EU-USA Agreement on the exchange of classified information
- "carte blanche" for exchanging information on a host of issues
- all documents to be exchanged by courier
- no electronic exchanges
Yet another EU-USA agreement slipped into the EU's acquis almost unnoticed over the summer - to create a system for the exchange of classified information between the two states. [Footnote 1]
The mandate for the agreement was set in motion in 2003, see: Building the new security regime: EU agrees to exchange of classified documents on "crisis operations" including justice and home affairs issues
The agreement has been signed by the EU (Council and Commission) under Articles 24 and 38 of the Treaty on the European Union. Agreements negotiated under these Articles do not have to be referred to the European Parliaments or national parliaments, so they have no say at all.
On 3 May 2007 the formal Council of the European Union's Decision (pdf) and the text of the Agreement (pdf) were published in the Official Journal. The scope as set out in 2003 was to cover:
"many different areas of EU business (not only security and defence matters)"
The 2007 Agreement is not much more forthcoming, simply stating that:
"the USG [US government] and the EU share the objectives to strengthen their own security in all ways..."
"a permanent need therefore exists to exchange classified information between the USG and the EU"
No further details on the scope of matters to be covered is given.
"Classified information" is simply described as anything that:
"the unauthorised disclosure of which could cause varying degree of damage or harm to the interests of the USG or of the EU or one of its Member States"
The classification categories to be covered on both sides are:
- TOP SECRET/TRES SECRET UE
- SECRET/SECRET UE
- CONFIDENTIAL/CONFIDENTIEL UE
However, the EU has added another category: RESTREINT EU, for which there is:
"No US equivalent" (Article 3.2)
The "Restricted" category is not mentioned in the EU's Regulation on access to documents but is included in the Council's security regulations (pdf) adopted in 2001. Most documents in the EU are in the category "LIMITE" which is not a classified document category.
Article 4 of the 2007 Agreement says the recipient state shall not use or disclose:
"classified information for any other purpose than that for which it was provided without the prior written approval of the releasing Party" (4.3)
The same (Article 4.4) goes for the "further release" or disclosure - this would cover third states but does it cover "further" release to the myriad of US federal, state or local agencies?
However, the Agreement does not affect the long-standing bilateral agreements the US has with individual EU member states - especially those with the UK (Article 19).
An intriguing aspect of the Agreement is the "Transmission" of classified documents (Article 9). All classified information "in written form" is to be sent either to the Chief Registry Officer of the Council or to the US Mission in Brussels (Article 9.1). Whereas classified information in "electronic" form shall be encrypted and transmitted/sent:
"up to the level Confidential/Confidentiel UE"
which begs the question of how Secret and Top Secret information is to be exchanged? For which see below.
The technical arrangements (Article 13) for the Agreement are in the hands of the US Department of State, the Security Office of the General Secretariat of the Council (under the direction of the Secretary-General, Mr Solana) and the European Commission's Security Directorate.
"Oversight" (Article 12) is to be in the hands of: i) the US Secretaries of State and Defense and the Director of National Intelligence; ii) the Secretary-General of the Council; and iii) the Member of the Commission responsible for security.
There is no mention at all of parliamentary or Congressional "oversight".
Although the Agreement came into force on 30 April it is only now coming into operation because the technical details on both sides had to be agreed (Article 18).
The technical arrangements
It was by letter on 26 July that the EU side wrote to Mr Brenner (US Mission in Brussels) to confirm that the US was "able to protect and safeguard classified information" allowing the Agreement to become operational: Letter from Private Office of the Secretary General of the Council (pdf).
The details for the "Security Arrangements" for the exchange of information" is set out separately in: Security arrangement between the EU Council General Sectariat Security Office (GSCSO) and the European Commission Security Directorate (ECSD) and the United States Department of State for the protection of classified information exchanged between the EU and the United States of America (pdf).
The odd EU category of "Restreint UE", which has no US equivalent:
"is to be handled on a "need to know basis" and is to be afforded a level protection at least equivalent to that foreseen in the Council's security regulations."
"Restreint UE" documents will be held in "an administrative area of lesser security" (10.iii) and their loss or "compromise" is only to be reported where there are "unusual features".
The arrangement sets out the standards for Registries to be created to handle access, authorisation, copying, destruction etc.
Although, as noted above, Confidential (and Restreint) documents and media (electronic files) shall be encrypted and transmitted/sent:
"up to the level Confidential/Confidentiel UE"
The "Security arrangement" has a section on the "Manual transmission of classified information between participants" (Section 21) which says:
"When exchanging information classified CONFIDENTIEL UE or CONFIDENTIAL and above, appropriately cleared couriers are to be used by both sides."
It would appear that no classified information is to be electronically exchanged (except perhaps the EU's "Restreint" low-level category) and that there are problems with transmitting electronic information between the USA and the EU in a secure way.
So a procedure is set out Articles 21-23 which involves "cleared couriers" delivering and collecting documents in "sealed, covered vehicles". The "documents" are to be exchanged in "double sealed envelopes" with the "innermost envelope bearing on the classification and the outer one the name of the recipient. The documents are to be stored in areas protected by "intrusion-detection equipment" or guards and there is to be "continuous surveillance"
Why has the EU not got secure, encrypted, communications?
Although the US "signalled" their general agreement to the text on 23 March 2007 it seems the EU had to start putting its "house in order". First, on the military front it "prolonged" the approvals of "temporary" cryptographic devices to communicate with NATO and SHAPE (Supreme HQ Allied Powers Europe) as as EU "approved" devices "could yet not be used" EU-NATO-links (EU doc no: 6289/07). Second, and more surprisingly, it was only in January 2007 that the CSG approved the general use of "the UK line encryptor THAMER" up to and including SECRET EU: Encryption programme up to and including SECRET EU (EU doc no: 5645/07, pdf). THAMER (link to their brochure) is approved by the UK government, is used by NATO (since 2004) and is: "constructed in such a way that tampering is evident if it has occurred" - could it be that a gap had existed in the EU's encryption defences which had to be plugged?
Country/Organisation "Maximum releaseable electronically" by EU
(see: Third country agreements (EU doc no: 7778/07)
NATO EU Top Secret
Norway Confidential EU
Iceland Restricted EU
UN Restricted EU
USA no more than Restricted EU (see above)
European Space Agency None
EU Police Mission (EUPM)
EU Police Mission: DR Congo None
EU military crisis
"Operation Althea" None
What is striking is not just the lack of trust in the security arrangements for the exchange of classified information between the EU and the USA but that none of the EU's own police and space agencies and its military missions' communications are secure enough for the electronic transmission of classified documents. It seems extraordinary that the EU has not put in place a secure, encrypted, means of communication. [Footnote 2]
As there has been no parliamentary and hence public debate on this EU-US Agreement its scope is not defined except in the most general terms, ie: "security".
Does it cover military and defence matters alone? Or does it extend to civil-military research developing under the European Security Research Agenda? Does it cover justice and home affairs - policing, migration, asylum, data retention access, databases and data-mining? Does it cover "terrorist" proscription lists and intelligence on targeted groups?
The "Oversight" provisions are a joke. The Agreement is to be overseen by its signatories, with no suggestion of parliamentary or Congressional involvement.
Tony Bunyan, Statewatch editor, comments:
"I would reiterate the comments I made in 2003. This is another instance of secret policymaking. European and national parliaments should be consulted and the texts made public so that there can be a debate as to their content and consequences.
Putting these agreements in place is not just about exchanging classified documents, it is also about the construction of a security regime for future cooperation on defence, foreign policy and justice and home affairs between the EU, non-EU states and unaccountable international organisations. It is about cementing the aims and objectives of the EU-NATO-USA politico-military axis."
Footnote 1: The existing agreeements are: EU-US Europol; EU-US Eurojust, EU-US extradition; EU-US mutual cooperation; EU-US PNR (passenger name record); EU-US SWIFT.
Footnote 2: The entire EU communications system is managed and serviced by British Telecom: see: BT wins EU network services contract (Computer Weekly, link). BT's contract covers literally all EU institutions, agencies and courts and the 180-plus external Missions around the world.
Statewatch News online | Join Statewatch news e-mail list | EU research resources: Joint online subscription
© Statewatch ISSN 1756-851X.Material may be used providing the source is acknowledged. Statewatch does not have a corporate view, nor does it seek to create one, the views expressed are those of the author. Statewatch is not responsible for the content of external websites and inclusion of a link does not constitute an endorsement.