Proposal of the European Ombudsman for a solution in case 1050/2018/FP on the European Commission’s refusal to grant public access to an official’s e-mails relating to a legislative proposal
Løsning - Dato Torsdag | 05 september 2019
Sag 1050/2018/DL - Indledt den Onsdag | 10 oktober 2018 - Afgørelse af Onsdag | 29 april 2020 - Den vedrørte institution Europa-Kommissionen ( Konstaterede fejl og forsømmelser )
Made in accordance with Article 3(5) of the Statute of the European Ombudsman
Background to the complaint
1.In March 2018, the complainant requested the European Commission to give him public access to copies of all e-mail correspondence to and from a named Commission official related to Article 13 of the draft Directive on Copyright in the Digital Single Market. The official in question worked in the Commission’s Directorate-General for Communications Networks, Content, and Technology (‘DG CNCT’). It appears from the complaint that part of the official’s tasks related to preparing the draft Directive.
2.In May 2018, the Commission denied access to the requested emails because of the need to protect the privacy of the individual. The Commission explained that e-mails originating from, or sent to, a specifically identified individual constitute ‘personal data’ within the meaning of Regulation 45/2001. Consequently, in order to handle the complainant's request for public access to documents, it would have been necessary to carry out a processing of the official’s personal data.
3.The Commission further argued that it might access e-mails held in the work e-mail accounts of its staff in specific, exceptional circumstances only. Consequently, the Commission stated that it was not in a position to access the requested e-mails in order to handle the complainant’s request.
4.The complainant filed a request for review, a so-called ‘confirmatory application’, asking the Commission to reconsider its position. In June 2018, the Commission confirmed its refusal to grant public access to the document.
5. Dissatisfied with the Commission’s decision, the complainant turned to the Ombudsman on 7 June 2018.
6.The Ombudsman opened an inquiry into the Commission’s refusal to grant access to the requested e-mails. In the course of the inquiry, the Ombudsman received the Commission’s comments on the case.
Arguments presented to the Ombudsman
The complainant’s arguments
7.The complainant argues that the Commission did not give a satisfactory justification for its refusal to grant public access to the requested e-mails. He argued that the e-mails constitute ‘documents’ subject to EU rules on public access to documents. He argues that any privacy concerns could be addressed within the procedure foreseen by the Regulation on public access to documents and should not prevent the Commission from identifying the requested e-mails in the first place.
The European Commission’s arguments
8.The Commission first stated that according to its internal rules, e-mails that contain important information, involve action or follow-up, or which may later be needed as proof, should be registered in the Commission’s documents management system. Conversely, emails, which do not qualify for registration, should not be permanently stored. These emails should be deleted by the sender and the recipient(s) when they become obsolete and/or are superseded by events’. The internal rules also specify that unregistered emails are automatically deleted from the email accounts after six months.
9.The Commission also argues that since the requested e-mails were sent to/from a specifically identified staff member, the list and content of the e-mails contain ‘personal data’ of that person. It argues that to handle the complainant’s request, the Commission would have to retrieve the requested e-mails from the staff member’s e-mail account, which would constitute ‘processing’ of personal data of that staff member. It argued that such processing would not be legitimate and lawful within the meaning of Article 5 of Regulation 45/2001.
10.According to the Commission’s own internal rules, it can only lawfully access its staff members’ electronic correspondence (which may contain both personal and professional e-mails) for security or investigation purposes. In the Commission’s view, searching a staff member’s e-mail account to identify the documents necessary for handling a request for public access to documents is neither necessary nor proportionate. In addition, the Commission argues that asking for the consent of the staff member (for the Commission) to conduct a search of his e-mail account would not be an appropriate legal basis, as the consent could not be considered “free” in the sense of the EU privacy rules, due to the dependency relationship between employer and employee.
11.Finally, the Commission claims that even if the requested e-mails were identified, disclosing them would constitute a transfer of personal data. This is only allowed when the recipient has established that there is a necessity for the transfer and there is no reason to assume that the data subject’s legitimate interests might be prejudiced. Since the complainant did not establish such a necessity, the use of the exception based on privacy under Article 4(1)(b) of Regulation 1049/2001 would be justified.
The Ombudsman's assessment
12.EU rules on public access to documents apply to all documents held by an EU institution (that is to say documents drawn up or received by the institution and in its possession) in all areas of European Union activity. The concept of a ‘document’ is given a broad definition by Regulation 1049/2001, and covers any content whatever its medium (written on paper or stored in electronic form or as a sound, visual or audio-visual recording) concerning a matter relating to the policies, activities and decisions falling within the institution’s sphere of responsibility.
13.EU Courts have ruled that the nature of the storage medium on which the content is saved, or the presentation of the content, has no bearing on whether or not it falls within the scope of the access to documents rules.
14.The Ombudsman is of the view that, given the work-related nature of the requested e-mails (which concern a legislative proposal), they should, if they are still in the possession of the Commission (see below), be considered ‘documents’ received or drawn up by the institution, and thus subject to public access requests.
15.The Ombudsman considers that an e-mail must be considered as a “document drawn up by the institution” when it has been drafted by an official (or an agent) in the course of his or her professional duties and has been sent by the official for a work-related purpose using the e-mail account provided by the institution.
16.An e-mail should always be considered a “document received by the Institution” when it is addressed to an official (or an agent), in his or her work capacity and concerns a matter that relates to the responsibilities of the official or more generally of the institution.
17.Whether e-mails are subsequently registered in the Commission’s document management system is not relevant for the purpose of the definition of a ‘document’ under Regulation 1049/2001. Registering a document is a consequence of the existence of a document and not a pre-requisite for its existence.
18. An email is in the possession of an institution as soon the institution is in a position to exercise control over how the email is handled. An institution is entitled to instruct its officials as to how they should handle emails they receive in their work email inbox when these emails relate to the work of the institution. The institution can, for example, order the officials to store, to retrieve, to dispose of, to register or to make public any email the officials receive in their work e-mail account, provided the email relates to the work of the institution. The fact that an institution may not have (yet) exercised this right of control does not imply that the email is not already in the possession of the institution, and thus subject to EU access to documents rules.
19.It is possible that an email which has been received in an inbox of an official is no longer retained. This can occur if there is a document retention policy, which would either remove emails automatically after a set period of time, or require staff to manually remove copies of the emails. However, until a document is removed permanently from the email system, it remains in the possession of the institution. The Commission has not addressed the question whether the documents in this case have been retained.
20.In light of the above, the Ombudsman considers that the e-mails sent or received by the official concerned which relate to policies, activities or decisions of the EU, and which had not been permanently deleted from the work e-mail account of the official when the request for public access was received by the Commission, are ‘documents’ ‘in the possession of the Commission’, subject to the rules on public access to documents.
21. For the avoidance of doubt, emails of a personal nature received by an official in his or her work inbox are by definition excluded by the scope of EU rules on public access to documents since these rules only apply to documents related to the policies, activities or decisions of the EU. That is, the rules only apply to work related emails.
22. It is, of course, possible that the work email account of the official concerned contains both work related emails and, exceptionally, emails that are not related to his work activities (private emails).
23. It is also possible that the work related emails also contain some personal data, such as names and contact details.
24.The Ombudsman however disagrees with the Commission’s argument that to identify the requested documents, the Commission would need to carry out an act of processing of personal data. Even if such an exercise were considered to be an act of processing personal data, the Ombudsman’s view is that it is necessary for compliance with the Commission’s legal obligations and would not infringe the privacy rights of the official concerned.
25. First, given the work-related nature of the requested e-mails, it is possible that at least some or all of them will have already been registered in the document management system of the Commission. They could therefore be retrieved from it without searching the e-mail account of the official.
26.Second, it is within the power of the Commission to retrieve any other work-related emails from the e-mail account of the official whilst fully respecting the personal data and the private life of the individual. For example, the Commission could ask the staff member himself to retrieve relevant the emails from his own e-mail account (provided they have not been permanently deleted.) This option would certainly not require the Commission to process the official’s personal data. Such a request would not impinge on the private life of the staff member, but would merely be a normal work-related task.
27. Once the documents subject to the request for public access have been identified, the Commission will be in a position to make a concrete assessment concerning their disclosure.
The proposal for a solution
The Ombudsman proposes that the Commission should order the official concerned to identify and retrieve any relevant document that is still stored in the staff member e-mail account. The Commission should also search its document register for relevant documents.
After it has identified the documents, the Commission should assess whether or not to disclose them in accordance with the provision set forth by the EU rules on public access to documents.
The Commission is invited to inform the Ombudsman by 7 October 2019 of any action it has taken in relation to the above solution proposal.
 Decision of the European Parliament of 9 March 1994 on the regulations and general conditions governing the performance of the Ombudsman's duties (94/262/ECSC, EC, Euratom), OJ 1994 L 113, p. 15.
 Article 13 of the Proposal for a Directive related to the use of protected content by information society service providers. In May 2019, the Directive was adopted by the Council and the Parliament. Member States have until June 2021 to incorporate the Directive into national law.
 According to Article 4(1)(b) of Regulation 1049/20012001 of the European Parliament and of the Council of 30 May 2001 regarding public access to European Parliament, Council and Commission documents, available at http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32001R1049&rid=1
 Regulation (EU) 45/2001 was applicable at the time of the complainant’s access request, it has now been replaced by Regulation (EU) 2018/1725.
Regulation 1049/2001 of the European Parliament and of the Council of 30 May 2001 regarding public access to European Parliament, Council and Commission documents, available at: https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2001:145:0043:0048:en:PDF .
 Note of the Secretary-General of 16 January 2015 (not provided to the Ombudsman).
 In accordance with Article 2(a) of Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data, available at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32001R0045
 As set out in Article 2 (b) of Regulation 45/2001.
 As set out in a note of the European Commission Secretary-General of 16 January 2015.
 In accordance with Article 8 of Regulation 45/2001.
 Judgement of the Court of 21 July 2011, Sweden v MyTravel and Commission, C506/08 P, ECR, EU:C:2011:496, paragraph 88.
 SeeJudgment of the General Court of 26 October 2011, Dufour v ECB, T‑436/09, ECR, EU:T:2011:634, paragraphs 88 and 90 to 93.