Made in accordance with Article 3(6) of the Statute of the European Ombudsman^[1]

Background to the complaint

1. On 15 March 2018, the complainant requested the European Commission public access to “[a] copy of the inbox and outbox correspondence of [X^[2]] related to Article 13 of the Copyright in the Digital Single Market Directive” in accordance with the EU rules on public access to documents.^[3]

2. The Commission denied access to the requested emails on 2 May 2018, based on the protection of privacy.^[4]

3. On 3 May 2018, the complainant filed a request for review, a so-called ‘confirmatory application’, asking the Commission to reconsider its position.

4. On 6 June 2018, the Commission confirmed its refusal to grant public access to the requested documents. The Commission explained that e-mails originating from, or sent to, a specifically identified individual constitute ‘personal data’ within the meaning of the then applicable EU legislation regarding the protection of personal data.^[5] Consequently, according to the Commission, it would have been necessary, in order to handle the complainant's request, to carry out an act of processing of the official’s personal data. Since only in exceptional circumstances the Commission might access e-mails held in the work e-mail accounts of its staff, it argued it was not in a position to do so in this case. Even if the e-mails were retrieved and identified, the Commission contended it would be unable to transfer the personal data since the recipient failed to establish a necessity for such a transfer.^[6]

5. Dissatisfied with the Commission’s decision, the complainant turned to the Ombudsman on 7 June 2018. The Ombudsman inquired into the Commission’s refusal to grant access to the requested e-mails. She assessed the information and arguments provided by the complainant and by the Commission.

The Ombudsman's proposal for a solution

The Ombudsman’s solution proposal

6. Based on her inquiry, the Ombudsman presented the Commission with a proposal for a solution to the complaint.

7. The Ombudsman took the view that e-mails sent or received by an official which relate to policies, activities or decisions of the EU, and which have not been permanently deleted from the work e-mail account of the official when the request for public access is received by the Commission, are ‘documents’ ‘in the possession of the Commission’. They are therefore subject to the EU rules on public access to documents. The Ombudsman specified that the access rules only applied to work related emails, and that emails of a personal nature were therefore excluded from the scope of the EU public access rules.

8. The Ombudsman disagreed with the Commission that identifying the requested documents constituted an act of “processing personal data”. Even if it were considered to be such an act, the Ombudsman contended that it was necessary for the Commission to comply with its legal obligations.

9. The Ombudsman argued it was within the Commission’s power to retrieve the work-related emails from the e-mail account of the official whilst fully respecting the personal data and the private life of the individual. The Ombudsman considered that the Commission could ask or, if necessary, require the official to retrieve the relevant e-mails from his own e-mail account, since this would certainly not require the Commission to process personal data of the official.

10. In addition, if the requested e-mails were already registered in the document management system of the Commission, they could be retrieved without searching the official’s e-mail account.

11. Based on the above findings, the Ombudsman proposed that “the Commission should order the official concerned to identify and retrieve any relevant document that is still stored in the staff member e-mail account. The Commission should also search its document register for relevant documents”. In addition, the Ombudsman proposed that “after it has identified the documents, the Commission should assess whether or not to disclose them in accordance with the provision set forth by the EU rules on public access to documents”.

The Commission’s reply to the Ombudsman’s proposal

12. The Commission rejected the Ombudsman’s proposal for a solution.

13. The Commission agreed with the Ombudsman that it can make public emails of its officials in the context of their work. However, such identification and publication could not deprive staff members of the right to protection of their personal data under the EU rules on public access to documents^[7].

14. The Commission considered the Ombudsman’s proposal “to order the official to identify and retrieve any relevant document [...]” to aim at asking the official concerned whether he would retain e-mails relating to the request. In the present case, information about the existence of correspondence with the identified data subject constitutes information about the specific professional activities of that data subject. In this regard, the Commission argued that the notion of ‘private life’ cannot be taken to mean that the professional or commercial activities of either natural or legal persons are excluded.^[8]

15. Consequently, the Commission considered the information about the existence of correspondence to constitute personal data of that data subject. Due to the specific scope of the present request for access to documents, the Commission stated that both the list and the content of the emails constituted personal data. The Commission argued this applied to both unregistered emails and emails registered in its corporate management system. In addition, it did not deem it possible to prepare an anonymised version of the list.

16. Against that background, and since the complainant failed to establish the necessity of having the data transferred^[9], the Commission stated it was not in a position to transfer, through public disclosure, the list of incoming and outgoing correspondence. For the same reasons, since the request was for access to documents was expressed in terms referring to a named data subject, the Commission found that a specific and individual examination of each document requested could only lead to a refusal on the basis of EU legislation regarding the protection of personal data.

The Ombudsman's assessment after the proposal for a solution

17. The Ombudsman is disappointed that the Commission did not accept her proposal for a solution.

18. It is clear that if an institution were to access a staff member’s email inbox for the purpose of identifying and retrieving emails, this access, identification and retrieval would constitute the processing of personal data by the institution. The institution would have to comply with the requirements of the data protection regulation when carrying out such processing of personal data.

19. However, if an institution were to ask a staff member to identify and retrieve work-related emails located in his or her own email inbox, the actions needed to identify and retrieve these emails, by the data subject, cannot be considered acts of ‘processing personal data’ within the meaning of the data protection regulation. Simply stated, a person cannot infringe his or her own data protection rights by processing his or her own personal data.

20. Whether the emails thus retrieved could be made public would then depend on an analysis of the content of the emails at issue. Were the emails to contain any personal data, such as the names of individuals, it could be redacted before access was granted, if that content were the only obstacle to disclosure.

21. It is not possible for the Ombudsman to speculate as to whether or not relevant emails existed in the in-box of the official concerned. It is also not possible for the Ombudsman to speculate as to whether or not any such emails could, taking into account their specific content, be released. This impossibility results from the Commission’s failure to ask the official to check his or her inbox, despite the fact that such a request could not constitute an act of processing of personal data by the Commission.

22. In light of the above, the Ombudsman finds that the Commission’s refusal to ask the official to identify and retrieve the relevant work-related e-mails from his or her inbox, so as to allow the Commission to assess their potential disclosure, to be maladministration.

23. The Ombudsman deems the Commission’s approach in this case to set a dangerous precedent for future access to documents requests. If this approach were to be followed in other cases, all e-mails sent or received by officials in relation to policies, activities or decisions of the EU would, unless they are transferred to permanent non-personal Commission databases, be exempted from access to documents requests, based on a spurious argument that identifying and retrieving those documents would constitute a breach of the data protection rules.

24. Given that the access request dates from March 2018, it is now very likely that any non-registered e-mails in the inbox of the official concerned have now been deleted^[10]. In these circumstances, the Ombudsman finds that further inquiries into the complaint would not serve any useful purpose and closes the case with the following conclusion.

Conclusion

Based on the inquiry, the Ombudsman closes this case with the following conclusion:

The Commission’s failure to ask an official to identify and retrieve e-mails in the official’s work email in-box, so as to allow the Commission to assess whether the emails could be disclosed in response to a request for public access to document, is maladministration.

The complainant and the European Commission will be informed of this decision.

 

Emily O'Reilly

European Ombudsman

Strasbourg, 29/04/2020

 

[1] Decision of the European Parliament of 9 March 1994 on the regulations and general conditions governing the performance of the Ombudsman's duties (94/262/ECSC, EC, Euratom): https://eur-lex.europa.eu/legal-content/GA/TXT/?uri=CELEX:31994D0262.

[2] A named Commission official not occupying any senior management position.

[3] Regulation 1049/2001 regarding public access to European Parliament, Council and Commission documents, available at: https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=celex%3A32001R1049.

[4] In accordance with Article 4(1)(b) of Regulation 1049/2001, “[...] The institutions shall refuse access to a document where disclosure would undermine the protection of:[...] privacy and the integrity of the individual, in particular in accordance with Community legislation regarding the protection of personal data”.

[5] Regulation 45/2001 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data, available at: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32001R0045.

[6] In accordance with Article 8(b) of Regulation 45/2001, “[...] personal data shall only be transferred to recipients [...] if the recipient establishes the necessity of having the data transferred and if there is no reason to assume that the data subject's legitimate interests might be prejudiced”.

[7] Regulation 1049/2001.

[8] Judgment of the Court of Justice of 14 February 2008, Varec v Commission, C-450/06, paragraph 48.

[9] As required under Regulation 45/2001.

[10] In line with the Commission’s Secretary-General’s note on rules governing document management and access to documents of 16 January 2015, unregistered emails are automatically deleted from staff member’s e-mail accounts after six months.