Sie möchten Beschwerde gegen ein EU-Organ oder eine EU-Einrichtung einlegen?
- EN English
Decision on the European Commission’s refusal to give public access to documents concerning its impact assessment related to a legislative proposal on preventing and combatting child sexual abuse (joint cases 2206/2022/SF and 2208/2022/SF)
Entscheidung
Fall 2206/2022/SF - Geöffnet am Montag | 30 Januar 2023 - Entscheidung vom Mittwoch | 18 Oktober 2023 - Betroffene Institution Europäische Kommission ( Missstand in der Verwaltungstätigkeit festgestellt ) - Land Irland
Fall 2208/2022/SF - Geöffnet am Montag | 30 Januar 2023 - Entscheidung vom Mittwoch | 18 Oktober 2023 - Betroffene Institution Europäische Kommission ( Missstand in der Verwaltungstätigkeit festgestellt ) - Land Irland
Beschwerde eingereicht
08/12/2022Analyse der Beschwerde
08/12/2022Laufende Untersuchung
30/01/2023Ergebnis der Untersuchung
18/10/2023
The complainant, an Irish civil liberties organisation, made two requests for public access to background documents and technical information, which fed into the Commission’s impact assessment accompanying its proposal for a regulation laying down rules to prevent and combat child sexual abuse. The Commission identified two documents as falling within the scope of the complainant’s requests and granted wide partial access.
The complainant considered that the Commission had failed to identify all relevant documents falling within the scope of its requests.
The Ombudsman found that the Commission had indeed failed to identify a document, namely a list of experts that clearly fell within the scope of the complainant’s requests. The Ombudsman considered that this constitutes maladministration.
The Ombudsman suggested that the Commission register the complainant’s request for public access to the list of experts as a new request and handle it in accordance with Regulation 1049/2001.
Background to the complaint
1. In May 2022, the Commission proposed new EU legislation to prevent and combat child sexual abuse online (hereafter ‘the CSAM regulation’).[1] The proposed rules, once adopted, will oblige service providers to detect, report and remove child sexual abuse material (CSAM) online, while ensuring that the fundamental rights of users are protected.
2. The Commission carried out an impact assessment[2] of its legislative proposal. The impact assessment report[3] states that, in 2020, the Commission organised, under the EU Internet Forum (EUIF)[4], an expert process to assess whether there are technical solutions that allow for the detection of CSAM while maintaining the same or comparable benefits of encryption. It further states that the work of these experts is summarised in Annex 9 to the impact assessment report - the ‘outcome document’.
3. In October 2022, the complainant made two requests for public access to documents[5] related to the impact assessment report. More specifically, it asked for any background documents and technical information, including those pertaining to the expert group, which was appointed by companies and Member States represented in the EUIF, and whose work fed into Annex 9 of the impact assessment report.
4. When the complainant did not receive a reply within 15 working days, it asked the Commission to review the implicit refusal to grant access (by making ‘confirmatory applications’).
5. In November 2022, the Commission replied. It identified two documents as falling within the scope of the complainant’s requests. It disclosed both documents, but redacted personal data in one of them. The Commission stated that it did not hold any other documents falling within the scope of the requests.
6. Dissatisfied with how the Commission handled its public access requests and the time it has taken, the complainant turned to the Ombudsman in December 2022.
The inquiry
7. The Ombudsman opened an inquiry into how the Commission handled the two requests for public access to documents.
8. In the course of the inquiry, the Ombudsman inquiry team met with relevant staff of the Commission and inspected the documents requested by the complainant. The Ombudsman subsequently shared the meeting report with the complainant, which provided comments on it.
Arguments presented to the Ombudsman
By the complainant
9. The complainant claimed that the Commission failed to handle its requests within the time limits prescribed by Regulation 1049/2001.
10. The complainant also considered that the Commission failed to address all elements of its requests for access to documents. For example, the Commission did not provide the complainant with a list of attendees and technical experts who participated in consultations and the EUIF meetings, as it requested. Neither did the Commission provide the complainant with a working link to one document referenced in the impact assessment report.
11. More generally, the complainant took issue with the fact that the Commission identified and partially disclosed only two documents, which are earlier versions of Annex 9 to the impact assessment report. The complainant considered it unlikely that a regulation of such importance relies on an impact assessment that did not draw on further documentation.
By the Commission
12. In the meeting with the Ombudsman inquiry team, the Commission representatives acknowledged that the handling of the complainant’s requests was slightly delayed. They explained that the complainant’s requests seemed to be requests to justify a political decision rather than requests for public access to a specific set of documents. The Commission therefore first checked internally with the legal unit whether the requests could be handled as requests for public access. Another reason for the delay was that the Commission had transitioned between two IT systems for the internal handling of public access to documents requests. This transition also led to an administrative mistake, whereby the reply to the complainant’s initial request was not sent in time.
13. With respect to the identification of all documents falling within the scope of the request, the Commission representatives said that they had identified the colleagues who might hold information that concerned the request and asked them to look proactively through every record that could be relevant to the complainant. This included searches in the electronic record system, inboxes, notes, file folders, SharePoint and any other record that might contain relevant information.
14. As concerns the EUIF meetings, the Commission representatives explained that three online technical workshops took place in 2020. During the first workshop, academics, experts and companies were invited to share their perspectives on the matter as well as any documents that could be valuable for the discussion. After this workshop, a first draft of the ‘outcome document’ was produced, which summarises the input given orally by the participants and references a number of relevant documents. This first draft was shared with the participants via an online file sharing service and some participants provided written comments. Other participants commented orally on the first draft during the second workshop. Those contributions were then added to the final version of the ‘outcome document’ that was presented during the third and final workshop for the participants’ endorsement. This ‘outcome document’ is the only document that was produced in relation to the substance of these workshops. It was subsequently shared with the EUIF. One year later, it was used as supporting information to the impact assessment report. As the content of the final version of the ‘outcome document’ was agreed during the final workshop, no further changes were made to the document that is now set out in Annex 9 to the impact assessment report. There is no other final version than the one disclosed to the complainant.
15. The Commission further contended that emails exchanged in the context of the workshops were of an organisational nature and contained only the links to the remote online meetings. They did not contain any substantive information that could have been relevant for the complainant. As such, the emails were not identified as falling within the scope of the complainant’s request. Following the meeting with the Ombudsman inquiry team, the Commission tried to retrieve these emails. However, as they were not kept on file and are over two years old, they had already been deleted in line with the Commission’s retention policy.
16. In the meeting with the Ombudsman inquiry team, the Commission representatives acknowledged that a written list of the participants to the EUIF workshops exists. However, the Commission could not disclose the list for data protection and public security reasons, given the nature of the issues discussed.
17. The Commission representatives noted that many companies, which participate in the EUIF, are concerned about their security and public image. In addition, the topics discussed in the EUIF are often of a sensitive, operational nature and disclosure could be exploited by malicious actors to circumvent detection mechanisms and moderation efforts by companies. Revealing some of the strategies and tactics of companies, or specific technical approaches also carries a risk of informing offenders on ways to avoid detection. The Commission representatives provided additional confidential information during the meeting with the Ombudsman inquiry team on why the list of experts could not be disclosed.
18. As regards the alleged failure to provide the complainant with a working link to one of the documents referenced in the impact assessment report, the Commission representatives said that the Commission does not necessarily hold a copy of the documents that are linked in the footnotes of the ‘outcome document’. The Commission consulted these documents online but did not download or copy them. The document, for which the complainant requested a working link, is also no longer accessible to the Commission.
The Ombudsman’s assessment
19. The complainant considered that the Commission did not reply within the statutory time limit of 15 working days. The Ombudsman notes that, in accordance with Regulation 1049/2001, the time limit to reply may, in exceptional cases, be extended by another 15 working days, provided that the applicant is notified in advance of such an extension. In this case, the Commission failed to notify the complainant in advance of the extension. This is regrettable.
20. The complainant further considered that the Commission did not address all elements of its two public access requests. In particular, it argued that the Commission should have (i) provided a working link to the document referenced in a footnote in Annex 9 to the impact assessment report and (ii) should have granted access to the list of experts participating in the EUIF workshops that the complainant had requested.
21. As concerns the link, the Ombudsman considers the Commission’s explanation that it did not download or copy the document referenced and that it thus no longer has access to the document reasonable. However, the Ombudsman regrets that the Commission did not inform the complainant of this in its reply. Had the Commission communicated more clearly and in a timely manner with the complainant, a complaint to the Ombudsman in this regard could have been avoided.
22. The Ombudsman welcomes the steps the Commission took in this case (outlined in paragraph 13 above) to identify documents falling within the scope of the complainant’s requests. It is however problematic that despite this extensive search, the Commission did not identify the document containing the list of experts in its reply to the complainant.
23. The Ombudsman recalls that, when dealing with public access requests, the institution must first search for and identify all the documents that could potentially fall within the scope of a public access request. Then, after having conducted a concrete and individual examination of all documents covered by a request, the institution may refuse access if the documents’ disclosure would undermine one of the interests protected in Article 4 of Regulation 1049/2001. Such a refusal must always be duly motivated. In this case, the complainant’s request explicitly stated that it sought public access to “all information [...] including the list of attendees and the experts who were consulted [...]. Nevertheless, the Commission did not identify the list of experts as falling within the scope of the complainant’s request. This means that the complainant did not have the opportunity to challenge (the reasons for) the institution’s refusal to disclose the document. This constitutes maladministration.
24. However, rather than issuing a recommendation, the Ombudsman considers that the most useful way forward for the complainant at this stage is that the Commission now registers the complainant’s request for the list as a new request for public access to documents, and deals with it swiftly. She will make a suggestion in this regard.
25. As regards the complainant’s claim that further documents should exist, besides the list of experts, the Commission representatives explained, in detail, why the ‘outcome document’ (and its two earlier versions) are the only documents that were produced in relation to the substance of the EUIF workshops. The Ombudsman considers these explanations reasonable.
Conclusion
Based on the inquiry, the Ombudsman closes this case with the following finding:
The Commission’s failure to identify the list of experts as falling within the scope of the complainant’s public access request constitutes maladministration.
The complainant and the Commission will be informed of this decision.
Suggestion for improvement
26. Given the Commission’s failure to identify the list of experts despite the complainant’s clear interest in it, the Commission should register this now as a new request for public access to documents and handle it in accordance with Regulation 1049/2001.
Emily O'Reilly
European Ombudsman
Strasbourg, 18/10/2023
[1] Proposal for a Regulation of the European Parliament and of the Council laying down rules to prevent and combat child sexual abuse Com(2022) 209 final; available at: https://eur-lex.europa.eu/resource.html?uri=cellar:13e33abf-d209-11ec-a95f-01aa75ed71a1.0001.02/DOC_1&format=PDF
[2] The Commission carries out impact assessments on initiatives, such as legislative proposals, that are expected to have significant economic, social or environmental impacts. More information available at: https://commission.europa.eu/law/law-making-process/planning-and-proposing-law/impact-assessments_en#:~:text=Impact%20assessments%20examine%20whether%20there,proposal%20for%20a%20new%20law.
[3] Impact Assessment Report accompanying the proposal for a regulation laying down rules to prevent and combat child sexual abuse SWD(2022) 209 final; available at: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=SWD:2022:209:FIN&from=EN
[4] In 2015, the Commission launched the European Union Internet Forum (EUIF) to address the misuse of the internet for terrorist purposes. In 2019, the fight against child sexual abuse online was added to EUIF’s area of activities. The Commission chairs the Forum. A list of members and other information is available at: https://home-affairs.ec.europa.eu/networks/european-union-internet-forum-euif_en
[5] Under Regulation 1049/2001 regarding public access to European Parliament, Council and Commission documents: https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32001R1049