• Home /
• Analyses /
• 2023 /
• The proposal on security of EU information: transforming the “bubble” into a “fortress”?

The proposal on security of EU information: transforming the “bubble” into a “fortress”?

Topic

Country/Region

07 September 2023

Part 1 of a series /// EU institutions are currently discussing a proposal for a new law "on information security in the institutions, bodies, offices and agencies of the Union." While the objective itself may be legitimate, the proposal as it stands seeks to extend to other EU institutions and agencies the secrecy and opacity that has for so long characterised the work of the Council. It undermines existing legislation on public access to official documents and would fatally undermine the treaty obligation for the institutions, bodies, offices and agencies of the EU "to conduct their work as openly as possible." At the same time, the proposal fails to ensure the interinstitutional and interagecy cooperation necessary to ensure an effective administration.

Image: Maurits Verbiest, CC BY 2.0

---

For extensive documentation on this proposal see our Observatory: Regulation on security of EU information (2022 proposal)

The second part of this series is available here: The proposal on security of EU information: how to burst the bubble and open the EU fortress

---

Information security

The European Parliament's civil liberties committee (EU) and the Council of the EU are currently working on a legislative proposal dealing with information security in the institutions, bodies, offices and agencies of the Union. At first sight, the 76 pages of text appear "technical" - but upon closer inspection it is clear that the law may have a huge impact not just from an organizational point of view, but also politically. If adopted as it stands it may pave the way for the transformation of the "EU bubble" into a sort of (administrative) fortress, and substitute the principle of "transparency by design" with the principle of "confidentiality by design."

In principle the objective, as announced in the title of the proposal, is legitimate: granting a comparable level of protection in all the EU institutions, agencies and bodies, for information and documents, which, according to the law, should be protected. To do so a wide interinstitutional coordination group is proposed, as well as a network of security officials in all the EU entities. A secure information network (TEMPEST) is foreseen, along with the establishment of various authorities (for example, the TEMPEST authority will be responsible for preventing "unintentional electronic emanations" of classified material).

So far so good, and if the content of the proposal was limited to these organizational aspects it could even be seen as an example of administrative cooperation consistent with the chosen legal basis for this Regulation, Article 298 of the Treaty on the Functioning of the European Union (TFEU): "the institutions, bodies, offices and agencies of the Union shall have the support of an open, efficient and independent European administration."

What is worrying is the fact that, in parallel with the definition of the physical security of EU information, this proposal on the one hand redefines the conditions of treatment, access and sharing of all kinds of information and documents produced and handled by the EU institutions, agencies and bodies; and on the other does not frame adequately the conditions of interinstitutional and interagency cooperation.

Undermining transparency: from the "right to know" to the "need to know"

The first problematic aspect the new proposal, contrary to what the Commission states, completely overlaps and modifies the 2001 Regulation on public access to documents. While the principle of that Regulation is to enhance the peoples' right to know by granting that everything is public unless a specific exception is applicable, Chapter 4 of the information security proposal takes the opposite approach. Mirroring the logic of the current Council internal security rules, it requires that almost all internal documents should be protected and shared only with people with a recognized "need to know" unless the document is marked as "public."

By replacing the "right to know" foreseen in the Treaty with the a "need to know" mechanism, the proposed Regulation turns the EU transparency principle on its head. That principle is defined in Article 1 of the Treaty on European Union (TEU) and Article 15(1) of the TFEU. The former states that decisions are to be taken "as openly as possible and as closely as possible to the citizen," while the latter requires that: "In order to promote good governance and ensure the participation of civil society, the Union’s institutions, bodies, offices and agencies shall conduct their work as openly as possible."

Last but not least, the proposed information security framework goes against the notion of openness set out in Article 298 TFEU, which requires that the EU administration should not only be independent and efficient but also "open." By offering each EU institution, agency and body has the possibility to "protect" its internal information and documents by invoking the very fuzzy notion of "harm" - in the words of Article 3(aa) of the proposal, "the potential adverse effect of a given threat... to the legitimate public and private interests, measured as a combination of the likelihood of threats occurring and their impact" - the proposal fundamentally threatens the right to access legislative and non-legislative information as required by the treaties and the Regulation on access to documents.

In short: with this proposal the Commission is hoping to engage in a form of time travel. By the endorsing at legislative level the Council internal security rules, it proposes going back to the pre-Maastricht Treaty era, when it was up to the EU institutions to decide whether or not to grant access to their internal documents. But ever since the Amsterdam Treaty and, even more so, the Lisbon Treaty, this practice is incompatible with an EU bound by the rule of law and where there should not be space for dark zones. It is therefore quite surprising that until now the European Parliament has not proposed substantial amendments to the legislative proposal in order to preserve the transparency principle in the EU institutional framework.  

Independent and efficient administration

There is a further way in which the proposal falls short of implementing the principle of an independent and efficient administration, as required by Article 298 TFEU. By transforming each EU institution, agency and body into a sort of "sandbox," it will make it extremely difficult to implement the principle of "mutual sincere cooperation" foreseen by Article 13(2) TEU. Interagency and interinstitutional cooperation is essential to achieve most of the missions foreseen by the treaties and it is therefore highly problematic to insist on the independence of each EU entity without foreseeing, in law, a mechanism of structured interinstitutional and interagency cooperation, beyond the enhanced cooperation on protecting each others' secrets pushed by the proposal.

In failing to provide legal procedures for arbitration and conflict prevention, the proposal paves the way to an administrative framework mired in perpetual conflict. Referring to the fact that the Court of Justice may solve possible problems of interpretation or potential cases of failure to act by any of the entities in question is a poor approach, given that legislation should be guided by the principle of granting legal certainty to EU citizens and the EU administration. It is also quite bizarre that the European Ombudsman has not been associated or consulted on the proposal at stake.

Both the European Parliament and the Council of the EU are still discussing the proposal, prior to entering into negotiations with one another. Is there time to turn this pig's ear into a silk purse?

Author: Emilio de Capitani

---

For extensive documentation on this proposal see our Observatory: Regulation on security of EU information (2022 proposal)

Further reading