Background to the complaints

1. The European Union Agency for Law Enforcement Cooperation (Europol) is involved in the fight against child abuse online and offline, which is an EU priority included in the Multidisciplinary Platform Against Criminal Threats (EMPACT) 2022-2025 programme.[1]

2. The complainant, an academic researcher, made two requests to Europol for public access[2] to certain documents concerning the fight against online child sexual abuse. The first request, subject to case 1372/2024/OAM, concerned exchanges between Europol and the European Commission relating to the Commission’s legislative proposal for a Regulation to prevent and combat child sexual abuse (hereafter ‘the proposed CSAM Regulation’).[3] It also concerned Europol’s exchanges with Thorn, which describes itself as a nonprofit organisation, working on fighting online child sexual abuse. The second request, subject to case 2219/2024/OAM, also concerned emails Europol exchanged with Thorn, but for a different time period.

3. Europol decided to grant partial access to several documents it identified, while refusing to disclose others.

4. The complainant was not satisfied with the access received and asked Europol to review its decision (by making ‘confirmatory applications’). The confirmatory applications concerned:

In case 1372/2024/OAM:

• six exchanges with the Commission regarding online child sexual abuse/exploitation and/or the proposed CSAM Regulation covering the period 1 January 2022 - 24 February 2023 (hereafter ‘exchanges with the Commission’);
• nine exchanges with Thorn covering the period 1 January 2021 - 24 February 2023; and
• In case 2219/2024/OAM:
• seven exchanges with Thorn covering the period 25 February 2023 - 1 May 2024 (hereafter ‘exchanges with Thorn’).

5. In its confirmatory decisions, Europol maintained its previous positions.

6. As regards the exchanges with the Commission, Europol granted partial access to two documents (two records of meetings), redacting parts to protect personal data[4] and a decision-making process.[5] It refused access to the remaining four documents (a flowchart, two documents concerning the legal text of the proposed CSAM Regulation and a briefing note), based on the need to protect the public interest as regards public security,[6] as well as a decision-making process.  

7. As regards the exchanges with Thorn, Europol granted partial access to nine documents (case 1372/2024/OAM). It withheld personal data and limited sections arguing that these needed to be redacted to protect commercial interests[7] and its decision-making process, as well as the public interest as regards public security. Furthermore, it refused access to seven documents in their entirety (case 2219/2024/OAM), invoking the exception for the protection of the public interest as regards public security and of its decision-making process.

8. Dissatisfied with this outcome, the complainant turned to the Ombudsman in July and November 2024.

The inquiries

9. The Ombudsman opened two inquiries into Europol’s refusal to grant (full) public access to the documents at issue in the complaints.

10. As the complainant did not contest the redaction of personal data in his confirmatory applications, the Ombudsman did not assess whether Europol’s application of this exception was justified.

11. During the inquiries, the Ombudsman inquiry team inspected the 22 documents in question as well as the documentation provided by Europol regarding its consultations on the access requests with relevant third parties.[8]

12. Based on the inspection of documents in both cases, the Ombudsman made two solution proposals in February 2025.

The Ombudsman's solution proposal in case 1372/2024/OAM

13. The inspection showed that the exchanges between Europol and the Commission were meant to feed into the Commission’s legislative proposal for the CSAM Regulation.

14. The Ombudsman noted that under the EU Treaties, every citizen has “the right to participate in the democratic life of the Union”.[9] Therefore, EU decisions must be taken “as openly and as closely as possible to the citizen”.[10] This prerogative is considered particularly important when EU institutions are acting in their ‘legislative capacity’.[11] Indeed, the possibility for citizens to scrutinise and be made aware of all the information forming the basis for EU legislative action is a precondition for the effective exercise of their democratic rights.[12]

15. ‘Legislative documents’ must therefore be made directly accessible to the greatest possible extent.[13] Unless tangible, concrete, and specific evidence^[14] of exceptional circumstances can be demonstrated, the EU institutions are legally bound to disclose the requested legislative documents promptly.

16. EU case-law has clarified that legislative documents include documents drawn up or received by the Commission in the preparation of a legislative proposal.^[15] The documents at issue should therefore benefit from the wider access granted to legislative documents.

17. Europol invoked the exception for the protection of the public interest as regards public security to refuse access to four of the documents in their entirety. Whilst, in principle, the Ombudsman accepted that, in light of Europol’s wide discretion,[16] the use of the exception for the protection of the public interest as regards the public security was not manifestly wrong, she did not agree that the four documents were covered by this exception in their entirety. Europol still needed to better substantiate its views and to demonstrate a ‘specific and actual risk’ that is reasonably foreseeable and not purely hypothetical. It was not sufficient that the requested documents concern a protected interest.[17]

18. Furthermore, Europol invoked the exception for the protection of a decision-making process, arguing that (full) disclosure of the all the six exchanges with the Commission would undermine the decision-making process of the co-legislators still negotiating the proposed CSAM Regulation.[18] The Ombudsman considered that the arguments put forward by Europol to refuse access were not sufficient in this regard. Europol merely stated that, because the legislative process was ongoing, these (parts of) documents could not be disclosed. However, an ongoing decision-making process cannot in itself justify non-disclosure, even more so where the documents in question are legislative in nature. Europol must substantiate how the documents’ disclosure would seriously undermine the ongoing decision-making process, in a reasonably foreseeable and not purely hypothetical manner.[19]

19. Europol also granted partial access to nine exchanges with Thorn covering the period 1 January 2021 - 24 February 2023.

20. In refusing full access to some (parts) of these exchanges with Thorn, Europol relied on the protection of the public interest as regards public security. The Ombudsman found that, while Europol has a wide margin of discretion in the use of this exception (see paragraph 17), based on a review of the documents and the explanations provided by Europol, it remained unclear how disclosure would harm the public interest as regards public security.

21. Likewise, for the other exceptions invoked to redact some parts of the exchanges, namely the protection of Europol’s decision-making process and of commercial interests, the Ombudsman considered that Europol did not provide sufficient reasoning for the redactions. Specifically, Europol did not specify which decision-making process it was referring to and how the documents’ disclosure would seriously undermine that process, in a reasonably foreseeable and not purely hypothetical manner. Regarding the limited redactions made under the exception for protecting commercial interests, the Ombudsman found it questionable whether Europol redacted sensitive information related to intellectual property. Rather, some of the withheld elements appeared to be of a more general nature.

22. In view of the above considerations, the Ombudsman proposed that Europol reconsider its position on the disclosure of the documents at stake with a view to granting the widest possible access. The Ombudsman also proposed that, where Europol considers that access cannot be granted, it should explain, in detail and with reference to each document, how disclosure would undermine one or several of the interests listed in Article 4 of Regulation 1049/2001, if needed in a confidential annex.[20]

23. In reply to the Ombudsman’s solution proposal, Europol decided to grant wider access to the documents.

24. As regards the exchanges between the Commission and Europol on the proposed CSAM Regulation, Europol granted wider public access to one of the two documents it had already partially disclosed and granted full or wider partial access to three of the four documents it had previously withheld in full. Europol maintained its refusal to grant access to one document in its entirety.

25. As regards the exchanges between Europol and Thorn, Europol removed some of its redactions in four documents.

The Ombudsman's solution proposal in case 2219/2024/OAM

26. Europol refused public access to seven exchanges with Thorn, covering the period 25 February 2023 - 1 May 2024, in their entirety.

27. In refusing access, Europol invoked the exception for the protection of the public interest as regards public security. It argued that the documents contain confidential information relating to “child safety ecosystem members” and “strategic information of operational relevance regarding Europol’s working methods in relation to the use of image classifiers”. Disclosure would undermine the proper fulfilment of Europol’s tasks, as it would jeopardise operational processes and activities of Europol. This, in turn, would negatively affect internal workflows, operational support activities and partners’ trust. In addition, for three of the seven documents, Europol invoked the exception for the protection of its decision-making process, arguing that disclosure would reveal internal opinions that are part of its deliberations and preliminary consultations related to law enforcement investigative tools. Europol identified no overriding public interest in the disclosure of the three documents.

28. Based on the inspection of the documents and Europol’s explanations in the initial and confirmatory replies, it was not readily clear to the Ombudsman that all seven documents at issue include sensitive information throughout, which, if disclosed, could harm the public interest as regards public security. The Ombudsman noted in this context Europol’s wide discretion (see paragraph 17 above), but that it is still required to demonstrate a ‘specific and actual risk’ to public security that is reasonably foreseeable and not purely hypothetical. Also in this case, she reminded Europol that it is not sufficient that the requested documents concern a protected interest.[21]

29. The Ombudsman further noted that it is difficult to see how all documents at issue in this case differ from the exchanges between Europol and Thorn at issue in her parallel inquiry 1372/2024/OAM, to which Europol granted partial access. Specifically, the Ombudsman found that one document was partially disclosed by Europol in the context of the access request subject to her parallel inquiry.

30. In refusing public access to three of the requested documents, Europol also invoked the need to protect an ongoing decision-making process. The Ombudsman considered that this exception seemed to be relevant in relation to two documents only, as these documents contain references to Europol’s consideration of specific tools.

31. In view of the above considerations, the Ombudsman proposed that Europol reconsider its position on the complainant’s request, with a view to granting the widest possible access to the documents.[22]

32. In reply, Europol granted partial access to five of the requested seven exchanges. As regards the remaining two exchanges, Europol considered that no access could be granted in order to protect the public interest as regards public security and Europol’s decision-making process linked with internal deliberations in relation to law enforcement investigative tools.

33. The Ombudsman asked the complainant to provide comments on the two solution proposals and on Europol’s replies. The complainant welcomed the additional access received. He however regretted that it took Europol so long to provide partial access to some of the documents, and only after the Ombudsman’s intervention.

34. As regards the exchanges with the Commission, while the complainant acknowledged that Europol has provided some additional reasons for non-disclosure, he considered that these are still vague and that Europol “failed to duly consider and give full weight to the legislative nature of the documents concerned”.

35. As regards the exchanges with Thorn, the complainant regretted the redactions maintained by Europol based on largely generic justifications. He doubted that some of the information Europol claimed to protect could be deemed as sensitive commercial information. He furthermore questioned whether all redactions made to protect the public interest as regards public security were justified.

The Ombudsman's assessment after the solution proposals

36. The Ombudsman welcomes the wider partial access that Europol has now granted to the requested documents.

37. Specifically, concerning the exchanges with the Commission, Europol:

• gave wider partial access to one document previously disclosed;
• maintained that no further access was possible for the second document previously disclosed;
• gave full access to one document (the flowchart), which it had previously refused to disclose in its entirety;
• gave partial access to two documents (one of the two documents concerning the legal text of the proposed CSAM Regulation and the briefing note), which it had previously refused to disclose in their entirety; and
• maintained that no access could be granted to one document (the other document concerning the legal text of the proposed CSAM Regulation).

38. Europol clarified that it merely provided technical expertise to assist the Commission in the context of the legislative proposal which the Commission had shared with Europol at its own discretion. It said that it did not, as argued by the Ombudsman in her solution proposal, share this information with the Commission “with the aim of informing and/or influencing the drafting of the legislative proposal”.

39. For those (parts of the) documents that Europol continues to withhold, Europol relied on the exceptions for the protection of public interest as regards public security, arguing that (full) disclosure could jeopardize trust and cooperation with Europol’s partners and thus hinder Europol’s tasks, and the protection of a decision-making process, as disclosure of the exchanges would undermine legislative discussions on the proposed CSAM Regulation. It said that the redacted parts of the two documents now partially disclosed contained "sensitive commentary" on the proposal, Europol's capabilities, tools, databases, and operational flow, such as information related to the Secure Information Exchange Network Application (SIENA). Europol further considered that the document refused in its entirety was an "early internal interim draft" prepared by the Commission, outlining various legislative options under consideration and containing sensitive information about these preliminary options.  

40. Concerning the remaining redactions, the Ombudsman considers Europol’s reliance on the exception for the protection of the public interest as regards public security not manifestly wrong, in view of Europol’s wide margin of discretion.

41. However, she regrets that Europol still relies on the exception to protect a decision-making process, that is, the negotiations on the proposed CSAM Regulation. This line of argumentation is not in line with existing case-law (see also paragraphs 14-16 above). According to the Court of Justice, “wider access” must be granted to EU legislative documents and any exceptions to it must be interpreted “all the more strictly” as “the possibility for citizens to scrutinise and be made aware of all the information forming the basis for EU legislative action is a precondition for the effective exercise of their democratic rights”.[23]

42. As regards the exchanges with Thorn, Europol:

• gave wider partial access to four of the nine documents at issue in case 1372/2024/OAM;
• granted partial access to five of the seven documents at issue in case 2219/2024/OAM, to which Europol previously refused public access in their entirety.

43. The Ombudsman recalls that the exchanges between Europol and Thorn are very short emails exchanged in the context of Europol’s activities to combat child sexual exploitation.

44. For the parts that Europol continues to withhold, it relied on the same exceptions as invoked in its initial and confirmatory decisions. In particular, Europol relied on the protection of the public interest as regards public security, in terms of safeguarding trust and cooperation with Europol’s partners. It also relied on the protection of commercial interests of a legal person, in terms of redacting information relating to intellectual property, and the protection of Europol decision-making process in relation to discussions on certain technological tools and projects.

45. Concerning the remaining redactions, the Ombudsman considers Europol’s position that some of these redactions are covered by the public security exception not manifestly wrong. However, the Ombudsman is still not convinced by Europol’s reliance on the other exceptions, particularly the protection of commercial interests. She notes, however, that the redactions covered by this exception are very limited and do not justify pursuing the matter further.

46. To conclude, the Ombudsman welcomes that Europol granted wider partial access to the documents, but notes, as detailed above, that she is not convinced by Europol’s continued reliance on the decision-making and commercial interest exceptions for some of the documents. Furthermore, despite her specific request to explain, in detail, how disclosure of the remaining redacted information would undermine one or several of the interests listed in Article 4 of Regulation 1049/2001, Europol has provided very limited additional explanations only.

47. Europol has therefore only partially accepted the solution proposals. In this context, the Ombudsman reminds Europol of a suggestion for improvement she recently made in the context of another inquiry with Europol.[24] Specifically, the Ombudsman suggested that Europol provide, in all its decisions refusing public access, sufficient reasoning to allow applicants for public access to documents to understand why access could not or could only partially be granted, taking into account the specific content of each document.

Conclusion

Based on the inquiries, the Ombudsman closes these cases with the following conclusion:

By agreeing to grant further public access to the documents requested by the complainant, Europol partially accepted the Ombudsman’s solution proposals.

The complainant and Europol will be informed of this decision.

Teresa Anjinho
European Ombudsman

Strasbourg, 28/11/2025

 

[1] More information about EMPACT available at: https://www.europol.europa.eu/crime-areas-and-trends/eu-policy-cycle-empact

[2] Under Regulation 1049/2001 regarding public access to European Parliament, Council and Commission documents: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:32001R1049, applicable to Europol in accordance with its Management Board Decision of 13 December 2016: https://www.europol.europa.eu/sites/default/files/documents/decision_of_the_mb_rules_applying_reg_1049_2001.pdf.

[3] Proposal for a Regulation of the European Parliament and of the Council laying down rules to prevent and combat child sexual abuse, COM(2022)209 final: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=COM%3A2022%3A209%3AFIN.On 26 November 2025, the Council agreed to start negotiations with the European Parliament with a view to agreeing on the final regulation: https://www.consilium.europa.eu/en/press/press-releases/2025/11/26/child-sexual-abuse-council-reaches-position-on-law-protecting-children-from-online-abuse/.

[4] Article 4(1)(b) of Regulation 1049/2001.

[5] Article 4(3) of Regulation 1049/2001.

[6] Article 4(1)(a) first indent of Regulation 1049/2001.

[7] Article 4(2) first indent of Regulation 1049/2001.

[8] Article 4(4) of Regulation 1049/2001.

[9] Article 10 of the Treaty on European Union (TEU).

[10] Articles 1 and 10(3) TEU.

[11] Recital 6 of Regulation 1049/2001.

[12] See, to that effect, judgments of the Court of 1 July 2008, Sweden and Turco v Council, C‑39/05 P and C‑52/05 P, paragraph 46: http://curia.europa.eu/juris/liste.jsf?num=C-39/05&language=en, and of 17 October 2013, Council v Access Info Europe, C‑280/11 P, paragraph 33: http://curia.europa.eu/juris/liste.jsf?num=C-280/11&language=EN.

[13] Article 12(2) and Recital 6 of Regulation 1049/2001.

[14] Judgment of 25 January 2023, De Capitani v Council, Case T-163/21, paragraphs 83, 85, and 93: https://curia.europa.eu/juris/document/document.jsf?text=&docid=269684&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=26618867.

[15] See for example, judgment of 4 September 2018, ClientEarth v Commission, Case C-57/16 P, paragraphs 85, 88, 90-93: https://curia.europa.eu/juris/document/document.jsf?text=&docid=205322&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=3693014.

[16] Judgment of the General Court of 11 July 2018, ClientEarth v Commission, T-644/16: http://curia.europa.eu/juris/document/document.jsf?text=&docid=203913&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=46943.

[17] Judgment of 27 November 2019, Izuzquiza and Semsrott v Frontex, Case T-31/18, paragraphs 61-65: https://curia.europa.eu/juris/document/document.jsf?text=&docid=221083&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=4082546.

[18] https://www.europarl.europa.eu/legislative-train/spotlight-JD22/file-combating-child-sexual-abuse-online.

[19] See in that regard, judgment of 25 January 2023, De Capitani v Council, Case T-163/21: https://curia.europa.eu/juris/document/document.jsf?text=&docid=269684&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=3531724.

[20] European Ombudsman proposal for a solution in case 1372/2024/OAM, available at: https://www.ombudsman.europa.eu/solution/214483

[21] Same as footnote 17.

[22] European Ombudsman proposal for a solution in case 2219/2024/OAM, available at: https://www.ombudsman.europa.eu/solution/214484.

[23] Judgment of 4 September 2018, ClientEarth v Commission, Case C-57/16 P, paragraph 84: https://curia.europa.eu/juris/document/document.jsf?text=&docid=205322&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=3693014.

[24] See closing decision in case 851/2024/SF, available at: https://www.ombudsman.europa.eu/en/decision/en/214746.