the principles which should be respected in this domain inside the EU.

However, the solution envisaged in the INFOSEC proposal still does not address the main weaknesses of Article9 of Regulation 1049/2001 nor the weaknesses of the Council Internal Security Rules which are proposed to become the common EU standard. . In fact, in some cases it makes the situation even worse.

A useful example can be seen in the EU security agreements with third countries and international organizations on the exchange of classified information foreseen by articles 55-68 of the INFOSEC proposal.

The proposal requires, as a rule, that these agreements be negotiated and concluded according to Article 218 of the Lisbon Treaty, which will finally give the possibility for the EP to give its consent and to be fully and timely informed of the agreements’ content. But INFOSEC foresees also the possibility of continuing with “executive” arrangements which can be negotiated not only by the Council but also by other EU Institutions, agencies and bodies without associating the EP. That exclusion of the EP has been , unfortunately, until now the case and dozens of international agreements have been negotiated by the Council using Article 13 of its internal security rules as a legal basis.

Now, if the INFOSEC proposal is adopted not only the Council but also all the other EU Institutions Agencies and bodies will have a legal basis for negotiating and concluding these executive “arrangements”. It would be wise to make clear in the INFOSEC proposal that the arrangements shall foresee that, because of the EU’s constitutional framework, no veto can be exercised over the transmission of classified information to the EP and to the CJEU.

4. Summing up: by endorsing the INFOSEC legislative proposal is the EP shooting on its Foot ?

Openness, Transparency and the Right of Access to Documents in the EU

THIS IS AN “In-depth analysis” FOR THE PETITIONS COMMITTEE OF THE EUROPEAN PARLIAMENT. FULL TEXT ACCESSIBLE HERE

AUTHORS : Deirdre CURTIN, Päivi LEINO-SANDBERG.

Abstract . Upon request of the PETI Committee, the Policy Department on Citizens’ Rights and Constitutional Affairs commissioned the present analysis, which examines the situation in relation to openness, transparency, access to documents and information in the EU. Case law and developments in the jurisprudence of the CJEU are examined, notably for legislative documents, documents relating to administrative proceedings, to Court proceedings, infringement proceedings and EU Pilot cases, protection of privacy and international relations. Current and future challenges, as well as conclusions and policy recommendations are set out, in order to ensure compliance with the Treaties’ and Charter of Fundamental Rights’ requirements aimed at enhancing citizens’ participation in the EU decision-making process, and consequently stronger accountability and democracy in the EU.

OPENNESS, TRANSPARENCY AND THE RIGHT TO ACCESS DOCUMENTS IN THE EU

The Treaty of Lisbon, in force since December 2009, includes a number of reforms emphasising open-decision making, citizen participation and the role of transparency and good administration in building up the democratic credentials of the European Union (EU).

As regards democratic decision-making and transparency in particular, a specific Title in the Treaty on the European Union (TEU) now includes a number of core provisions on democratic principles, applicable in all areas of Union action.

They underline the principle of representative democracy through the European Parliament, representing the citizens directly at Union level, and through the governments forming the European Council and the Council and that are democratically accountable either to their national parliaments, or to their citizens.1

Even participatory democracy enjoys a pivotal role in the new Treaty framework; in order to guarantee the right of ’every citizen’ to ’participate in the democratic life of the Union’, the Treaty establishes that ’[d]ecisions shall be taken as openly and as closely as possible to the citizen’ and that both citizens and representatives should be given opportunities to ’make known and publicly exchange their views in all areas of Union action’.2

These provisions have a linkage both with the new citizens’ initiative3 and with Article 15 TFEU, which places the legislature under an obligation to act publicly, and establishes that citizens have the right to access documents held by all Union institutions, bodies and agencies.

The right of access to documents, and its nature as a fundamental right, is further emphasised by Article 42 of the EU Charter of Fundamental Rights, which now enjoys ‘the same legal value as the Treaties’.4

In practice, open decision-making is to a large extent realised through the right of the general public to access documents. Regulation No 1049/2001 on public access to documents held by the EU institutions (Access Regulation),5 builds on the principle of ‘widest possible access’, and has together with case law been instrumental in operationalising the right of citizen access by establishing procedures and standards for the exercise of their democratic rights.

All documents held by the European Parliament, Council and Commission are public, as the main principle, but certain public and private interests are protected through specific exceptions under Article 4. But as exceptions derogate from the principle of the widest possible public access to documents, they must, according to established case-law, be interpreted and applied narrowly.6

Article 15(3) TFEU extends the public right of access to documents of all the Union institutions, bodies, offices and agencies. The Court of Justice, the European Central Bank and the European Investment Bank are subject to this provision only when exercising their administrative tasks.

The original 2001 Regulation only directly applies to the European Parliament, the Council, and the Commission. However, its application has been extended to the agencies by virtue of a specific provision in their respective founding acts. Furthermore, a number of institutions and bodies have adopted voluntary acts laying down rules on access to their documents which are identical or similar to Regulation No 1049/2001.

It has been 15 years since the adoption of Regulation No 1049/2001. In the same time frame the Commission and the Council set about adopting internal rules based on their rules of procedure on security and other classifications for documents. Such rules continue to exist in amended form today and exist alongside the legislative rules on access to documents.

Discussions on the reform of Regulation No 1049/2001 have been pending since 2008.7

While one would think that the tendency was – in line with the recent Treaty reforms – to strengthen the rights of citizens further, in fact the opposite seems to be the case, with discussions on reform mainly circulating around new ways to limit citizen access,8 many of them in rather fundamental ways that seem to be at odds with the letter of the Treaties.

These discussions bear witness to what seems to be a change of paradigm and priorities.

The tendency since the Treaty of Maastricht has been to strengthen the rights of citizens,9 now this objective seems lees squarely at the forefront of either the policy agenda or actual institutional practice. Staffan Dahllöf, a journalist specialising in freedom of information, describes the situation as follows: The voices asking for openness and citizen’s involvement are today weaker and fewer than they were when the present rules were decided in 2001 – at least amongst the Member State governments, and definitely in the Commission. It’s more like the Empire strikes back.10

Since there is a complete impasse in the legislative procedure (already for a very long time) on amending the 2001 Regulation, the role of the CJEU is very much centre-stage with litigants attempting to challenge a range of embedded secretive practices across a range of institutions and tasks.11

From a democratic point of view this can be considered problematic as it shifts responsibility from the EU legislator to the courts who cannot re-design the system in the required manner but deal with issues on a case by case basis, as and when they are brought before it. The same applies to the European Ombudsman, although her work is increasingly significant in bringing specific secretive practices to light and tackling them both on a case by case basis and more structurally through a growing number of own initiative enquiries.

Keeping in mind Dahllöf’s accurate observation quoted above, opening negotiations on the reform of Regulation No 1049/2001 naturally brings with it a risk of discussions leading to a further tightening of the EU transparency regime. The current Commission is not necessarily positively disposed to increasing transparency (as evidenced in legal observations before the CJEU in particular), and it has the backup of the majority of Member States in the Council.

Despite this, we think that there should be an open discussion about the possibilities of increasing openness. If this proves to be impossible, the Parliament can always block any reform that could result in negative outcomes or a levelling down.

In this note we discuss recent developments in jurisprudence and the challenges that currently exist in the application of the Regulation No 1049/2001 with a focus on public access by citizens. We conclude with a number of policy recommendations for consideration.

CONTINUE READING...

NOTES (to the section above)

1 Article 10(1) and (2) TEU.
2 Article 10(3) TEU, Article 11 TEU.
3 See Regulation No 211/2011 on the citizens’ initiative, OJ L [2011] 65/1.
4 Article 6(1) TEU.
5 Regulation (EC) No 1049/2001 of the European Parliament and of the Council of 30 May 2001 regarding public access to European Parliament, Council and Commission documents, OJ L 145/43.
6 See e.g. C-280/11 P Council v Access Info Europe para 30 and the case law quoted in the paragraph.
7. See e.g. Ian Harden, ‘The Revision of Regulation 1049/2001 on Public Access to Documents’, 15(2) European Public Law (2009) 239-256.
8 See the open letter by Beatrice Ask, Minister for Justice, Sweden and Anna-Maja Henriksson, Minister of Justice, Finland, published at http://www.wobbing.eu/sites/default/files/Open%20letter.pdf.
9 For one account of the EU’s transparency development so far, see Deirdre Curtin, ’Judging EU Secrecy’, Cahiers de Droit Européen, 2012 (2) 459 – 490.
10 Staffan Dahllöf, ‘Guide to the battle of transparency – UPDATED’, 09/06/2012, available at the EU wobbing website http://www.wobbing.eu/news/guide-battle-transparency-%E2%80%93-updated. On the varying positions of the Member States to the reform process, see M.Z. Hillebrandt, D.M. Curtin and A.J. Meijer, ‘Transparency in the EU Council of Ministers: An Institutional Analysis’, 20(1) European Law Journal, 2014, 1-20.
11 For a discussion, see Päivi Leino, “Transparency, Participation and EU Institutional Practice: An Inquiry into the Limits of the ‘Widest Possible’”, EUI Working Paper (LAW 3/2014).

European Data Protection Supervisor Opinion on the EU-U.S. Privacy Shield draft adequacy decision

ORIGINAL PUBLISHED HERE

Executive Summary (emphasis are added)

Data flows are global. The EU is bound by the Treaties and the Charter of Fundamental Rights of the European Union which protect all individuals in the EU. The EU is obliged to take all necessary steps to ensure the rights to privacy and to the protection of personal data are respected throughout all processing operations, including transfers.

Since the revelations in 2013 of surveillance activities, the EU and its strategic partner the United States have been seeking to define a new set of standards, based on a system of self-certification, for the transfer for commercial purposes to the U.S. of personal data sent from the EU. Like national data protection authorities in the EU, the EDPS recognises the value, in an era of global, instantaneous and unpredictable data flows, of a sustainable legal framework for commercial transfers of data between the EU and the U.S., which represent the biggest trading partnership in the world. However, this framework needs to fully reflect the shared democratic and individual rights-based values, which are expressed on the EU side in the Lisbon Treaty and the Charter of Fundamental Rights and on the U.S. side by the U.S. Constitution.

The draft Privacy Shield may be a step in the right direction but as currently formulated it does not adequately include, in our view, all appropriate safeguards to protect the EU rights of the individual to privacy and data protection also with regard to judicial redress. Significant improvements are needed should the European Commission wish to adopt an adequacy decision. In particular, the EU should get additional reassurances in terms of necessity and proportionality, instead of legitimising routine access to transferred data by U.S. authorities on the basis of criteria having a legal basis in the recipient country, but not as such in the EU, as affirmed by the Treaties, EU rulings and constitutional traditions common to the Member States.

Moreover, in an era of high hyperconnectivity and distributed networks, self-regulation by private organisations, as well as representation and commitments by public officials, may play a role in the short term whilst in the longer term they would not be sufficient to safeguard the rights and interests of individuals and fully satisfy the needs of a globalised digital world where many countries are now equipped with data protection rules.

Therefore, a longer term solution would be welcome in the transatlantic dialogue, to also enact in binding federal law at least the main principles of the rights to be clearly and concisely identified, as is the case with other non EU countries which have been ‘strictly assessed’ as ensuring an adequate level of protection; what the CJEU in its Schrems judgment expressed as meaning ‘essentially equivalent’ to the standards applicable under EU law, and which according to the Article 29 Working Party, means containing ‘the substance of the fundamental principles’ of data protection.

We take positive note of the increased transparency demonstrated by the U.S. authorities as to the use of the exception to the Privacy Shield principles for the purposes of law enforcement, national security and public interest.

However, whereas the 2000 Safe Harbour Decision formally treated access for national security as an exception, the attention devoted in the Privacy Shield draft decision to access, filtering and analysis by law enforcement and intelligence of personal data transferred for commercial purposes indicates that the exception may have become the rule. In particular, the EDPS notes from the draft decision and its annexes that, notwithstanding recent trends to move from indiscriminate surveillance on a general basis to more targeted and selected approaches, the scale of signals intelligence and the volume of data transferred from the EU, subject to potential collection and use once transferred and notably when in transit, may still be high and thus open to question.

Although these practices may also relate to intelligence in other countries, and while we welcome the transparency of the U.S. authorities on this new reality, the current draft decision may legitimise this routine. We therefore encourage the European Commission to give a stronger signal: given the obligations incumbent on the EU under the Lisbon Treaty, access and use by public authorities of data transferred for commercial purposes, including when in transit, should only take place in exceptional circumstances and where indispensable for specified public interest purposes.

On the provisions for transfers for commercial purposes, controllers should not be expected constantly to change compliance models. And yet the draft decision has been predicated on the existing EU legal framework, which will be superseded by Regulation (EU) 2016/679 (General Data Protection Regulation) in May 2018, less than one year after the full implementation by controllers of the Privacy Shield. The GDPR creates and reinforces obligations on controllers which extend beyond the nine principles developed in the Privacy Shield. Regardless of any final changes to the draft, we recommend the European Commission to comprehensively assess the future perspectives since its first report, to timely identify relevant steps for longer term solutions to replace the Privacy Shield, if any, with more robust and stable legal frameworks to boost transatlantic relations.

The EDPS therefore issues specific recommendations on the Privacy Shield.

(FULL TEXT) Continue reading “European Data Protection Supervisor Opinion on the EU-U.S. Privacy Shield draft adequacy decision”

EP Research Service : Interinstitutional Agreement on Better Law-Making

ORIGINAL ACCESSIBLE HERE

Author: Laura Tilindyte

According to Article 295 TFEU, the European Parliament, the Council and the Commission may conclude interinstitutional agreements (IIAs) setting out arrangements for their cooperation. A number of such agreements are in place, including the 2003 IIA on Better Law-Making, which is now to be replaced by a new agreement. With the aim of ensuring a high quality of legislation, the new agreement contains provisions concerning the various stages of the policy cycle, including programming, legislating and implementation.

Background

In May 2015, the Commission presented a comprehensive Better Regulation Package, including a proposal for a new Interinstitutional Agreement (IIA) on Better Regulation. The current IIA on Better Law-Making dates back to 2003, and was considered in need of revision given the developments in the better regulation agenda. A new interinstitutional agreement also reflects the recognition of the need for a renewed commitment on the part of all three institutions involved in the legislative process (Parliament, Council and Commission) in order for better law-making efforts to succeed. The Parliament’s Conference of Presidents charged the ALDE Group leader, Guy Verhofstadt, with conducting negotiations on the Parliament’s behalf. Negotiations between the three institutions were formally launched on 25 June 2015 under the Luxembourg Presidency of the Council. The text of the agreement was finalised on 8 December 2015, and endorsed by the Council and Commission in the same month. Following its endorsement by the Constitutional Affairs (AFCO) Committee, it now requires the Parliament’s approval in plenary.

The contents of the agreement

In its structure, the new IIA on Better Law-Making roughly follows the phases of the policy cycle. It contains provisions regarding, inter alia, common objectives, programming, better law-making tools (impact assessment, stakeholder consultation and ex-post evaluation), legislative instruments, delegated and implementing acts, transparency, implementation and simplification.

The agreement first of all sets out the common commitment of the three institutions to promote simplicity, clarity and consistency in Union legislation as well as ‘utmost transparency’ in the legislative process. The agreement envisages strengthened cooperation between the three institutions with regard to multiannual and annual programming. The latter is to encompass (early) exchanges of views both before and after the adoption of the Commission Work Programme, as well as interinstitutional consultations on Commission plans to withdraw any legislative proposal. The agreement requires the Commission to provide reasons for such withdrawals and to take due account of the co-legislators’ positions when doing so. The agreement further calls upon the Commission to ‘give prompt and detailed consideration’ to own-initiative requests made by the Parliament and the Council (based on Articles 225 and 241 TFEU respectively), and to reply to such requests within three months, including giving reasons when it makes no subsequent proposal.

The agreement emphasises the positive contribution of better law-making tools to better quality legislation, including ex-ante impact assessment (IA), stakeholder consultation and ex-post evaluation of legislation. The final agreement explicitly reaffirms that impact assessment is a tool for taking well-informed decisions and not a substitute for political decision-making. Departing from the notion in the Commission’s initial IIA proposal that all substantial amendments should be subject to impact assessment, the final text provides that the EP and Council are free to carry out impact assessments of their substantial amendments ‘when they consider this to be appropriate and necessary’. One innovation of the final text (as well as of the better regulation package in general) is the commitment of the Commission systematically to conduct IAs on delegated and implementing acts with significant potential impacts. The agreement further stresses the important role of stakeholder input in ensuring well-informed decision-making, and calls upon the Commission to encourage direct participation of ‘end users’ of legislation, in particular SMEs. The new agreement will replace the 2005 common approach of the institutions to impact assessment.

When proposing legislative instruments, the Commission is expected to explain and justify, inter alia, its choice of the legal basis and the proposal’s compliance with the principles of subsidiarity and proportionality. To safeguard the Parliament’s prerogatives, the IIA now also explicitly provides for a trilateral exchange of views in case there is a suggestion of modification of the legal basis, entailing a change from ordinary legislative procedure to special legislative procedure, or non-legislative procedure.

The provisions regarding delegated and implementing acts contain a few important novelties. In a move to safeguard the Council’s interests, the IIA further commits the Commission to conduct consultation of Member States’ experts, as well as public consultations prior to the adoption of delegated acts. The Parliament and the Council are to have equal access to information regarding such expert consultations and, importantly, systematic access to the meetings of such expert groups. The IIA envisages further negotiations between the institutions with a view to establishing delineation criteria for delegated and implementing acts and, finally, provides for establishing a joint register of delegated acts by the end of 2017. Moreover, the agreement calls upon the Commission to make proposals by the end of 2016 for the alignment of existing legislation, which still needs adapting to the new legal framework created by the Lisbon Treaty (i.e. the new hierarchy of norms, including delegated and implementing acts), in particular acts which provide for use of the ‘regulatory procedure with scrutiny’. On delegated acts, the annex to the agreement sets out a revised ‘common understanding’ of the three institutions, replacing that of 2011, in particular setting some principles for the Commission’s preparation of delegated acts.

The IIA reaffirms the principle of sincere cooperation between the institutions, including information-sharing and dialogue, and emphasises that the Parliament and the Council, as co-legislators, shall exercise their powers on an equal footing. The agreement contains a commitment to enhanced transparency, which is to include ‘appropriate handling of trilateral negotiations’ (trilogues). To this end, the institutions agree to ‘improve communication to the public during the whole legislative cycle’, and commit to identifying, by 31 December 2016, ‘ways of further developing platforms and tools’ to ‘facilitate the traceability of the various steps in the legislative process’. Actual improvements in this respect thus depend on further action still to be agreed.

The new IIA reflects a new emphasis on the question of how Union law is being implemented and applied in practice. Accordingly, the agreement stresses the need for swift and correct application of Union law at national level, and calls upon the Member States to ‘communicate clearly’ to their citizens when transposing Union legislation. In particular, with the aspiration to tackle ‘gold-plating’, the IIA provides that, whenever Member States choose to add elements ‘that are in no way related’ to the said Union legislation, they should make such additions ‘identifiable’ through the transposing acts or associated documents. The IIA further calls for interinstitutional cooperation with the aim of updating and simplifying existing Union legislation, as well as the avoidance of administrative burdens without, however, compromising the objectives of the legislation in question.

Procedure and areas for further action

The conclusion of interinstitutional agreements by the Parliament is governed by Rule 140 of the Parliament’s Rules of Procedure, which provides that such agreements are to be ‘signed by the President after examination by the committee responsible for constitutional affairs and after approval by Parliament.’

On 23 February 2016, the AFCO Committee adopted a report on the conclusion of the IIA, drafted by its Chair, Danuta Hübner (EPP, Poland). Besides endorsing the new agreement and the improvements it brings, the report also sets out areas requiring further action. These include, inter alia, open questions on the delineation criteria for delegated and implementing acts, practical arrangements for interinstitutional cooperation, and transparency of trilateral negotiations, as well as a review of the relevant points of Parliament’s Rules of Procedure with a view to possible adjustments. The agreement will enter into force upon the signature of the parties, and is binding upon those parties only.

BETTER…ADMINISTRATIVE MAKING AT EU LEVEL (when the European Parliament paves the way to an, almost reluctant, European Commission…).

Since years the European Parliament ask the European Commission to submit a formal legislative proposal framing the administrative activity of the European Union as foreseen by art 298 of the Treaty on the functioning of the European Union and by the European Charter of Fundamental Rights.

According to the former “In carrying out their missions, the institutions, bodies, offices and agencies of the Union shall have the support of an open, efficient and independent European administration”.

Even more clearly the art 41 of the Charter (Right to good administration) states that :
1. Every person has the right to have his or her affairs handled impartially, fairly and within a reasonable time by the institutions, bodies, offices and agencies of the Union.
2.This right includes:
(a)the right of every person to be heard, before any individual measure which would affect him or her adversely is taken;
(b)the right of every person to have access to his or her file, while respecting the legitimate interests of confidentiality and of professional and business secrecy;
(c)the obligation of the administration to give reasons for its decisions.
3.Every person has the right to have the Union make good any damage caused by its institutions or by its servants in the performance of their duties, in accordance with the general principles common to the laws of the Member States.
4. Every person may write to the institutions of the Union in one of the languages of the Treaties and must have an answer in the same language.”

More than six year have past since the entry into force of the Treaty, in the meantime the EU administrative constellation has become even more complex with new agencies, authorities and networks but the European Commission has not yet considered that the time has come to bring some order in a domain which many have described as the “maquis” communautaire (instead of “aquis” communautaire..). This is even more appalling bearing in mind the increasing importance recognized also by the Court of Justice to the principle of good administration when assessing the legitimacy of the activity of the EU Member States or even of third countries. ..

It has then to be praised the fact that also in this legislature the Legal Affairs Committee (JURI) of the European Parliament has decided to ask to a group of eminent experts in this domain to write a full fledged legislative text which can “inspire” the European Commission. The full study and the text are accessible here .

Below the text of the draft legislative proposal as well as the first part of the study “The context and legal elements of a Proposal for a Regulation on the Administrative Procedure of the European Union’s institutions, bodies, offices and agencies” authored by Professors Diana-Urania Galetta, Herwig C. H. Hofmann, Oriol Mir Puigpelat and Jacques Ziller.

Emilio De Capitani

—————————————

Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the Administrative Procedure of the European Union’s institutions, bodies, offices and agencies

THE EUROPEAN   PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,
Having    regard    to    the    Treaty    on    the    Functioning    of   the    European    Union,   and    in    particular Article 298   thereof,
Having regard to the proposal from the European Commission,
After transmission of the draft legislative act to the national parliaments,
Acting in accordance with the ordinary legislative procedure, Whereas:
(1) With the development of the competences of the European Union, citizens are increasingly confronted with the Union’s institutions, bodies, offices and agencies, without always having their procedural rights adequately protected.
(2) In a Union under the rule of law it is necessary to ensure that procedural rights and obligations are always adequately defined, developed and complied with. Citizens are entitled to expect a high level of transparency, efficiency, swift execution and responsiveness from the Union’s institutions, bodies, offices and agencies. Citizens are also entitled to receive adequate information regarding possibility to take any further action in the matter.
(3) The existing rules and principles on good administration are scattered across a wide variety of sources: primary law, secondary law, case-law of the Court of Justice of the European Union, soft law and unilateral commitments by the Union’s institutions.
(4) Over the years, the Union has developed an extensive number of sectoral administrative procedures, in the form of both binding provisions and soft law, without necessarily taking into account the overall coherence of the system. This complex variety of procedures has resulted in gaps and inconsistencies in these procedures.
(5) The fact that the Union lacks a coherent and comprehensive set of codified rules of administrative law makes it difficult for citizens to understand their administrative rights under Union law.
(6) In April 2000, the European Ombudsman proposed to the institutions a Code of Good Administrative Behaviour in the belief that the same code should apply to all Union institutions, bodies, offices   and   agencies.
(7) In its resolution of 6 September 2001, Parliament approved the European Ombudsman’s draft code with modifications and called on the Commission to submit a proposal for a regulation containing a Code of Good Administrative Behaviour based   on Article 308 of the Treaty establishing the European Community.
(8) The existing internal codes of conduct subsequently adopted by the different institutions, mostly based on that Ombudsman’s Code, have a limited effect, differ from one   another and are not   legally binding.
(9) The entry into force of the Treaty of Lisbon has provided the Union with the legal basis for the adoption of an Administrative Procedure Regulation. Article 298 of the Treaty on the Functioning of the European Union (TFEU) provides for the adoption of regulations to assure that in carrying out their mission, the institutions, bodies, offices and agencies of the Union have the support of an open, efficient and independent European administration. The entry into force of the Treaty of Lisbon also gave the Charter of Fundamental Rights of the European Union (“the Charter”) the same legal   value as the Treaties.
(10) Title V (“Citizens’ Rights”) of the Charter enshrines the right to good administration in Article 41, which provides that every person has the right to have his or her affairs handled impartially, fairly and within a reasonable time by the institutions, bodies, offices and agencies of the Union. Article 41 of the Charter further indicates, in a non-exhaustive way, some of the elements included in the definition of the right to good administration such as the right to be heard, the right of every person to have access to their file, the right to be given reasons for a decision of the administration and the possibility of claiming damages caused by the institutions and its servants in the performance of their duties, and language rights.
(11) An efficient Union administration is essential for the public interest. An excess as well as a lack of rules and procedures can lead to maladministration, which may also result from the existence of contradictory, inconsistent or unclear rules and procedures.
(12) Properly structured and consistent administrative procedures support both an efficient administration and a proper enforcement of the right to good administration guaranteed as a general principle of Union law and under Article 41 of the Charter.
(13) In its Resolution of 15 January 2013 the European Parliament called for the adoption of a regulation on a European Law of Administrative Procedure to guarantee the right to good administration by means of an open, efficient and independent European administration. Establishing a common set of rules of administrative procedure at the level of the Union’s institutions, bodies, offices and agencies should enhance legal certainty, fill gaps in the Union legal system and should thereby contribute to compliance with the rule of law.
(14) The purpose of this Regulation is to establish a set of procedural rules which the Union’s administration should comply with when carrying out its administrative activities. These procedural rules aim at assuring both an open, efficient and independent administration and a proper enforcement of the right to good administration.
(15) In line with Article 298 TFEU this Regulation should not apply to the Member States’ administrations.. Furthermore, this Regulation should not apply to legislative procedures, judicial proceedings and procedures leading to the adoption of non-legislative acts directly based on the Treaties, delegated acts or implementing acts.
(16) This Regulation should apply to the Union’s administration without prejudice to other Union’s legal acts which provide for specific administrative procedural rules. However, sector-specific administrative procedures are not fully coherent and complete. With a view to ensuring overall coherence in the administrative activities of the Union’s administration and full respect of the right to a good administration, legal acts providing for specific administrative procedural rules should, therefore, be interpreted in compliance with this Regulation and their gaps should be filled by the relevant provisions of this Regulation. This Regulation establishes rights and obligations as a default rule for all administrative procedures under Union law and therefore reduces the fragmentation of applicable procedural rules, which result from sector-specific legislation.
(17) The procedural administrative rules laid down in this Regulation aim at implementing the principles on good administration established in a large variety of legal sources in light of the case law of the Court of Justice of the European Union. Those principles are set out here below and their formulation should inspire the interpretation   of the provisions of   this   Regulation.
(18) The principle of the rule of law, as recalled in Article 2 of the Treaty on European Union (TEU), is the heart and soul of the Union’s values. In accordance with that principle, any action of the Union has to be based on the Treaties in compliance with the principle of conferral. Furthermore, the principle of legality, as a corollary to the rule of law, requires that activities of the Union’s administration are carried out in full accordance with the law.
(19) Any legal act of Union law has to comply with the principle of proportionality. This requires any measure of the Union’s administration to be appropriate and necessary for meeting the objectives legitimately pursued by the measure in question: where there is a choice among several potentially appropriate measures, the least burdensome option has to be taken and any charges imposed by the administration not be disproportionate to the aims pursued.
(20) The right to good administration requires that administrative acts be taken by the Union’s administration pursuant to administrative procedures which guarantee impartiality, fairness and   timeliness.
(21) The right to good administration requires that any decision to initiate an administrative procedure be notified to the parties and provide the necessary information enabling them to exercise their rights during the administrative procedure. In duly justified and exceptional cases where the public interest so requires, the Union’s   administration   may delay   or omit   the notification.
(22) When the administrative procedure is initiated upon application by a party, the right to good administration imposes a duty on the Union’s administration to acknowledge receipt of the application in writing. The acknowledgment of receipt should indicate the necessary information enabling the party to exercise his or her rights of defence during the administrative procedure. However, the Union’s administration should be entitled to reject pointless or abusive applications as they might jeopardize administrative efficiency.
(23) For the purposes of legal certainty an administrative procedure should be initiated within a reasonable time after the event has occurred. Therefore, this Regulation should include   provisions   on   a period of limitation.
(24) The right to good administration requires that the Union’s administration exercise a duty of care, which obliges the administration to establish and review in a careful and impartial manner all the relevant factual and legal elements of a case taking into account all pertinent interests, at every stage of the procedure. To that end, the Union’s administration should be empowered to hear the evidence of parties, witnesses and experts, request documents and records and carry out visits or inspections. When choosing experts, the Union’s administration should ensure that they are technically   competent and not affected by a conflict   of interest.
(25) During the investigation carried out by the Union’s administration the parties should have a duty to cooperate by assisting the administration in ascertaining the facts and circumstances of the case. When requesting the parties to cooperate, the Union’s administration should give them a reasonable time-limit to reply and should remind them of the right against self-incrimination where the administrative procedure may lead to a penalty.
(26) The right to be treated impartially by the Union’s administration is a corollary of the fundamental right to good administration and implies staff members’ duty to abstain   from   taking   part   in   an   administrative   procedure   where   they   have,   directly or indirectly,    a    personal    interest,    including,    in    particular,    any    family    or    financial interest, such   as to   impair their impartiality.
(27) The right to good administration might require that, under certain circumstances inspections be carried out by the administration, where this is necessary to fulfil a duty or achieve an objective under Union law. Those inspections should respect certain   conditions and procedures in order to   safeguard   the   rights   of the parties.
(28) The right to be heard should be complied with in all proceedings initiated against a person which are liable to conclude in a measure adversely affecting that person. It should not be excluded or restricted by any legislative measure. The right to be heard requires that the person concerned receive an exact and complete statement of the claims or objections raised and is given the opportunity to submit comments on the truth   and relevance of the   facts and   on   the documents used.
(29) The right to good administration includes the right of a party to the administrative procedure to have access to its own file, which is also an essential requirement in order to enjoy the right to be heard. When the protection of the legitimate interests of confidentiality and of professional and business secrecy does not allow full access to a file, the party should at least be provided with an adequate summary of the content of the file. With a view to facilitating access to one’s files and thus ensuring transparent information management, the Union’s administration should keep records of its incoming and outgoing mail, of the documents it receives and measures it takes, and establish an index of the recorded   files.
(30) The Union’s administration should adopt administrative acts within a reasonable time-limit. Slow administration is bad administration. Any delay in adopting an administrative act should be justified and the party to the administrative procedure should be duly informed thereof and provided with an estimate of the expected date of the adoption   of the administrative act.
(31) The right to good administration imposes a duty on the Union’s administration to state clearly the reasons on which its administrative acts are based. The statement of reasons should indicate the legal basis of the act, the general situation which led to its adoption and the general objectives which it intends to achieve. It should disclose clearly and unequivocally the reasoning of the competent authority which adopted the act in such a way as to enable the parties concerned to decide if they wish   to defend their   rights by an application   for judicial   review.
(32) In accordance with the right to an effective remedy, neither the Union nor Member States can render virtually impossible or excessively difficult the exercise of rights conferred by Union law. Instead, they are obliged to guarantee real and effective judicial protection and are barred from applying any rule or procedure which might prevent,   even   temporarily, Union law from   having   full   force and   effect.
(33) In accordance with the principles of transparency and legal certainty, parties to an administrative procedure should be able to clearly understand their rights and duties that derive from an administrative act addressed to them. For these purposes, the Union’s administration should ensure that its administrative acts are drafted in a clear, simple and understandable language and take effect upon notification to the parties. When carrying out that obligation it is necessary for the Union’s administration to make proper use of information and communication technologies and to adapt to their development.
(34) For the purposes of transparency and administrative efficiency, the Union’s administration should ensure that clerical, arithmetic or similar errors in its administrative acts are corrected by the competent authority.
(35) The principle of legality, as a corollary to the rule of law, imposes a duty on the Union’s administration to rectify or withdraw unlawful administrative acts. However,   considering   that   any   rectification   or   withdrawal of   an   administrative   act may conflict with the protection of legitimate expectations and the principle of legal certainty, the Union’s administration should carefully and impartially assess the effects of the rectification or withdrawal on other parties and include the conclusions of such an assessment in the reasons of the rectifying or withdrawing act.
(36) Citizens of the Union have the right to write to the Union’s institutions, bodies, offices and agencies in one of the languages of the Treaties and to have an answer in the same language. The Union’s administration should respect the language rights of the parties by ensuring that the administrative procedure is carried out in one of the languages of the Treaties chosen by the party. In the case of an administrative procedure initiated by the Union’s administration, the first notification should be drafted in one of the languages of the Treaty corresponding to the Member State in which the party is located.
(37) The principle of transparency and the right of access to documents have a particular importance under an administrative procedure without prejudice of the legislative acts adopted under Article 15(3) TFEU. Any limitation of those principles should be narrowly construed to comply with the criteria set out in Article 52(1) of the Charter and therefore should be provided for by law and should respect the essence of the rights and freedoms and be subject to the principle of proportionality.
(38) The right to protection of personal data implies that without prejudice of the legislative acts adopted under Article 16 TFEU, data used by the Union’s administration   should be accurate, up-to-date   and lawfully   recorded.
(39) The principle of protection of legitimate expectations derives from the rule of law and implies that actions of public bodies should not interfere with vested rights and final legal situations except where it is imperatively necessary in the public interest. Legitimate expectations should be duly taken into account where an administrative act is rectified or withdrawn.
(40) The principle of legal certainty requires Union rules to be clear and precise. That principle aims at ensuring that situations and legal relationships governed by Union law remain foreseeable in that individuals should be able to ascertain unequivocally what their rights and obligations are and be able to take steps accordingly. In accordance with the principle of legal certainty, retroactive measures should not be taken except in legally justified circumstances.
(41) With a view to ensuring overall coherence in the activities of the Union’s administration, administrative acts of general scope should comply with the principles of good administration referred to in this Regulation.
(42) In the interpretation of this Regulation, regard should be had especially to equal treatment and non-discrimination, which apply to administrative activities as a prominent corollary to the rule of law and the principles of an efficient and independent European administration,

HAVE ADOPTED THIS REGULATION:

CHAPTER I GENERAL   PROVISIONS

Article 1 Subject matter and objective…
Continue reading “BETTER…ADMINISTRATIVE MAKING AT EU LEVEL (when the European Parliament paves the way to an, almost reluctant, European Commission…).”

Strasbourg Court: Hungarian legislation on secret anti-terrorist surveillance does not have sufficient safeguards against abuse

Press release accessible here

In January 12 Chamber judgment¹ in the case of Szabó and Vissy v. Hungary (application no. 37138/14) the European Court of Human Rights held, unanimously, that there had been:

a violation of Article 8 (right to respect for private and family life, the home and correspondence)
of the European Convention on Human Rights, and
no violation of Article 13 (right to an effective remedy) of the European Convention.

The case concerned Hungarian legislation on secret anti-terrorist surveillance introduced in 2011.

The Court accepted that it was a natural consequence of the forms taken by present-day terrorism that governments resort to cutting-edge technologies, including massive monitoring of communications, in pre-empting impending incidents.

However, the Court was not convinced that the legislation in question provided sufficient safeguards to avoid abuse. Notably, the scope of the measures could include virtually anyone in Hungary, with new technologies enabling the Government to intercept masses of data easily concerning even persons outside the original range of operation. Furthermore, the ordering of such measures was taking place entirely within the realm of the executive and without an assessment of whether interception of communications was strictly necessary and without any effective remedial measures, let alone judicial ones, being in place.

Principal facts

The applicants, Máté Szabó and Beatrix Vissy, are Hungarian nationals who were born in 1976 and 1986 respectively and live in Budapest. At the relevant time they worked for a non-governmental watchdog organisation (Eötvös Károly Közpolitikai Intézet) which voices criticism of the Government.

A specific Anti-Terrorism Task Force was established within the police force as of 1 January 2011. Its competence is defined in section 7/E of Act no. XXXIV of 1994 on the Police, as amended by Act no. CCVII of 2011. Under this legislation, the task force’s prerogatives in the field of secret intelligence gathering include secret house search and surveillance with recording, opening of letters and parcels, as well as checking and recording the contents of electronic or computerised communications, all this without the consent of the persons concerned.

In June 2012 the applicants filed a constitutional complaint arguing that the sweeping prerogatives in respect of secret intelligence gathering for national security purposes under section 7/E (3) breached their right to privacy. The Constitutional Court dismissed the majority of the applicants’ complaints in November 2013. In one aspect the Constitutional Court agreed with the applicants, namely, it held that the decision of the minister ordering secret intelligence gathering had to be supported by reasons. However, the Constitutional Court held in essence that the scope of national security-related tasks was much broader than the scope of the tasks related to the investigation of particular crimes, thus the differences in legislation between criminal secret surveillance and secret surveillance for national security purposes were not unjustified.

Complaints, procedure and composition of the Court

Relying on Article 8 (right to respect for private and family life, the home and the correspondence), the applicants complained that they could potentially be subjected to unjustified and disproportionately intrusive measures within the Hungarian legal framework on secret surveillance for national security purposes (namely, “section 7/E (3) surveillance”). They alleged in particular that this legal framework was prone to abuse, notably for want of judicial control. They also complained that their exposure to secret surveillance without judicial control or remedy breached their rights under Article 6 § 1 (right to a fair hearing/ access to court) and Article 13 (right to an effective remedy) read in conjunction with Article 8.

The application was lodged with the European Court of Human Rights on 13 May 2014.

Privacy International and the Center for Democracy & Technology, both non-governmental organisations, were given permission to make written submissions as third parties.

Judgment was given by a Chamber of seven judges, composed as follows:

Vincent A. de Gaetano (Malta), President,
András Sajó (Hungary),
Boštjan M. Zupančič (Slovenia),
Nona Tsotsoria (Georgia),
Paulo Pinto de Albuquerque (Portugal),
Krzysztof Wojtyczek (Poland),
Iulia Antoanella Motoc (Romania),
and also Fatoş Aracı, Deputy Section Registrar.

————————————————-
Decision of the Court

Article 8 (privacy rights)

Firstly, the Court noted that the Constitutional Court, having examined the applicants’ constitutional complaint on the merits, had implicitly acknowledged that they had been personally affected by the legislation in question. In any case, whether or not the applicants – as staff members of a watchdog organisation – belonged to a targeted group, the Court considered that the legislation directly affected all users of communication systems and all homes. Moreover, the domestic law does not apparently provide any possibility for an individual who suspected that their communications were being intercepted to lodge a complaint with an independent body. Considering these two circumstances, the Court was of the view that the applicants could therefore claim to be victims of a violation of their rights under the European Convention. Furthermore, the Court was satisfied that the applicants had exhausted domestic remedies by bringing to the attention of the national authorities – namely the Constitutional Court – the essence of their grievance.

The Court found that there had been an interference with the applicants’ right to respect for private and family life as concerned their general complaint about the rules of section 7/E (3) (and not as concerned any actual interception of their communications allegedly taking place). It was not in dispute between the parties that that interference’s aim was to safeguard national security and/or to prevent disorder or crime and that it had had a legal basis, namely under the Police Act of 1994 and the National Security Act. Furthermore, the Court was satisfied that the two situations permitting secret surveillance for national security purposes under domestic law, namely the danger of terrorism and rescue operations of Hungarian citizens in distress abroad, were sufficiently clear to give citizens an adequate indication as to the circumstances in which and the conditions on which public authorities were empowered to resort to such measures.

However, the Court was not convinced that the Hungarian legislation on “section 7/E (3) surveillance” provided safeguards which were sufficiently precise, effective and comprehensive in as far as the ordering, execution and potential redressing of such measures were concerned.

Notably, under “section 7/E”, it is possible for virtually any person in Hungary to be subjected to secret surveillance as the legislation does not describe the categories of persons who, in practice, may have their communications intercepted. The authorities simply have to identify to the government minister responsible the name of the individual/s or the “range of persons” to be intercepted, without demonstrating their actual or presumed relation to any terrorist threat.

Furthermore, under the legislation, when requesting permission from the Minister of Justice to intercept an individual’s communications, the anti-terrorism task force is merely required to argue that the secret intelligence gathering is necessary, without having to provide evidence in support of their request. In particular, such evidence would provide a sufficient factual basis to apply such measures and would enable an evaluation of their necessity based on an individual suspicion regarding the targeted individual. The Court reiterated that any measure of secret surveillance which did not correspond to the criteria of being strictly necessary for the safeguarding of democratic institutions or for the obtaining of vital intelligence in an individual operation would be prone to abuse by authorities with formidable technologies at their disposal.

Another element which could be prone to abuse is the duration of the surveillance. It was not clear from the wording of the law whether the renewal of a surveillance warrant (on expiry of the initial 90 days stipulated under the National Security Act) for a further 90 days was possible only once or repeatedly.

Moreover, these stages of authorisation and application of secret surveillance measures lacked judicial supervision. Although the security services are required, when applying for warrants, to outline the necessity of the secret surveillance, this procedure does not guarantee an assessment of whether the measures are strictly necessary, notably in terms of the range of persons and the premises concerned. For the Court, supervision by a politically responsible member of the executive, such as the Minister of Justice, did not provide the necessary guarantees against abuse. External, preferably judicial control of secret surveillance activities offers the best guarantees of independence, impartiality and a proper procedure.

As concerned the procedures for redressing any grievances caused by secret surveillance measures, the Court noted that the executive did have to give account of surveillance operations to a parliamentary committee. However, it could not identify any provisions in Hungarian legislation permitting a remedy granted by this procedure to those who are subjected to secret surveillance but, by necessity, are not informed about it during their application. Nor did the twice yearly general report on the functioning of the secret services presented to this parliamentary committee provide adequate safeguards, as it was apparently unavailable to the public. Moreover, the complaint procedure outlined in the National Security Act also seemed to be of little relevance, since citizens subjected to secret surveillance measures were not informed of the measures applied. Indeed, no notification – of any kind – of secret surveillance measures is foreseen in Hungarian law. The Court reiterated that as soon as notification could be carried out without jeopardising the purpose of the restriction after the termination of the surveillance measure, information should be provided to the persons concerned.

In sum, given that the scope of the measures could include virtually anyone in Hungary, that the ordering was taking place entirely within the realm of the executive and without an assessment of whether interception of communications was strictly necessary, that new technologies enabled the Government to intercept masses of data easily concerning even persons outside the original range of operation, and given the absence of any effective remedial measures, let alone judicial ones, the Court concluded that there had been a violation of Article 8 of the Convention.

Other articles

Given the finding relating to Article 8, the Court considered that it was not necessary to examine the applicants’ complaint under Article 6 of the Convention.
Lastly, the Court reiterated that Article 13 could not be interpreted as requiring a remedy against the state of domestic law and therefore found that there had been no violation of Article 13 taken together with Article 8.

Article 41 (just satisfaction)

The Court held that the finding of a violation constituted in itself sufficient just satisfaction for any non-pecuniary damage sustained by the applicants. It awarded 4,000 for costs and expenses.

Separate opinion

Judge Pinto de Albuquerque expressed a separate opinion which is annexed to the judgment. The judgment is available only in English.

Under Articles 43 and 44 of the Convention, this Chamber judgment is not final. During the three-month period following its delivery, any party may request that the case be referred to the Grand Chamber of the Court. If such a request is made, a panel of five judges considers whether the case deserves further examination. In that event, the Grand Chamber will hear the case and deliver a final judgment. If the referral request is refused, the Chamber judgment will become final on that day.

Once a judgment becomes final, it is transmitted to the Committee of Ministers of the Council of Europe for supervision of its execution. Further information about the execution process can be found here: www.coe.int/t/dghl/monitoring/execution.

Press contacts

echrpress@echr.coe.int | tel.: +33 3 90 21 42 08
Tracey Turner-Tretz (tel: + 33 3 88 41 35 30)
Nina Salomon (tel: + 33 3 90 21 49 79) Denis Lambert (tel: + 33 3 90 21 41 09) Inci Ertekin (tel: + 33 3 90 21 55 30)

The European Court of Human Rights was set up in Strasbourg by the Council of Europe Member States in 1959 to deal with alleged violations of the 1950 European Convention on Human Rights.

Zakharov v Russia: Mass Surveillance and the European Court of Human Rights

Reblogged also by EU LAW ANALYSIS on Wednesday, 16 December with permission from the IALS Information Lawand Policy Centre blog

by Lorna Woods, (*)

Introduction

The European Court of Human Rights has heard numerous challenges to surveillance regimes, both individual and mass surveillance, with mixed results over the years. Following the Snowden revelations, the question would be whether the ECtHR would take a hard line particularly as regards mass surveillance, given its suggestion in Kennedy that indiscriminate acquisition of vast amounts of data should not be permissible. Other human rights bodies have condemned this sort of practice, as can be seen by the UN Resolution 68/167 the Right to Privacy in the Digital Age. Even within the EU there has been concern as can be seen in cases such as Digital Rights Ireland (discussed here) and more recently in Schrems (discussed here). The Human Rights Court has now begun to answer this question, in the Grand Chamber judgment in Zakharov v. Russia(47143/06), handed down on December 42015.

Facts

Zakharov, a publisher and a chairman of an NGO campaigning for media freedom and journalists’ rights, sought to challenge the Russian system for permitting surveillance in the interests of crime prevention and national security. Z claimed that the privacy of his communications across mobile networks was infringed as the Russian State, by virtue of Order No. 70, had required the network operators to install equipment which permitted the Federal Security Service to intercept all telephone communications without prior judicial authorisation.

This facilitated blanket interception of mobile communications. Attempts to challenge this and to ensure that access to communications was restricted to authorised personnel were unsuccessful at national level. The matter was brought before the European Court of Human Rights. He argued that the laws relating to monitoring infringe his right to private life under Article 8; that parts of these laws are not accessible; and that there are no effective remedies (thus also infringing Art. 13 ECHR).

Judgment

The first question was whether the case was admissible. The Court will usually not rule on questions in abstracto, but rather on the application of rules to a particular situation. This makes challenges to the existence of a system, rather than its use, problematic. The Court has long recognised that secret surveillance can give rise to particular features that may justify a different approach. Problematically, there were two lines of case law, one of which required the applicant to show a ‘reasonable likelihood’ that the security services had intercepted the applicant’s communications (Esbester) and which favoured the Government’s position, and the other which suggested the menace provided by a secret surveillance system was sufficient (Klass) and which favoured the applicant.

The Court took the opportunity to try to resolve these potentially conflicting decisions, developing its reasoning in Kennedy. It accepted the principle that legislation can be challenged subject to two conditions: the applicant potentially falls within the scope of the system; and the level of remedies available. This gives the Court a form of decision matrix in which a range of factual circumstances can be assessed. Where there are no effective remedies, the menace argument set out in its ruling in Klass would be accepted.

Crucially, even where there are remedies, an applicant can still challenge the legislation if ‘due to his personal situation, he is potentially at risk of being subjected to such measures’ [para 171]. This requirement of ‘potentially at risk’ seems lower than the ‘reasonable likelihood’ test in the earlier case of Esbester. The conditions were satisfied in this case as it has been recognised that mobile communications fall within ‘private life’ and ‘correspondence’ (see Liberty, para 56, cited here para 173).

This brought the Court to consider whether the intrusion could be justified. Re-iterating the well-established principles that, to be justified, any interference must be in accordance with the law, pursue a legitimate aim listed in Article 8(2) and be necessary in a democratic society, the Court considered each in turn.

The requirement of lawfulness has a double aspect, formal and qualitative. The challenged measure must be based in domestic law, but it must also be accessible to the person concerned and be foreseeable as to its effects (see e.g Rotaru). While these principles are generally applicable to all cases under Article 8 (and applied analogously in other rights, such as Articles 9, 10 and 11 ECHR), the Court noted the specificity of the situation. It stated that:

‘…. domestic law must be sufficiently clear to give citizens an adequate indication as to the circumstances in which and the conditions on which public authorities are empowered to resort to any such measures’ [para 229].

In this, the Court referred to a long body of jurisprudence relating to surveillance, which recognises the specific nature of the threats that surveillance is used to address. In the earlier case of Kennedy for example, the Court noted that ‘threats to national security may vary in character and may be unanticipated or difficult to define in advance’ [para 159].

While the precision required of national law might be lower than the normal standard, the risk of abuse and arbitrariness are clear, so the exercise of any discretion must be laid down by law both as to its scope and the manner of its exercise. It stated that ‘it would be contrary to the rule of law … for a discretion granted to the executive in the sphere of national security to be expressed in terms of unfettered power’ [para 247]. Here, the Court noted that prior judicial authorisation was an important safeguard [para 249]. The Court gave examples of minimum safeguards:

The nature of offences which may give rise to an interception order
A definition of the categories of people liable to have their telephones tapped
A limit on the duration of telephone tapping
Protections and procedures for use, storage and examination of resulting data
Safeguards relating to the communication of data to third parties
Circumstances in which data/recordings must be erased/destroyed (para 231)
the equipment installed by the secret services keeps no logs or records of intercepted communication, which coupled with the direct access rendered any supervisory arrangements incapable of detecting unlawful interceptions
the emergency procedure provided for in Russian law, which enables interception without judicial authorization, does not provide sufficient safeguards against abuse.

The Court then considered the principles for assessing whether the intrusion was ‘necessary in a democratic society’, highlighting the tension between the needs to protect society and the consequences of that society of the measures taken to protect it. The Court emphasised that it must be satisfied that there are adequate and effective guarantees against abuse.

In this oversight mechanisms are central, especially where individuals will not – given the secret and therefore unknowable nature of surveillance – be in a position to protect their own rights. The court’s preference is to entrust supervisory control to a judge. For an individual to be able to challenge surveillance retrospectively, affected individuals need either to be informed about surveillance or for individuals to be able to bring challenges on the basis of a suspicion that surveillance has taken place.

Russian legislation lacks clarity concerning the categories of people liable to have their phones tapped, specifically through the blurring of witnesses with suspects and the fact that the security services have a very wide discretion. The provisions regarding discontinuation of surveillance are omitted in the case of the security services. The provisions regarding the storage and destruction of data allow for the retention of data which is clearly irrelevant; and as regards those charged with a criminal offence is unclear as to what happens to the material after the trial.

Notably, the domestic courts do not verify whether there is a reasonable suspicion against the person in respect of whose communications the security services have requested interception be permitted. Further, there is little assessment of whether the interception is necessary or justified: in practice it seems that the courts accept a mere reference to national security issues as being sufficient.

The details of the authorisation are also not specified, so authorisations have been granted without specifying – for example – the numbers to be interception. The Russian system, which at a technical level allows direct access, without the police and security services having to show an authorisation is particularly prone to abuse. The Court determined that the supervisory bodies were not sufficiently independent. Any effectiveness of the remedies available to challenge interception of communications is undermined by the fact that they are available only to persons who are able to submit proof of interception, knowledge and evidence of which is hard if not impossible to come by.

Comments

The Court could be seen as emphasising in its judgment by repeated reference to its earlier extensive case law on surveillance that there is nothing new here. Conversely, it could be argued that Zakharov is a Grand Chamber judgment which operates to reaffirm and highlight points made in previous judgments about the dangers of surveillance and the risk of abuse. The timing is also significant, particularly from a UK perspective. Zakharov was handed down as the draft Investigatory Powers Bill was published. Cases against the UK are pending at Strasbourg, while it follows the ECJ’s ruling in Schrems, with Davis (along with the Swedish Tele2 reference), querying whether theDigital Rights ruling applies to national data retention schemes, now pending before the ECJ (on that issue, see discussion here). The ECtHR noted the Digital Rights Ireland case in its summary of applicable law.

In setting out its framework for decisions, the Court’s requirement of ‘potentially at risk’ even when remedies are available seems lower than the ‘reasonable likelihood’ test in Esbester. The Court’s concern relates to ‘the need to ensure that the secrecy of surveillance measures does not result in the measures being effectively unchallengeable and outside the supervision of the national judicial authorities and of the Court’ [para 171]. This broad approach to standing is, as noted by Judge Dedon’s separate but concurring opinion, in marked contrast to the approach of the United States Supreme Court in Clapper where that court ‘failed to take a step forward’ (Opinion, section 4).

The reassessment of ‘victim status’ simultaneously determines standing, the question of the applicability of Article 8 and the question of whether there has been an infringement of that right. The abstract nature of the review then means that a lot falls on the determination of ‘in accordance with the law’ and consequently the question of whether the measures (rather than individual applications) are necessary in a democratic society. The leads to a close review of the system itself and the safeguards built in. Indeed, it is noteworthy that the Court did not just look at the provisions of Russian law, but also considered how they were applied in practice.

The Court seemed particularly sceptical about broadly determined definitions in the context of ‘national, military, economic or ecological security’ which confer ‘almost unlimited degree of discretion’ [para 248]. Although the system required prior judicial authorisation (noted para 259], in this case it was not sufficient counter to the breadth of the powers. So, prior judicial authorisation will not be a ‘get out of gaol free’ card for surveillance systems. There must be real oversight by the relevant authorities.

Further, the Court emphasised the need for the identification of triggering factor(s) for interception of communications, as otherwise this will lead to overbroad discretion [para 248]. Moreover, the Court stated that the national authorisation authorities must be capable of ‘verifying the existence of a reasonable suspicion against the person concerned’ [260-2], which in the context of technological access to mass communications might be difficult to satisfy. The Court also required that specific individuals or premises be identified. If it applies the same principles to mass surveillance currently operated in other European states, many systems might be hard to justify.

A further point to note relates to the technical means by which the interception was carried out. The Court was particularly critical of a system which allows the security services and the police the means to have direct access to all communications. It noted that ‘their ability to intercept the communications of a particular individual or individuals is not conditional on providing an interception authorisation to the communications service provider’ [para 268], thereby undermining any protections provided by the prior authorisation system.

Crucially, the police and security services could circumvent the requirement to demonstrate the legality of the interception [para 269]. The problem is exacerbated by the fact that the equipment used does not create a log of the interceptions which again undermines the supervisory authorities’ effectiveness [para 272]. This sort of reasoning could be applied in other circumstances where police and security forces have direct technical means to access content which is not dependent on access via a service provider (e.g. hacking computers and mobiles).

In sum, not only has the Russian system been found wanting in terms of compliance with Article 8, but the Court has drawn its judgment in terms which raised questions about the validity of other systems of mass surveillance.

Professor of Internet Law, University of Essex

EU-US Umbrella Data Protection Agreement : Detailed analysis by Douwe Korff

14 October 2015 (NOTA BENE : This text is more than 60 pages)

by Douwe KORFF (FREE GROUP MEMBER)

About the Fundamental Rights Europe Expert Group (FREE): The Fundamental Rights European Experts Group (FREE Group : http://www.free-group.eu) is a Belgian non governmental organisation (Association Sans But Lucratif (ASBL) Registered at Belgian Moniteur: Number 304811. According to art 3 and 4 of its Statute ( see below *) the association focus is on monitoring, teaching and advocating in the European Union freedom security and justice related policies. In the same framework we follow also the EU actions in protecting and promoting EU values and fundamental rights in the Member States as required by the article 2, 6 and 7 of the Treaty on the European Union (risk of violation by a Member State of EU founding values)

About the author: Douwe Korff is a Dutch comparative and international law expert on human rights and data protection. He is Emeritus Professor of International Law, London Metropolitan University; Associate, Oxford Martin School, University of Oxford (Global Cybersecurity Capacity Centre); Fellow, Centre for Internet & Human Rights, University of Viadrina, Frankfurt/O and Berlin; and Visiting Fellow, Yale University (Information Society Project).

Acknowledgments: The author would like to express his thanks to Mme. Marie Georges and Prof. Steve Peers, members of FREE Group, for their very helpful comments on and edits of the draft of this Note.

OVERALL CONCLUSIONS

We believe the following aspects of the Umbrella Agreement violate, or are likely to lead to violations of, the Treaties and the EU Charter of Fundamental Rights:

The Umbrella Agreement appears to allow the “sharing” of data sent by EU law enforcement agencies to US law enforcement agencies with US national security agencies (including the FBI and the US NSA) for use in the latter’s mass surveillance and data mining operations; as well as the “onward transfer” of such data to “third parties”, including national security agencies of yet other (“third”) countries, which the Agreement says may not be subjected to “generic data protection conditions”;
The Umbrella Agreement does not contain a general human rights clause prohibiting the “sharing” or “onward transfers” of data on EU persons, provided subject to the Agreement, with or to other agencies, in the USA or elsewhere, in circumstances in which this could lead to serious human rights violations, including arbitrary arrest and detention, torture or even extrajudicial killings or “disappearances” of the data subjects (or others);
The Umbrella Agreement does not provide for equal rights and remedies for EU- and US nationals in the USA; but worse, non-EU citizens living in EU Member States who are not nationals of the Member State concerned – such as Syrian refugees or Afghan or Eritrean asylum-seekers, or students from Africa or South America or China – and non-EU citizens who have flown to, from or through the EU and whose data may have been sent to the USA (in particular, under the EU-US PNR Agreement), are completely denied judicial redress in the USA under the Umbrella Agreement.

In addition:

The Umbrella Agreement in many respects fails to meet important substantive requirements of EU data protection law;
The Umbrella Agreement also fails to meet important requirements of EU data protection law in terms of data subject rights and data subjects’ access to real and effective remedies; and
In terms of transparency and oversight, too, the Umbrella Agreement falls significantly short of fundamental European data protection and human rights requirements.

The Agreement should therefore, in our view, not be approved by the European Parliament in its present form.

FULL TEXT OF THE ANALYSIS

Introduction / Background

Continue reading “EU-US Umbrella Data Protection Agreement : Detailed analysis by Douwe Korff”