by Emilio DE CAPITANI
The Civil Liberties Committee (LIBE) of the European Parliament is currently working on a legislative proposal (2022/0084(COD)) dealing with information security in the institutions, bodies, offices and agencies of the Union. At first sight the 76 pages long text looks “technical”, but looking closer it is clear that it may have a huge impact, not only from an organizational point of view, but also in a more political perspective. If adopted as it stands it may even pave the way for the transformation of the “EU Bubble” in a sort of (Administrative) Fortress and substitute the principle of “Transparency by design” with the principle of “confidentiality by design”.
In principle the objective, as announced in the title of the proposal, is legitimate: granting a comparable level of protection in all the EU institutions, agencies and bodies, for information and documents, which, according to the law, should be protected. To do so a wide interinstitutional coordination group is proposed, as well as a network of security officials in all the EU entities and a securitized informatic network (TEMPEST) is foreseen.
So far so good, and if the content of the proposal was limited to these organizational aspects it could, even, be an example of administrative cooperation which may be consistent with the chosen legal basis for this Regulation eg art.298 of the TFEU.
What is worrying is the fact that, in parallel with the definition of the physical security of EU information, this proposal on one side redefines the conditions of treatment, access and sharing of all kinds of information/document treated by the EU Institutions, Agencies and bodies and, on the other side does not frame adequately the conditions of interinstitutional / interagency cooperation.
On the first aspect the new proposal, unlike what is declared by the EU Commission, completely overlaps and modify Regulation 1049/01 on access to public documents but following a completely different logic. If the principle of Regulation 1049/01 is to frame the right to know of EU Citizens by granting that everything is public unless a specific exception is applicable, the logic of the new Commission proposal, which mirror the logic of the current Council internal security rules, is that almost all internal documents should be protected and shared only with people with a recognized “need to know” unless the document is marked as “public”.
By replacing the “right to know” foreseen at the Treaty with the a “need to know” mechanism the proposed Regulation turn upside down the EU transparency principle as defined by art.1 of the TUE according to which “..decisions are taken as openly as possible and as closely as possible to the citizen” and by art.15.1 of the TFEU which states that “In order to promote good governance and ensure the participation of civil society, the Union’s institutions, bodies, offices and agencies shall conduct their work as openly as possible.” Last but not least the new proposed framework goes against the notion of openness echoed in art 298 TFEU which requires that the EU administration should not only be Independent and efficient but also “Open”. Recognizing, as the new proposal does, to each EU institution agency and body the possibility to “protect” its internal information/documents by invoking the very fuzzy notion of “harm” as described in the proposal (“to the legitimate public and private interests, measured as a combination of the likelihood of threats occurring and their impact”…) the new draft Regulation threatens in a fundamental way the right to access to legislative and non legislative information as required by art.15 of the TFEU and by Regulation 1049/01.
To put it short: with this new envisaged legal regime the Commission (by the endorsing at legislative level the Council internal security rules) is proposing to the EP to go back to the pre-Maastricht era when it was up to the EU institutions to decide if giving access to their internal documents. But since Amsterdam (with the art.255 of the TCE) and, even more, since Lisbon, this practice is no more compatible within an EU which is bound by the rule of law and where there should not be space for dark zones. It is therefore quite surprising that until now the EP has not proposed to the legislative proposal substantial amendments which may adequately preserve the Transparency principle in the EU institutional framework.
On the second aspect this proposal is also failing short from implementing the principle of an independent and efficient administration as required by art.298 TFEU because by transforming each EU Institution agency and body in a sort of sandbox it will make extremely difficult implementing the principle of sincere cooperation foreseen by art 13.2 of the TUE. In an European Union where in most cases interagency and interinstitutional cooperation is essential to achieve the missions foreseen by the Treaties it is highly problematic insisting on each EU entity independence without foreseeing by law mechanism of a structured interinstitutional and interagency cooperation (outside the enhanced cooperation on protecting each other secrets).
Not providing legal procedures for arbitration and conflict prevention this proposal paves the way to a permanent conflictual administrative framework. Referring to the fact that the Court of Justice may solve possible problems of interpretation of a badly designed legislation or solve potential cases of failure to act by all these EU entities is a very bad approach for a legislator which is deemed to be guided by the principle of granting legal certainty to EU Citizens and to the EU administration. Furthermore it is quite bizarre that the European Ombudsman has not been associated or consulted on the proposal at stake.
(to be continued)
European Area of Freedom Security & Justice 