3. How the INFOSEC proposal builds a wider, but still incomplete, legal framework for EU Classified informations (EUCI)
“The core of the proposed Regulation on the security of EU information (hereafter the INFOSEC proposal) concerns the creation and management of EU classified information (EUCI). In doing so, it substantially modifies Article 9 of Regulation 1049/2001, which deals with public access (or not) to so-called “sensitive documents”.
According to that article:
“Sensitive documents are documents originating from the institutions or the agencies established by them, from Member States, third countries or International Organizations, classified as ‘TRÈS SECRET/TOP SECRET’, ‘SECRET’ or ‘CONFIDENTIEL’ in accordance with the rules of the institution concerned, which protect essential interests of the European Union or of one or more of its Member States in the areas covered by Article 4(1)(a), notably public security, defense and military matters.”
Paragraph 3 of the same article also makes clear that: “Sensitive documents shall be recorded in the register or released only with the consent of the originator.”
Paragraph 7 says: “The Commission and the Council shall inform the European Parliament regarding sensitive documents in accordance with arrangements agreed between the institutions.”
It should be noted that Article 9 of Regulation 1049/2001 was a “fast and dirty” solution for a problem which arose in July 2000: Javier Solana, newly appointed Secretary General of the Council, negotiated with the new NATO Secretary General, Mr Robertson, an administrative arrangement with NATO on the exchange of classified information with the Council of the EU. However, that arrangement was challenged before the Court by the European Parliament (EP) and the Dutch government, because they considered that it limited a citizen’s fundamental right of access to documents, and exceptions to such fundamental right should have been framed by law.
At the time, the negotiation of Regulation 1049/01 was under the pressure of a deadline established in the Treaty. The reference to “sensitive” documents was added at the end of the legislative procedure and, because of this, the EP and the Dutch government withdrew their case before the Court.
Unfortunately, it was a Pyrrhic victory – it soon became clear that Article 9 of Regulation 1049/2001 was (and still is) a rather elusive and patchy framework for EU classified information.
A number of points can be made in this regard:
a) It does not regulate how the information should be classified and declassified in the interests of the EU, as opposed to the interests of the originator (whether that be a member State, EU institution, agency or body). Quite the contrary – by transferring the definition of these aspects to the internal security of each institution it paved the way to different standards and the very well-known risk of over classification.
b) It foresees a very weak framework for parliamentary oversight. By making reference to interinstitutional agreements and not codifying in secondary law the EP’s constitutional right to oversee classified information, it places the institution in an ancillary position. It is unfortunate that the EP has not fought until now to obtain treatment comparable to the one reserved for national parliaments with regard to their governments.
The solutions may be different, and special procedures and perhaps even special parliamentary bodies may be needed, but a stronger EP role is more than necessary because this lack of oversight will not be covered at national level – governments will declare that they are barred from revealing the information because it is classified at “European” level! Moreover, the instrument of an “interinstitutional agreement/arrangement” as currently foreseen by Article 295 of the Lisbon Treaty has strong constitutional limitations. As the Council Legal Service itself recognized in 2018: “The wording of the provision (NDR art.295 TFEU), and notably the use of the term ‘arrangements’, points to the fact that IIAs are instruments for regulating the modalities of cooperation and not for the regulation of substantive policy areas.”
It is thus quite surprising that, since the first Interinstitutional Agreement in 2002, the European Parliament has not asked for a sturdier legal basis for its oversight power.
With the adoption of the INFOSEC Regulation the situation will become even worse, because the EP will be obliged to negotiate interinstitutional agreements with all the other EU institutions, agencies and bodies if access to classified information is necessary for fulfilling its own constitutional role. From the outside, 21 years after the first interinstitutional agreement, the fact that the EP is still negotiating the revision of the 2002 interinstitutional agreement on access to classified information in the Common Security and Defence Policy (CSDP) area instead of creating a true legislative legal basis for its oversight may look to some like a form of Stockholm syndrome. To exit from such an impasse would not be wise for the European Parliament to study the more suitable model by looking at the experience of the major EU Member States and, even of the USA ?
c) Article 9 recognises, albeit only in the domain of “sensitive” documents and information, the so-called “originator privilege” or “author rule.” This is an exception to the general philosophy of Regulation 1049/2001, as made clear in Article 4(5):
“A Member State may request the institution not to disclose a document originating from that Member State without its prior agreement.” The point was, and still is, that the EU institutions may only by bound by law and not by the will of an “author”, even if it were an EU member state, a point confirmed in the jurisprudence of the Court of Justice of the EU.
What the INFOSEC proposal does is to transform the exception of the “originator principle” in a rule. But, by recognizing to each EU Institution, Agency and Body the power of classify information in the interest of the EU it does not establish a mechanism which may verify that the EU interest is adequately by the classification or if it has been abusively established. For instance, an oversight power may be recognized to the European Commission or to the Ombudsman to decide if a document/information created by the EU Agencies should be declassified.
Clear rules on this point at INFOSEC level, may prevent from happening, other “incidents”, such as the one which occurred between Europol, the Ombudsman and the Commission, in 2015 when the Ombudsman asked to inspect the report of Europol’s Joint Supervisory Body (JSB) on the implementation of the EU-US Terrorist Finance Tracking Programme Agreement ( see https://www.ombudsman.europa.eu/fr/case/en/42114 )
d) It does not foresee a judicial oversight of classified information. Today it is still up to the originator to decide whether or not to give the Court of Justice access to classified information. This is not a rhetorical question: it has already happened that the Council did’nt answer positively to a Court of Justice request of having access to classified informations. As Deirdre Curtin remind us in her essay Top Secret Europe: “…in the OMPI case (*) on the blacklisting of terrorists by the UN and within the EU context, the Court said clearly that the Council could not base its decision on information that is not revealed to the Court.” ( Case T-248/08, People’s Mojahedin Organization of Iran v Council (OMPI III) para 73). It is worth recalling that in some Countries such as the USA
e) It does not solve the problem of sharing of “sensitive information” between entities which have a legitimate “need to know.” Instead, as Article 9 is focused on the security of each author of “sensitive information” and does not refer to common legislative standards, this has been done until now by the Council. This institution remains the main creator and exchanger of classified information, and has imposed via bilateral agreements with all the other EU institutions, agencies and bodies its internal security rules which, in turn, mirror the NATO standards. It is because of the legal fragility of this “de facto harmonisation” that the Commission has decided to launch a legislative initiative establishing at secondary law level the principles which should be respected in this domain inside the EU.
However, the solution envisaged in the INFOSEC proposal still does not address the main weaknesses of Article9 of Regulation 1049/2001 nor the weaknesses of the Council Internal Security Rules which are proposed to become the common EU standard. . In fact, in some cases it makes the situation even worse.
A useful example can be seen in the EU security agreements with third countries and international organizations on the exchange of classified information foreseen by articles 55-68 of the INFOSEC proposal.
The proposal requires, as a rule, that these agreements be negotiated and concluded according to Article 218 of the Lisbon Treaty, which will finally give the possibility for the EP to give its consent and to be fully and timely informed of the agreements’ content. But INFOSEC foresees also the possibility of continuing with “executive” arrangements which can be negotiated not only by the Council but also by other EU Institutions, agencies and bodies without associating the EP. That exclusion of the EP has been , unfortunately, until now the case and dozens of international agreements have been negotiated by the Council using Article 13 of its internal security rules as a legal basis.
Now, if the INFOSEC proposal is adopted not only the Council but also all the other EU Institutions Agencies and bodies will have a legal basis for negotiating and concluding these executive “arrangements”. It would be wise to make clear in the INFOSEC proposal that the arrangements shall foresee that, because of the EU’s constitutional framework, no veto can be exercised over the transmission of classified information to the EP and to the CJEU.
4. Summing up: by endorsing the INFOSEC legislative proposal is the EP shooting on its Foot ?