European union – European Area of Freedom Security & Justice

Why the European Parliament should reject (or substantially amend) the Commission’s proposal on EU Information Security (“INFOSEC”). (1) The issue of “classified information”

By Emilio De Capitani

1.Setting the scene of EU legal framework on access to documents and to confidential information before the Lisbon Treaty

To better understand why the Commission “INFOSEC” draft legislative proposal (2022/0084(COD) on information security shall be substantially amended, let’s recall what was before the Lisbon Treaty and of the Charter, the EU legal framework on access to documents, and notably of EU classified information. With the entry into force of the Amsterdam Treaty on May 1999 the EP and the Council have been under the obligation (art.255 TCE) of adopting in two years time new EU rules framing the individual right of access to documents by establishing at the same time “the general principles and limits of public interests” which may limit such right of access.(emphasis added).

Notwithstanding a rather prudent Commission’s legislative proposal the EP strongly advocated a stronger legal framework for access to documents, for legislative transparency and even for the treatment at EU level of information which, because of their content, should be treated confidentially (so called ,“sensitive” or “classified information”).

Needless to say “Sensitive” or “classified information” at Member States level, are deemed to protect “essential interests” of the State and, by law, are subject to a special parliamentary and judicial oversight regime.[1] As a consequence, at EU level, even after Lisbon, national classified information are considered an essential aspect of national security which “.. remains the sole responsibility of each Member State” (art. 4.2 TEU) and “..no Member State shall be obliged to supply information the disclosure of which it considers contrary to the essential interests of its security;”(art 346.1(a)TFEU.

However, if national classified information is shared at EU level as it is the case for EU internal or external security policies it shall be treated as for any other EU policy by complying with EU rules. Point is on what legal basis these rules should be founded. This issue came to the fore already in 2000 when the newly appointed Council Secretary General Xavier SOLANA negotiated with NATO a first interim agreement on the exchange of classified information. The agreement which mirrored at EU level the NATO Classification standards (“Confidential”, “Secret” and “Top Secret”) was founded on the Council internal organizational power but this “administrative” approach was immediately challenged before the Court of Justice by the a Member State (NL) [2]and by the European Parliament itself [3] which considered that the correct legal basis should had been the new legislation on access to documents foreseen by art 255 of TEC which was at the time under negotiation. The Council, at last, acknowledged that art.255 TEC on access to documents was right legal basis and a specific article (art.9[4]) was inserted in in Regulation 1049/01 implementing art.255 TEC and the EP and NL withdrew their applications before the CJEU[5].

Point is that Art.9 of Regulation 1049/01 still covers only the possible access by EU citizens and such access may be vetoed by the “originator” of the classified information. Unlike national legislation on classified information art.9 didn’t solved, unfortunately, for the lack of time, the issue of the democratic and judicial control by the European Parliament and by the Court of Justice to the EUCI. Art.9(7) of Regulation 1049/01 makes only a generic reference to the fact that “The Commission and the Council shall inform the European Parliament regarding sensitive documents in accordance with arrangements agreed between the institutions.” A transitional and partial solution has then been founded by negotiating Interinstitutional Agreements between the Council and the EP in 2002 [6]and in 2014 [7]and between the European Commission[8] in 2010.

Point is that interinstitutional agreements even if they may be binding (art.295 TFEU) they can only “facilitate” the implementation of EU law which, as described above, in the case of democratic and judicial control of classified information still does not exists. Not surprisingly, both the Council and the Commission Interinstitutional agreements consider that the “originator” principle should also be binding for the other EU institutions such as the European Parliament and the Court of Justice.

This situation is clearly unacceptable in an EU deemed to be democratic and bound by the rule of law as it create zones where not only the EU Citizens but also their Representatives may have no access because of “originator’s” veto. As result, in these situations the EU is no more governed by the rule of law but only by the “goodwill” of the former.

To make things even worse the Council established practice is to negotiate with third Countries and international organizations agreements [9]covering the exchange of confidential information by declaring that the other EU Institutions (such as the EP and the Court of Justice) should be considered “third parties” subject then to the “originator” principle.

Such situation has become kafkianesque with the entry into force of the Lisbon treaty which recognize now at primary law level the EP right to be “fully and timely” informed also on classified information exchanged during the negotiation of an international agreement[10]. Inexplicabily , fourtheen years since the entry into force of the Traty the European Parliament has not yet challenged before the Court of Justice these clearly unlawful agreements.

That Institutional problem kept apart, fact remains that until the presentation of the draft INFOSEC proposal none challenged the idea that in the EU the correct legal basis supporting the treatment also of classified information should be the same of access to documents which after the entry into force of the Lisbon treaty is now art.15.3 of the TFEU[11].

2 Why the Commission choice of art 298 TFEU as the legal basis for the INFOSEC proposal is highly questionable [12]

After the entry into force of the Lisbon Treaty and of the Charter the relation between the fundamental right of access to documents and the corresponding obligation of the EU administration of granting administrative transparency and disclose or not its information/documents has now been strengthened also because of art.52 of the EU Charter.

In an EU bound by the rule of law and by democratic principles, openness and the fundamental right of access should be the general rule and “limits” to such rights should be an exception framed only “by law”. As described above the correct legal basis for such “law” is art.15 of the TFEU which, as the former art.255 TEC, states that “General principles and limits on grounds of public or private interest..” may limit the right of access and the obligation of disclosing EU internal information / documents. Also from a systemic point of view “limits” to disclosure and to access are now covered by the same Treaty article which frames (in much stronger words than art 255 before Lisbon) the principles of “good governance”(par 1), of legislative transparency (par 2) and of administrative transparency (par 3).

Such general “Transparency” rule is worded as following: “1. In order to promote good governance and ensure the participation of civil society, the Union institutions, bodies, offices and agencies shall conduct their work as openly as possible.(..) Each institution, body, office or agency shall ensure that its proceedings are transparent and shall elaborate in its own Rules of Procedure specific provisions regarding access to its documents, in accordance with the regulations referred to in the second subparagraph.”

Bizarrely, the European Commission has chosen for the INFOSEC regulation art.298 TFEU on an open, independent and efficient EU administration by simply ignoring art.15 TFEU and by making an ambiguous reference to the fact that INFOSEC should be implemented “without prejudice” of the pre-Lisbon Regulation 1049/01 dealing with access to documents and administrative transparency. How a “prejudice” may not exist when both Regulations are overlapping and INFOSEC Regulation is upgrading the Council Internal Security rules at legislative level is a challenging question.

It is indeed self evident that both the INFOSEC Regulation and Regulation 1049/01 deal with the authorized/unauthorised “disclosure” of EU internal information/documents.

Such overlapping of the two Regulations is even more striking for the treatment EU Classified information (EUCI) as these information are covered both by art. 9 of Regulation 1049/01 and now by articles 18 to 58 and annexes II to VI of the INFOSEC Regulation.

As described above, Art 255 TCE has since Lisbon been replaced and strengthened by art 15 TFEU so that the Commission proposal of replacing it with art.298 TFEU looks like a “detournement de procedure” which may be challenged before the Court for almost the same reasons already raised in 2000 by the EP and by NL. It would then been sensible to relaunch the negotiations on the revision of Regulation 1049 in the new post-Lisbon perspective but the Commission has decided this year to withdraw the relevant legislative procedure. Submitting a legislative proposal such INFOSEC promoting overall confidentiality and withdrawing at the same time a legislative proposal promoting transparency seems a rather Commission’s strong message to the public.

3 Does the INFOSEC proposal grant a true security for EU internal information?

Point is that European administrative transparency is now a fundamental right of the individual enshrined in the Charter (Article 42).The protection of administrative data is one of the aspects of the “duty” of good administration enshrined in Article 41 of the Charter which stipulates that every person has the right of access to their file, “with due regard for the legitimate interests of confidentiality and professional and business secrecy.”

However Art.298 TFEU is not the legal basis framing professional secrecy. It is only a provision on the functioning of the institutions and bodies which, “in carrying out their tasks … [must be based] on an “open” European administration”[13] and is not an article intended to ensure the protection of administrative documents.

This objective is better served by other legal basis of the Treaties.

First of all, protecting the archives of EU institutions and bodies from outside interference is, even before being a legitimate interest, an imperative condition laid down by the Treatiesand the related 1965 Protocol on the Privileges and Immunities of the Union adopted on the basis of the current Article 343 TFEU. Articles 1 and 2 of that Protocol stipulate that the premises and buildings of the Union, as well as its archives, “shall be inviolable.”

Furthermore, in order to ensure that, in the performance of their duties, officials are obliged to protect the documents of their institutions, Article 17 of the Staff Regulations stipulates that

1. Officials shall refrain from any unauthorized disclosure of information coming to their knowledge in the course of their duties, unless such information has already been made public or is accessible to the public.

Again, (as for Regulation 1049/01), the INFOSEC regulation reinstate that it should be applied “without prejudice” of the Staff Regulation by so mirroring the second paragraph of art.298 TFEU which states that itself states that it should be implemented “in accordance with the Staff Regulations and the rules adopted on the basis of Article 336.” So, also from this second perspective, the correct legal basis for INFOSEC could be the Article 339 (on professional secrecy) and 336 TFEU, with the consequent amendment of the Staff Regulations by means of a legislative regulation of the Parliament and the Council.

By proposing a legislative regulation on the basis of Article 298, the Commission therefore circumvents both the obligation imposed by Article 336, art 339 (on professional secrecy) and, more importantly of Article 15(3) TFEU, according to which each institution or body “..shall ensure (i.e., must ensure) the transparency of its proceedings [and therefore also their protection from external interference] and shall lay down in its rules of procedure specific provisions concerning access to its documents [and therefore also concerning their protection], in accordance with the regulations referred to in the second subparagraph.”(NDR currently Regulation 1049/01)

The objectives set out in Article 298 cannot therefore override the requirements of protecting the fundamental right of access to documents, nor those of Article 15 TFEU which could be considered the “center of gravity”when several legal basis are competing [14].

The same applies to compliance with the regulation establishing the Statute and, in particular, compliance with Article 17 thereof, cited above.

Ultimately, the provisions on the legislative procedure for Union legislative acts are not at the disposal of the Commission, given that administrative transparency is a fundamental right and the protection of documents is a corollary thereof and not a means of functioning of the institutions. Administrative transparency is a fundamental right of every person; the protection of administrative data is a legitimate interest of every administration.

A ”public” interest that can certainly limit the right of access, but only under the conditions established by the legislator of art 15 TFEU and only by the latter.

4. Conclusions

If a recommendation may be made now to the co-legislators is to avoid illusionary shortcuts such as the current Commission proposal whose real impact on the EU administrative “bubble” is far to be clear[15] . The EU Legislator, since the entry into force of the Lisbon Treaty more than fourteen years ago is faced to much more pressing problems.

What is mostly needed is not inventing several layers of illusionary “protection” of the EU information but framing the administrative procedures by law as suggested several times by the European Parliament and by the multiannual endeavor of brilliant scholars focusing on the EU Administrative law[16].

What matters is that the management and the access to EU information should be framed by law and not depend from the goodwill of the administrative author or the receiver as proposed by the INFOSEC Regulation. Nor information security is strengthened transforming each one of the 64 EU “entities” covered by the INFOSEC Regulation [17] in sand-boxes where the information is shared only with the people who, according to the “originator” has a “need to know” and not a “right to know”.

Moreover the EU should limit and not generalize the power for each one of the 64 EU entities of create “classified” information (EUCI). In this perspective art.9 of Regulation 1049/01 needs indeed a true revision but in view of the new EU Constitutional framework and of the new institutional balance arising from the Lisbon treaty and of the Charter.

Fourtheen years after Lisbon the democratic oversight of the European Parliament and the judicial control of the Court of Justice on classified documents , shall be granted by EU law as it is the case in most of the EU Countriesand not by interinstitutional agreements which maintain the “Originator” against these institutions in violation of the rule of law principle as well as of the EU institutional balance.

Could still be acceptable fourteen years after the entry into force of the Lisbon Treaty that the European Parliament and the Court of justice are not taken in account in the dozens of international agreements by which the Council frame the exchange of EUCI with third countries and international organizations?

Instead of dealing with these fundamental issues the European Commission in its 67 pages proposal makes no reference to 24 years of experience in the treatment of classified information and prefer dragging the co-legislators in Kafkian debates dealing with “sensitive but not classified information” or on the strange idea by which documents should marked “public” by purpose and not by their nature (by so crossing the line separating public transparency from public propaganda).

But all that been said, it is not the Commission which will be responsible before the Citizens (and the European Court) for badly drafted legislation. It will be the European Parliament and the Council which shall now take their responsibility. They can’t hide behind the Commission unwillingness to deal with substantive issues (as well as with other aspects of legislative and administrative transparency) ; if the Council also prefer maintain the things as they were before Lisbon it is up to the European Parliament to take the lead and establish a frank discussion with the other co-legislator and verify if there is the will of fixing the real growing shortcomings in the EU administrative “Bubble”.

Continuing with the negotiations on the current version of the INFOSEC proposal notably on the complex issue of classified information paves the way to even bigger problems which (better soon than later) risk to be brought as in 2000 on the CJEU table.

[1] According to the Venice Commission “.. at International and national level access to classified documents is restricted by law to a particular group of persons. A formal security clearance is required to handle classified documents or access classified data. Such restrictions on the fundamental right of access to information are permissible only when disclosure will result in substantial harm to a protected interest and the resulting harm is greater than the public interest in disclosure. Danger is that if authorities engage in human rights violations and declare those activities state secrets and thus avoid any judicial oversight and accountability. Giving bureaucrats new powers to classify even more information will have a chilling effect on freedom of information – the touchstone freedom for all other rights and democracy – and it may also hinder the strive towards transparent and democratic governance as foreseen since Lisbon by art.15.1 of TFEU (emphasis added) The basic fear is that secrecy bills will be abused by authorities and that they lead to wide classification of information which ought to be publicly accessible for the sake of democratic accountability. Unreasonable secrecy is thus seen as acting against national security as “it shields incompetence and inaction, at a time that competence and action are both badly needed”. (…) Authorities must provide reasons for any refusal to provide access to information. The ways the laws are crafted and applied must be in a manner that conforms to the strict requirements provided for in the restriction clauses of the freedom of information provisions in the ECHR and the ICCPR.”

[2] Action brought on 9 October 2000 by the Kingdom of the Netherlands against the Council of the European Union (Case C-369/00) (2000/C 316/37)

[3] Action brought on 23 October 2000 by the European Parliament against the Council of the European Union (Case C-387/00) (2000/C 355/31) LINK chrome-extension://efaidnbmnnnibpcajpcglclefindmkaj/https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:C2000/355/31

[4] Regulation 1049/01 Article 9”Treatment of sensitive documents

1. Sensitive documents are documents originating from the institutions or the agencies established by them, from Member States, third countries or International Organisations, classified as “TRÈS SECRET/TOP SECRET”, “SECRET” or “CONFIDENTIEL” in accordance with the rules of the institution concerned, which protect essential interests of the European Union or of one or more of its Member States in the areas covered by Article 4(1)(a), notably public security, defence and military matters.

2. Applications for access to sensitive documents under the procedures laid down in Articles 7 and 8 shall be handled only by those persons who have a right to acquaint themselves with those documents. These persons shall also, without prejudice to Article 11(2), assess which references to sensitive documents could be made in the public register.

3. Sensitive documents shall be recorded in the register or released only with the consent of the originator.

4. An institution which decides to refuse access to a sensitive document shall give the reasons for its decision in a manner which does not harm the interests protected in Article 4.

5. Member States shall take appropriate measures to ensure that when handling applications for sensitive documents the principles in this Article and Article 4 are respected.

6. The rules of the institutions concerning sensitive documents shall be made public.

7. The Commission and the Council shall inform the European Parliament regarding sensitive documents in accordance with arrangements agreed between the institutions.

[5] Notice for the OJ.Removal from the register of Case C-387/00¹By order of 22 March 2002 the President of the Court of Justice of the European Communities ordered the removal from the register of Case C-387/00: European Parliament v Council of the European Union. OJ C 355 of 09.12.2000.

[6] Interinstitutional Agreement of 20 November 2002 between the European Parliament and the Council concerning access by the European Parliament to sensitive information of the Council in the field of security and defence policy (OJ C 298, 30.11.2002, p. 1).

[7] According to the Interinstitutional Agreement of 12 March 2014 between the European Parliament and the Council concerning the forwarding to and handling by the European Parliament of classified information held by the Council on matters other than those in the area of the common foreign and security policy (OJ C 95, 1.4.2014, pp. 1–7) “4. The Council may grant the European Parliament access to classified information which originates in other Union institutions, bodies, offices or agencies, or in Member States, third States or international organisations only with the prior written consent of the originator.”

[8] According to annex III point 5 of the Framework Agreement on relations between the European Parliament and the European Commission (OJ L 304, 20.11.2010, pp. 47–62) In the case of international agreements the conclusion of which requires Parliament’s consent, the Commission shall provide to Parliament during the negotiation process all relevant information that it also provides to the Council (or to the special committee appointed by the Council). This shall include draft amendments to adopted negotiating directives, draft negotiating texts, agreed articles, the agreed date for initialling the agreement and the text of the agreement to be initialled. The Commission shall also transmit to Parliament, as it does to the Council (or to the special committee appointed by the Council), any relevant documents received from third parties, subject to the originator’s consent. The Commission shall keep the responsible parliamentary committee informed about developments in the negotiations and, in particular, explain how Parliament’s views have been taken into account.”

[9] SEE : Agreements on the security of classified information Link : https://eur-lex.europa.eu/EN/legal-content/summary/agreements-on-the-security-of-classified-information.html

[10] Article 218.10 TFUE states clearly that “The European Parliament shall be immediately and fully informed at all stages of the procedure” when the EU is negotiating international agreements even when the agreements “relates exclusively or principally to the common foreign and security policy,” (art.218.3 TFUE).

[11] Interestingly reference to art.15 of the TFEU is also made in the EP-Council 2014 Interinstitutional Agreement on access to classified information (not dealing with External Defence) See point 15 : This Agreement is without prejudice to existing and future rules on access to documents adopted in accordance with Article 15(3) TFEU; rules on the protection of personal data adopted in accordance with Article 16(2) TFEU; rules on the European Parliament’s right of inquiry adopted in accordance with third paragraph of Article 226 TFEU; and relevant provisions relating to the European Anti-Fraud Office (OLAF)

[12] However this legal basis was fit for another legislative proposal, of a more technical nature, which has now become EU Regulation 2023/2841 layng down measures for a high common level of cybersecurity for the institutions, bodies, offices and agencies of the Union. This Regulation apply at EU administrative level the principles established for the EU Member States by Directive (EU) 2022/2555 (²) improving the cyber resilience and incident response capacities of public and private entities. It created an Interinstitutional Cybersecurity Board ( IICB) and a Computer Emergency Response Team (CERT) which operationalizes the standards defined by the IICB and interact with the other EU Agencies (such as the EU Agency dealing with informatic security, Enisa), the corresponding structures in the EU Member States and even the NATO structures. It may be too early to evaluate if the Regulation is fit for its purpose ([12]) but the general impression is that its new common and cooperative system of alert and mutual support between the EU Institutions, Agencies and bodies may comply with the letter and spirit of art.298 of the TFEU

[13] Quite bizarrely this “open” attribute is not cited in the INFOSEC proposal and, even more strangely, none of the EU institutions has until now consulted the EU Ombudsman and/or the Fundamental Rights Agency.

[14] See Case C-338/01 Commission of the European Communities v Council of the European Union(Directive 2001/44/EC – Choice of legal basis)“The choice of the legal basis for a Community measure must rest on objective factors amenable to judicial review, which include in particular the aim and the content of the measure. If examination of a Community measure reveals that it pursues a twofold purpose or that it has a twofold component and if one of these is identifiable as the main or predominant purpose or component whereas the other is merely incidental, the act must be based on a single legal basis, namely that required by the main or predominant purpose or component. By way of exception, if it is established that the measure simultaneously pursues several objectives which are inseparably linked without one being secondary and indirect in relation to the other, the measure must be founded on the corresponding legal bases…”

[15] Suffice to cite the following legal disclaimer :”This Regulation is without prejudice to Regulation (Euratom) No 3/1958 17 , Regulation No 31 (EEC), 11 (EAEC), laying down the Staff Regulations of Officials and the Conditions of Employment of other servants of the European Economic Community and the European Atomic Energy Community 18 , Regulation (EC) 1049/2001 of the European Parliament and of the Council 19 , Regulation (EU) 2018/1725 of the European Parliament and of the Council 20 , Council Regulation (EEC, EURATOM) No 354/83 21 , Regulation (EU, Euratom) 2018/1046 of the European Parliament and of the Council 22 , Regulation (EU) 2021/697 of the European Parliament and of the Council 23 , Regulation (EU) [2023/2841] of the European Parliament and of the Council 24 laying down measures for a high common level of cybersecurity at the institutions, bodies, offices and agencies of the Union.

[16] See ReNEUAL Model Rules on EU Administrative Procedure. ReNEUAL working groups have developed a set of model rules designed as a draft proposal for binding legislation identifying – on the basis of comparative research – best practices in different specific policies of the EU, in order to reinforce general principles of EU law

https://www.reneual.eu/projects-and-publications/reneual-1-0

[17] The Council has listed not less than 64 EU entities (EU Institutions Agencies and Bodies – EUIBAs) in document WK8535/2023

“Re-arming” Europe without real democratic control?

by Emilio DE CAPITANI

The European Council Conclusions of March 6th extraordinary meeting mark an unexpected change of course towards an European Union defence policy. If confirmed at the next meeting on March 20th/21st, this would see the European ship leave a safe port – even if essentially intergovernmental – to set sail for a destination that, at least from these first steps, seems to be clearly drifting away from the main course that the Union’s institutions have always followed until now. The course is one that, over the last 70 years, has allowed an entire Continent to live in peace, without any need for rearmament, through the use of the “community method” and economic and civil integration. A continent that had previously been the scene of two world wars, both triggered by imperialistic ambitions and, in the second, also by the ethical baseness of a violence never before reached in the history of human civilization.

Returning to the theme of the drift of the Conclusions of March 6, it is worth saying that what caused the shift was not so much Putin’s aggression against Ukraine (already underway since 2014 following the invasion of Crimea) but rather US President Trump’s position making clear to the other NATO allies that, in the event of military aggression of a member state, the protection of the American umbrella will be no longer automatic nor the financial contribution to this North Atlantic defense pact by the United States. Following these messages Ursula Von Der Leyen (VDL), President of the Commission, after, most probably having received the green light from the chancelleries of most EU member states, presented on March 5th a first plan, inappropriately called the “Re-arm Europe”, and whose objectives, as expected, have been, at least for the time being, unanimously approved by all the members of the European Council.

European public opinion has thus, suddenly, realized, that within the European Council, the highest political body of the European Union bringing together the Heads of State and Government, there is a great desire to take up arms, without any of them having consulted, beforehand, not even their parliaments in public session or, at least, the European Parliament. It looks that, once again, these leaders consider that it’s better to give this news to their citizens only after the fact, even though the same citizens, in the case of “rearmament” will not only put in their money but also the people necessary to ensure the increased defense measures. Moreover it will be easy, for these Heads of State and Government returning home from Brussels, to explain to the their national press that all the other colleagues pushed for it and “Brussel” has decided it. All for one (the Member States), and one for all (the Union), as usual….

Why is it “improperly” called a “Rearm Plan”? First of all, because the word “rearmament” has been banned from the European political lexicon since the Schuman Declaration of 1950. Secondly, because the term “rearmament” – that is, a return to the use of weapons – does not evoke a defensive intention, and even less of peace, as it could be, for example: “the new EU Military Defense Plan”. If until now the Union, in order to achieve peace, has welcomed millions of displaced Ukrainians, deployed money and adopted restrictive measures against Russia, the time has come, after President Trump’s announcements, of launching an European Union diplomatic initiative, according to the most authentic ” community method” and re-launch the role of the United Nations, rediscover the spirit of the Helsinki Accords that in 1975 contributed to overcoming the East-West divide on the European continent and try to bring the countries directly and indirectly involved around a table.

In any case, the plan proposed by President VDL, consisting of two distinct financial packages, raises serious reservations, not only political, but also parliamentary and legal.

The first package is the loosening of budgetary constraints up to 1.5% for defense spending by member states. Overall, this initiative should free up to 650 billion euros of national resources, to be spent not so much on the development of the defense industries already present in some Member States, but following a new European defense strategy. And this should happen through a mechanism of indebtedness that had not even been granted to the Member States for the achievement of fundamental objectives such as social protection or the fight against pollution…. From a European perspective, the choice may be questionable also due to the fact that, in March 2024, the Commission itself has already submitted to the European legislator an “EDIP” draft regulation (1) see below).

From a national perspective, however, it will be up to the parliaments of the Member States to decide whether or not to support the choices of their governments

Well, it’s clear that since this is a financial plan combined with the second basket of the VDL proposal engaging 150 billion euro on the EU Budget, all the national and European parliaments will wait until the next European Council on March 21st to find out if the Council, on the proposal of the Commission, will indeed adopt a new financial instrument in favor of Member States on art. 122 TFEU (2) as announced by the Commission President Von Der Leyen’s proposal to establish “a new EU instrument under Article 122 TFEU to provide Member States with loans backed by the EU budget.” According to the letter “ With up to EUR 150 billion, this instrument would strongly support EU efforts to achieve a rapid and significant increase in investments in Europe’s defence capabilities – now and over this decade. Such funding could be used for priority capabilities domains for which action is necessary at European level, in alignment with NATO:

air and missile defence;
artillery systems;
missiles and ammunition;
drones and anti-drone systems;
strategic enablers and critical infrastructure protection, including in relation to space;
military mobility;
cyber, artificial intelligence and electronic warfare.

Further increasing the impact of this new instrument would be achieved by buying together, which would ensure interoperability and predictability, reduce costs, and create the scale needed to strengthen our European defence industrial base.” (emphasis added)

The “new instrument” proposed by the President of the Commission is therefore much more ambitious than the initiatives undertaken until now by the EU in this field. Moreover, it presupposes the definition, at a European level, of “priority capability areas where action is needed at the European level, in line with NATO”. Therefore prior consultation with NATO (where the US ambassador sits) is foreseen, while the European Parliament itself is not involved, even if not only European taxpayer/citizen money is at stake, but also the content of policies that affect its rights and vital interests.

But, with the current Treaty, who is authorized to make this kind of decision?

The answer is not simple because the Treaties, even after Lisbon, have provided a framework that is ambiguous to say the least, if not incomplete and contradictory. This is because, at least until recently, the majority of Member States relied on the NATO Treaty for the defense of the Union’s territory, in a sort of division of labor with the EU Treaties (see art. 42 TEU). However,following the recent positions taken on the other side of the Atlantic, this division of labor is now being questioned and various solutions are being studied, first and foremost that of the construction of a “European pillar” within NATO. However, the impression is that this too is a temporary solution and that, sooner or later, the European Union must finally assume responsibility for its own defense.
If this is the medium to long term perspective, it should be self evident that the European Union, even before a future formal amendment of the Treaties, must apply to this “European” rearmament plan the same fundamental democratic principles, as it does to the rest of European policies. It would indeed be paradoxical that in fields that are sensitive and essential for the security of citizens in the face of increasing external threats the EU will not abide to the principles according to which “the functioning of the Union is founded on representative democracy” (art.10.1 TEU) or that according to which “Every citizen shall have the right to participate in the democratic life of the Union. Decisions are taken as openly as possible and as closely as possible to the citizen. (art.10.3 TEU).

In such constitutional context, the Commission’s proposal to base the financing of 150 billion on the basis of art.122 TFEU, without the direct involvement of the European Parliament, is highly questionable, not to say contrary to Union law. It is worth noting that Article 122, has been already used in the past to try to stem the Greek Euro crisis, the COVID crisis and the energy crisis following the Russian invasion of Ukraine, but it is a legal basis suitable only for emergency measures in the economic domain, and therefore unusable in situations dealing with defence and that can last for years. Suffice it to remember that during the Euro crisis art.122 TFEU was abandoned by the same Member States who proposed it because they recognized that it was necessary, for a medium long perspective, to adopt a real Treaty, even though “complementing” the TEU (the European Stability Mechanism – ESM).

So a first reason why art.122 TFEU, should be excluded as a legal basis justifying a Council measure aimed at defending the citizens of the Union, in the years to come is that it is a temporary measure, even though is intended, as President VDL herself admits in her letter, to be valid for at least the next decade. But, most importantly, art. 122 does not foresee the involvement of the European Parliament which, as it happened for the European Council conclusion on the Rearm Europe project, will be “informed” only after the fact. Democratic control, which in military matters and the recruitment of people to be entrusted with the use of arms, are the basis of the Constitution of every democratic state, must also be respected within the EU by involving the EP in these extremely important political decisions, and this through the identification of an appropriate legal basis that involves it. In this perspective President VDL proposal is in itself not only clearly anti-parliamentary, anti-democratic but it contradicts the assessment according to which we are facing historic times. So, why not take this occasion to set the basis for a true EU defence policy in the Treaty instead of prolonging the current anti-democratic regime set fifteen years ago for the EU Defense policy?

Let’s hope that the European Parliament will take this occasion to re-establish the EU institutional balance also in this domain and will formally reserve the right, starting with its next resolutions on defense, to challenge before the Court of Justice any type of measure or act taken without its prior and effective involvement. Moreover, since this matter also directly involves the national parliaments, the European Parliament should also call them together in the spirit and letter of Article 12 TEU, according to which they contribute to the European construction (thereby also strenghtening parliamentary democracy within the EU).

As for the merits, it is only necessary to remember that, according to articles 3 to 6 TFEU, the Union has no direct powers regarding rearmament, and it may be questionable whether it has any regarding support for member states [i];

In this context and, as the Treaty currently stands, the only possible legal basis for such involvement of the Union and the association of the EP in the construction of a defense policy is that of art. 352.1 TFEU according to which ” If action by the Union should prove necessary, within the framework of the policies defined in the Treaties, to attain one of the objectives set out in the Treaties, and the Treaties have not provided the necessary powers, the Council, acting unanimously on a proposal from the Commission and after obtaining the consent of the European Parliament, shall adopt the appropriate measures. (emphasis added) It is worth recalling that previous amendments of the Treaties were anticipated by legislative measures adopted with this “implicit” powers legal basis.

That having been said it is quite likely that for different political and institutional reasons the EU will not be ready to use art.352 TFEU ( notably because it requires unanimity in the Council and we all know how slippery the situation is in the Council when Unanimity is at stake…) However, another alternative, even if less clean and straight, is to integrate the VDL Objectives and the 150 billion financing in the draft “EDIP” Regulation(3) currently under discussion at the EP and the Council which already foresee the adoption of an EU Defense Strategy. It is worth mentioning that, despite all the limitations of this proposal already denounced by the European Court of Auditors , EDIP would follow an ordinary legislative procedure, thus guaranteeing the full co-responsibility of the European Parliament without requiring unanimity in the Council as provided for in Article 352 TFEU. Negotiations are proceeding swiftly in both the Council and the European Parliament and this should allow the inter-institutional negotiations (trilogue) to start as soon as possible.

As explained above there are therefore serious alternatives to recourse to Article 122 that the European Parliament may raise to protect its constitutional prerogatives in the face of an initiative by which the European Council, the Council and the Commission exclude it from the decision-making process. By appealing to the Court, against the choice of that legal basis (NDR : moreover emergency measures in the defence sector require art.222 TFUE and not 122 TFUE) the Parliament would not only defend its constitutional prerogatives, but also the fundamental need of respect democratic principles, the Rule of Law and, above all, the rights of the citizens who elected it, even in matters of defense. Then, who knows, the Council and the Commission could accept the fall back position of dealing with these matters in codecision with the EP through the EDIP legislative proposal…

NOTES
1 REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL establishing the European Defence Industrial Program and a framework for measures to ensure the timely availability and supply of defence products (“EDIP”) (2024/0061(COD) Link https://eur-lex.europa. eu/legal-content/IT/TXT/HTML/?uri=CELEX:52024PC0150

2 Article 122 (ex Article 100 of the TEC) 1.Without prejudice to any other procedures provided for in the Treaties, the Council, on a proposal from the Commission, may decide, in a spirit of solidarity between Member States, upon the measures appropriate to the economic situation, in particular if severe difficulties arise in the supply of certain products, notably in the area of energy. 2. Where a Member State is in difficulties or is seriously threatened with severe difficulties caused by natural disasters or exceptional occurrences beyond its control, the Council, on a proposal from the Commission, may grant, under certain conditions, Union financial assistance to the Member State concerned. The President of the Council shall inform the European Parliament of the decision taken.

(3) The legal bases for the draft EDIP Regulation aimed at ensuring the timely availability and supply of defense products are (1) Article 173 TFEU in relation to the competitiveness of the EDTIB; (2) Article 114 TFEU in relation to the European Defense Equipment Market (EDEM); (3) Article 212 TFEU in relation to strengthening Ukraine’s DTIB and (4) Article 322 TFEU in relation to financial provisions.

EU Transparency and participative democracy in the EU institutions after Lisbon :“Everything must change for everything to remain the same”?

by Emilio DE CAPITANI *[1]

Foreword

In a famous Italian novel “The Leopard” which describes a key moment of regime change in Sicily a young protagonist, Tancredi, addresses the old Prince of Salina, suggesting as the best strategy in order to maintain the old privileges to adapt, at least apparently, to the new situation.

This seems to be also the strategy chosen by the European institutions after the entry into force of the Treaty of Lisbon when dealing with openness and transparency of their decision-making process.

This Treaty marks a radical change from the previous situation, notably because it make visible and strengthens the interrelation between the principles of the Rule of law, democracy, mutual trust and transparency in the EU. This relation was already implicit before the Treaty but has become more evident at primary law level with the definition of the EU funding values (art 2 TEU), the binding nature of the EU Charter of fundamental rights and the establishment in the Treaties of clear legal basis transforming these principles in reality within the EU institutional framework and in relation with the EU Member States.

Under this perspective several articles of the EU Charter become relevant when dealing with principles of openness and transparency in the EU such the art.11 on Freedom of expression and information and articles 41 and 42 on the right to good administration and of access to EU documents. These rights should be granted and promoted not only by the EU Institutions Agencies and bodies but also by the Member states when implementing EU law. If a decision making process should be transparent at EU level the same transparency should be granted when EU measures are transposed at national level [2].

Openness and Transparency as corollaries of EU democracy

Furthermore the Lisbon Treaty has also endorsed several ambitious institutional innovations negotiated at the time of the draft Constitutional Treaty and which have now a direct or indirect impact on EU notions of rule of law, mutual trust, democracy and transparency.

First of all, the Treaty makes clear the democratic nature of the EU not only by strengthening representative democracy (“The functioning of the Union shall be founded on representative democracy.” Art.10.1 TEU) but also by recognizing the principle of participative democracy [3] (“Every citizen shall have the right to participate in the democratic life of the Union. Decisions shall be taken as openly and as closely as possible to the citizen” art.10.3 TEU).

Participative democracy is further strengthened by recognizing the role of Civil Society in art.11 TEU according to which “1. The institutions shall, by appropriate means, give citizens and representative associations the opportunity to make known and publicly exchange their views in all areas of Union action. 2. The institutions shall maintain an open, transparent and regular dialogue with representative associations and civil society.”.

Moreover, the Lisbon treaty confirms the principle of openness when it states that “(EU) decisions are taken as openly as possible and as closely as possible to the citizen.”(art 1, 2nd Alinea TEU). This provision was already present before Lisbon, but since then the notion of what could be considered “possible” has evolved both from a technical and political point of view. From a technical perspective, in the last twenty years the digital transformation has already triggered also at EU level the notion of e-government[4], of re-use of public data [5]. In a Google era efficient communication techniques that involve and empower citizens make now possible involving citizens in public decision-making processes.[6]

From a political perspective the new Treaty emphasizes that “In all its activities, the Union shall observe the principle of the equality of its citizens, who shall receive equal attention from its institutions, bodies, offices and agencies.” (art.9 TEU). When translated in transparency policies this principle requires that, when in public domain, information should be accessible by means and procedures which should not be directly or indirectly discriminatory [7].

(EU) Preaching “Transparency by design…

The Lisbon Treaty not only proclaimed the democratic principles on which the EU is founded and should be promoted (art 9-12 TEU) but confirmed the principle of openness and of participative democracy according to which ‘(EU) decisions are taken as openly as possible and as closely as possible to the citizens’ (art.1.2 TEU) and “[e]very citizen shall have the right to participate in the democratic life of the Union. Decisions shall be taken as openly and as closely as possible to the citizen.”(art.10.3 TEU).

Moreover, EU Legislative acts [8] are now defined at primary law level (art.289 TFEU) and the obligation of granting ‘Legislative transparency’ is now foreseen by Article 15(2) TFEU according to which “The European Parliament shall meet in public, as shall the Council when considering and voting on a draft legislative act.” As a consequence, granting legislative transparency has become a self-standing constitutional obligation which cannot be jeopardized by measures of EU secondary law or even more, by internal practices of the EU institutions. In other words, the mandatory principle of ‘legislative transparency’ established by Article 15(2) TFEU and 16.8 TEU should no more, be mixed with the ‘transparency on demand’ approach of the “pre-Lisbon” era when the scope of legislative transparency was often linked to the aleatory condition that a citizen may ask or not access to a legislative preparatory document.

…but framing “confidentiality by design”.

Unfortunately, even today, fifteen years since the entry into force of the Lisbon Treaty legislative preparatory documents made proactively public by the EU legislators following art.15.2 TFEU are still a fraction of the documents prepared and debated by the Commission, the Council and, even by the European Parliament along a legislative procedure.

The Council is the most appalling case of hiding legislative preparatory documents.

Even today, the Council’ internal Rules of procedures [9]consider that confidentiality should be the rule and transparency the exception. According to Council Internal Guidelines transparency of Council meetings when debating legislative procedures (as required by Article 16(8) TEU) is required only for “formal” Meetings at ministerial level. By so doing, citizen’s access is excluded not only from the “informal” Ministerial meetings but also from all the Coreper and working parties meetings no matter if, in a more general perspective, the Council is a single legal entity and preparatory bodies should not be considered apart).[10] As a proof that the main Council inspiration is “confidentiality by design” instead of “transparency by design” is the Council reorganization operational since 2015 of its internal document management[11]. Its 130/150 internal working parties have been transformed into ‘virtual communities’, which are de facto also virtual ‘sandboxes’ where working (WK) documents covering also legislative preparatory works (also at ‘trilogue level’) are shared only between the Community members [12].

By doing so the Council of the European Union is, since years preventing, routinely, access and democratic participation of EU citizens and of civil society, and is making unduly difficult the work of journalists, preventing the National Parliaments from checking the respect of the principle of subsidiarity and, last but not least, hiding essential information to the other co-legislator, the European Parliament.

The EU “Catch 22” how promoting confidentiality to protect ..transparency

To justify this behavior the Council still today refer to the exceptions set in art.4 and 9 of the pre-Lisbon Regulation 1049/2001 , and notably to the need of ‘protecting its decision making process’ as foreseen by art.4.3 of that Regulation. According to this principle “Access to a document, drawn up by an institution for internal use or received by an institution, which relates to a matter where the decision has not been taken by the institution, shall be refused if disclosure of the document would seriously undermine the institution’s decision-making process, unless there is an overriding public interest in disclosure”. Suffice to note that, if transposed to legislative preparatory works this principle may justify, for instance, the confidentiality of the work of the Parliamentary committees but this will clash with the provisions of art. 15.2 TFEU imposing the publicity of meetings of the EP and of the Council when acting as legislators (and this voer also the preparatory bodies as the EP and the Council have a single institutional identity). Moreover such use of a generic exception by an institution in its own interest will clash with the interinstitutional nature of the EU legislative process as described by art 294 of the TFEU.

To overcome the clash between the current provisions of the treaty and the exception described in art.4.3 of the pre-Lisbon Regulation 1049/01 there are then only two possibilities: either you consider that this exception is not relevant for legislative procedures or you consider that when legislation is at stake the “overriding public interest” is directly foreseen by the treaty and no exception can be raised. Behaving like the Council does when acting as legislator, create a “Catch 22” situation where confidential is invoked to “protect” a procedure which should be …transparent.

Needless to say this Council behavior has been denounced in several occasions, not only by the other co-legislator, the EP, but also by the EU Ombudsman not to speak of the Court of Justice. The latter with several rulings has framed in stricter terms the scope of Regulation 1049/01 exceptions even before the entry into force of the Lisbon treaty and of art.15.2 TFEU. It is then quite appalling that the impact on the Council practice of the EP pressure, of the Ombudsman recommendations of the CJUE jurisprudence has been very limited and anecdotical. [14]

To overcome all these legal inconsistencies the European Parliament voted on December 15^th , 2011[15] several ambitious amendments aligning Regulation 1049/2001 to the post-Lisbon new Constitutional framework. The EP Plenary not only considered that legislative debates should not be covered by the pre-Lisbon exceptions listed in art. 4, but voted also a legislative framework for classified documents (art. 9) and paved the way for the implementation of the principle of good administration by EU institutions, agencies and bodies. In the same perspective it also adopted two legislative proposals on framing the principle of good administration by the EU institutions, Agencies and bodies [16]

Unfortunately, the EP position on the alignment of Regulation 1049/01 with the Lisbon treaty, is , since thirteen years still formally pending, and has not been endorsed by the European Commission nor by the EU Council so that the EU and its citizens are still confronted with a secondary law (Regulation 1049/2001) and a wide practice of the EU institutions, agencies and bodies not complying with the new post-Lisbon constitutional framework.

In a quite opposite direction from the EP recommendation on the revision of Regulation 1049/01 and on the establishment of an EU code on good administration founded on art 298 TFUE (open, independent and efficient EU Public administration) the European Commission submitted in 2022 on the same legal basis (and without consulting the EU Ombudsman) a legislative proposal[17] dealing with information security in the institutions, bodies, offices and agencies of the Union.

The so called ‘INFOSEC’ Proposal, if adopted as it stands, may even pave the way for the transformation of the ‘EU Bubble’ into a sort of (administrative) fortress and substitute the principle of ‘transparency by design’ arising from art. 1.2 TEU with the principle of ‘confidentiality by design’[18] of all EU Institutions, Agencies and Bodies. It does so by redefining the conditions of treatment, access and sharing of all kinds of information/documents treated by the EU institutions, agencies and bodies by so overlapping and turning upside down Regulation 1049/2001 and the letter and spirit of the Treaty.

If the principle of Regulation 1049/2001 is to frame the right to know of EU citizens by granting that everything is public unless a specific exception is applicable, the logic of the new Commission proposal is that almost all internal documents should be protected and shared only with people with a recognised ‘need to know’ unless the document is marked as ‘public’. This will generalise to all the EU Institutions, Agencies and bodies the current Council practice of limiting the access internal documents in clear clash with art. 1 of the TEU which requires that the EU Institutions should act as openly as possible and the art.298 TFEU requiring that the EU administration should be not only indipendent and efficient but also “open”.

With the new proposed legal regime, the Commission, by endorsing and widening in a legislative measure the current Council internal security rules, is proposing to go back to the pre-Maastricht era when it was up to the EU institutions to decide whether or not to give access to their internal documents [19]. But since the Amsterdam Treaty (Article 255 TCE) and, even more, since the Lisbon Treaty, this practice is no longer compatible within an EU that is bound by the rule of law.

The core of the proposed INFOSEC Regulation is the creation and management of EU classified information (EUCI). By doing so, it substantially amends Article 9 of Regulation 1049/2001, which deals with so-called ‘sensitive documents’. It does not regulate how the information should be classified and declassified in the interests of the EU, as opposed to the interests of the originator (whether that be a member State, EU institution, agency or body). It is worth recalling that Article 9 of Regulation 1049/2001 recognises the so-called ‘originator privilege’ only in the domain of ‘sensitive’ documents and information mainly covered by the EU external defence policy (former Second “Pillar”). As such it is an exception to the general philosophy of Regulation 1049/2001 according to which the EU institutions may only be bound by law and not by the will of an ‘author’, even if it were an EU Member State. [20]

How the EP risks slowly turning to intergovernamental practices

The EP has been, since its first direct election, the most supportive institution of the transparency of the EU decision making process both in the interest of the EU citizens and its own constitutional role. For decades it has challenged the Council and Commission reluctance when sharing the relevant information on what was happening on the ground inside or outside the EU. The Court of Justice has recognised in several cases that the EP’s right to relevant information is explicitly recognised by the Treaty notably for international agreements (Article 218 (10) TFEU).

Unfortunately, instead of pushing the Council towards an open ‘parliamentary’ approach to legislation, the EP has followed the Council ‘diplomatic’ approach notably in the crucial phase of inter-institutional negotiations (‘trilogues’) even when, as is normally the case, these negotiations take place in the first parliamentary ‘reading’.

Although the CJEU considers the documents shared within the trilogues meetings as ‘legislative’[21], the European Parliament still publish these documents only since March 2023 but only after specific requests for access by EU citizens and after a consistent delay so that the information becomes available when the agreements have been reached.

This practice does not fit with Article 15(2) TFEU nor with the CJEU jurisprudence according to which ‘[i]n a system based on the principle of democratic legitimacy, co-legislators must be answerable for their actions to the public and if citizens are to be able to exercise their democratic rights they must be in a position to follow in detail the decision-making process within the institutions taking part in the legislative procedures and to have access to all relevant information.’[22]

[1] Affiliate to the Scuola Superiore S.Anna (Pisa)

[2] In this perspective it is quite bizarre that the Council evoke the notion of sincere cooperation by the Member States in order not to debate publicly at national level the EU legislative preparatory documents (coded as LIMITE) notably through the National Parliaments

[3] This emphasis for participative democracy is now also echoed at UN level by the 2030 Agenda for Sustainable Development whose Goal 16 foresees notably, to “Develop effective, accountable and transparent institutions at all levels”(16.6) Ensure responsive, inclusive, participatory and representative decision-making at all levels (16.7) 16.10 Ensure public access to information and protect fundamental freedoms, in accordance with national legislation and international agreements (16.10)

[4] See the European Commission communication https://commission.europa.eu/business-economy-euro/egovernment_en

[5] See the Directive (EU) 2019/1024 of the European Parliament and of the Council of 20 June 2019 on open data and the re-use of public sector information which maybe a clear reference also for comparable initiatives of the EU Institutions, agencies and bodies.

[6] See the recent Council Conclusions on the EU’s ambition to play a leading role globally in the digital transformation and digital governance that respects, promotes and protects universal human rights, democracy and sustainable development, and puts people and their universal human rights at the centre, in line with the international law and the EU Declaration on Digital Rights and Principles. (Doc 9957/24 of 21^st of May 2024)

[7] This issue is relevant not only in cases of proactive publication but also when an information is disclosed following a Citizen’s request. If the information/document deals with legislative procedures it should be accessible in the public domain to everyone without further request for access.

[8] It should be noted that the concept of draft legislative act and legislative acts referred to in Article 15(2) TFEU does not correspond to the concept of legislative documents and legislative procedures referred to in the Pre-Lisbon Regulation 1049/01. While Article 15(2) TFEU refers to the projects and legislative acts defined in Article 289 TFEU (i.e. the joint adoption of legislative acts by the Council and the European Parliament), the Regulation, which pre-dates the entry into force of Article 289 TFEU, refers to “documents drawn up or received in the course of procedures for the adoption of acts which are legally binding”.2 Now, according for instance to the new Article 290 TFEU, Commission delegated acts which were “legislative” before Lisbon are now “non-legislative acts” (see also Article 16.8 TEU as to the “non-legislative activities” of the Council

[9] Council Decision of 1 December 2009 adopting the Council’s Rules of Procedure Link : https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:32009D0937

[10] Indeed, Article 5(1) of the Council Rules of Procedure (CRP) provides that, unless deliberating or voting on legislative acts, Council meetings must not be public, and Article 6(1) CRP stipulates that ‘Without prejudice to Articles 7, 8 and 9 and to provisions on public access to documents, the deliberations of the Council shall be covered by the obligation of professional secrecy …’, but on page 54 of its commentary on the CRP it is notably stated explicitly that : This rule also applies to the preparatory work for Council meetings, that is, all the Council’s preparatory bodies (Coreper, committees and working parties). However, legislative work in preparatory bodies is not public.”(emphasis added)

[11] See the Council public document 7385/16 of 2 May 2016, “Delegates Portal: a new Community Approach to document distribution”. The reorganization of the internal production/diffusion of Council internal documents has been endorsed by the Coreper in public document 6704/13 CIS 5 work on COCOON (Council Collaboration Online)”. The system has been generalised to all Working Parties in 2015. See https://data.consilium.europa.eu/doc/document/ST-7385-2016-INIT/en/pdf .

[12] Meijers Committee, ‘Working Documents’ in the Council of the EU cause a worrying increase in secrecy in the legislative process, CM2107 June 2021 https://www.commissie-meijers.nl/wp-content/uploads/2021/09/2107_en.pdf .

101See (2022/0084(COD) https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52022PC0119.

[13] Regulation (EC) No 1049/2001 of the European Parliament and of the Council of 30 May 2001 regarding public access

to European Parliament, Council and Commission documents.

[14] European Ombudsman openly stated for the first time in a recent decision of March 2024 that EU institutions are not giving effect to case law on public access to legislative documents. See European Ombudsman, Case OI/4/2023/MIK, ‘How the European Parliament, the Council of the EU and the European Commission deal with requests for public access to legislative documents’, https://www.ombudsman.europa.eu/en/case/en/64321.. Cited by the EP Study “Regulation 1049/2001 on the right of access to documents, including the digital context” https://www.europarl.europa.eu/RegData/etudes/STUD/2024/762890/IPOL_STU(2024)762890_EN.pdf

[15] See Legislative Procedure 2008/0090(COD).Link https://oeil.secure.europarl.europa.eu/oeil/popups/ficheprocedure.do?lang=en&reference=2008/0090(COD)

[16] With the aim of guaranteeing the right to good administration and ensuring an open, efficient and independent EU civil service, on 15 January 2013 the European Parliament adopted a first resolution (Rapporteur Luigi Berlinguer SD Italy) presenting detailed recommendations to the Commission on a Law of Administrative Procedure of the EU under the new legal basis of Article 298 of the Treaty on the Functioning of the European Union (TFEU). A second resolution for an open, efficient and independent European Union administration (rapporteur: Haidi Hautala, Greens/EFA, Finland) in June 2016 (2016/2610(RSP)).

[17] See Legislative Procedure 2022/0084(COD) Proposal for a Regulation of the European Parliament and of the Council on information security in the institutions, bodies, offices and agencies of the Union Link : https://oeil.secure.europarl.europa.eu/oeil/popups/ficheprocedure.do?reference=2022/0084(COD)&l=en

[18] In principle, the objective as announced in the title of the proposal is legitimate: granting a comparable level of protection in all the EU institutions, agencies and bodies, for information and documents, which, according to the law, should be protected. To do so a wide inter-institutional coordination group is proposed, as well as a network of security officials in all the EU entities and a securitised informatic network (TEMPEST) is foreseen.

[19] By replacing the ‘right to know’ foreseen at the Treaty with the a ‘need to know’ mechanism the proposed Regulation

turn upside down the EU openness and transparency principle.

[20] What the INFOSEC proposal does is transform the exception of the ‘originator principle’ in a rule against the provision of Regulation 1049/2001. It does not foresee judicial oversight of classified information. It does not solve the problem of the sharing of ‘sensitive information’ between entities that have a legitimate “need to know”. Last but not least, it threatens the EP oversight role of EU security agreements with third countries and international organisations on the exchange of classified information.

[21] See Case T-540/15 De Capitani v European Parliament

[22] Case T-163/21 De Capitani v Council EU:T:2023:15.

Verfassungsblog : Why an EU Country under the Surveillance Procedure (Article 7.1 TEU) Should not Chair the Council Presidency

by Virgilio DASTOLI and Emilio DE CAPITANI

In accordance with the Council Decision on the exercise of the Presidency of the Council of the European Union,¹⁾ from July 1 of this year the office is to be held by Hungary. This occasion will mark the first time that the Presidency will have been held by a Member State that has been subject to the “surveillance” procedure in Article 7(1) of the Treaty on European Union, having been launched by the European Parliament in September 2018.

As the Court of Justice has recognised,²⁾ by adopting its Resolution, the EP has already triggered the legal consequences foreseen by Protocol 24.

‘[A]s long as the Council or the European Council has not taken a decision in respect of the Member State concerned, a Member State may, by way of derogation from the general rule laid down in that single article, take into consideration or declare admissible to be examined any asylum application lodged by a national of the Member State that is the subject of that procedure.’

Simply put, it means that Hungary is no longer to be considered a “safe country”, and if it should occur, a Hungarian may request asylum in another EU Country. In other words, the general presumption that fundamental rights and values are respected in that Member State is no longer absolute, and precaution should be taken when fundamental rights of individuals are concerned (as is the case in relation to the European Arrest Warrant). In a more general sense, and in the relations with other Member States or EU Institutions, the principle of mutual trust that is the bedrock of intra-EU cooperation is not “blind trust” and cannot be taken for granted.

Within this perspective, it would be sensible to assume that a Member State that does not enjoy the full confidence of the other Member States should not be responsible for a key coordinating role, as is the case when holding the Council Presidency. As a matter of fact, holding the Council Presidency is anything but a protocolar task. It plans, coordinates and chairs meetings of the Council and most of the Council’s preparatory bodies, i.e. working parties and committees. It suggests compromise solutions with a view to reaching an agreement between the Members of the Council (‘honest broker’). The Presidency should be, by definition, neutral and impartial. It is the moderator for discussions and cannot, therefore, favour either its own preferences or those of a particular Member State.

But holding the Council Presidency also has an essential interinstitutional dimension, because it is the Presidency that represents the Council in its relations with the European Parliament (EP) and negotiates on behalf of the Council to reach agreements on legislative files by protecting and promoting together the EU values that Hungary is openly challenging.

It is not surprising that the European Parliament (which originally triggered the Article 7(1) TEU procedure against Hungary) already one year ago³⁾ sent a Resolution to the Council and the Commission underlining

‘the important role of the presidency of the Council in driving forward the Council’s work on EU legislation, ensuring the continuity of the EU agenda and representing the Council in relations with the other EU institutions” but also questioning “…how Hungary will be able to credibly fulfil this task in 2024, in view of its non-compliance with EU law and the values enshrined in Article 2 TEU, as well as the principle of sincere cooperation’.

Surprisingly, neither the Commission nor the Council have to date furnished any response. Perhaps the reason was that these two institutions were expecting a positive development prior to the end of the legislative term, such as apparently occurred with Poland, (the only other European Country subjected to the Article 7(1) TEU procedure). Yet, unfortunately, in the case of Hungary, the situation has in the meantime rather worsened, to the extent that the European Parliament adopted two new Resolutions, the first on January 18 of this year⁴⁾ and the second on April 24.⁵⁾

These highly detailed texts summarise and update the already formidable list of all Hungarian infringements of the rule of law and of the Budgetary Conditionality Mechanism. The most recent text declares in even stronger words the same concerns as to the suitability of Hungary as President of the Council and declares the EP ‘readiness to take measures to defend the credibility of the Union with respect to the values enshrined in Article 2 TEU as regards cooperation with the Council’.

It remains to be seen if the two most recent EP texts will once again fall on deaf ears on the Council side. However, from a constitutional point of view, the assessment of the EP appears well founded and should have received much greater attention from the Council, notably because by maintaining the Hungarian Presidency the Council is threatening the smooth functioning of the EU in its essential legislative and budgetary functions as envisaged in the post-Lisbon Treaty framework: these functions now fall within the joint responsibility of the European Parliament and of the Council (Article 14(1) and 16(1) TEU), and this co-responsibility requires a great deal more than loyal cooperation between the two institutions (Article 13 TEU).

It would now be both prudent and sensible for the Council to modify its 2016 Decision, by qualified majority, as already provided for in legal doctrine,⁶⁾ by foreseeing explicitly that Council Presidency should not be held by a Country under art. 7 Procedure. As a consequence the Hungarian Presidency will be delayed until the Article 7(1) TEU surveillance procedure will have been successfully concluded. It has to be noted that a postponement should not be considered as a sanction against Hungary, but rather a simple precautionary measure to preserve the smooth functioning of the European Union and to avoid a period of interinstitutional bickering between the EU co-legislators, particularly at such a decisive moment for the EU legislature both from an internal and international point of view. Moreover, it wouldn’t be the first time that the Council Presidency has been postponed, and then for much less serious reasons. As rightly noted by the Meijers Committee,

‘changes in the previously agreed order of Presidencies have not been uncommon. They occurred on six occasions, for different reasons: three times after the accession of new Member States, in 1995, in 2005 and in 2007; in 2002 at the request of Germany because general elections were scheduled during its upcoming Presidency; in 2009 because of the Treaty of Lisbon; and in 2016 after accession of Croatia and the Brexit Referendum with regard to the UK Presidency, which was scheduled to start in 11 months’ time, as of July 2017. Therefore, it is established legal and political practice to reconsider the order of the Presidency in case of relevant circumstances, even if relatively close to the date that the rotation is scheduled to start’.

It is finally also worth noting that an urgent appeal to postpone the Hungarian Presidency has very recently been submitted to the EU Institutions by the European Movement (IT, ES, FR branches).⁷⁾ The European Commission President, Ursula Von Der Leyen, has shared it with the competent Members of the College, notably with Vice-President Maroš Šefčovič, who is responsible for interinstitutional relations. The time period until July 1 is rapidly diminishing, and on June 18 the General Affairs Council will decide on a reasoned proposal from the Commission on closing the Article 7(1) TEU procedure against Poland.⁸⁾ Will it also be the occasion to discuss the issue of the incoming Hungarian Presidency? If so the point could also be submitted for final decision at the European Council Meeting on June 27/28 under the chapter on institutional issues (as the general responsibility on the issue of Council Presidencies falls under the COEUR competence – Article 236 TFEU).

We, the undersigned scholars, experts and citizens, support this call for the postponement of the Hungarian Presidency.

Those who wish to support this initiative can send their contact details here.

Prof. Gábor Halmai, European University Institute, Florence

Prof. Sergio Fabbrini, Luiss University, Rome

Prof. Petra Bard, Radboud University

Prof. Tomacz Tadeus Koncewicz, University of Gdańsk, Department of European and Comparative Law

Prof. Laurent Pech, University College Dublin

Prof. Paul Craig, University of Oxford

Prof. Kim Lane Scheppele, Princeton University

Prof. Catherine Dupré, University of Exeter Law School

Prof. Maria Bergström, Uppsala University, Faculty of Law

Prof. Marie-Laure Basilien-Gainche University Jean Moulin Lyon 3, Institut Universitaire de France

Prof. Henri de Waele, Radboud University Nijmegen and University of Antwerp

Prof. Elspeth Guild, Queen Mary University of London

Prof. Olivier Costa, CNRS, CEVIPOF, Sciences Po, Paris

Dr. Marta Lasek-Markey, Trinity College Dublin

Prof. Stephen Skinner, University of Exeter

Dr. Christine Bicknell, Human Rights and Democracy Forum, University of Exeter Law School

Dr. Carlotta Garofalo, University of Graz

Ounia N. Doukoure, Paris 1 University, Institut Convergences Migrations ; Lille Catholic University

Prof. Marc Valéri, University of Exeter

Prof. Federico Fabbrini, Dublin City University

Prof. Dominique Custos, Caen Normandie University

Prof. Dino G. Rinoldi, Catholic University of the Sacred Heart of Milan

Prof. Nicoletta Parisi, Catholic University of the Sacred Heart of Milan

Prof. Douwe Korff, University of Oxford

Prof. Susanna Cafaro, University of Salento

Prof. Laurence Burgorgue-Larsen, Paris 1 University

Prof. Fred Constant, University of the Antilles

Prof. Jean-Manuel Larralde, Caen Normandie University

Prof. Maria Castillo, University Caen Normandie University

Prof. Maciej Bernatt, University of Warsaw

Prof. Yves Poullet, University of Namur

Prof. Antonio Da Re, University of Padova

Prof. Luciano Corradini, Roma Tre University

Prof. Massimiliano Guderzo, University of Siena

Prof. Massimo Fragola, Università della Calabria

This is a pre-peer reviewed version of an article submitted for publication in the European Law Journal.

References

↑1	Council Decision (EU) 2016/1316 of 26 July 2016 amending Decision 2009/908/EU (OJ L 208, 2.8.2016, p. 42) : https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016D1316.
↑2	See paras. 39 and 40 of Case C-650/18, Ungary v. European Parliament, June 3 2021, EU:C:2021:426:‘39 In the present case, it should be noted that the adoption of the contested resolution initiates the procedure laid down in Article 7(1) TEU. Under point (b) of the sole article of Protocol (No 24), once that procedure is initiated and as long as the Council or the European Council has not taken a decision in respect of the Member State concerned, a Member State may, by way of derogation from the general rule laid down in that single article, take into consideration or declare admissible to be examined any asylum application lodged by a national of the Member State that is the subject of that procedure.40 It follows that the adoption of the contested resolution has the immediate effect of lifting the prohibition, which is in principle imposed on the Member States, on taking into consideration or declaring admissible to be examined an asylum application made by a Hungarian national. That resolution thus changes, in relations between Member States, the position of Hungary in the field of asylum.’
↑3	European Parliament resolution of 1 June 2023 on the breaches of the Rule of Law and fundamental rights in Hungary and frozen EU funds (2023/2691 RSP)OJ C, C/2023/1223, 21.12.2023, ELI: http://data.europa.eu/eli/C/2023/1223/oj
↑4	See point 8 of the Resolution “Situation in Hungary and frozen EU funds” questioning again “..if the Hungarian Government will be able to credibly fulfil this task in 2024, in view of its non-compliance with EU law and the values enshrined in Article 2 TEU, as well as the principle of sincere cooperation;” and “asking the Council to find proper solutions to mitigate these risks as soon as possible”, https://www.europarl.europa.eu/doceo/document/TA-9-2024-0053_EN.html.
↑5	See Resolution Ongoing hearings under Article 7(1) TEU regarding Hungary to strengthen Rule of Law and its budgetary implications where it regretted ‘that the Council has not yet found a solution to this problem, and that representatives of the Hungarian Government would chair the Council’s meetings concerning democracy, the rule of law and fundamental rights, including meetings related to protecting the EU’s financial interests and budget; underscores that this challenge comes at the crucial moment of the European elections and the formation of the Commission; deplores the failure to find a solution and reiterates its readiness to take measures to defend the credibility of the Union with respect to the values enshrined in Article 2 TEU as regards cooperation with the Council;’ https://www.europarl.europa.eu/doceo/document/TA-9-2024-0367_EN.html.
↑6	See the Mejiers Committee “Comment on the exercise and order of the Presidency of the Council of the EU”, published on 19 May 2023, https://www.commissie-meijers.nl/comment/comment-on-the-exercise-and-order-of-the-presidency-of-the-council-of-the-eu/.
↑7	Available at: https://www.movimentoeuropeo.it/images/documenti/VIKTOR_ORB%C3%81N_MUST_NOT_CHAIR_THE_COUNCIL_OF_THE_EUROPEAN_UNION_MEIT-FR-ES.pdf.
↑8	Available at: https://data.consilium.europa.eu/doc/document/ST-10716-2024-INIT/en/pdf.

Would the EU buy an used car from this man ?

BRUSSELS, BELGIUM – APRIL 17: Hungarian Prime Minister Viktor Mihaly Orban talks to assembly during a discussion on Day 2 of The National Conservatism Conference at the Claridge on April 17, 2024 in Brussels, Belgium. (Photo by Thierry Monasse/Getty Images)

This rhetorical question dating back from the 1960s, joking on the credibility of President Nixon in the midst of Watergate, springs to mind when one notes that Hungarian President Orban is about to become the President of the Council of the European Union as of July 1 of this year.

Don’t be fooled , this is not a pro-forma appointment; quite the opposite. In that capacity the Hungarian President will be responsible for managing most of the day-to-day work of the Council of the Union at a time when the highest offices of the European institutions will be appointed, the first decisions in the political, legislative and budgetary spheres of the beginning of the legislature will be made, and, in the background, a decisive phase of the Ukraine crisis will be entered and a presidential elections will take place in the United States.

Now, Mr Orban is the President of a Country which is, since six years, under an EU’s surveillance procedure (Art 7.1 TEU) for risk of serious violation of the values on which the European Union is founded, and for which the transfer of European funds has been frozen for violation of the principle of the rule of law. Above all, we are talking of a country whose government daily puts spokes in the wheels of the European Union by using or threatening its right of veto on decisions such as those for sanctions on Russia or aid to Ukraine (so much so that some EU countries evoked earlier this year the possibility of suspending its right to vote-Article 7.2 TEU).

In a “normal” European Union, a Country with this profile should not be in charge of coordinating other member Countries, and it to would be sensible to postpone the Presidency, at least to a time when the surveillance procedure has been successful closed.

Quite surprisingly, until now, the European Council has not considered sensible to postpone the Hungarian Presidency even if should not be seen as a “sanction” against Hungary but, more, as a simple precautionary measure in the interest of the proper functioning of the Union. Moreover, postponing Council Presidencies is not uncommon and this kind of decision has been taken at qualified majority because of less important reasons (by the way such move would be less courageous and controversial than the one that President Michel’s father took twenty-four years ago, as Belgian foreign minister in the Haider affair…).

At the end of the Day, the obligation of promoting the respect for the values of the Union is binding not only for the EU countries but also for the institutions themselves and the Council should be aware that under the Hungarian Presidency it is more than likely that It may encounter problems in the pursuit of this goal. When EU fundamental values may be at stake precautionary measures are more than needed (as the EP proved when, because of Mr Buttiglione declarations on Homosexuality did’nt approved its Candidature as EU Commissioner for anti-discriminatory policies).

Postponing the Council Presidency was already suggested by the Meijer’s Committee in 2023 and, more recently, by the European Parliament with two resolutions on January 18 and on April 24 has denounced the many persistent Hungarian violations of European law. Will the EP President of the European Parliament, Metsola raise this issue before the European Council meeting already at its next June 17/18th (before the formal Institutional Meeting on June 27/28^th )?

The EP resolutions are even more justified by the fact that according to the treaties legislative and budgetary powers are a joint responsibility of the Parliament and the Council (Art.14.1 and 16.1 TEU) and, as it was the EP which triggered the art.7.1 Procedure against Hungary there is a clear risk of interinstitutional tensions in a delicate phase of the EU life, to say the least. The fact remains that a formal proposal to revise the 2009 European Council Decision on Council Presidencies may be made not only by the European Council Presidency but also by the President of the Commission and/or the current (Belgian) Council Presidency or following a request to the Presidency by any COEUR Member.

As simple Citizen I am puzzled by the fact that Hungarian open challenge to EU values has been condemned not only leftist political forces but also by liberal and EPP forces. What is the point of these repeated public statements in favor of the values of the Union if at the moment of being consistent with our own words we forget them?

In a way is like condemning someone of being drunk and giving him at the same time the keys of your car so that he can drive you home.

Artificial intelligence in the EU: promoting economy at the expenses of the rights of the individual?

by Emilio DE CAPITANI (*)[1]

“The advent of artificial intelligence (‘AI’) systems is a very important step in the evolution of technologies and in the way humans interact with them. AI is a set of key technologies that will profoundly alter our daily lives, be it on a societal or an economic standpoint. In the next few years, decisive decisions are expected for AI as it helps us overcome some of the biggest challenges we face in many areas today, ranging from health to mobility, or from public administration to education. However, these promised advances do not come without risks. Indeed, the risks are very relevant considering that the individual and societal effects of AI systems are, to a large extent, unexperienced.…”[2]

Foreword

1. According to the European Commission the recent proposal for a regulation on Artificial Intelligence is consistent with the EU Charter of Fundamental Rights and the secondary EU legislation on data protection, consumer protection, non-discrimination and gender equality. Notably, it “complements” the General Data Protection Regulation (Regulation (EU) 2016/679) and the Law Enforcement Directive (Directive (EU) 2016/680) by setting “..harmonised rules applicable to the design, development and use of certain high-risk AI systems and restrictions on certain uses of remote biometric identification systems”.

Is it true or the text is mainly economic oriented and fail to place the rights of those who will be subject to such AI systems at the heart of its reflection?

2. First of all it is worth noting that, while some commentators may have considered this new proposal to be the equivalent of the General Data Protection Regulation for AI, its general scheme is much more similar to Regulation (EU) 2019/1020 of 20 June 2019 on market surveillance and product compliance, the objective of which is to improve the internal market by strengthening market surveillance of products covered by Union legislation instead of protecting or promoting fundamental rights. The Commission’s proposal is essentially aimed at holding companies producing and marketing AI systems accountable, which is in itself a positive element in the context of the establishment of a European normative framework on artificial intelligence. According to EC Proposal AI systems must meet a number of criteria and undergo conformity assessment procedures, which are more or less stringent depending on the risks involved (see Articles 8 to 51 and Annexes IV to VIII [3]

3. However, it is quite surprising that the proposal is focused only on a “product”, (a “software” developed from techniques and approaches listed in an annex) and does not address the general notions of “algorithms” and “big data” which are the main feature artificial intelligence (AI) applications which needs huge amounts of data necessary to train it and it allowing, in return, to process the same data. By not referring directly on the nature of algorithms or the notion of big data, the Commission avoid placing the AI applications within the general framework of fundamental rights and data protection. Needless to say, a “right-based” approach is specular to the notion of ”duty” to protect that right by another individual or by the public administration. Take the case of Regulation 2016/679 or of Directive 2016/680 where the “rights of the data subject” are detailed in specific chapter whereas there is no similar provision in the AI proposal. Similarly, if the proposal defines AI system providers (“providers”), users (“users”), importers (“importers”) and distributors (“distributors”), it makes no reference at any time to persons who are subject to such systems. Moreover nothing, in particular, is said about the possible possibilities of recourse of individuals challenging the use of an AI system.

By choosing a market centric approach the Commission is undermining the aim of placing the individual at the core of the EU policies as declared in the EU Charter preamble.

I- Definitions and classifications

4. The proposal is built on a risk-based approach, but the classification of the systems as unacceptable, high or low is not clear:

– Article 6 on the classification of high-risk systems is a simple description of the systems falling within this category, without justification of the reasons for the choices made,

– Article 7, on the “amendments to Annex III”, which is the annex containing the systems considered to be high risk, does, however, contain a number of criteria which the Commission will have to take into account in order to add other systems in the future, if necessary.- However, the terms chosen lack precision: the systems referred to are those likely to harm health, safety or have a negative effect on fundamental rights («risque of adverse impact on fundamental rights»). But how to understand in this context the concept of negative effect?

5. The breakdown between the systems to be prohibited and those with a high risk is not further explained: why, for example, prohibit real-time remote facial recognition in public places for repressive purposes, But to authorize, considering them at high risk, the systems that, in terms of criminal prosecutions or management of migration, asylum and border control aim to detect the emotional state of a person? Similarly, what about systems that generate or manipulate audio or video content or images, which then appear to be falsely authentic, and which can be used in criminal proceedings without informing persons (section 52)?

6. Above all, this approach suggests that respect for fundamental rights may be variable in geometry, even though fundamental rights are not negotiable and must also be guaranteed, regardless of the level of risk presented by the AI system in question.[4]

II- Articulation with data protection

7. In this proposal, the Commission’s position on the European data protection framework is characterized by its ambiguity:

– Article 16 TFEU is one of the two legal bases of the proposal, alongside Article 114 TFEU. However, in its statement of reasons, the Commission is careful to point out that the basis of Article 16 concerns only those provisions relating to restrictions on the use of AI systems with regard to remote biometric identification in places accessible to the public and for the purposes of criminal proceedings (point 2.1. See also recital 2 of the proposal). However, the protection of individuals about the processing of their personal data cannot be limited to this single hypothesis, given the operating modalities of AI systems which, as indicated above, are based on massive data collections, which are not all non-personal or anonymized. In addition, anonymized data may in some cases be re-identified, and an interlaced set of non-personal data may identify individuals. In addition, anonymized data can be used to build profiles and have a direct impact on the privacy of individuals and create discrimination.

– Recital 41 states that the new Regulation should not be understood as constituting a legal basis for the processing of personal data, including special categories of data. Nevertheless, under recital 41 above, the classification of an AI system as high risk does not imply that its use is necessarily lawful under other European legislation, in particular those relating to the protection of personal data, and the use of polygraphs and similar tools or other systems to detect the emotional state of individuals. That recital specifies to that end that such use should continue to occur only in accordance with the applicable requirements resulting from the Charter and Union law. It therefore seems to follow that certain provisions of this proposal may prove to be incompatible with other provisions of European law: far from «supplementing» the legislative framework on data protection, the future regulation may, on the contrary, open the way to situations of conflict of laws.

– on the other hand, recital 72 states that this Regulation should provide the legal basis for the use of personal data collected for other purposes with a view to developing certain AI systems in the public interest in the case of AI regulatory “sandboxes”. However, as reminded above the Commission also states in its explanatory statement that this proposal is without prejudice to and complements the General Data Protection Regulation 2016/679 and Police Directive 2016/68 (point 1.2).

8. Furthermore, if certain AI systems authorized by this proposal are not to be approved because they would infringe the provisions of the Charter and European data protection law, this raises the question of the relevance of the proposed classification, if it legitimizes systems contrary to fundamental rights in general, and to data protection in particular. But who will decide at EU and national level which rule should prevail between the Data Protection and AI Regulations? The establishment of a new committee, the European Artificial Intelligence Committee, and the creation of national authorities responsible for ensuring the application of the proposal (Articles 56 to 59) risks to become a conflicting structure with the parallel decentralized structure for Data Protection and its European Data Protection Board and the EDPS [5].

III- Prohibitions and their limits

9. In a very symbolic way, the proposal opens, after a first title relating to the general provisions, with a title entitled “prohibited artificial intelligence practices”, which in reality only contains a single article, while the next title on high-risk systems consists of 46 articles.

There are four systems considered unacceptable:

– systems deploying subliminal techniques to distort a person’s behavior in a manner that causes or is likely to cause physical or psychological harm to the person or to another person;

– systems exploiting the vulnerabilities of a specific group of people due to their age, physical or mental disability, to distort the behavior of a person belonging to that group in a manner that causes or is likely to cause physical or psychological harm;

– systems used by public authorities for the evaluation or classification of the reliability of individuals over a period of time based on their social behavior or known or predicted personal or personality characteristics, with the establishment of a social score (“social score”) leading to one or both of the following: adverse or adverse treatment of persons in social contexts unrelated to the contexts in which the data were initially generated or collected; or/and adverse or adverse treatment of persons that is unjustified or disproportionate to their behavior or the seriousness of their behavior;

– ‘real-time’ remote biometric identification systems in public spaces in a criminal context, unless and to the extent that such use is strictly necessary for one of the following purposes: the targeted search for potential victims of an offence, the prevention of a specific, serious and imminent threat to the life or safety of persons, or of a terrorist attack, the search, location, the identification or prosecution of the offender or a suspect, where the maximum penalty for the offence is at least three years.

10. It follows from this list that the prohibitions mentioned are subject to several limitations and prohibitions:

– in the case of the first two prohibitions, they both imply at least the possibility of physical or psychological harm. However, with regard to vulnerable persons, the demonstration of the existence of a possibility of harm may be sensitive,

– with regard to the prohibition of the social score, it is envisaged only to the extent that this score is established by public authorities (and not private entities) and leads to unfavorable treatment in a context unrelated to the context from which the data were collected or in cases where such treatment appears disproportionate. The reading of these conditions reveals that in reality the social score is not prohibited as such. This analysis is confirmed by the review of Annex III, which includes several high-risk AI systems. Among them, systems to assess the reliability of individuals or establish their credit score (“credit score”) in cases of access to and use of essential public and private services,

– Finally, remote biometric identification systems are prohibited only if they aim at “real-time” identification, in public spaces and in criminal proceedings.

11. These limitations leave the field open to a posteriori identification, by private entities or by public authorities not acting in a repressive framework. It should also be noted that despite its regulatory form, the proposal leaves considerable room for manoeuvre for Member States to decide whether or not to use remote biometric identification systems in real time.

IV- Uses in criminal matters

12. In addition to the exceptions to the aforementioned prohibitions on real-time remote biometric identification, the proposal allows the possible use of AI systems in criminal matters[6].

Annex III, which lists the high-risk systems referred to in Article 6(2), provides for the following systems:

– systems intended to be used for the risk assessments for the commission of an offence or for recidivism by a person, or risk assessments for potential victims of an offence,

– systems intended to be used as polygraphs and similar tools or to detect the emotional state of a natural person,

– systems intended to be used to detect “deepfake” referred to in Article 52 (3),

– systems intended for use in assessing the reliability of evidence during an investigation or criminal prosecution,

– systems intended to be used to predict the occurrence or repetition of an actual or potential criminal offence, on the basis of the profiling of natural persons referred to in Article 3 para.4 of Directive 2016/680 or the assessment of personality traits and characteristics or past criminal behaviour of persons or groups,

– systems intended to be used for profiling persons referred to in Article 3 par.4 of Directive 2016/680 in the course of the detection, investigation or prosecution of criminal offences,

– AI systems for use in the analysis of crime involving natural persons, enabling law enforcement authorities to search for large datasets available in different data sources or data formats, to identify unknown patterns or to discover hidden relationships in the data.

13. Furthermore, a certain number of guarantees are limited or even excluded in the context of the use of AI systems in criminal matters:

– prior authorisation by a judicial or independent administrative authority for the use of real-time remote biometric identification may be postponed in urgent cases,

– Article 52, which seeks to impose an obligation to inform persons subject to certain systems, whether they are high-risk or not, excludes this obligation in criminal matters. This applies in particular to systems of emotional recognition or biometric categorisation, as well as those generating or manipulating audio, video or image content, which then appear to be falsely authentic,

– finally, Article 43, on conformity assessment of systems, provides for an assessment limited to internal control for all systems considered to be high-risk, with the exception of those relating to biometric identification and the categorization of persons.

14. The framework proposed by the Commission paves the way for highly controversial practices, particularly in predictive policing. The doctrine is very divided on the added value of AI systems in the assessment of future behavior of offenders, highlighting the risks of discrimination inherent in the functioning of algorithms [7].

It is worth recalling that this practice has already been unfortunately authorized by the EU with the anti-Money Laundering legislation [8]and notably by the infamous EU Directive on the use of Passenger Name Record data [9]. On the latter practice the CJEU has already adopted a very interesting Opinion (1/15) [10] dealing with a draft EU-Canada PNR Agreement but is now again seized of this subject because of several Preliminary Ruling requests challenging the EU Directive compliance with the art. 7 and 8 of the EU Charter as well as the with the principles of necessity and proportionality [11].

15. The possible use of lie detectors (“polygraphs”) also generates debate and there is no consensus on its use in criminal matters. It should also be pointed out that the Commission allows the use of polygraphs in the field of migration, asylum and the management of external borders, thus reinforcing the experience currently carried out under the “iBorderCtrl” project.

Similarly, the possibilities for the use of a posterior biometric recognition systems are also the subject of criticism within doctrine and civil society. Thus, on May 27, 2021, the NGO Privacy International announced the filing of several claims in Europe against the American company Clearview AI [12], specialized in facial recognition and the commercialization of data collected to law enforcement.

Conclusion

The European Commission may have missed the opportunity here to ensure full respect for European values in the context of the ‘collective digital transformation dimension of our society’. Beyond the question of whether the AI proposal is fully compatible with European data protection legislation and the requirements of the European Charter, it is clear that when decisions are taken on the basis of AI applications individuals should have the right to specific explanations, and collective rights should also be strengthened as it is already the case in other domains of wider impact (as it happens with the Aarhus legal framework in the environment related legislation).

Negotiations on the European Commission proposal are currently underway inside the European Parliament [13] and the Council of the EU [14]. Once established their respective positions the interinstitutional dialogue will start. In the meantime it is worth noting that the EP has already voted on October a non-legislative resolution curtailing the use of AI techniques for such activities as facial surveillance and predictive policing [15].

It remains to be seen if this “non-legislative” resolution will be mirrored in the coming months also in the legislative trialogue between the EP, the Commission and the Council where the pressure of the interior Ministers in favor of surveillance measures risks to remain rather strong.

NOTES

[1] I hereby thanks Mrs Michelle DUBROCARD working at the European Data Protection Supervisor Office for her unvaluable contribution and comments when drafting the present article.

[2] EDPS and EDPB joint Opinion 5/2021 recalling also that “…in line with the jurisprudence of the Court of Justice of the EU (CJEU), Article 16 TFEU provides an appropriate legal basis in cases where the protection of personal data is one of the essential aims or components of the rules adopted by the EU legislature. The application of Article 16 TFEU also entails the need to ensure independent oversight for compliance with the requirements regarding the processing of personal data, as is also required Article 8 of the Charter of the Fundamental Rights of the EU.”

[3] It is also likely that all these new obligations, which will have to be placed on the shoulders of companies, will not fail to revive the debate on the cumbersome nature of European legislation.

[4] Consistently with this approach the EDPS and the EDPB in their Joint Opinion 5/2021 “…call for a general ban on any use of AI for an automated recognition of human features in publicly accessible spaces – such as of faces but also of gait, fingerprints, DNA, voice, keystrokes and other biometric or behavioural signals – in any context. A ban is equally recommended on AI systems categorizing individuals from biometrics into clusters according to ethnicity, gender, as well as political or sexual orientation, or other grounds for discrimination under Article 21 of the Charter. Furthermore, the EDPB and the EDPS consider that the use of AI to infer emotions of a natural person is highly undesirable and should be prohibited.”

[5] To avoid these risks, the future AI Regulation should clearly establish the independency of the supervisory authorities in the performance of their supervision and enforcement tasks. According to the EDPB/EDPS Joint Opinion cited above “..The designation of data protection authorities (DPAs) as the national supervisory authorities would ensure a more harmonized regulatory approach, and contribute to the consistent interpretation of data processing provisions and avoid contradictions in its enforcement among Member States.”

[6] Furthermore, according to the EDPS/EDPB Joint Opinion 5/2021, “..the exclusion of international law enforcement cooperation from the scope set of the Proposal raises serious concerns for the EDPB and EDPS, as such exclusion creates a significant risk of circumvention (e.g., third countries or international organisations operating high-risk applications relied on by public authorities in the EU)”.

[7] Literature on the risks of “Predictive Criminal Policy” is growing day by day. As rightly stated by A.Rolland in “Ethics, Artificial Intelligence and Predictive Policing” “First, the data can be subject to error: law enforcers may incorrectly enter it into the system or overlook it, especially as criminal data is known to be partial and unreliable by nature, distorting the analysis. The data may be incomplete and biased, with certain areas and criminal populations being over-represented. It may also come from periods when the police engaged in discriminatory practices against certain communities, thereby unnecessarily or incorrectly classifying certain areas as ‘high risk’. These implicit biases in historical data sets have enormous consequences for targeted communities today. As a result, the use of AI in predictive policing can exacerbate biased analyses and has been associated with racial profiling”.

[8] Fight against money laundering and terrorist financing (AML/CFT) at EU level is governed by a number of instruments which have to provide for rules affecting both public authorities and private actors who constitute the obliged entities: supervision, exchange of information and intelligence, investigation and cross-border cooperation on the one side, and obligations such as reporting or customer due diligence on the other. For this reason, the relevant instruments are based on a number of different legal bases spanning from economic policy and internal market to police and judicial cooperation. On 20 July 2021, the Commission proposed a legislative package that should enhance many of the above rules. The package consists of 1)A Regulation establishing a new EU AML/CFT Authority; 2)A Regulation on AML/CFT, containing directly-applicable rules; 3-A sixth Directive on AML/CFT (“AMLD6”), replacing the existing Directive 2015/849/EU (the fourth AML directive as amended by the fifth AML directive); 4) A revision of the 2015 Regulation on Transfers of Funds to trace transfers of crypto-assets (Regulation 2015/847/EU); 5)A revision of the Directive on the use of financial information (2019/1153/EU), which is not presented as part of the package, but is closely related to it.

[9] Directive (EU) 2016/681 of the European Parliament and of the Council of 27 April 2016 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime.

[10] Opinion 1/15 pursuant to Article 218(11) TFEU — Draft agreement between Canada and the European Union — Transfer of Passenger Name Record data from the European Union to

[11] The leading Case 817/19 has been raised by the Belgian Constitutional Court and it will give the opportunity to the CJEU to decide if the indiscriminate collection of passengers data and their scoring for security purposes through secret algorithms (as currently done also in some Third Countries) is compatible with the EU Charter and with the ECHR and does not amount to a kind of general surveillance incompatible with a democratic society.

[12] In June 2020, the European Data Protection Board expressed its doubts about the existence of a European legal basis for the use of a service such as that proposed by Clearview AI .

[13] See the current state of legislative preparatory works here : https://www.europarl.europa.eu/legislative-train/theme-a-europe-fit-for-the-digital-age/file-regulation-on-artificial-intelligence

[14] See the State of the play diffused by the Council Presidency here: https://data.consilium.europa.eu/doc/document/ST-9674-2021-INIT/en/pdf

[15] See the report Artificial intelligence in criminal law and its use by the police and judicial authorities in criminal matters,