Email(s) from the Executive Director to 1) Frontex staff, including staff at the Frontex Liaison Office in Brussels, 2) the Management Board and 3) the European Commission regarding the AbolishFrontex demonstration that took place on 9 June in front of the Frontex office in Brussels as further clarified by you: The link provided was to a news article about the AbolishFrontex demonstration that took place on 9 June that I refer to in my application. It was provided to you for further clarification and to avoid any further delays with the processing of my PAD. I note your arguments in your confirmatory application: In accordance with Article 7(2) of Regulation EC 1049/2001, I herewith lodge a confirmatory application and request Frontex to reconsider its position within 15 working days of receiving this reply. Firstly, I would like to thank the agency for considering my initial request and partially disclosing the relevant email correspondence. It is regrettable, however, that the Agency has chosen to redact considerable parts of the documents. As detailed below, I argue that Frontex’ use of the exceptions cited in Articles 4(1) and 4(2) to justify non-disclosure is excessive, disproportionate, and runs contrary to both the spirit and letter of Regulation EC 1049/2001 and relevant case law. Frontex has opted for an excessively broad application of the exceptions in justifying non-disclosure of the substantive parts of the documents, thereby 1 In accordance with Article 8(2) of Regulation (EC) No 1049/2001 of 30 May 2001 regarding public access to European Parliament, Council and Commission documents (OJ L 145, 31.5.2001, p. 43). Frontex - European Border and Coast Guard Agency www.frontex.europa.eu | Pl. Europejski 6, 00-844 Warsaw, Poland | Tel. +48 22 205 95 00 | Fax +48 22 205 95 01

acting undermining transparency of the conduct of EU agencies. Furthermore, as detailed below, the response suffers from several procedural and substantive shortcomings, which raise serious concerns about the extent to which the request was handled in good faith. Please note that this confirmatory application does not pertain to redacted information relating to personal data and protected from public disclosure pursuant to Article 4(1)(b). Below, I offer a reasoned, paragraph-by-paragraph, rebuttal to each of the justifications for non-disclosure: (1) security measures applicable to Frontex staff and premises and protection of public security interest The claim that “effectivity” of any security “measures” could “[reveal] Frontex vulnerabilities and [facilitate] such attacks i.a. by enabling the perpetrators of such attacks to foresee Frontex reactions to security incidents, thus limiting safety of its staff and office areas” is not compelling. The mere fact that a document concerns an interest protected by an exception cannot justify application of that exception. The risk of a protected interest being undermined must be reasonably foreseeable and not purely hypothetical (see, to that effect, Case T- 211/00 Kuijer v Council [2002] ECR II‑485, paragraph 56). No compelling case has been made in your letter. It is highly unlikely that the emails contain any details that, if disclosed, could seriously and foreseeably undermine staff safety. For example, it is hard to imagine how disclosure of the redacted phrases in email 1 could pose a foreseeable threat to staff or public security within the scope of the exception cited in Article 4(1). I therefore request Frontex to review the documents and disclose the relevant parts of the email exchanges. (2) information on the means of communication used by law enforcement officials and protection of public security interest The notion that Fabrice Leggeri’s email address – an EU official who is not involved in day-to- day law enforcement activities nor is he a police officer or hold any such rank – constitutes “detailed information on the means of communication used by law enforcement officials” is preposterous. Equally preposterous is the notion that public disclosure of the Executive Director’s email address could somehow foreseeably and non-hypothetically “put law enforcement officials’ work in jeopardy and harm the course of future and ongoing operations aimed at curtailing the activities of organized criminal networks involved in the smuggling and migrants and trafficking in human beings.” Consequently, the use of the “public security” exception cited in Article 4(1)(a) is, in this specific case, excessive and disproportionate. May I remind you, in this context, that Fabrice Legerri is a public official of a public body – not a private fiefdom. The notion that his official email address can be kept secret from the public on the grounds invoked by your Office suggests that this request was not handled in good faith but with the aim of redacting as many parts of the documents as possible, contrary to the spirit and the letter of the Regulation and relevant case law. (3) personal data N/A (4) disclosure undermining an ongoing investigation Your reply does not demonstrate how the fragmentary email exchanges are likely to contain any detailed information that could seriously and foreseeably undermine “investigations” within the meaning of Article 4(3), even if Frontex did indeed pursue criminal charges against the individuals involved. Furthermore, you claim that no overriding public interest is Frontex - European Border and Coast Guard Agency www.frontex.europa.eu | Pl. Europejski 6, 00-844 Warsaw, Poland | Tel. +48 22 205 95 00 | Fax +48 22 205 95 01

“ascertainable” in this case that is “not indistinguishable from individual or private interests.” However, you provide no explanation of what arguments were considered as part of the public interest test. Furthermore, this is a somewhat curious assertation given the case at hand: the response of a public body to a protest by European citizens and organised civil society, in the broader political context of an extensive and, indeed, unprecedented public debate about the implication of Frontex in human rights violations at the EU’s external borders. There is thus an overriding public interest – that is objective and general in nature – for EU citizens to understand how Frontex responded to such a protest and how a non-violent civil society campaign is presented internally to Frontex staff, which includes a large number of EU “civil servants”. Additionally, your reasoning for non-disclosure takes at face value the unfounded assumption that the peaceful protest that took place in Brussels (and other locations) – in which no individual was harmed and where just a few hours later the premises were left “spotless” according to the disclosed documents – constitutes a criminal “attack”. This is a matter for national courts, not Frontex, to determine. Most worryingly, your reasoning in this paragraph refers to investigations pertaining to “serious incident reports” – a matter that is evidently irrelevant to the case at hand. This renders the substantive arguments against disclosure void and raises, once again, serious concerns about procedural flaws in the handling of this request. (5) disclosure undermining internal decision-making The claim that disclosure of information could “seriously undermine internal decision-making processes regarding current and future activities of Frontex” is somewhat bizarre in relation to documents detailing Frontex’s immediate response to a public protest. Furthermore, the reference to “ongoing discussions taking place within Frontex and under its auspices and involving numerous stakeholders require special protection” and that “disclosing the redacted parts would reveal negotiation positions of the stakeholders” is baffling and bears no relevance to the case at hand. The documents evidently do not refer to any “negotiations” with stakeholders nor are they likely to contain information that could seriously undermine its decision-making process as is incumbent upon you to demonstrate. Furthermore, it is difficult to see how actions taken by Frontex in reaction to the protests can be construed to constitute “decision-making” within the meaning of the Regulation. Your reply therefore invokes the notion of “internal decision-making” too loosely. At stake here is the response of a public body to an act of protest by members of the public and civil society, not decisions pertaining to the exercise of public authority within the mandate of the Agency. To conclude, in considering this confirmatory application, it is worth recalling that the necessity to give utmost consideration to public interest criteria follows from the fact that Regulation 1049/2001 was adopted as a result of a continuous development on a European level to enhance democracy by making the decision-making process of the institutions more transparent. Moreover, it has been clearly established in previous case law that “the purpose of the regulation [1049/2001] is to give the public the widest possible right of access” and that “the exceptions to that right set out in Article 4 of the regulation must be interpreted and applied strictly” (paragraph 55).[1] While the “public security” exception does indeed offer EU bodies wider discretion and is not subject to a public interest test, there is nonetheless an obligation to demonstrate that disclosure of relevant information would pose a serious, foreseeable and non-hypothetical risk, following an individualised case-by-case assessment of the documents. The contrary would give EU bodies the possibility of an indiscriminate use of this exception. Crucially, it is not sufficient to simply copy/paste generic justifications invoked in relation to previous requests that bear no relevance to the case at hand, which seems to have been the case here as evidenced above. In this context, may I remind you that none of the exceptions can be invoked merely on the grounds that the redacted information, if disclosed to the public, could put the agency’s reputation at risk. In light of the above, I would like to ask Frontex to reconsider its position and further disclose the identified documents within the 15-day period set down in Regulation 1049/2001. I would Frontex - European Border and Coast Guard Agency www.frontex.europa.eu | Pl. Europejski 6, 00-844 Warsaw, Poland | Tel. +48 22 205 95 00 | Fax +48 22 205 95 01

also like to remind the agency of its obligation under EU case law (case T-188/98, paragraph 46) to review each argument put forward by the applicant and address them individually." I.           Preliminary considerations Before addressing each of your arguments, I would like to point out that the correspondence disclosed to you with the letter of 27 August 2021 pertains to a recent occurrence, which took place on 9 June 2021, which is regarded as a security incident with implications on the safety and personal integrity of Frontex staff and other persons in the premises as well as general security implications of Frontex. As such, the above is reflected by the cumulative applicability of several exemptions to the majority of the non-disclosed parts of the documents, where the decision-making process protected under Article 4(3) of Regulation (EC) No 1049/2001 is closely linked to measures relating to the protection of public security within the meaning of Article 4(1)(a) first indent of Regulation (EC) No 1049/2001, and to the ongoing investigations of the incident within the meaning of Article 4(2) third indent of Regulation (EC) No 1049/2001. In this context, I also note that the subject matter of the requested documents does not pertain to an institution acting in its legislative capacity, where, in principle, wider access should be granted.    2 II.          Your point (1) security measures applicable to Frontex staff and premises and protection of public security interest Under point (1) of your confirmatory application, you claim that the disclosure of the respective passages of the documents would not pose any foreseeable risk to public security. In that regard, I note that Frontex’ reply to your initial application of 27 August 2021 provided ample information to allow you “to understand the reasons why access to the information requested was refused”.3 It must further be added that revealing detailed information on exceptional security measures aimed at the protection of Frontex personnel and premises, introduced immediately after the attack, respectively security incident, on said premises, in combination with the detailed data on the time when particular messages were sent (disclosed in the reply to your initial application), would enable perpetrators of attacks, respectively security incidents, of this or other kind to infer information from the nature, directions, scale, decision-making framework and precise timing of Frontex’ response to such incidents. Based on this information perpetrators would be put in a position to exploit possible weaknesses and improve their planning and coordination and to develop contingency measures for similar attacks, respectively security incidents. Due to the ascertainable possibility of future attacks, respectively security incidents, and the likelihood of escalations there is a reasonably foreseeable and not purely hypothetical likelihood of a harm of the security of Frontex and other staff, third parties, as well as premises and thus a threat to public security. While it is not possible to provide more detailed information without depriving this exception of its very purpose4, please be informed that in reference to “email 1” indicated by you as 2 See recital 6 of Regulation (EC) No 1049/2001). 3 Judgment of the General Court of 27 November 2019 in case T-31/18, Izuzquiza and Semsrott v European Border and Coast Guard Agency (FRONTEX), para. 110. 4 Judgment of the General Court of 7 February 2018 in case T-851/16, Access Info Europe v European Commission, para. 122. Frontex - European Border and Coast Guard Agency www.frontex.europa.eu | Pl. Europejski 6, 00-844 Warsaw, Poland | Tel. +48 22 205 95 00 | Fax +48 22 205 95 01

an example, the passages, whose non-disclosure you question with the present argument, concerned concrete actions to be taken in premises in concrete geographic locations, as well as specific instructions to the personnel within a set operational framework. Consequently, I come to the same conclusion as already expressed in our reply of 27 August 2021. III.       Your point (2) information on the means of communication used by law enforcement officials and protection of public security interest With reference to your point (2) of your confirmatory application I note that your argument is limited only to the non-disclosure of the personal email address of the Executive Director and does not concern other email addresses, access to which had to be refused. To that end, you argue that the Executive irector is not involved in the day-to-day law enforcement activities and you question that the disclosure of this email address could foreseeably and not merely hypothetically put law enforcement officials’ work in jeopardy and harm the course of future and ongoing operations, concluding that the non- disclosure of this information constituted an excessive and disproportionate application of the exemption under Article 4(1)(a) first indent of Regulation (EC) No 1049/2001. Recalling the reasons leading to the non-disclosure of the email addresses contained in the documents, including the personal email in question, as explained in Frontex reply of 27 August 2021, I point to the managing functions of the Executive Director as detailed in Article 106(4) of the European Border and Coast Guard Regulation5, The safeguarding of these functions requires undistorted and continuous multilateral communication with other internal and external stakeholders, in the course of which not only the person concerned uses his mailbox, but it serves also for the coordination of activities of other internal stakeholders. Revealing this email address would open way for abuse , in particular through cybersecurity threats capable of distorting the communications of Frontex senior management, including exchanges with direct impact on Frontex’ response to future attacks, respectively security incidents, but also operations and other aspects of its mandate and general functioning. Therefore, revealing this information would pose a foreseeable, and not merely hypothetical threat to the exchange of information within Frontex, thus undermining the protection of the public interest in public security and seriously undermine Frontex' internal decision-making processes. Frontex continuously engages with the public in various for a, including through questions@frontex.europa.eu. IV.        Your point (3) personal data I understand that your reference to “N/A” does not contest the reply of 27 August 2021 5 Regulation (EU) 2019/1896 of 13 November 2019 on the European Border and Coast Guard (OJ L 295, 14.11.2019, p. 1). Frontex - European Border and Coast Guard Agency www.frontex.europa.eu | Pl. Europejski 6, 00-844 Warsaw, Poland | Tel. +48 22 205 95 00 | Fax +48 22 205 95 01

V.         Your point (4) disclosure undermining an ongoing investigation In point (4) of your confirmatory application, you disagree with Frontex’ decision not to disclose the relevant passages of correspondence due to the protection of an investigation. Please be informed that the passages concerned, pertaining to a recent attack, respectively security incident, which took place less than three months before the decision of 27 August 2021 was taken, were forming part of an establishment of facts in order to assess the – developing – situation and to develop protective measures for staff, third persons and           assets.6   This assessment will also form the basis regarding the pursuit of legal actions taken and to be taken. The disclosure of further pieces of information within the documents would have compromised investigation as the investigators’ effective access to the facts could have been distorted in such a way as to effectively deprive them of the possibility to conduct the investigation without interference. I thus conclude that disclosure of the passages in question would have led to a foreseeable risk for the purpose of the investigation being undermined. In regard to the reference to serious incident reports in indent four of our reply of 27 August 2021, I would like to thank you for having pointed this editorial mistake, which , I herewith rectify and replace it with “redacted parts” to read: information relating to an ongoing investigation, whose disclosure at the present stage would jeopardise the ability of Frontex and Member States to evaluate and to verify, in this ongoing structured and formalized procedure, facts and information, possibly with a view to take a position. Consequently, access to the redacted parts has to be refused based on Article 4(2) third indent of Regulation (EC) No 1049/2001 as their disclosure would undermine the protection of the purpose of investigations. No overriding public interest that is objective and general in nature and not indistinguishable from individual or private interests for the release of these documents is ascertainable in the present case; VI.        Your point (5) disclosure undermining internal decision-making As regards point (5) of your confirmatory application you bring forward that: The documents evidently do not refer to any “negotiations” with stakeholders nor are they likely to contain information that could seriously undermine its decision-making process as is incumbent upon you to demonstrate. Furthermore, it is difficult to see how actions taken by Frontex in reaction to the protests can be construed to constitute “decision-making” within the meaning of the Regulation. Your reply therefore invokes the notion of “internal decision-making” too loosely. As explained on 27 August 2021 and under “Preliminary considerations”, I note that the refusal based on the internal decision-making process had to be invoked regarding the respective passages of the documents in addition to the absolute exception under Article 4(1)(a) first indent of Regulation (EC) No 1049/2001 and the ongoing investigation as per Article 4(2) third indent of Regulation (EC) No 1049/2001. These passages contain detailed information on the discussions of Frontex internally and with external stakeholders, such as local security authorities, regarding Frontex’ first reaction and long 6 Judgment of the Court of Justice of 7 September 2017 in case C-331/15 P, Schlyter v Commission, para. 47. Frontex - European Border and Coast Guard Agency www.frontex.europa.eu | Pl. Europejski 6, 00-844 Warsaw, Poland | Tel. +48 22 205 95 00 | Fax +48 22 205 95 01

term strategies to an attack, respectively security incident, as explained to you in reply to points (1) and (4) of your confirmatory application. Not least because of the proximity to the event and them containing information and strategies regarding current and future security measures and other actions, their disclosure would seriously undermine the Agency's decision-making process in this and other cases in the future as laid down in Article 4(3) of Regulation (EC) No 1049/2001 due to their direct link with the security and physical integrity of Frontex staff, third persons and premises. VII.       Overriding public interest In points (4) and (5) of your confirmatory application you argue that overriding public interest existed by bring forward that: (…) given the case at hand: the response of a public body to a protest by European citizens and organised civil society, in the broader political context of an extensive and, indeed, unprecedented public debate about the implication of Frontex in human rights violations at the EU’s external borders. There is thus an overriding public interest – that is objective and general in nature – for EU citizens to understand how Frontex responded to such a protest and how a non-violent civil society campaign is presented internally to Frontex staff, which includes a large number of EU “civil servants”. (…) At stake here is the response of a public body to an act of protest by members of the public and civil society, not decisions pertaining to the exercise of public authority within the mandate of the Agency. From this I understand that you link the overriding public interest to an abstract intention of non- defined “EU citizens to understand how Frontex responded to such a protest and how a non-violent civil society campaign is presented internally to Frontex staff (…)”. Such general reference does not however constitute such an overriding public interest.10 Nor do your general considerations regarding the “response of a public body to an act of protest by members of the public and civil society” satisfy that requirement,11the existence of which you would have to prove.12 Your points do therefore not meet the requirements of this test under Articles 4(2) third indent and 4(3) of Regulation (EC) No 1049/2001.. In consequence, I concur with the decision of 27 August 2021 in that the release of the documents would indeed seriously undermine the decision-making processes and undermine the protection of an ongoing investigations within the meaning of Articles 4(3) and 4(2) third indent of Regulation (EC) No 1049/2001 respectively. In sum, I uphold and rectify the decision of 27 August 2021 as explained above. 10 Judgment of the General Court of 11 July 2018 in case T-643/13, Rogesa v Commission, para. 107 11 Judgment of the General Court of 9 October 2018 in case T-634/17, Pint v Commission, para. 56.12 Judgment of the Court of Justice of 2 October 2014 in case C-127/13, Strack v Commission, para. 128. 12 Judgment of the Court of Justice of 2 October 2014 in case C-127/13, Strack v Commission, para. 128. Frontex - European Border and Coast Guard Agency www.frontex.europa.eu | Pl. Europejski 6, 00-844 Warsaw, Poland | Tel. +48 22 205 95 00 | Fax +48 22 205 95 01

In accordance with Article 8(1) of Regulation (EC) No 1049/2001, you are entitled to institute court proceedings and/or make a complaint to the European Ombudsman under the relevant provisions of the Treaty on the Functioning of the European Union. Frontex - European Border and Coast Guard Agency www.frontex.europa.eu | Pl. Europejski 6, 00-844 Warsaw, Poland | Tel. +48 22 205 95 00 | Fax +48 22 205 95 01