In what context does HERA deal with confidential information?
The Health Emergency Preparedness and Response Authority (HERA) was set up as a service of the Commission to strengthen Europe's ability to prevent, detect, and rapidly respond to cross-border health emergencies.
The October 2020 Commission Communication “Building a European Health Union: Reinforcing the EU’s resilience for cross-border health threats” and the November 2022 Commission Communication “State of Health Preparedness report” highlighted that COVID-19 demonstrated a lack of comparable data and understanding of the situation on which to base decision-making.
In this context, to deliver on its mandate, HERA essentially relies on data and information particularly relating to health threats and medical countermeasures when carrying out its operations.
Relevant data and information may not only originate from HERA or other Commission services themselves but also from third parties such as Member States, private businesses and other stakeholders. Such information may not always be publicly available and the disclosure of such may harm legitimate interests of the persons providing HERA with information or of other third parties.
When processing such information, the Commission (including HERA) protects the confidentiality, in particular when handling such information internally and when processing access to documents requests in accordance with Regulation 1049/2001.
What types of confidential information does HERA deal with?
The Commission mainly distinguishes between two confidentiality levels: (1) Sensitive non-classified Information (‘SNC’) and (2) EU classified information (‘EUCI’). Although HERA may deal with information of both levels, the present Questions & Answers focus on the handling of Sensitive non-classified Information.
Is HERA obliged to protect Sensitive non-classified (‘SNC’) information?
HERA, as a service of the Commission, is legally obliged to protect sensitive non-classified information. Most notably, Commission staff is under an obligation not to disclose information of any kind covered by the obligation of professional secrecy in accordance with Article 339 TFEU, in particular information about undertakings, their business relations or their cost components.
In addition, Commission officials have an obligation under Article 17 of the Staff Regulations not to disclose, without authorisation, information to which they have been exposed in the course of their work, unless that information has already been made public or is accessible to the public.
In relation to sensitive non-classified information, HERA implements all relevant legal requirements applicable to the Commission, including Commission Decision (EU, Euratom) 2015/443, Commission Decision (EU, Euratom) 2017/46, Commission Security Notice C(2019) 1903 and Commission Security Notice C(2019) 1904.
The measures accordingly implemented by HERA to safeguard sensitive non-classified information are in accordance with Article 9(6) of Commission Decision 2015/443. They range from special markings of information to specific instructions on storage of and access to sensitive non-classified information.
What kind of information is covered by the concept of ‘Sensitive non-classified’ information?
In accordance with Article 9(5)(b) of Commission Decision 2015/443 sensitive non-classified information (‘SNC’) is, in general, ‘information or material the Commission must protect because of legal obligations laid down in the Treaties or in acts adopted in implementation thereof, and/or because of its sensitivity.’
Therefore, the concept of sensitive non-classified information includes, but is not limited to information or material covered by the obligation of professional secrecy as referred to in Article 339 TFEU, information covered by the interests protected in Article 4 of Regulation 1049/2001 and personal data within the scope of Regulation (EU) 2018/1725.
Under what circumstances may business information constitute sensitive non-classified (‘SNC’) information?
Business information can, inter alia, be considered as SNC information if it falls within the scope of the obligation of professional secrecy under Article 339 TFEU or within the ‘commercial interest’ exception under the first indent of Article 4(2) of Regulation 1049/2001.
Such information may include but is not limited to business secrets, which are always afforded special protection (see ruling T-198/03 of the General Court). In principle, business information is covered by the obligation of professional secrecy if cumulatively:
- the information is known only to a limited number of persons,
- its disclosure is liable to cause serious harm to the person who has provided it or to third parties and
- the interests liable to be harmed by disclosure are, objectively, worthy of protection.
Depending on the circumstances, business information may therefore be considered SNC if it relates to the following indicative and non-exhaustive types of (business) information (see rulings T-718/15 and T-448/21 of the General Court):
- the business strategies of the undertaking(s) concerned;
- their commercial relations;
- specific expertise;
- prices;
- financing arrangements;
- amounts of sales;
- market shares.
Can third parties indicate which (parts of) information they deem sensitive?
In the event HERA receives information from a third party in any form (orally, in written or electronically), it will, in principle, ask the third party to indicate whether parts of the information are deemed to be sensitive. Such indication will feed into the assessment of the Commission (HERA) on the confidentiality of the information and the possible protective measures to be taken.
In general, sensitivity cannot be claimed for the entire or whole sections of a document as it is normally possible to protect confidential information with limited redactions. Therefore, third parties have the opportunity both to point out the passages in the documents of which disclosure might cause damage and to indicate the nature and scope of that damage.
Indication of sensitivity should in principle be made in written or electronic format and should specifically mark the passages for which confidentiality is claimed, ideally by providing a version of the document with the relevant passages blackened out.
In exceptional situations, notably where the document with confidential passages blackened is not understandable, HERA may ask the third party to provide a non-confidential summary.
In the event of an access to documents request, HERA will assess the request in line with Regulation 1049/2001. For further information, see question 8.
Does HERA intend to share SNC information with the European Parliament, any other Union bodies and/or third parties (not being Union bodies)? If so, under what circumstances?
In the event the European Parliament or other EU bodies would request the Commission to share sensitive non-classified information, it may consider transferring such information to the extent it is necessary for the performance of their institutional task and solely if appropriate safeguards are in place to preserve the sensitivity of the information.
Such precautions may include, in particular, informing the Union bodies of the documents or passages of documents which contain sensitive information, including sensitive business information.
Where HERA would intend to disclose sensitive information to other public bodies (not being Union bodies), it will do so only in case of a clear legal basis or with the unequivocal authorization of the person concerned. In the former case, the Commission (including HERA) will give the person concerned the possibility to be heard prior to any disclosure (see ruling C-650/19 of the European Court of Justice).
Given the (serious) damage that could result from improper communication of confidential information, the person concerned will have an opportunity to bring an action before the Court with a view to having the assessment made reviewed by it and to preventing disclosure of the information in question (see ruling C-53/85 of the European Court of Justice).
In the event of an access to documents request, HERA will assess the request in line with Regulation 1049/2001. For further information, see question 8.
How does HERA deal with sensitive non-classified information in the context of access to documents requests?
When receiving a request for access to documents, HERA applies Regulation 1049/2001. Thus, access to a document is in principle granted. However, should the requested document contain information of sensitive non-classified nature, access to (parts of) the document can be denied to the extent the disclosure of the information in question would undermine the protection of the public or private interests within the meaning of Article 4 of Regulation 1049/2001.
In the context of confidential business information, HERA will particularly assess whether the ‘commercial interest’ exception under the first indent of Article 4(2) of Regulation 1049/2001 applies.
Where an applicant under Regulation 1049/2001 requests access to a document originating from a third party, HERA consults the third party in question in accordance with Article 4(4) of Regulation 1049/2001 and Articles 5 and 6 of the detailed rules for the application of Regulation (EC) No 1049/2001.
The third party hereby can indicate its views to the Commission on the confidentiality of (parts of) the information contained in the document, which they must substantiate on the basis of the exceptions in Article 4 of Regulation (EC) No 1049/2001.
