Deciziei în cazul 2682/2008/(MAD)(TN)ELB - Presupusul refuz nejustificat de a acorda acces la informaţii

The background to the complaint

1. The complaint concerns a request for information about absences of MEPs due to medical grounds.

2. The complainant requested statistics from the European Parliament concerning medical certificates submitted by MEPs. Parliament refused access to the requested information.

3. The complainant therefore turned to the Ombudsman.

The subject matter of the inquiry

4. The complainant alleged that Parliament wrongly denied access to the requested information.

5. The complainant claimed that Parliament should provide him with the requested information.

The inquiry

6. On 5 October 2008, the complainant addressed his concerns to the Ombudsman. On 25 November 2008, the Ombudsman opened an inquiry and forwarded the complaint to Parliament, which sent its opinion to the Ombudsman on 26 February 2009. The opinion was forwarded to the complainant, who did not submit any observations.

7. On 15 January 2010, the Ombudsman consulted the European Data Protection Supervisor (EDPS). The Ombudsman forwarded the EDPS' reply to Parliament and the complainant. The complainant did not submit any observations and Parliament declined to comment on the views expressed by the EDPS.

The Ombudsman's analysis and conclusions

A. Alleged wrongful denial of access to the requested information and related claim

Arguments presented to the Ombudsman

8. The complainant stated that he contacted Parliament to obtain statistics about medical certificates submitted by MEPs to Parliament. He wished to obtain aggregate statistics for MEPs dating from the 1999-2004 and 2004-2009 legislatures. He did not ask for the names of MEPs or the periods of absence, but rather for anonymous, general figures grouped by Member State. Parliament replied that no such data had been compiled and therefore no estimate could be given. It noted that such information is not required by its rules of procedure and is not collected because it would create an unnecessary administrative burden for Parliament's services. According to the complainant, Parliament's reply was unjustified. He considered it impossible that Parliament does not possess such information, since it is needed to calculate MEPs' salaries. He criticised Parliament for its allegedly non-transparent behaviour.

9. In its opinion to the Ombudsman, Parliament explained that the information requested by the complainant has not been compiled and is therefore not contained in any document. It does not, therefore, fall under Regulation 1049/2001 concerning access to documents held by the EU institutions[1]. It further underlined that there is no general right of access to information (as opposed to a general right of access to documents). The only obligations on officials and other servants in this regard are contained in the provisions of the Code of Conduct[2]. Point III.A. 7-8 of the Code of Conduct provides:

"7. Officials and other servants working for departments dealing with the public must answer questions as and when permitted by the procedures laid down by regulation and administrative practices.

8. Unclear or factually incorrect questions must be returned to their sender with a request for further clarification."

According to Parliament, its reply to the complainant was therefore correct. The above provisions imply that there was no obligation to gather this information under the rules of procedure or to produce it on the basis of the principle of good administrative practice (since doing so would result in disproportionate burden).

10. With regard to the complainant's argument that Parliament has to keep data concerning medical certificates submitted by MEPs in order to determine their salaries, Parliament emphasised that it does not pay MEPs' salaries directly. Until the Members' Statute came into force in July 2009, MEPs' salaries were paid directly by the relevant authorities in their own countries. In accordance with existing legislation, Parliament's administration pays subsistence allowances to MEPs who are present at the institution's meetings and official events. As a result, the administration must be able to record the days when MEPs are present and therefore eligible for reimbursement. It keeps these data in a database. However, data concerning the number of medical certificates submitted, broken down by MEP or nationality, cannot be easily extracted from the database. Such data would need to be sorted and extracted manually. This constitutes, in Parliament's view, a disproportionate administrative burden which goes against the principle of good administrative practice.

11. Parliament went on to argue that, irrespective of the administrative burden that producing the requested data would create, it would not be appropriate to produce such data. Medical data are sensitive by nature, even if they relate only to certain categories of people and not to specific individuals. By providing different data sets (by gender, nationality or otherwise), which themselves are not sensitive, the institution would risk revealing private information through the combination of data or allow unjustified conclusions to be drawn.

12. As regards the particular request made by the complainant, that is, the production of statistics broken down by nationality, although statistical aggregations of data are not generally considered to constitute personal data, individuals may, nevertheless, become identifiable in Member States, such as Malta, Luxembourg, Cyprus and Estonia, which have small populations. This argument is strengthened by the fact that the data requested relate to health. Parliament concluded that it acted correctly and in accordance with the Code of Conduct of officials and other servants of the European Parliament. It summarised its position by underlining that it does not collect the requested data and that such data cannot be produced without creating a considerable administrative burden. Finally, it added, gathering the requested data would be inappropriate, given their private nature.

The consultation of the EDPS

13. The Ombudsman consulted the EDPS on the following questions:

• Would the release of information about medical absences of MEPs, broken down by nationality, risk encroaching upon the privacy of individual MEPs?

• Would the answer to this question be different for data relating to MEPs from Member States that have a "large" number of MEPs? If the answer to this question is yes, how many MEPs must a Member State have in order for that Member State to be classified, for the purposes of the present inquiry, as a Member State that has a "large" number of MEPs?

• Would the answer to the first question be different if, rather than breaking down the data by nationality, the data concerning MEPs from a number of Member States were provided in consolidated form? How many MEPs would have to be represented in the consolidated list in order to eliminate (any) concerns in relation to the privacy of individual MEPs?

14. The EDPS replied jointly to the three questions and made the following comments and observations. According to Article 2(a) of Regulation 45/2001[3], personal data mean "any information relating to an identified or identifiable natural person". Article 2(a) furthermore states that an identifiable person is one "who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity". Recital 26 of Directive 95/46/EC[4] stipulates that "to determine whether a person is identifiable, account should be taken of all means likely reasonably to be used either by the controller or by any other person to identify the said person."

15. Since the information requested by the complainant is not information relating to individual MEPs, but information relating to groups of MEPs in aggregated form per country, the crucial question is whether such information would still allow individual MEPs to be identified, thereby risking a potential encroachment of their privacy. In other words, whether that information could also relate to individual MEPs as identifiable persons in this respect. Whether, therefore, persons who are not mentioned by name can still be identified by applying the standards provided in Regulation 45/2001, notably: "all means likely reasonably to be used either by the controller or by any other person", ultimately depends on the specific circumstances surrounding each case.

16. In this respect, it is indeed relevant whether the aggregated data requested by the complainant concern either a few or a large number of persons. In general, it is true that the smaller the number of persons, the higher the likelihood that an individual will be identified. It is, however, not possible to define in abstracto the decisive number of MEPs, since other elements might also be relevant. Information in the public domain could, in combination with the information requested, lead the complainant or any other third party to find out which individual MEPs the data refer to. It may also be that any other information, only available to the complainant or a third party, would allow them to draw conclusions regarding one or more particular MEPs. The latter scenario would of course have to be more than purely speculative to be relevant in this context.

17. A careful analysis of the specific circumstances and their context is therefore required. The EDPS is not in a position to perform this analysis. In general, however, applying the standards referred to above, one may assume that merely divulging the total number of days during which MEPs from the different countries have been absent for medical reasons would not constitute information relating to identifiable natural persons. This applies even if five or six MEPs are concerned, as in the case of certain Member States. It is, first of all, up to the European Parliament to assess whether circumstances are present which might rebut this presumption. If such circumstances are not found to exist, privacy and data protection considerations do not stand in the way of the public disclosure of such information.

18. According to Article 10(1) of Regulation 45/2001[5], the processing of medical data is, in principle, prohibited. This prohibition can be lifted if the person involved consents to the processing, or, in certain other situations listed in paragraphs 2 and 3. Article 10(4) contains additional exceptions, but this provision can be applied only in special situations involving substantial public interest. This does not appear to apply to the present situation.

19. To sum up, the EDPS stated that the aggregated data requested cannot be assumed to relate to identifiable persons, even if they only concern five or six persons. If, due to specific circumstances, individual MEPs and their medical absences can be identified from the data requested by the complainant, the public disclosure of the information must be prohibited on the basis of Article 10 of Regulation 45/2001. In such a situation, other solutions may be found, such as generalising the information in such a way that individual MEPs can no longer be identified in this respect.

20. Parliament refused to comment on the EDPS' reply. It pointed out that, under Article 10 of Regulation 45/2001, there is no obligation to release such information – which in any case does not exist at present – unless reasons of substantial public interest are invoked. As indicated by the EDPS, this does not seem to apply to the present situation.

21. The complainant did not submit any observations on the EDPS' reply.

The Ombudsman's assessment

22. It is good administrative practice for the EU institutions to provide information requested by citizens unless there are valid reasons for refusing to do so[6].

23. The protection of privacy is a fundamental right enshrined in Article 7 of the Charter of Fundamental Rights[7] and Article 8 of the European Convention of Human Rights[8].

24. The EU courts have stated that "the right to respect for private life, embodied in Article 8 of the ECHR and deriving from the common constitutional traditions of the Member States, is one of the fundamental rights protected by the legal order of the Community. It includes in particular a person's right to keep his state of health secret."[9]

25. Article 2(a) of Regulation 45/2001 defines "personal data" as any information relating to an identified or identifiable natural person.

26. Article 2(b) of Regulation 45/2001 defines "processing of personal data" as "any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction."

27. It is not disputed that Parliament has information in its database concerning the medical absences of individual MEPs. Each piece of raw data in Parliament's database concerning MEPs absences on medical grounds constitutes "personal data" within the meaning of Article 2(a) of Regulation 45/2001.

28. It is also clear that Parliament does not have the statistics requested by the complainant. Parliament states that, in order to produce the statistics requested by the complainant, it would have to extract from its database information concerning the medical absences of individual MEPs. It would have to use this information to produce the requested statistics manually. These two processes, namely, retrieval and use, clearly fall within the definition of "processing of personal data" within the meaning of Article 2(b) of Regulation 45/2001, cited in paragraph 26 above.

29. Article 5 of Regulation 45/2001 states that:

"personal data may be processed only if:

(a) processing is necessary for the performance of a task carried out in the public interest on the basis of the Treaties ... or other legal instruments adopted on the basis thereof or in the legitimate exercise of official authority vested in the Community institution or body or in a third party to whom the data are disclosed, or

(b) processing is necessary for compliance with a legal obligation to which the controller is subject, or

(c) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract, or

(d) the data subject has unambiguously given his or her consent, or

(e) processing is necessary in order to protect the vital interests of the data subject."

30. Article 10(1) of Regulation 45/2001, which deals with the protection of personal data by the EU institutions, states that:

"The processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and of data concerning health or sex life, is prohibited."

Data on the absences of MEPs on medical grounds clearly fall within the scope of Article 10(1).

31. Given that such personal data are particularly important and sensitive, Article 10 establishes an even stricter regime as regards the processing thereof. It states that the processing of such data is prohibited unless:

"(a) the data subject has given his or her express consent to the processing of those data, except where the internal rules of the Community institution or body provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject's giving his or her consent, or

(b) processing is necessary for the purposes of complying with the specific rights and obligations of the controller in the field of employment law insofar as it is authorised by the Treaties establishing the European Communities or other legal instruments adopted on the basis thereof, or, if necessary, insofar as it is agreed upon by the European Data Protection Supervisor, subject to adequate safeguards, or

(c) processing is necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving his or her consent, or

(d) processing relates to data which are manifestly made public by the data subject or is necessary for the establishment, exercise or defence of legal claims, or

(e) processing is carried out in the course of its legitimate activities with appropriate safeguards by a non-profit-seeking body which constitutes an entity integrated in a Community institution or body, not subject to national data protection law by virtue of Article 4 of Directive 95/46/EC, and with a political, philosophical, religious or trade-union aim and on condition that the processing relates solely to the members of this body or to persons who have regular contact with it in connection with its purposes and that the data are not disclosed to a third party without the consent of the data subjects."

Further exceptions, which would allow the processing of personal data falling under Article 10, include:

(1) where the processing of data is required for the purposes of preventive medicine, medical diagnosis, the provision of care or treatment or the management of health-care services and is carried out by a health professional subject to the obligation of professional secrecy or by another person also subject to an equivalent obligation of secrecy; or

(2) where, subject to the provision of appropriate safeguards, there are reasons of substantial public interest; or

(3) where, subject to the provision of appropriate safeguards, the processing of data relates to offences, criminal convictions or security measures.

32. The Ombudsman is not convinced that any justification exists, in accordance with Article 10 of Regulation 45/2001, for the processing of the personal data at issue in the present inquiry. In particular, the Ombudsman notes that MEPs have not given their express consent to such processing. Specifically, MEPs have not given their express consent for Parliament (i) to extract their personal data from the database and (ii) to use these personal data to produce statistics. Further, the Ombudsman notes, such processing is not necessary for the purposes of complying with Parliament's specific rights and obligations in the field of employment law. Indeed, it should be noted that MEPs do not have an employment relationship with Parliament.

33. As such, the Ombudsman concludes that (i) the retrieval of the personal data, and (ii) their use in order to produce statistics constitute "processing of personal data" in a manner which infringes the rules set out in Regulation 45/2001.

34. In addition to the retrieval of personal data from the database, and their use in order to produce statistics, the complainant also requests that the statistics be transferred to him. It must, in this context, be examined if that transfer also constitutes processing of "personal data". In this respect, a key question is whether individual MEPs can be identified from the statistics. If this were the case, the statistics would also be "personal data" within the meaning of Article 2(a) of Regulation 45/2001, and their transfer would be "processing of personal data" within the meaning of Article 2(b) of Regulation 45/2001.

35. As noted by the EDPS, specific circumstances might still enable the identification of individual MEPs even if only aggregated statistical data were disclosed.

36. Given that MEPs are public figures, the public in general are already aware of many details concerning their lives, including, potentially, their medical status. Specific members of the public, especially those in the political sphere, are likely to be aware of even more details in this regard. In these specific circumstances, the number of days a particular MEP has been absent on medical grounds could be more easily deduced from statistical information relating to the total number of days MEPs of a given nationality have been absent on the same grounds. Such a conclusion would be drawn even more easily, given that the total number of days an MEP is for whatever reason present or absent from Parliament is already public information. In such circumstances, it cannot be ruled out that the transfer of the requested statistics would also constitute processing of "personal data". Consequently, the transfer should also be prohibited.

37. Given that, as described in paragraph 33 above, the retrieval of personal data and their use in order to produce statistics constitute the processing of personal data in a manner which infringes the rules set out in Regulation 45/2001, it is not necessary, in order to find that Parliament was justified in refusing the complainant's request for information, for the Ombudsman to reach any definitive conclusion as regards whether the transfer of statistics to the complainant would also infringe the rules set out in Regulation 45/2001.

38. On the basis of the above, the Ombudsman concludes that there has been no maladministration by Parliament.

B. Conclusion

On the basis of his inquiry into this complaint, the Ombudsman closes it with the following conclusion:

There has been no maladministration by Parliament.

The complainant and Parliament will be informed of this decision.

 

P. Nikiforos Diamandouros

Done in Strasbourg on 8 December 2010

---

[1] Regulation (EC) No 1049/2001 of the European Parliament and of the Council of 30 May 2001 regarding public access to European Parliament, Council and Commission documents (OJ 2001 L 145, pp. 43-48).

[2] Code of Conduct - Guide to the obligations of officials and other servants of the European Parliament, Bureau decision of 7 July 2008.

[3] Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (OJ 2001 L 8, pp. 1–22).

[4] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, pp. 31–50).

[5] Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data, cited above at footnote 3.

[6] Decision of the Ombudsman on complaint 1402/2002/GG.

[7] Article 7 states the following: "Everyone has the right to respect for his or her private and family life, home and communications."

[8] Article 8 states the following: "Everyone has the right to respect for his private and family life, his home and his correspondence."

[9] Case C-404/92 P X v Commission [1994] ECR I-4737, paragraph 17. See also Case C-62/90 Commission v Germany [1992] ECR I-2575. Paragraph 23 states the following: "The right to respect for private life and, as one of its aspects, the right to the protection of medical confidentiality constitute fundamental rights protected by the legal order of the Community."