A Landmark Standards Human Rights Judgment

On 5 March 2024, the Grand Chamber of the Court of Justice of the European Union handed down a landmark judgment that was years in the making. The case is formally known as C-588/21 P, Public.Resource.Org and Right to Know v Commission. The Judgment of the Court is identified as ECLI:EU:C:2024:201.

As the Court notes, the cause of action emerged from an Irish organisation together with Public.Resource.Org assisting parents who wanted access to four technical safety and environmental standards for children’s toys. Notwithstanding the standards development being requested from CEN by the European Commission and imposed in its regulations, the Commission refused to make them available except by paying nearly 1,200 Euros for access to the four standards.

The Court found “...that the right of access to documents of the institutions, bodies, offices and agencies of the Union, whatever their medium, is guaranteed to any citizen of the Union, and to any natural or legal person residing or having its registered office in a Member State, by…the Charter of Fundamental Rights of the European Union (‘the Charter’).” The Court also noted that “the exercise of that right is…governed by Regulation…‘to ensure the widest possible access to documents’ and to ‘establish rules ensuring the easiest possible exercise of [that] right’.”

The Court then held that there was “...an overriding public interest [in document disclosure] arising from the principles of the rule of law, transparency, openness and good governance, and justifying the disclosure of the requested harmonised standards, since those standards form part of EU law owing to their legal effects.” The Court also ordered the Commission to pay all of the appellants’ litigation costs.

The Court’s process included additional findings and exhaustive analysis in an Opinion of the Court’s Advocate General Medina on multiple relevant European rights issues which independently exist as legal norms.


Although the Court’s judgment was necessarily directed at the European Commission, the losing party was CEN/CENELEC, the Belgium-based, private joint legacy standards body that “brings together National Standardization Bodies of 34 European countries” that participate in ISO and IEC. It has enjoyed a de facto monopoly to repackage ISO/IEC standards as European normative standards and sell them for enormous prices. The practices have been abusive in the cybersecurity sector.

CEN/CENELEC attempted to spin the loss of appeal by noting the Court did not address the Medina copyright finding—which is that copyright does not exist for the standards because they lack originality and were largely produced by public resources.

However, the Medina finding still exists as a norm and is bolstered by other notable judicial decisions in the U.S.

Some important points are being lost in the subsequent focus on adverse revenue stream consequences for a couple of legacy ICT standards bodies pursuing untenable business practices. The result here is an extraordinary affirmation of European human rights and values for citizens by its highest human rights body and Advocate General.

It is worth noting that the initiative here emerged in 1991 when the principal advocate—Carl Malamud—came to the ITU to propose “Project Bruno” to convert all ITU standards into commonly used formats and make them available worldwide in three weeks for zero cost. (The project was named after the Dominican friar Giordano Bruno, who was burned at the stake by the Inquisition for making available information about the cosmos.) Secretary-General Tarjanne agreed to Malamud’s proposal and the work was accomplished as promised. Malamud went across the street (at the time) to the ISO Director General’s office with the same offer. It was refused. The next year the matter was raised at ETSI with Director-General Rosenbrock. He also agreed, had the Secretariat undertake the work and subsequently applied it to 3GPP. Several years after that, the ITU accomplished the same, and the ITU’s 193 Nation State Members supported the practice in its basic instruments.

Essentially, none of the scores of new industry standards bodies established over the past 30 years place standards behind paywalls. Legacy organizations had decades to adapt. There are many reasons for this shift that go beyond the human right of access that was the basis for the decision.

  • First – as noted by Medina and the U.S. appellate courts, a private institution that takes the specification IPR of participating contributors intended for widespread public use and then asserts its own IPR and availability controls for the purposes of generating its own funding revenue is juridically repugnant. The behaviour is considered especially egregious when that IPR is then asserted as normative through regulatory instruments.
  • Second – the institutional behaviour begets closed, non-transparent standards processes that impede collaboration, scrutiny of the work and necessary regular revisions.
  • Third – the institutional behaviour is inherently anti-competitive and induces further anticompetitive behaviour among standards distributors.
  • Fourth – the practices significantly impede participation and market entry by SMEs, micro enterprises, and individuals.
  • Fifth – as recently noted within the IETF, the inability to openly scrutinise the standards introduces potentially significant vulnerabilities. It is not apparent that CEN/CLC/ISO/IEC themselves even have vulnerability disclosure policies.

Also worth noting is a profound standards-making paradigm change that has occurred over the past several decades. It is relatively easy and highly cost-effective today for specialised industry sector product vendors to “roll their own” technical standards body. Cobbling together cloud-based “standards-as-a-service” capabilities and engaging in low-cost collaboration methods have now become widespread and are expanding by the month. Legacy standards bodies that fail to emulate that paradigm will themselves ultimately fail.

The European judicial findings and judgment here are landmark affirmations of basic human rights and law, as well as legislative transparency and good governance. They also bring significant benefits to ordinary citizens and the entire cybersecurity sector.

By Anthony Rutkowski, Principal, Netmagic Associates LLC

The author is a leader in many international cybersecurity bodies developing global standards and legal norms over many years.
