Security incidents
Dear Communications Networks, Content and Technology,
Under the right of access to documents in the EU treaties, as developed in Regulation 1049/2001, I seek access to the documents that contain the following information regarding Directive (EU) 2018/1972 on the European Electronic Communications Code (EECC):
1. Specific security incident reports received from Member States to the extent that they have been shared with the Commission either directly or via ENISA (EEC Article 40.2). In particular, reports on personal data breaches originating from SS7 and/or Diameter attacks.
2. Annual Reports from Member States: Copies of the annual summary reports provided to the Commission by each Member State's competent authority on the notifications it has received on the security incidents and the action taken, as required by EECC Article 40.2.
3. Reports on the evaluation by the Commission of the security incident reports and notifications received from Member States, as well as any recommendations issued, documents on meetings held, or other relevant action taken in response to these reports. Similarly, any action taken by the Commission as a result of the failure to produce these reports.
My postal address is Calle vinaroz [ADDRESS] Spain, however no need to send hard copies, an electronic response will suffice.
Yours faithfully,
Rachel Hanna
Dear Sir or Madam,
We hereby acknowledge the receipt of your request for access to documents
sent on 27/11/2023 and registered on 27/11/2023 under the case number
2023/7048.
We will handle your request within 15 working days as of the date of
registration. The time-limit expires on 18/12/2023. We will let you know
if we need to extend this time limit for an additional 15 working days.
To find more information on how we process your personal data, please see
[1] the privacy statement.
Yours faithfully,
Secretariat-General - Access to Documents
European Commission
References
Visible links
1. https://ec.europa.eu/info/principles-and...
Hello,
Please find attached a message concerning your request for access to
Commission documents registered under the above case number 2023/7031 and
2023/7048.
Please acknowledge the receipt of this message by return email.
Kind regards,
DG CONNECT Access to documents Team
Dear Communications Networks, Content and Technology,
Under Article 7 Regulation 1049/2001, I would like to submit the below confirmatory application concerning my below requests.
EASE 2023/7031
My first request, numbered EASE 2023/7031 sought access to the documents that contain the following information regarding Directive (EU) 2018/1972 on the European Electronic Communications Code (EECC):
1. Any guidance provided to Member States on implementation of this Directive. In particular guidance on:
- determining whether a security incident has had a significant impact on the operation of networks or service (as per Article 40.2);
- leasing of Global Titles and/or Diameter addresses by mobile network operators.
2. Copies of Implementing Acts adopted by the Commission which detail the technical and organisational aspects that Member States should ensure are included in national measures on security and reporting, as per EECC Article 40.5.
You stated that you did not hold any corresponding documents.
“We regret to inform you that DG CONNECT does not hold any documents that would correspond to the description given in your application EASE 2023/7031.”
EASE 2023/7048:
Regarding my second request, numbered EASE 2023/7048, I sought access to the documents that contain the following information regarding Directive (EU) 2018/1972 on the European Electronic Communications Code (EECC):
1. Specific security incident reports received from Member States to the extent that they have been shared with the Commission either directly or via ENISA (EEC Article 40.2). In particular, reports on personal data breaches originating from SS7 and/or Diameter attacks.
2. Annual Reports from Member States: Copies of the annual summary reports provided to the Commission by each Member State's competent authority on the notifications it has received on the security incidents and the action taken, as required by EECC Article 40.2.
3. Reports on the evaluation by the Commission of the security incident reports and notifications received from Member States, as well as any recommendations issued, documents on meetings held, or other relevant action taken in response to these reports. Similarly, any action taken by the Commission as a result of the failure to produce these reports.
In relation to my points 1 and 2, you identified 54 documents falling within their scope:
Point 1. of the request:
- Specific security incident report 1 (Document 1)
- Specific security incident report 2 (Document 2)
Point 2. of the request:
- 2021 annual summary reports by Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, and Sweden (Documents 3 – 28)
- 2022 annual summary reports by Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, and Sweden (Documents 29 – 54)
You state that disclosure of these documents cannot be granted under Article 4(1)(a), first indent of Regulation 1049/2001, which stipulates that access to a document shall be refused where disclosure would undermine the protection of the public interest as regards public security:
“The requested documents are security incident reports and annual reports containing sensitive information that is relevant for public security. Disclosure of this information could reveal potential weaknesses in critical infrastructure and could therefore lead to security risks. Moreover, public disclosure of these documents would have negative consequences for the reporting of security incidents by Member States. Based on the foregoing there is a real and non-hypothetical risk, that disclosure of these documents would undermine the protection of public interest, as regards public security.”
Partial access to these documents was also denied:
“We have considered whether partial access could be granted to these documents. However, partial access is not possible considering that these documents are covered in their entirety by the exception of Article 4 (1)(a), first indent of Regulation 1049/2001.”
In terms of point 3, you state that you do not hold any corresponding documents:
“We regret to inform you that DG CONNECT does not hold any documents that would correspond to the description given in … point 3 of your application EASE 2023/7048.”
In response to this denial, I present the below arguments in my confirmatory application:
1. EASE 2023/7048: The harm that disclosure would cause has not been sufficiently proven.
2. EASE 2023/7048: Granting partial access to the requested documents would not have negative consequences for the reporting of security incidents by Member States.
3. EASE 2023/7031: It was not explained why DG CONNECT does not hold requested documents.
1. EASE 2023/7048: The harm that disclosure would cause has not been sufficiently proven.
The harm test applicable to Article 4(1)(a) has not been sufficiently proven as it was not sufficiently demonstrated how disclosure of the document would cause a reasonably foreseeable, non-hypothetical harm to public security.
In Case T-233/09 Access Info Europe v Council, the General Court confirmed that the mere fact that a document concerns an interest protected by an exception to disclosure is not sufficient to justify the application of that exception.
The Court of Justice of the European Union has also stated that an EU body “remains obliged (...) to explain how disclosure of that document could specifically and actually undermine the interest protected by an exception provided for in that provision, and the risk of the interest being undermined must be reasonably foreseeable and must not be purely hypothetical.” (Judgment of 3 July 2014, Council of the European Union v Sophie in 't Veld, C-350/12P, para. 64)
Relying on an exception that carries a harm test may be justified only if access to that document could specifically and effectively undermine the protected interest. Moreover, the risk of the protected interest being undermined must not be purely hypothetical and must be reasonably foreseeable.
By simply stating that “disclosure of this information could reveal potential weaknesses in critical infrastructure” and that “public disclosure of these documents would have negative consequences for the reporting of security incidents” it was not sufficiently demonstrated, specifically and actually, how wider access to that document would cause a reasonably foreseeable, non-hypothetical harm.
2. EASE 2023/7048: Granting partial access to the requested documents would not have negative consequences for the reporting of security incidents by Member States.
It is unlikely that the entire document is covered by the protected interest. Partial access to the areas not covered by the exception should be granted.
Denying partial access because an exception applies to parts of a document goes against the essence of 1049/2001, which states, at recital 4, that:
The purpose of this Regulation is to give the fullest possible effect to the right of public access to documents.
If full disclosure cannot be granted, I request access to redacted versions of the documents that would provide anonymised and/or statistical data concerning security incident reporting e.g.
• The number / type of security incidents within the reports;
• Objective / source of the security incident;
• Action taken to remedy security incidents.
I therefore request partial access to the identified documents, with the parts covered by the exception redacted.
Releasing a redacted version of the documents, only offering anonymised/statistical data would not have negative consequences for the reporting of security incidents by Member States.
3. EASE 2023/7031: It was not explained why DG CONNECT does not hold requested documents.
EECC Article 40.5 states that the Commission:
may adopt implementing acts detailing the technical and organisational measures referred to in paragraph 1, as well as the circumstances, format and procedures applicable to notification requirements pursuant to paragraph 2.
In request EASE 2023/7031, I requested:
2. Copies of Implementing Acts adopted by the Commission which detail the technical and organisational aspects that Member States should ensure are included in national measures on security and reporting, as per EECC Article 40.5.
You state that you do not hold any documents that correspond to this description. Does this mean that the Commission has not enacted any Implementing Acts under EECC as of yet? Or are they held by another DG in the Commission, not DG CONNECT?
Please do not hesitate to contact me should you require any clarifications on this confirmatory application.
Yours sincerely
Rachel Hanna
Your message has been received by the Transparency Unit of the
Secretariat-General of the European Commission.
Requests for public access to documents are treated on the basis of
[1] Regulation (EC) No 1049/2001 of 30 May 2001 regarding public access to
European Parliament, Council and Commission documents.
The Secretariat-General will reply to your request within 15 working days
upon registration of your request and will duly inform you of the
registration of the request (or of any additional information to be
provided in view of its registration and/or treatment).
References
Visible links
1. https://eur-lex.europa.eu/legal-content/...
Dear Sir or Madam,
We hereby acknowledge the receipt of your confirmatory request for case
2023/7048, sent on 25/01/2024 and registered on 25/01/2024.
We will handle your confirmatory request within 15 working days as of the
date of registration. The time-limit expires on 15/02/2024. We will let
you know if we need to extend this time limit for an additional 15 working
days.
Yours faithfully,
Secretariat-General - Access to Documents
European Commission
Dear HANNA, Rachel,
Please find attached the electronic version of European Commission
Decision C(2024)4207 as adopted by the European Commission on 12/06/2024
concerning the request 2023/7048.
In accordance with the Terms and Conditions of this portal, please note
that this decision is being formally notified pursuant to article 297 TFEU
through this electronic platform only.
Yours sincerely,