- EN English
Decision on the European Commission’s refusal to give public access to documents concerning its proposal for a regulation to prevent and combat online child sexual abuse (case 2421/2023/MIG)
Decision
Case 2421/2023/MIG - Opened on Thursday | 21 December 2023 - Recommendation on Friday | 26 April 2024 - Decision on Friday | 10 January 2025 - Institution concerned European Commission ( Maladministration found ) - Country Czechia
Complaint submitted
14/12/2023Analysis of the complaint
15/12/2023Inquiry ongoing
21/12/2023Preliminary outcome
26/04/2024Inquiry outcome
10/01/2025
The case concerned a request for public access to documents drawn up or received by the European Commission when preparing its legislative proposal for a regulation to prevent and combat online child sexual abuse. The Commission identified 121 documents and gave wide public access to 88 of them, redacting personal data only. Regarding the remaining 33 documents, the Commission gave access to parts of five documents. In refusing access, the Commission relied on several exceptions to public access provided for under the EU legislation on public access to documents, including the need to protect its ongoing decision-making. The complainant was dissatisfied with the limited access granted to these 33 documents.
The Ombudsman inquiry team inspected the documents and, based on that, the Ombudsman was not convinced by the Commission’s arguments that their wider disclosure would (seriously) undermine the interests the Commission aimed to protect. The Ombudsman took the view that the Commission’s refusal to grant wide public access to the requested documents constituted maladministration. She recommended that the Commission re-consider its position on the request with a view to giving wide public access to the documents.
In reply, the Commission granted the complainant significantly increased access to certain categories of documents. However, it maintained that it could not disclose large parts of the documents reflecting its internal deliberations and exchanges of views on the draft legislative proposal.
The Ombudsman considered that the Commission had not provided reasonable explanations as to why no further access could be given to these documents in their entirety. She thus concluded that the Commission had failed to give the widest access possible to the documents at issue, thus, once again, not giving effect to the clear case law that requires EU institutions to apply a particularly high standard of transparency to legislative documents. The Ombudsman closed the inquiry confirming her finding of maladministration.
Background to the complaint
1. Fighting against child sexual abuse is a priority for the EU and part of the EU strategy for the period 2020 to 2025.[1] The approach of the European Commission is based on eight initiatives including facilitating the prevention of sexual child abuse, enabling easier detection and reporting and providing stronger support for victims.[2]
2. In May 2022, the Commission adopted a legislative proposal[3] for new rules on preventing and combating child sexual abuse material (CSAM). The CSAM proposal specifically focuses on combating online sexual child abuse and provides that operators of online platforms should have a duty to detect, report and remove CSAM from their services. The proposal also envisages the establishment of a new EU Centre on Child Sexual Abuse to support operators of online platforms in their new duties.
3. When preparing the CSAM proposal, the Commission consulted various stakeholders, including in the context of public consultations and direct exchanges with its staff. In this way, the Commission gathered input from civil society organisations, technology companies and public authorities.
4. The CSAM proposal gave rise to some criticism by the public and expert bodies, such as the European Data Protection Supervisor (EDPS), questioning the effectiveness, necessity and proportionality of the proposed rules. For example, concerns were raised about a possible generalised and indiscriminate scanning of content of electronic communications and the fundamental rights implications this would entail.[4]
5. The CSAM proposal is still being considered by the EU’s co-legislators, the Council of the EU and the European Parliament.
6. In March 2023, the complainant, a researcher and journalist, requested the Commission to provide him with public access[5] to all documents drawn up or received by the Commission when drafting the legislative proposal between January 2021 and March 2023.
7. When the complainant did not receive a reply within the prescribed time limit, he asked the Commission to review this implicit refusal to give public access (by making a ‘confirmatory application’). In his confirmatory application, the complainant argued that there is an overriding public interest in disclosure.
8. In December 2023, the Commission adopted a decision, identifying 121 documents as falling within the scope of the complainant’s access request. It gave wide public access to 88 documents, redacting only personal data. Regarding the remaining 33 documents, the Commission refused to give access to 28 documents in their entirety and to five documents in part. These 33 documents date from 2021 and can be divided into four categories:
- exchanges with interest representatives from the technology industry (documents 9, 11, 13, 14, 94 and 106),
- exchanges with public authorities from Germany (documents 48 to 50),
- drafts of the impact assessment conducted by the Commission when preparing its legislative proposal, and related documents (documents 61 to 69), and
- internal exchanges and comments on the draft CSAM proposal from various Commission departments, including the Commission Legal Service (documents 56, 89 to 92 and 110 to 119).
9. In refusing access to (parts of) these documents, the Commission relied on a number of exceptions provided for under Regulation 1049/2001. More specifically, the Commission argued that some information contained in three documents[6] could be misused by potential child abuse perpetrators. Disclosure would thus undermine the public interest as regards public security. The Commission also stated that two documents[7] contained commercially sensitive information. In addition, concerning all documents but one[8], the Commission said that they contained preliminary views and policy options that are still under consideration. Disclosure would thus undermine its ability to prepare a decision free from external pressure. In relation to 11 documents[9], the Commission also relied on the need to protect legal advice, arguing that disclosure would harm its interest in seeking frank and objective input and legal advice from its staff.
10. In addition, the Commission redacted parts of three documents that it deemed to fall outside the scope of the access request, as well as personal data.
11. At the same time, the Commission “closed” the complainant’s confirmatory application and informed him that he could now make a new one. It did, however, not inform the complainant of the remedies available under Regulation 1049/2001.
12. Dissatisfied with the Commission’s decision to refuse access to parts of five documents[10] and 28 documents[11] in their entirety, the complainant turned to the Ombudsman. He considered that the redactions made by the Commission were excessive, noting the passage of time and that the CSAM proposal had been issued. The complainant was also dissatisfied that the Commission had not considered his arguments in favour of the existence of an overriding public interest and contended that, due to concerns[12] about possible conflicts of interest and irregularities, the public interest in disclosure had in the meantime only increased. The complainant did not challenge the redaction of personal data.
The inquiry
13. The Ombudsman opened an inquiry into the Commission’s refusal to grant public access to (parts of) the 33 documents at issue in the complaint.
14. In the course of the inquiry, the Ombudsman inquiry team inspected the documents at issue as well as limited additional information provided by the Commission in reply to the complaint.
The Ombudsman's recommendation
15. Based on the review of the documents, the Ombudsman considered that they should benefit from the high level of transparency that applies to ‘legislative documents’.[13]
16. In addition, concerning two documents[14], the Ombudsman considered that the Commission had applied the exception for the protection of the public interest as regards public security excessively. This included a report of a meeting by the EU Internet Forum on safety-by-design in which the Commission had redacted sensitive statements made by participants as well as their organisations’ names. Given that sensitive statements had been withheld, the Ombudsman was not convinced that a redaction of the organisations’ names had been necessary in order to protect public security.
17. As regards the protection of the Commission’s ongoing decision making, the Ombudsman noted that, when the access request was made, the Commission had already completed its impact assessment and had issued its legislative proposal. Irrespective of this, the Ombudsman took the view that, in line with EU case law[15], any ongoing decision-making in itself would not have been sufficient to justify the refusal of access. Rather, it would have been for the Commission to put forward ‘tangible evidence’ illustrating that there is a reasonably foreseeable risk of external pressure that could seriously undermine the decision-making process in question.[16]
18. Concerning the protection of legal advice, the Ombudsman considered it unreasonable that the comments on the draft CSAM proposal that the Commission had obtained from several of its departments, including its Legal Service, (recorded in ten documents[17]) is particularly sensitive.
19. Furthermore, the Ombudsman questioned whether the commercial information in one document[18] could still be considered sensitive, given that it was almost four years old. She also noted that the Commission had not consulted the company concerned.
20. Finally, the Ombudsman considered that there would be an overriding public interest in disclosure. Firstly, the Ombudsman found that transparency would allow the public to scrutinise who and what informed the CSAM proposal and would enable the public to challenge this information. Secondly, in light of the debate about possible conflicts of interest, access to the documents was also needed to verify whether the Commission acted in a fully independent manner and exclusively in the general interest when drafting the legislative proposal.
21. The Ombudsman concluded that the Commission’s refusal to give wide public access to the documents constituted maladministration and recommended that the Commission should re-consider its position on the complainant’s access request with a view to providing significantly increased access, taking into account the Ombudsman’s considerations in the recommendation.[19]
The Commission’s reply to the recommendation and the complainant’s comments on the reply
22. Following the Ombudsman’s recommendation, the Commission consulted some of the third parties concerned and gave significantly increased access to certain categories of documents. However, the Commission maintained its view that no access can be granted to the documents that reflect the views that its departments shared internally.
23. Specifically, the Commission disclosed the exchanges with public authorities from Germany with redactions of limited personal data only.
24. The Commission also gave significantly increased access to the exchanges with interest representatives from the technology industry, that is, exchanges with Discord, Meta, Microsoft and Snap.
25. In this regard, following the consultation of one company, the Commission maintained that disclosure of parts of a report[20] on a remote meeting it held with that company would undermine public security. In particular, it said, these parts contain “sensitive information, including information on technical measures (...) in place to prevent child sexual abuse and (...) policy around fighting illegal content online, including child sexual abuse (...)”. Disclosure of this information “could benefit those who perpetrate such abuse” and could be detrimental to the prevention of such crime.
26. The Commission also confirmed its position on the report[21] of a meeting by the EU Internet Forum, namely, that disclosure of the names of the participating organisations would undermine public security. The Commission argued that disclosure would make known what preventative actions specific companies take. This, in turn, would allow potential perpetrators to circumvent these measures.
27. After consulting another company, the Commission maintained that some information related to the research and development of new products had to be withheld in one document[22] so as to protect the company’s commercial interest.
28. The Commission did not re-assess the exchanges it had with Thorn (that it had withheld to protect its ongoing decision-making) as it understood that the Ombudsman did not take issue with its position on the document[23] in question.
29. As regards the documents[24] related to its impact assessment, the Commission has now disclosed parts of five documents with limited redactions of personal data only. These parts mainly reflect the procedural steps taken before the Regulatory Scrutiny Board. They also include documents that are publicly available on the Commission website[25], such as a study report on the options for the creation of a European Centre to prevent and counter child sexual abuse, opinions of the Regulatory Scrutiny Board and annexes to the impact assessment.
30. The Commission upheld its refusal to disclose any part of the meeting minutes and other documents reflecting its internal discussions on the possible options for new legislation as well as the drafts of its impact assessment. In doing so, the Commission argued that the inter-institutional dialogue and the negotiations between the Member States in the Council of the EU, particularly as regards the striking of a balance between the fundamental rights at stake, are still ongoing. Therefore, disclosure of its internal preliminary exchanges would undermine the Commission’s ability to defend its position on this difficult question. It would also undermine its effectiveness as an honest broker in the context of the upcoming trilogues.
31. The Commission added that since the inter-institutional negotiations started, “there have been constant attempts by interest groups opposed to the proposal to influence the outcome of the negotiations. This was done notably through aggressive communications campaigns that have made extensive use of out-of context leaked documents. This has put enormous pressure on the co-legislators, polarising the debate and making it extremely difficult to reach a compromise. Faced by public opinion backlashes, Member States have been forced to draw multiple conflicting red lines, rendering the attempt to achieve the required fundamental rights balance more difficult.” In terms of external pressure, the Commission also stated that there had been media articles that had “contained disinformation and insinuations as well as leaked files (...) which had put significant pressure on the Commission and on the inter-institutional negotiations.” To underline its view, the Commission referred to several articles, including one[26] that was co-authored by the complainant.
32. Concerning the comments on the draft CSAM proposal from various Commission departments, the Commission maintained that no public access can be granted to the documents in their entirety. More specifically, the Commission argued that the documents contain a legal analysis of questions that are legally and politically sensitive, as they relate to the detection of CSAM. Disclosure would thus undermine the ongoing inter-institutional negotiations on the draft proposal and the Commission’s ability to seek frank and comprehensive legal advice. The Commission also mentioned that it could still revise the CSAM proposal, as long as the Council of the EU has not taken a decision on it.
33. The complainant was grateful to have received increased access to the documents at issue. However, he was disappointed that the Commission continued to withhold “crucial details of internal deliberations (...) regarding one of the most controversial pieces of EU legislation in recent years”, arguing that the Commission had failed to take into account the overriding public interest in disclosure. The complainant was also concerned that the Commission had not re-assessed its exchanges with Thorn. Finally, the complainant was worried about the allegations the Commission had made about the role of the media.
The Ombudsman's assessment after the recommendation
34. The Ombudsman welcomes the fact that the Commission has now provided further access to certain categories of documents. She also notes that the redactions of commercially sensitive information in one document[27] are rather limited and, in light of the arguments put forward by the Commission, appear reasonable. However, overall, the Ombudsman is not satisfied that the Commission has provided the widest access possible to the documents at issue.
35. In particular, the Ombudsman finds it unreasonable that no access could be given to any parts of the documents related to the Commission’s impact assessment and its departments’ comments on the draft CSAM proposal[28].
36. These documents clearly constitute legislative documents to which the highest standard of transparency applies.[29] This includes the opinions of the Commission Legal Service, which the Commission considers, for the purpose of transparency, are to be treated differently from legal opinions issued by the Legal Service of the Council of the EU during the ordinary legislative procedure. As stated before[30], the Ombudsman cannot agree with this view. The Commission is a “key player in the legislative process”.[31] Accordingly, the case law concerning public access to Council documents is also relevant to Commission documents drawn up in the context of a legislative process.[32] In line with this, the Court of Justice did not distinguish between the legal opinions drawn up in relation to a legislative procedure by the legal services of the institutions.[33]
37. What is more, the Commission in this case could not explain why, based on their content, the relevant documents should be exempt from this rule in their entirety. Notably, the documents do not contain information on the challenges related to the detection of CSAM and thus the balancing of the fundamental rights at stake throughout. For example, as the Commission itself noted, the documents related to its impact assessment also contain “information and views on the design and structure of a potential European Centre to prevent and counter child sexual abuse.” Likewise, as regards the inter-service consultation, the feedback the Commission received from its departments concerned the draft legislative proposal as a whole. The content of this feedback thus goes beyond the question of how best to balance the fundamental rights at stake in relation to the detection of CSAM.
38. In addition, the arguments put forward by the Commission remain rather generic, referring to the fact that the legislative proposal is politically sensitive. It is therefore still unclear why the Commission considers those parts that do relate to the detection of CSAM to be sensitive throughout. Whilst the Commission mentions the delicate and complex nature of this subject and the ongoing inter-institutional discussions, its reply falls short in explaining how disclosure of specific content could seriously undermine those discussions.
39. The Commission has now for the first time explained what external pressure some of its staff members had been exposed to while preparing the legislative proposal. Such personal attacks on staff are unacceptable. That said, one can only speculate what triggered these specific incidents, but it is difficult to see a link to the documents at issue. In other words, these examples do not illustrate that disclosure of (parts of) the documents would, at this stage, lead to external pressure that would seriously undermine the ongoing inter-institutional negotiations.
40. The Ombudsman also notes that the fact that the final version of the impact assessment and the opinion of the Regulatory Scrutiny Board have been made public has no bearing on the question whether the draft versions thereof can be withheld based on the need to protect an ongoing decision-making process.
41. Concerning the protection of legal advice, the Commission argues that the feedback obtained during the inter-service consultation concerned novel and complex political and legal questions. It added that the advice was provisional, addressed to a limited number of recipients and provided at short notice.
42. The Ombudsman considers that these generic arguments could be applied to any inter-service consultation on a legislative proposal. In fact, the Commission has used this same reasoning in other similar cases.[34] The failure by the Commission to provide specific examples and concrete evidence of the risk of disclosure is at odds with the applicable case-law, according to which EU institutions must carry out a specific and individual assessment of the documents requested.[35]
43. Access to a legal opinion in the context of a legislative procedure may be refused only if the legal opinion is particularly sensitive or of a particularly wide scope. [36] To determine whether a legal opinion is particularly sensitive, it is the content of that opinion that needs to be considered.[37]
44. It is not sufficient that the legal opinion relates to a controversial legislative initiative or a sensitive field. Rather, the novelty and contentious character of a file are elements that very much support disclosure.[38] Conferring particular sensitivity on legal advice concerning novel issues would, in practice, impede the disclosure of a large portion of that legal advice, as it is precisely when dealing with novel issues that institutions request advice from their legal services.[39]
45. The Ombudsman also reiterates that there is a strong public interest in disclosure, including in the light of the fundamental rights at stake.[40] The need for transparency is even more pressing where, like in this case, fundamental questions are addressed in the legislative proposal. Where the fundamental rights of citizens are at stake, it is of particular importance that the administration can defend the position it has decided to take. This includes explaining why it proposed certain elements to become law and not others. That the public might question such choices, even before a decision is taken, is, in the words of the Court, “an integral part of the exercise by EU citizens of their democratic rights.”[41] The Ombudsman therefore notes with concern the remarks that the Commission made as regards the public’s engagement on this important matter. She considers that more transparency could give the public a better understanding of the matter at hand and could thereby avert speculation.
46. To conclude, the Ombudsman finds that significantly increased, if not full, public access should have been given to the documents that reflect the Commission’s internal deliberations and views.
47. In light of the above, the Ombudsman considers that the Commission has, once again, failed to give effect to the clear case law that requires EU institutions to apply a particularly high standard of transparency to legislative documents. The Ombudsman therefore confirms her finding of maladministration.
48. Finally, it is unclear why the Commission understood that the Ombudsman did not take issue with the non-disclosure of the exchanges with Thorn based on the need to protect an ongoing decision-making process. Given that the Commission disclosed (at least parts) of the substantive exchanges with all other interest representatives that it had identified in reply to the complainant’s access request (including those not covered by the complaint), it is unclear why this document was not partially disclosed too.
Conclusion
Based on the inquiry, the Ombudsman closes this case with the following finding:
While the Ombudsman welcomes the fact that the Commission has now provided further access to certain categories of documents in this case, she confirms her finding that the refusal by the European Commission to give wide public access to the 33 documents at issue constituted maladministration.
The complainant and the European Commission will be informed of this decision.
Emily O'Reilly
European Ombudsman
Strasbourg, 10/01/2025
[1] For more information, see: https://home-affairs.ec.europa.eu/policies/internal-security/child-sexual-abuse_en#:~:text=The%20Commission%20will%20ensure%20that,sexual%20abuse%20and%20sexual%20exploitation
[2] See: https://home-affairs.ec.europa.eu/whats-new/communication-campaigns/euvschildsexual-abuse-campaign-prevent-and-combat-child-sexual-abuse_en.
[3] Proposal for a Regulation laying down rules to prevent and combat child sexual abuse: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=COM%3A2022%3A209%3AFIN.
[4] See, for example, EDPS, Briefing note on the CSAM proposal: “The Point of No Return”, available at: https://edps.europa.eu/data-protection/our-work/publications/factsheets/2023-10-23-briefing-note-csam-point-no-return_en. See also Complementary impact assessment by the European Parliament dated April 2023: https://www.europarl.europa.eu/RegData/etudes/STUD/2023/740248/EPRS_STU(2023)740248_EN.pdf.
[5] Under Regulation 1049/2001 regarding public access to European Parliament, Council and Commission
documents: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32001R1049&from=EN.
[6] Documents 9, 11 and 94.
[7] Documents 14 and 94.
[8] Document 94.
[9] Documents 106 and 110 to 119.
[10] Documents 11, 13, 14, 56 and 94.
[11] Documents 9, 48 to 50, 61 to 69, 89 to 92, 106 and 110 to 119.
[12] See minutes of the meeting of the Committee on Civil Liberties, Justice and Home Affairs of the European Parliament of 25 October 2023, agenda point 8: https://www.europarl.europa.eu/doceo/document/LIBE-PV-2023-10-25-1_EN.pdf.
[13] In accordance with Article 12(2) of Regulation 1049/2001.
[14] Documents 9 and 11.
[15] Judgment of the Court of 4 September 2018, ClientEarth v Commission, C-57/16, paragraph 109:
https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62016CJ0057&qid=1712587747391.
[16] Judgment of the General Court of 21 April 2021, Pech v Council, T-252/19, paragraph 92:
[17] Documents 110 to 119.
[18] Document 14.
[19] The full text of the Ombudsman’s recommendation is available at: https://www.ombudsman.europa.eu/en/recommendation/en/185538.
[20] Document 9.
[21] Document 11.
[22] Document 14.
[23] Document 13.
[24] Documents 61 to 69.
[25] See: https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/12726-Fighting-child-sexual-abuse-detection-removal-and-reporting-of-illegal-content-online_en.
[26] See: https://balkaninsight.com/2023/09/25/who-benefits-inside-the-eus-fight-over-scanning-for-child-sex-content/.
[27] Document 14.
[28] Documents 61, 62, 63, 64, 65.2, 65.3, 65.4, 66.1 to 66.3, 66.6, 67.1, 68.2, 69.3, 69.5, 69.6 and 69.9 (impact assessment) and documents 89 to 92 and 110 to 119 (inter-service consultation).
[29] ClientEarth v Commission (see footnote 15 above).
[30] See decision on the European Commission’s refusal to give public access to documents related to its proposal for a regulation on the European Health Data Space (case 1999/2022/SF), paragraphs 33 ff.: https://www.ombudsman.europa.eu/en/decision/en/179450#_ftnref22.
[31] ClientEarth v Commission, paragraphs 87f. (see footnote 15 above).
[32] Judgment of the General Court of 15 September 2016, Philip Morris v Commission, T-796/14, paragraphs 55f.: https://curia.europa.eu/juris/document/document.jsf?text=&docid=183328&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=850120.
[33] Judgment of the Court of 8 June 2023, Council v Pech, C-408/21 P, paragraph 92f.: https://curia.europa.eu/juris/document/document.jsf?text=&docid=274436&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=13457842.
[34] See, for example, decision in case 1999/2022/SF (footnote 30 above) and decision on how the European Parliament, the Council of the European Union and the European Commission handle requests for public access to legislative documents (OI/4/2023/MIK): https://www.ombudsman.europa.eu/en/decision/en/196680.
[35] ClientEarth v Commission (see footnote 15 above).
[36] Judgment of the Court of 1 July 2008, Sweden and Turco v Council, C‑39/05 P and C‑52/05 P, paragraph 69: https://curia.europa.eu/juris/document/document.jsf?text=&docid=67058&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=13457842.
[37] Council v Pech, paragraph 61 (see footnote 33 above). https://curia.europa.eu/juris/document/document.jsf?text=&docid=274436&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=13457842.
[38] Judgment of the General Court, Miettinen v Council of the EU, T-395/13, paragraph 37: https://curia.europa.eu/juris/liste.jsf?language=en&num=T-395/13.
[39] Ibid, paragraphs 42 f.
[40] See Opinion of the Legal Service of the Council of the EU of 26 April 2023: https://data.consilium.europa.eu/doc/document/ST-8787-2023-INIT/en/pdf.
[41] ClientEarth v Commission, paragraph 108 (see footnote 15 above).