On 5 March 2024, the Grand Chamber of the Court of Justice of the European Union handed down a landmark judgment that was years in the making. The case is formally known as C 588/21 P, Public.Resource.Org and Right to Know v Commission. The Judgment of the Court is identified as ECLI:EU:C:2024:201.

As the Court notes, the cause of action emerged from an Irish organisation together with Public.Resource.Org assisting parents who wanted access to four technical safety and environmental standards for children’s toys. Notwithstanding the standards development being requested from CEN by the European Commission and imposed in its regulations, the Commission refused to make them available except by paying nearly 1,200 Euros for access to the four standards.

The Court found “...that the right of access to documents of the institutions, bodies, offices and agencies of the Union, whatever their medium, is guaranteed to any citizen of the Union, and to any natural or legal person residing or having its registered office in a Member State, by…the Charter of Fundamental Rights of the European Union (‘the Charter’). The Court also noted that “the exercise of that right is…governed by Regulation…to ensure the widest possible access to documents’ and to ‘establish rules ensuring the easiest possible exercise of [that] right’.”

The Court then held that there was “...an overriding public interest [in document disclosure] arising from the principles of the rule of law, transparency, openness and good governance, and justifying the disclosure of the requested harmonised standards, since those standards form part of EU law owing to their legal effects.” The court also ordered the Commission pay all the appellant litigation costs.

The Court’s process included additional findings and exhaustive analysis in an Opinion of the Court’s Advocate General Medina on multiple relevant European rights issues which independently exist as legal norms.

Commentary

Although the Court’s judgement was necessarily directed at the European Commission, the losing party was the Belgium-based, private joint legacy standards body known as CEN/CENELEC that “brings together National Standardization Bodies of 34 European countries” that participate in ISO and IEC. It has enjoyed a de facto monopoly to repackage ISO/IEC standards as European normative standards and sell them for enormous prices. The practices have been abusive in the cybersecurity sector.

CEN/CENELEC attempted to spin the loss of appeal by noting the Court did not address the Medina copyright finding—which is that copyright does not exist for the standards because they lack originality and were largely produced by public resources.

However, the Medina finding still exists as a norm and is bolstered by other notable judicial decisions in the U.S.

Some important points are being lost in the subsequent focus on adverse revenue stream consequences for a couple of legacy ICT standards bodies pursuing untenable business practices. The result here is an extraordinary affirmation of European human rights and values for citizens by its highest human rights body and Advocate General.

It is worth noting that the initiative here emerged in 1991 when the principal advocate—Carl Malamud—came to the ITU to propose “Project Bruno” to convert all ITU standards into commonly used formats and make them available worldwide in three weeks for zero cost. (The project was named after the Dominican friar Giordano Bruno, who was burned at the stake by the Inquisition for making available information about the cosmos.) Secretary-General Tarjanne agreed to Malamud’s proposal and the work accomplished as promised. Malamud went across the street (at the time) to the ISO Director General’s office with the same offer. It was refused. The next year the matter was raised at ETSI with Director-General Rosenbrock. He also agreed, undertook the work by the Secretariat and subsequently applied it to 3GPP. Several years after that, the ITU accomplished the same, and the ITU’s 193 Nation State Members supported the practice in its basic instruments.

Essentially, none of the scores of new industry standards bodies established over the past 30 years place standards behind paywalls. Legacy organizations had decades to adapt. There are many reasons for this shift that go beyond the human right of access that was the basis for the decision.

• First – as noted by Medina and the U.S. appellate courts—a private institution that takes the specification IPR of participating contributors intended for widespread public use and then asserts its own IPR and availability controls for the purposes of generating its own funding revenue—is juridically repugnant. The behaviour is considered especially egregious when that IPR is then asserted as normative through regulatory instruments.
• Second – the institutional behaviour begets closed, non-transparent standards processes that impede collaboration, scrutiny of the work and necessary regular revisions.
• Third – the institutional behaviour is inherently anti-competitive and induces further anticompetitive behaviour among standards distributors.
• Fourth – the practices significantly impede participation and market entry by SMEs, micro enterprises, and individuals.
• Fifth – as recently noted within the IETF—the inability for open scrutiny of the standards introduces potentially significant vulnerabilities. It is not apparent that CEN/CLC/ISO/IEC themselves even have vulnerability disclosure policies.

Also worth noting is a profound standards-making paradigm change that has occurred over the past several decades. It is relatively easy and highly cost-effective today for specialised industry sector product vendors to “roll their own” technical standards body. Cobbling together cloud-based “standards-as-a-service” capabilities and engaging in low-cost collaboration methods have now become widespread and expanding by the month. Legacy standards bodies that fail to emulate that paradigm will themselves ultimately fail.

The European judicial findings and judgment here are landmark affirmations of basic human rights and law, as well as legislative transparency and good governance. They also bring significant benefits to ordinary citizens and the entire cybersecurity sector.