Decision in cases 320/2021/DDJ and 599/2021/DDJ on the refusal by the EU Agency for Law Enforcement Cooperation (Europol) to grant public access to documents related to its interactions with two companies providing a data analysis platform
The cases concerned two requests for public access to documents detailing Europol’s contractual relations and communications with two companies providing a data analysis platform for the Agency. Europol refused public access, in part or in full, to most of the documents identified in the first request, arguing mainly that disclosure would undermine the protection of the public interest as regards public security. Europol refused public access to all the documents identified in the second request in order to protect public security and its internal decision-making process.
On the basis of an inspection of the requested documents, the Ombudsman considered that most of the information they contained would, if disclosed, be likely to undermine the protection of the public interest as regards public security. The Ombudsman did not consider that there were grounds to continue her inquiry as regards the very limited information that was not covered by that exception.
While the Ombudsman identified a number of shortcomings in how Europol had dealt with the matter, overall she concluded that there was no maladministration by Europol in refusing public access to the documents at issue.
Background to the complaint
1. In 2012, Europol concluded a contract with a private consultancy concerning the development of a data analysis platform. In recent years, concerns have been raised about this platform, including as regards the processing of personal data.
2. In October and December 2020, the complainant – a researcher – submitted two requests for public access to documents to Europol relating to Europol’s contractual relations and communication with two consultancy companies involved in the development of the data analysis platform. In the second request, the complainant also requested access to documents relating to communication with Europol’s Management Board on this topic and to a number of operational plans.
3. In respect of the first request, Europol identified 63 documents as falling within the scope of the complainant’s request. It granted public access to parts of eleven documents and to two documents in their entirety. Europol refused access to the other documents. As regards the second request, Europol identified seven documents, all of which it refused access to.
4. The complainant asked Europol to review these decisions (by submitting ‘confirmatory applications’) in December 2020 and February 2021, raising several points of disagreement with Europol’s initial decisions.
5. In January and March 2021, Europol confirmed its initial decisions regarding both requests.
6. As he disagreed with Europol’s decisions, the complainant turned to the Ombudsman.
7. The Ombudsman opened an inquiry into Europol’s refusal to grant public access to the documents identified in the complainant’s requests.
8. In the course of the inquiry, the Ombudsman’s inquiry team examined the requested documents in view of the reasons provided by Europol for not disclosing them.
Arguments presented to the Ombudsman
Arguments presented by Europol
9. Regarding the first access to documents request made by the complainant, Europol invoked the exceptions for the protection of the public interest as regards public security, and the protection of the privacy and the integrity of the individual.
10. Concerning the documents to which only partial public access had been granted, Europol explained that it had redacted personal data as well as information on the technical details of Europol’s system and operating procedures. The release of such sensitive information, in the latter category, would have a negative impact on the internal work processes at Europol, Europol’s cyber resilience and related responses. It would also negatively affect the trust and cooperation between Europol and its partners, which is essential to Europol’s activities, and which therefore would prevent Europol from fulfilling its tasks.
11. Regarding the documents to which it denied public access in their entirety, Europol explained that these consisted of contractual documents, as well as correspondence, minutes of meetings, and reports. According to Europol, both these sets of documents contain information on technical details of Europol’s system(s) and its functionalities. The contractual documents identified also contain information on the specifications and requirements of Europol’s system and of Europol environments, operating procedures, business processes and workflows. The release of such sensitive information to the public would undermine the trust between Europol and its partners, which is essential to Europol’s activities, and which therefore would prevent Europol from fulfilling its tasks.
12. As regards the second request, Europol invoked the exceptions for the protection of the public interest as regards public security, protection of the privacy and the integrity of the individual, and protection of its decision-making process.
13. Europol refused access to three documents, relating to minutes of Management Board meetings and correspondence between Europol’s directorate and the Management Board, as they pertain to sensitive matters in relation to Europol’s systems, the release of which could hinder Europol’s ability to perform its tasks effectively.
14. In the case of one document, relating to correspondence between Europol’s directorate and the Management Board, Europol refused public access because its disclosure would reveal opinions for internal use as part of deliberations and preliminary consultations within Europol, thereby in turn undermining Europol’s decision-making process.
15. Regarding the last three documents identified, Europol indicated that they contain operational information, the release of which could affect the effectiveness of present and future operational activities of EU member states in their fight against serious crime. In addition, their disclosure would jeopardise the trust and cooperation between Europol and its partners, essential to Europol’s activities, thereby potentially hindering Europol’s ability to execute its tasks effectively.
Arguments presented by the complainant
16. The complainant argued that Europol applied the exceptions to the right of public access to documents – in so far as they were based on Articles 4(1) and 4(3) of the applicable rules – excessively restrictively, thereby acting against EU transparency standards and contrary to case law of the EU courts.
17. Due to the broad manner in which Europol seemed to have used justifications for non-disclosure, the complainant said that Europol did not base its refusal on 1) the foreseeable and more than purely hypothetical harm to one of the protected interests, and 2) a case by case analysis of the potential harm of disclosure. The complainant further argued that Europol failed to demonstrate how disclosure of the documents identified would actually undermine the proper fulfilment of its tasks.
18. The complainant argued that Europol failed to consider whether partial access could be granted. Europol further failed to consider that exceptions to the right to public access may apply only during the period when protection is justified on the basis of the content of the document.
19. Regarding the second request, the complainant contended that Europol should have assessed whether there was an overriding public interest in disclosure for the document that was refused to protect Europol’s decision-making process. The complainant noted that the company’s involvement in Europol’s work is of particular public interest, especially considering that it had been subject to media articles and inquiries by the European Data Protection Supervisor (EDPS). The complainant argued that Europol’s decision does not show that it had taken this into account.
20. Lastly, the complainant considered that Europol, by merely confirming its initial decision in one sentence, failed to comply with its obligation to review each argument put forward by an applicant in a confirmatory decision.
The Ombudsman's assessment
21. The Ombudsman recognises the importance of public scrutiny regarding the topic of data processing by law enforcement agencies. It should, however, be noted that the documents to which public access is sought in this case relate to the purchase and implementation of an IT platform to improve public security. It should also be noted that the EU’s specialised body overseeing the institutions’ compliance with data protection rules, the EDPS, has recently looked into how Europol processes personal data of individuals and has made several recommendations to Europol.
22. When applying the exceptions of Article 4(1)(a) of Regulation 1049/2001 (and thereby by analogy the relevant provision in the Europol rules on public access), including the exception for the protection of the public interest as regards public security, EU institutions enjoy a wide margin of discretion.
23. Having reviewed the documents in question, the Ombudsman finds the refusal of public access based on the exception of protecting the public interest as regards public security to be reasonable in respect of almost all redactions. The documents indeed refer to technical details of Europol’s security system and/or working procedures within Europol, disclosure of which could undermine public security.
24. In addition, the Ombudsman finds that the refusal to grant public access to one document, based on the need to protect Europol’s decision-making process, was, given the content of that document, justified. There is no obvious overriding public interest which would justify the disclosure of that document.
25. The Ombudsman notes that some very limited parts of the documents could have been better covered by the exception relating to the protection of commercial interests of a natural or legal person, for example information relating to pricing. There is no obvious overriding public interest which would justify the disclosure of this information. While from a formal legal perspective, it was an oversight by Europol not to invoke that exception, the Ombudsman does not consider it justified to continue her inquiry as regards these very limited redactions since it would be unlikely to give rise to broader public access.
26. From the documentation provided to the Ombudsman by Europol, which included a detailed description by Europol of how it handled the requests, the Ombudsman is further satisfied that Europol performed adequately a reassessment of its initial decision when it took its confirmatory decisions. The Ombudsman also considers that Europol has made an adequate assessment as to the question whether partial access could be granted to the documents at issue, evidenced by the fact that most of the framework contract between Europol and the consultancy companies was disclosed.
27. The Ombudsman considers, however, that Europol’s communication with the complainant could have been better. Specifically, Europol could have engaged better with the complainant in respect of his arguments raised in the confirmatory applications. While the Ombudsman understands that Europol may not have been able to reveal more information regarding the nature of the requested documents, it could have explained better its position on some of the arguments raised by the complainant, for example, to reassure the complainant that it had assessed, where relevant, whether there was an overriding public interest in disclosure.
Based on the inquiry, the Ombudsman closes this case with the following conclusion:
While there were a number of shortcomings in how Europol dealt with the complainant’s requests, overall there was no maladministration by Europol regarding the non-disclosure of the requested documents.
The complainant and Europol will be informed of this decision.
 See paragraph 21 below.
 Under Regulation 1049/2001 on public access to European Parliament, Council and Commission documents: https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=celex%3A32001R1049.
 Europol, following a standard procedure, signed a contract with a consultancy company, including a US-based sub-contractor, aimed at providing a platform for an analysis system. Europol started operating this software as of 2016.
 Europol initially communicated to the complainant a number of 66 documents but explained to the Ombudsman in the course of the inquiry that some documents had been counted twice.
 One document identified in the request was already part of the complainant’s first access to documents request to Europol.
 The complainant requested: 1.“Details of any past or ongoing contractual agreements and terms of reference [between Europol and consultancy companies]; 2. Master Services Agreement (MSA) between Europol [and consultancy companies]; 3. Any exchanges (e.g. emails, including attachments) and meeting records (minutes, memos, agendas) involving Europol officials and representatives of the [consultancy companies] between January 2018-October 2020.”
 In accordance with Article 4(1)(a) and Article 4(1)(b) of the Management Board Rules on Public Access to Europol Documents; Europol’s implementing decision of Regulation 1049/2001, the exceptions of which in Article 4 are mostly identical to Regulation 1049/2001 (and which is available via the following link: https://www.europol.europa.eu/sites/default/files/documents/decision_of_the_mb_rules_applying_reg_1049_2001.pdf).
 The complainant requested a number of specific documents (including dates and file numbers) relating to: 1. Minutes of Europol’s Management Board meetings; 2. Correspondence between Europol’s directorate and the Management Board; 3.) Operational plans for Taskforce Fraternite and “Secondary Security Checks” at the EU external borders.
 In accordance with Article 4(3) of the Management Board Rules on Public Access to Europol Documents (see footnote 7).
 As per Article 4(5) of the Management Board Rules on Public Access to Europol documents (see footnote 7).
 As per Article 4(6).
 Cf. Article 4(3).
 A redacted version of the EDPS’ decision is available at: https://edps.europa.eu/data-protection/our-work/publications/investigations/edps-decision-own-initiative-inquiry-europols_en.
 See the decision of the European Ombudsman in case 1767/2018/MIG. Cf. also: Judgment of the General Court of 11 July 2018, ClientEarth v Commission, T-644/16, paragraphs 23-25 (http://curia.europa.eu/juris/document/document.jsf?text=&docid=203913&pageIndex=0&doclang=EN&mo%20de=lst&dir=&occ=first&part=1&cid=6019725).
 As per Article 4(2) of the Management Board Rules on Public Access (see footnote 7).