All documents, including but not limited to memos, internal guidance or policy documents, notes, internal emails emails or texts, or other documents, related to or dealing with or referencing the recording of, archiving process for, revision of or access to the digital text messages (WhatsApp via any other text or chat application, or SMS) between Frontex staff or units involved in Frontex missions from Member States and the Libyan Coast Guard. The time limit of your confirmatory application has been extended by 15 working days on 1 December 2021.1 I note your arguments in your confirmatory application I am writing to make a confirmatory application of PAD-2021-00286. I believe that Frontex PAD has over-redacted the document you've sent me in response to this request, far and beyond the exemptions contemplated by Regulation 1049/2001. In this response, you've redacted information for five reasons: personal data, sensitive operational information, technical equipment, human resources and reporting tools. First, I'd like to note that you've cited ¨Personal Data¨ as an exemption in the supplied document, but you did not include a justification for the use of that exemption in your table of justifications. It is well-established by the general court that the exceptions set out in Regulation 1049/2001 “must be interpreted and applied strictly” (Case C-60/15 P, para. 63). The "mere fact that a document concerns an interest protected by an exception is not of itself sufficient to justify application of that exception" and "the risk of the protected interest being undermined must be reasonably foreseeable and not purely hypothetical" (Case T-471/08, para 29). Furthermore, “the institution to which the request is addressed must also provide explanations as to how access to that document could specifically and actually undermine the interest protected by the exception or exceptions relied on" (Case T‑210/15, para. 27). 1 In accordance with Article 8(2) of Regulation (EC) No 1049/2001 of 30 May 2001 regarding public access to European Parliament, Council and Commission documents (OJ L 145, 31.5.2001, p. 43). Frontex - European Border and Coast Guard Agency www.frontex.europa.eu | Pl. Europejski 6, 00-844 Warsaw, Poland | Tel. +48 22 205 95 00 | Fax +48 22 205 95 01

Regarding this redaction of personal data, you have not demonstrated any specific reason for redacting this personal data, nor how it “could specifically and actually undermine" the protected interest. It is thus impossible to determine whether those exceptions have been interpreted and applied strictly, as is required. For the sake of this point, I'd like to note that we're talking about a situation where Frontex employees, ranging from your own PAD office all the way up to the agency's Executive Director, have been credibly accused of working to hide information about communications between Frontex and the Libyan Coast Guard. Given that, and the fact that this request is coming from a journalist working on an investigation about precisely this, I believe that it is imperative that you afford these documents the widest transparency possible. Second, I believe your office has grossly stretched the security exemption under Article 4(1)(a) first indent of Regulation 1049/2001 as relates ¨Reporting tools and methods used by law enforcement officials.¨ You've argued that the release of this information would ¨jeopardize the implementation of ongoing and future operations, and thus facilitate irregular migration and trafficking in human beings as the effectiveness of law enforcement measures would be significantly reduced.¨ This connection is a stretch. Let us remember that we're talking about internal emails, related not to border protection, but to the archival process for how border protection-adjacent text messages. It is absolutely impossible that the release of this information would ¨facilitate irregular migration.¨ I believe you're using this security exemption to prevent release of information, not because of a potential security risk, but because of its potential to make Frontex look bad. Alas, there's no exemption in Regulation 1049/2001 for Public Relations. You've also stated in the justification table that you're refusing access to information in these documents, citing ¨sensitive operational information.¨ While you haven't actually cited this exemption in the document you attached - I'm guessing it was a copy/paste error - I would like to address your argument in the justification table: You seek to deny access to what you're calling ¨sensitive operational information¨ based on a blanket security exemption from Article 4(1)(a) first indent and Article 4(3) related to internal decision making processes. Regarding the former, Frontex doesn't actually address how this information would represent a security issue aside from stating that it would. As established in earlier parts of this confirmatory application, your office must state specific reasons for which this information falls under an exception. I have a hard time trying to understand how an internal email as relates to archival processes could ¨hamper the effectiveness of Frontex operations,¨ as you've stated. Again, this seems like an argument more related to Frontex's PR concerns than anything related to security. Regarding the Article 4(3) exception, you note that these documents are used for the development of risk analysis, and ¨thus constitute a specific form of internal decision-making processes,¨ and that the documents’ release would ¨seriously undermine Frontex internal decision-making processes.¨ This logic is farcical: By definition, any information that Frontex deals can be used in a risk analysis. Thus trying to argue that any information used in a risk analysis constitutes a decisions making process and is therefore exempt under Article 4(3) would include literally every piece of information that Frontex touches and thus render Regulation 1049/2001 inoperable. This is clearly not the case. Beyond that, with in regards to your use of the Article 4(3) exemption, the same logic must be applied as the first section of this confirmatory application: Frontex has failed to argue why or how the disputed details are relevant to the agency’s risk analyses, just that they form part of the creation of risk analyses. Furthermore, it must be stated that Frontex has surpassed the limits of the application of Article 4(3) of Regulation 1049/2001 in this case for another reason: The Regulation establishes that access to a document can be refused on the basis of this article when it Frontex - European Border and Coast Guard Agency www.frontex.europa.eu | Pl. Europejski 6, 00-844 Warsaw, Poland | Tel. +48 22 205 95 00 | Fax +48 22 205 95 01

“relates to a matter where the decision has not been taken by the institution,” or if the document “contain[s] opinions for internal use as part of deliberations and preliminary consultations within the institution”. Frontex’s risk analyses do not fall under either of these definitions. On one hand, Frontex’s risk analyses are not ¨decisions¨ taken, or to be taken, and therefore the details in dispute cannot be considered as “related to a matter where the decision has not yet been taken”. The very process of risk analysis as understood by Frontex is rather an ongoing study and/or evaluation of the situation at the EU’s borders; a process that culminates in conclusions and observations that may inform later decisions, but not on actual decisions themselves. The fact that an analysis could eventually contribute to a potential decision does not make the analysis a decision-making process per se within the framework of Regulation 1049/2001. On the other hand, the details in dispute are facts or (at the very most) factual descriptions of events, which certainly do not constitute “opinions for internal use”. Therefore the document in dispute and its contents do not fall under the definition of “decision-making process” as provided in Article 4(3) of Regulation 1049/2001, and cannot be refused on the basis of this article. Lastly, your response fails to provide any real consideration of the prospect of an overriding public interest, as contemplated throughout Article 4 of Regulation 1049/2001. You do state at one point that:¨ As no overriding public interest that is objective and general in nature and not indistinguishable from individual or private interests for the release of this information is ascertainable in the present case, the documents cannot be released based on Article 4(3) of Regulation (EC) No 1049/2001.¨ But I believe that this consideration was not done in earnest and ignores the facts of the case at hand: As I’ve stated to your office multiple times, I am a professional journalist actively involved in newsgathering. I am currently working on an investigation as relates to the contents of this request, parts of which will be published in the public sphere. There is a need for the widest possible public scrutiny, debate and understanding regarding the issues concerning this request, particularly when considering they involve documents that specifically contradict public statements by Frontex employees, including the agency’s Executive Director. Lastly, regarding your use of Article 4(1)(a) first indent to exempt you from disclosure of information related to technical equipment and human resources: you've stated in both cases that disclosure of this information ¨would be tantamount to disclosing the weaknesses and strengths of Frontex operations and pose a risk to their effectiveness. As a result, the course of ongoing and future similar operations would be hampered, ultimately defeating their purpose to counter and prevent cross-border crime and unauthorized border crossings.¨ I'd like to address the flaw in this logic directly: here you're essentially saying that the public can't know specific details of Frontex's work because that transparency would harm Frontex's effectiveness. This cynical view of public transparency contradicts the values put forth in the European treaties, generally, and specifically in Regulation 1049/2001. I am concerned that your office has actively worked to obstruct and circumvent the public scrutiny of Frontex that is mandated by European regulations, and has made decisions as relates to what information you do or do not make public based not on an honest assessment of European regulations but, rather, Frontex's anxieties about public scrutiny and its public image. Preliminary Considerations Before addressing your arguments, please note that the justification table attached to our reply of 5 November 2021 is more comprehensive than those Frontex was obliged to apply in its individual assessment of the document, and which are clearly marked for the redactions implemented. These Frontex - European Border and Coast Guard Agency www.frontex.europa.eu | Pl. Europejski 6, 00-844 Warsaw, Poland | Tel. +48 22 205 95 00 | Fax +48 22 205 95 01

redactions read: “Text Removed – Reporting Tools”, “Text Removed – Personal Data” and “Text Removed – Human Resources”. Frontex review is therefore limited to these elements. Personal Data As regards your argument concerning the redaction of personal data, which we have also explained in the context of other applications, please note that the need for this was based on Article 4(1)(b) of Regulation (EC) No 1049/2001, read together with Article 4(6) of that Regulation. More specifically, Frontex is required to reconcile the application of Regulation (EC) No 1049/2001 and of Regulation (EU) 2018/17252, as stated also in Article 9(3) of Regulation (EU) 2018/1725. Article 1(1) of Regulation (EU) 2018/1725 states that the Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data by the Union institutions and bodies. According to Regulation (EU) 2018/1725, transmissions of personal data to recipients other than Union institutions and bodies is subject to specific conditions. Regulation (EU) 2018/1725 does not differentiate between the protection of personal data of European Union staff members or other persons and the release of these pieces of information would therefore prejudice the legitimate interests of the data subjects according to Article 9(1)(b) of Regulation (EU) 2018/1725. Frontex as the controller3 has the obligation, if there is a reason to assume that the data subject’s legitimate interests might be prejudiced, to establish whether it is proportionate to transmit the personal data for that specific purpose after having demonstrably weighed the various competing interests. In any case, based on Article 9(1)(b) of Regulation (EU) 2018/1725, it is for the applicant to establish that it is necessary to have the data transmitted for a specific purpose in the public interest. More concretely, it would fall on you to establish that the transfer of personal data is necessary for a specific purpose in the public interest within the meaning of Article 9(1)(b) of Regulation (EU) 2018/1725. For this, you must establish that the transfer of personal data is the most appropriate measure among other possible measures for obtaining your objective and that the transfer is proportionate for achieving this objective – i.e., you would have to provide express and legitimate reasons to that effect.4 You stated in this regard For the sake of this point, I'd like to note that we're talking about a situation where Frontex employees, ranging from your own PAD office all the way up to the agency's Executive Director, have been credibly accused of working to hide information about communications 2 Regulation (EU) 2018/1725 of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39). 3 Pursuant to Article 3 of Regulation (EU) 2018/1725, ‘controller’ means the Union institution or body or the directorate-general or any other organisational entity which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by a specific Union act, the controller or the specific criteria for its nomination can be provided for by Union law. 4 Judgment of 15 July 2015 in case T-115/13, Dennekamp v European Parliament, para 59. Frontex - European Border and Coast Guard Agency www.frontex.europa.eu | Pl. Europejski 6, 00-844 Warsaw, Poland | Tel. +48 22 205 95 00 | Fax +48 22 205 95 01

between Frontex and the Libyan Coast Guard. Given that, and the fact that this request is coming from a journalist working on an investigation about precisely this, I believe that it is imperative that you afford these documents the widest transparency possible This reference to an abstract and personal interest is not sufficient in terms of your requirement to state a specific purpose in the public interest within the meaning of Article 9(1)(b) of Regulation (EU) 2018/1725. As therefore you could not establish the pre-requisite of necessity under this Article, no analysis regarding the proportionality is required. Emphasizing again that the personal data contained in the document pertains to individuals, I conclude that releasing the personal data contained in these documents to you would prejudice their legitimate interests within the meaning of Regulation (EU) 2018/1725. In consequence, I uphold the decision of 5 November 2021 based on which Frontex had to bar access to personal data contained in the document as required by Article 4(1)(b) of Regulation (EC) No 1049/2001. As part of my reconsideration, I have reappraised the applicability of this justification in regard to several elements contained in the document as stated in the decision of 5 November 2021. Reporting Tools and Human Resources As part of my reconsideration, I have overturned several elements contained in the document regarding the decision of 5 November 2021 pertaining to reporting tools and human resources. For those elements in which Frontex is obliged to retain these justifications, please note that Frontex, when considering a refusal to grant access to elements of a document whose disclosure would undermine the protection of the public interest as regards public security as laid down in Article 4(1)(a) first indent of Regulation (EC) No 1049/2001, enjoys a wide discretion for the purpose of determining5 whether such disclosure to the public would undermine the interests protected by that provision. In the reply of 5 November 2021, Frontex provided ample information to allow you “to understand the reasons why access to the information requested”6 regarding these elements and why the information contained was refused. I would thus like emphasise that if the pieces of information contained therein were to fall into the hands of the criminal gangs involved in migrant smuggling and trafficking of human beings, they would be able to obtain an insight into human resources exercising operational functions and – in regard to “Text Removed – Reporting Tools” - tools and methods applied by law enforcement officials in ongoing and future operations in regard to reporting and conveying operational information – this includes the security of Frontex IT infrastructure. These pieces of information by themselves - but especially in combination with other sources - would allow such gangs to adapt their modus operandi accordingly in 5 Judgment of 27 November 2019 in case T-31/18, Izuzquiza and Semsrott v European Border and Coast Guard Agency (FRONTEX), para 65. 6 Judgment of 27 November 2019 in case T-31/18, Izuzquiza and Semsrott v European Border and Coast Guard Agency (FRONTEX), para. 110. Frontex - European Border and Coast Guard Agency www.frontex.europa.eu | Pl. Europejski 6, 00-844 Warsaw, Poland | Tel. +48 22 205 95 00 | Fax +48 22 205 95 01

order to circumvent border surveillance in current and future operations or to inflict harm on officials and assets.7 While further information cannot be provided without jeopardizing that the interests, which the exceptions are specifically designed to protect, are undermined by de facto revealing the contents of the documents “and thereby depriving the exception of its very purpose”8, the reasons provided on 5 November 2021 and further elaborated in here in regard to these interests clearly show that there is a foreseeable, and not merely hypothetical, risk to public security in regard to them. It is these considerations that oblige invoking these exceptions in regard to Article 4(1)(a) first indent of Regulation (EC) No 1049/2001 within the wide discretion accorded to Frontex for the application of that 9 exception. International Relations The non-disclosed text contains information on third countries, the disclosure of which would undermine the trust placed in Frontex by these and other countries. Once the relationship between Frontex and those third countries is impaired, it is foreseeable that these countries will refrain from cooperating with Frontex, respectively that a form of engagement of Frontex with these countries will no longer be possible. Consequently, access to this text has to be refused as its disclosure would result in jeopardizing the ongoing and future international cooperation, respectively engagement, and thus undermine the protection of the public interest as regards international relations as stipulated in Article 4(1)(a) third indent of Regulation (EC) No 1049/2001. It is in this case not possible to provide further information concerning the reasons for non-disclosure without revealing their contents and thereby depriving this exception under Article 4 of Regulation (EC) No 1049/2001 of its very purpose. Conclusion Consequently, the Decision of 5 November 2021 is amended as explained in this letter and reflected in the attached document CA-PAD-2021-00310-document . 7 Judgment of 27 November 2019 in case T-31/18, Izuzquiza and Semsrott v European Border and Coast Guard Agency (FRONTEX), para 73. 8 Judgment of 26 April 2005 in case T-110/03, Sison v Council, para. 84 9 Judgment of the General Court of 27 November 2019 in case T-31/18, Izuzquiza and Semsrott v European Border and Coast Guard Agency (FRONTEX), para 74. Frontex - European Border and Coast Guard Agency www.frontex.europa.eu | Pl. Europejski 6, 00-844 Warsaw, Poland | Tel. +48 22 205 95 00 | Fax +48 22 205 95 01

In accordance with Article 8(1) of Regulation (EC) No 1049/200110, you are entitled to institute court proceedings and/or make a complaint to the European Ombudsman under the relevant provisions of the Treaty on the Functioning of the European Union. 10 Regulation (EC) No 1049/2001 of 30 May 2001 regarding public access to European Parliament, Council and Commission documents (OJ L 145, 31.5.2001, p. 43). Frontex - European Border and Coast Guard Agency www.frontex.europa.eu | Pl. Europejski 6, 00-844 Warsaw, Poland | Tel. +48 22 205 95 00 | Fax +48 22 205 95 01