Made in accordance with Article 3(6) of the Statute of the European Ombudsman.^[1]

Background to the complaint

1. On 26 July 2018, the complainant asked the Innovation and Networks Executive Agency (INEA), to grant him public access to the complete documentation submitted by a public undertaking (the national cybersecurity authority of a Member State) in response to a call for proposals concerning the Enhanced National Cyber Security Services and Capabilities for Interoperability (eCSI).^[2]

2. On 1 August 2018, INEA replied to the complainant identifying the requested documents as the Grant application forms A to D submitted by the public undertaking. It refused to grant him public access on the basis of the commercial interests exception in Article 4(2), first indent, and the personal data exception in Article 4(1)(b) of Regulation 1049/2001.^[3]

3. On the same day, the complainant made a request for review (a so called “confirmatory application”) requesting INEA to review its previous refusal and to grant him public access to the requested documents.

4. On 7 August 2018, INEA consulted the public undertaking from which the requested documents originated, in accordance with Article 4(4) of Regulation 1049/2001.

5. On 21 August 2018, INEA confirmed its previous decision refusing public access to the requested documents.

6. On 7 October 2018, the complainant submitted a complaint to the Ombudsman.

The Ombudsman's proposal for a solution

7. The Ombudsman noted that, following the complainant’s request for review, INEA consulted the public undertaking from which the documents originated on the possibility of disclosing the requested documents. When doing so, INEA made a proposal for partial disclosure. It indicated the information which it considered was commercially sensitive and personal data, and which therefore should be redacted, and invited the public undertaking to provide its views on the suggested disclosure. The public undertaking indicated that it was not in agreement with the disclosure of the documents. The Ombudsman noted that INEA was not bound by the public undertaking opinion, as established in the case Terezakis v Commission.^[4]

8. The Ombudsman found that the requested documents contain a detailed description of the project. They also contain some technical information that appears to be the public undertaking’s methodology and know-how, as well as financial information concerning the estimated budget figures and costs of the project.^[5] The Ombudsman acknowledged the commercial value of this information and agreed that disclosing it to the competitors (via public access) would be likely to create an unfair advantage in future calls for tenders and proposals. The Ombudsman also concluded that the complainant has not established an overriding public interest in disclosure of the requested document that would justify denying the protection of the public undertaking’s commercial interests. Thus, the Ombudsman found that this information should be considered commercially sensitive, in accordance with Article 4(2), first intent, of Regulation 1049/2001.

9. However, the Ombudsman found that the requested documents contain some information, such as the scope and objectives of the proposed project, its relevance and the descriptions of activity, which do not appear to be commercially confidential, but rather general information about the project, in line with the publicly available call for proposals.^[6] The Ombudsman noted that not only is the call for proposals already publicly available, but so is also the project information, as confirmed by the complainant^[7] and INEA^[8]. In the light of that, the Ombudsman concluded that this information is not sensitive and its disclosure would not undermine the public undertaking’s commercial interests nor the intellectual property rights.

10. The Ombudsman considered that the complainant had not established the necessity of having personal data transferred^[9] and agreed that the personal data in the requested documents should be redacted, in line with Article 4(1)(b) of Regulation 1049/2001 and Article 8(b) of Regulation 45/2001.

11. Based on the above assessment, the Ombudsman proposed that INEA should partially disclose the requested Grant application forms A and D submitted by the public undertaking in the context of a call for proposals by the Connecting Europe Facility, redacting only information that it considers to be genuinely commercially sensitive or personal data requiring protection. The Ombudsman suggested that INEA’s initial proposal for partial disclosure (made in the course of the consultations) was the appropriate basis on which to proceed. The Ombudsman considered that, when disclosing the documents, INEA should follow the AKZO procedure and notify the decision in advance to the public undertaking, giving it the opportunity to mount a legal objection if it so wished.^[10]

The Ombudsman's assessment after the proposal for a solution

12. INEA rejected the Ombudsman’s proposal for partial disclosure of the Grant application forms A and D. In addition to its previous arguments, INEA provided further reasons for non-disclosure of the requested documents.

13. INEA noted that there is information on the scope and objectives of the project the eCSI project, which is publicly available, that “basically coincides” with the information included in the parts of the documents that the Ombudsman proposed should be disclosed. It argued that the administrative burden of implementing the Ombudsman’s proposal “would not weigh up against the Applicant’s possible interest in obtaining the already public information”. It considered that partial access would be meaningless since the information that could be disclosed is already public.^[11]

14. INEA also stressed that the project concerns cybersecurity, which is an area where confidentiality is essential. It noted that if the requested documents were to be disclosed, trust between the Commission and the relevant implementing actors would be breached and could lead to reluctance to apply for the grants in the future. It said that such actors provide, in their project proposals, details on their personnel and operations which, if disclosed, would enable external entities to understand their functioning. In addition, it noted that since some of the implementing actors are part of the security and intelligence infrastructure of the Member States. As a result, disclosure could also damage the cybersecurity of the Member States through targeted cyber-attacks.

15. The Ombudsman considers that the implementation of her proposal does not impose an administrative burden on INEA. The Ombudsman notes that when consulting the public undertaking from which the documents originated, INEA had already made an initial proposal for partial disclosure. The Ombudsman also notes that it in its proposal INEA indicated the information which was commercially sensitive and personal data. Therefore, the Ombudsman finds that granting partial access to the requested documents would not require significant additional work by INEA, as the work has already been done.

16. The Ombudsman also considers that the fact that information is already in the public domain does not mean that public access to the requested documents would be pointless. She notes that disclosure can only be deemed to be meaningless, or pointless, if the redactions are so extensive as to render a document “entirely deprived of its content”.^[12] This is not so in the present case. If any conclusion is to be drawn from the fact that certain information in the documents is already in the public domain, it is that the interests protected by Regulation 1049/2001 cannot be undermined by the disclosure of that information. 

17. The Ombudsman notes that the proposal for public disclosure concerns information, such as the scope and objectives of the project, its relevance and the descriptions of activities. The Ombudsman considers that this information does not appear to be sensitive. Rather, it is general information about the project in line with the publicly available call for proposals. The Ombudsman also considers the redaction of information concerning the public undertaking’s methodology and know-how, as well as financial information concerning the estimated budget figures and costs of the project, which may well be commercially sensitive information, to be justified.^[13] She also considers the redaction of personal data to be justified.^[14] Therefore, the Ombudsman finds that partial disclosure of the requested documents, would not undermine the trust between the Commission and the public undertaking.

18. The Ombudsman also finds that the national cybersecurity could not be undermined by partial disclosure, since the parts of the documents which should be disclosed contain information that is already public. In any event, that information does not contain detailed technical information which would enable external entities to understand the functioning of the national cybersecurity agencies and consequently damage the Member States’ cybersecurity.

19. In light of the above, the Ombudsman finds that the refusal by INEA to grant partial access to the documents constituted maladministration. She therefore makes a corresponding recommendation below, in accordance with Article 3(6) of the Statute of the European Ombudsman.

Recommendation

On the basis of the inquiry into this complaint, the Ombudsman makes the following recommendation to the Innovation and Networks Executive Agency:

The Innovation and Networks Executive Agency should partially disclose the requested Grant application forms A and D, redacting only information that is genuinely commercially sensitive or is personal data requiring protection.

The Innovation and Networks Executive Agency and the complainant will be informed of this recommendation. In accordance with Article 3(6) of the Statute of the European Ombudsman, INEA shall send a detailed opinion by 1 July 2019.

 

Emily O'Reilly

European Ombudsman

Strasbourg, 01/04/2019

 

[1] Decision of the European Parliament of 9 March 1994 on the regulations and general conditions governing the performance of the Ombudsman's duties (94/262/ECSC, EC, Euratom), OJ 1994 L 113, p. 15.

[2]  Enhanced National Cyber Security Services and Capabilities for Interoperability (eCSI), Action 2016-RO-IA-0128, available at INEA’s website: https://ec.europa.eu/inea/en/connecting-europe-facility/cef-telecom/2016-ro-ia-0128; Call for proposals concerning projects of common interest under the Connecting Europe Facility in the field of trans-European Telecommunication networks, CEF-TC-2016-3: Cyber Security, available at: https://ec.europa.eu/inea/sites/inea/files/2016-3_ceftelecom_calltext_cybersecurity_200916_final.pdf, Annex, Work programme 2016, available at: https://ec.europa.eu/inea/sites/inea/files/wp2016_adopted_20160303.pdf.

[3] Regulation 1049/2001 of the European Parliament and of the Council of 30 May 2001 regarding public access to European Parliament, Council and Commission documents, available at: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32001R1049&rid=1.

[4] Judgment of the Court of First Instance of 30 January 2008 in Terezakis v Commission, T-380/04.

[5] Judgement of the General Court of 21 October 2010 in Agapiou Joséphidès v Commission and EACEA, T-439/08; Judgment of the Court of First Instance of 30 January 2008 in Terezakis v Commission, T-380/04.

[6] Call for proposals concerning projects of common interest under the Connecting Europe Facility in the field of trans-European Telecommunication networks, CEF-TC-2016-3: Cyber Security, available at: https://ec.europa.eu/inea/sites/inea/files/2016-3_ceftelecom_calltext_cybersecurity_200916_final.pdf, Annex, Work programme 2016, available at: https://ec.europa.eu/inea/sites/inea/files/wp2016_adopted_20160303.pdf.

[7] Contract notice, 2018/S 019-040409, available at: https://ted.europa.eu/udl?uri=TED:NOTICE:040409-2018:TEXT:RO:HTML.

[8] INEA’s website, available at: https://ec.europa.eu/inea/en/connecting-europe-facility/cef-telecom/2016-ro-ia-0128, https://ec.europa.eu/inea/en/connecting-europe-facility/cef-telecom/apply-funding/2016-cef-telecom-call-cyber-security-cef-tc-2016-3; the public undertaking’s website, available at: https://www.cert.ro/pagini/ecsi-page; the project dedicated website, available at: https://ecsi.cert.ro/; the Romanian Public Procurement System/Platform, available at: www.e-licitatie.ro; and Tenders Electronic Daily, available at: www.ted.europa.eu.

[9] In accordance with Article 2(a) of Regulation 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data, available at: https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX:32001R0045.

[10] Judgment of the European Court of Justice of 24 June 1986 in AKZO Chemie BV and AKZO Chemie UK Ltd v Commission, Case 53/85, paragraph 29.

[11]INEA makes reference to the Judgments of the Court of First Instance of 12 July 2001 in Mattila v Council and Commission, T-204/99, paragraph 69 and of 20 March 2014; in Reagens v Commission, T-181/10, paragraph 161-175; judgments of the Court of First Instance of 19 July 1999 in Hautala v Council, case T-14/98 paragraph 30 and of 7 February 2002 in Kuijer v Council, T-211/00, paragraph 57.

[12] See Reagens v Commission, T-181/10, paragraph 172 and 175.

[13] In accordance with Article 4(2), first indent, of Regulation 1049/2001.

[14] In accordance with Article 4(1)(b) of Regulation 1049/2001.