The new proposal on the security of EU information: a wider but incomplete legal framework for classified information


Part 3 of a series /// The proposal on security of EU information, as introduced, would create a legal framework for classified information with a number of gaps and loopholes that would prevent the European Parliament and the Court of Justice from exercising their roles as set out in the EU treaties. Changes are required to fix these problems.

Support our work: become a Friend of Statewatch from as little as £1/€1 per month.

Image: Casey Marshall, CC BY 2.0

The second part of this series is available here: The proposal on security of EU information: how to burst the bubble and open the EU fortress

The first part is available here: The proposal on security of EU information: transforming the “bubble” into a “fortress”?

The core of the proposed Regulation on the security of EU information (hereafter the INFOSEC proposal) concerns the creation and management of EU classified information (EUCI). In doing so, it substantially modifies Article 9 of Regulation 1049/2001, which deals with public access (or not) to so-called “sensitive documents”.

According to that article:

“Sensitive documents are documents originating from the institutions or the agencies established by them, from Member States, third countries or International Organizations, classified as ‘TRÈS SECRET/TOP SECRET’, ‘SECRET’ or ‘CONFIDENTIEL’ in accordance with the rules of the institution concerned, which protect essential interests of the European Union or of one or more of its Member States in the areas covered by Article 4(1)(a), notably public security, defense and military matters.”

Paragraph 3 of the same article also makes clear that: “Sensitive documents shall be recorded in the register or released only with the consent of the originator.” Paragraph 7 says: “The Commission and the Council shall inform the European Parliament regarding sensitive documents in accordance with arrangements agreed between the institutions.”

It should be noted that Article 9 of Regulation 1049/2001 was a “fast and dirty” solution for a problem which arose in July 2000: Javier Solana, newly appointed Secretary General of the Council, negotiated with the new NATO Secretary General, Mr Robertson, an administrative arrangement with NATO on the exchange of classified information with the Council of the EU. However, that arrangement was challenged before the Court by the European Parliament (EP) and the Dutch government, because they considered that it limited a citizen’s fundamental right of access to documents, and exceptions to such fundamental right should have been framed by law.

At the time, the negotiation of Regulation 1049/01 was under the pressure of a deadline established in the Treaty. The reference to “sensitive” documents was added at the end of the legislative procedure and, because of this, the EP and the Dutch government withdrew their case before the Court. Unfortunately, it was a pyrrhic victory – it soon became clear that Article 9 of Regulation 1049/2001 was (and still is) a rather elusive and patchy framework for EU classified information.

A number of points can be made in this regard:

a) It does not regulate how the information should be classified and declassified in the interests of the EU, as opposed to the interests of the originator (whether that be a member State, EU institution, agency or body). Quite the contrary – by transferring the definition of these aspects to the internal security of each institution it paved the way to different standards and the very well-known risk of over classification.

b) It foresees a very weak framework for parliamentary oversight. By making reference to interinstitutional agreements and not codifying in secondary law the EP’s constitutional right to oversee classified information, it places the institution in an ancillary position. It is unfortunate that the EP has not fought until now to obtain treatment comparable to the one reserved for national parliaments with regard to their governments. The solutions may be different, and special procedures and perhaps even special parliamentary bodies may be needed, but a stronger EP role is more than necessary because this lack of oversight will not be covered at national level – governments will declare that they are barred from revealing the information because it is classified at “European” level! Moreover, the instrument of an “interinstitutional agreement/arrangement” as currently foreseen by Article 295 of the Lisbon Treaty has strong constitutional limitations. As the Council Legal Service itself recognized in 2018:

“The wording of the provision (NDR art.295 TFEU), and notably the use of the term ‘arrangements’, points to the fact that IIAs are instruments for regulating the modalities of cooperation and not for the regulation of substantive policy areas.”

It is thus quite surprising that, since the first Interinstitutional Agreement in 2002, the European Parliament has not asked for a sturdier legal basis for its oversight power. With the adoption of the INFOSEC Regulation the situation will become even worse, because the EP will be obliged to negotiate interinstitutional agreements with all the other EU institutions, agencies and bodies if access to classified information is necessary for fulfilling its own constitutional role. From the outside, 21 years after the first interinstitutional agreement, the fact that the EP is still negotiating the revision of the 2002 interinstitutional agreement on access to classified information in the Common Security and Defence Policy (CSDP) area instead of creating a true legal basis for its oversight may look to some like a form of Stockholm syndrome. To exit from such an impasse, would it not be wise for the EP to study a more suitable model by looking at the experience of the major EU member states, or even of the USA?

c) Article 9 recognises, albeit only in the domain of “sensitive” documents and information, the so-called “originator privilege” or “author rule.” This is an exception to the general philosophy of Regulation 1049/2001, as made clear in Article 4(5): “A Member State may request the institution not to disclose a document originating from that Member State without its prior agreement.” The point was, and still is, that the EU institutions may only by bound by law and not by the will of an “author”, even if it were an EU member state, a point confirmed in the jurisprudence of the Court of Justice of the EU. What the INFOSEC proposal is not only to transform the exception in a rule but also to avoid possible counter-limits to possible abuses.

d) It does not foresee judicial oversight of classified information. Even today it up to the originator to decide whether or not to give the Court of Justice access to classified information. As Deirdre Curtin remind us in her essay Top Secret Europe:

“ the OMPI case on the blacklisting of terrorists by the UN and within the EU context, the Court said clearly that the Council could not base its decision on information that is not revealed to the Court.”

e) It does not solve the problem of sharing of “sensitive information” between entities which have a legitimate “need to know.” Instead, as Article 9 is focused on the security of each author of “sensitive information” and does not refer to common legislative standards, this been done by the Council. This institution remains the main creator and exchanger of classified information, and has imposed via bilateral agreements with all the other EU institutions, agencies and bodies its internal security rules which, in turn, mirror the NATO standards. It is because of the legal fragility of this “de facto harmonisation” that the Commission has decided to launch a legislative initiative establishing at secondary law level the principles which should be respected in this domain inside the EU. However, the solution envisaged in the INFOSEC proposal still does not address the main weaknesses of Article 9 of Regulation 1049/2001. In fact, in some cases it makes the situation even worse.

A useful example can be seen in the EU security agreements with third countries and international organizations on the exchange of classified information foreseen by articles 55-68 of the INFOSEC proposal.

On the positive side, the proposal requires that these agreements be negotiated and concluded according to Article 218 of the Lisbon Treaty, which will finally give the possibility for the EP to give its consent and to be fully and timely informed of the agreements’ content. This has not been the case until now and dozens of international agreements have been negotiated by the Council using Article 13 of its internal security rules as a legal basis.

However, if the INFOSEC proposal is adopted as it is, not only the Council but also all other EU institutions, agencies and bodies will have a legal basis for negotiating and concluding these executive “arrangements”. It would be wise to make clear in the INFOSEC proposal that the arrangements shall foresee that, because of the EU’s constitutional framework, no veto can be exercised over the transmission of classified information to the EP and to the CJEU.

Author: Emilio de Capitani

Our work is only possible with your support.
Become a Friend of Statewatch from as little as £1/€1 per month.

Further reading

Regulation on security of EU information (2022 proposal)

<p>Documentation relating to the 2022 proposal for a Regulation on information security in the institutions, bodies, offices and agencies of the Union. The proposal threatens to pave the way for the transformation of the "EU bubble" into a sort of (administrative) fortress, and substitute the principle of "transparency by design" with the principle of "confidentiality by design."</p>

12 September 2023

The proposal on security of EU information: how to burst the bubble and open the EU fortress

Part 2 of a series /// The Commission's proposal on security of EU information threatens to fatally undermine the rules on access to documents, which are essential for transparency, openness and public participation in democratic-decision making. The European Parliament and the Council need to take action to fix the proposal on security of information. At the same time, there are clear steps they could take to improve the access to documents rules, ensuring that legislative deliberations are as open and transparent as required by the treaties.

07 September 2023

The proposal on security of EU information: transforming the “bubble” into a “fortress”?

Part 1 of a series /// EU institutions are currently discussing a proposal for a new law "on information security in the institutions, bodies, offices and agencies of the Union." While the objective itself may be legitimate, the proposal as it stands seeks to extend to other EU institutions and agencies the secrecy and opacity that has for so long characterised the work of the Council. It undermines existing legislation on public access to official documents and would fatally undermine the treaty obligation for the institutions, bodies, offices and agencies of the EU "to conduct their work as openly as possible." At the same time, the proposal fails to ensure the interinstitutional and interagecy cooperation necessary to ensure an effective administration.


Spotted an error? If you've spotted a problem with this page, just click once to let us know.

Report error