Background to the complaint

1. The complainant requested public access to a dataset containing company names and details held in the Business Registers Interconnection System (BRIS), which is administered by the European Commission. BRIS interconnects the business registers of EU Member States, in accordance with the BRIS Directive^[1].

2. BRIS is composed of the:

1. business registers of EU Member States,
2. European central platform as a back-end electronic database and
3. European e-Justice Portal, which provides the user interface of BRIS through the “Find a company”-page.^[2]

3. While the original data are stored on the business registers of EU Member States, the European central platform indexes some basic company information from the national registers to allow its search engine to work. This central 'Legal Entity Data' (LED) contains – for EU Member States that participate – an indexed copy of a limited list of company data[3].

4. The complainant initially requested public access to a dataset containing all company names and details kept in relation to the European central platform. In challenging the Commission’s initial rejection of his request (by making a ‘confirmatory application’), the complainant specified that he was asking for public access to the LED dataset.

5. In reply, the Commission refused access to the requested dataset, arguing that it does not hold any document that would correspond to the description given by the complainant. The Commission said that the requested dataset does not qualify as an ‘existing document’ under the EU legislation on public access to documents, as interpreted by the EU courts^[4]. This is because the requested data cannot be retrieved as part of the normal operations of the BRIS IT-system, using normal IT tools.

6. Disappointed with the Commission’s decision and explanation, the complainant turned to the Ombudsman.

The inquiry

7. The Ombudsman opened an inquiry into the Commission’s position that it does not hold any document that would correspond to the description given in the complainant’s access request.

8. In the course of the inquiry, the Ombudsman received the reply of the Commission. The Ombudsman asked the complainant for comments on the reply, but did not receive any.

Arguments presented to the Ombudsman

By the complainant

9. The complainant claimed that the Commission could carry out a ‘data dump’, to extract the dataset requested from the European central platform and provide public access to it. This, according to the complainant, would be comparable to making a back-up of the data.

10. The complainant argued that no substantial investment or substantial amount of programming work would be required to perform such a ‘data dump’. Nor would it require a substantial alteration either to the organisation of the electronic database or to the search tools currently available for the extraction of data. This is because such back-up files are created regularly for IT-systems as part of daily maintenance.

11. The complainant said that redacting some of the data from the resulting dataset, for example due to the need to anonymise the data, does not amount to the creation of a new document.

12. In addition, the complainant argued that the dataset in question is a subset of company data identified as a high-value dataset in Annex 1 of the Open Data Directive^[5]. Thus, according to the complainant, once the implementing Regulation under that Directive is adopted, the requested data will be publicly available. The complainant claimed that this supported his request for public access, as, in the future, the content of this dataset would be made publicly available.

By the Commission

13. In its written reply to the Ombudsman, the Commission said that, to facilitate searches, BRIS’s central data platform indexes some basic company information retrieved from the national business registers (the central LED; see paragraph 3). Those data are not meant to be extracted. Their extraction would require additional IT developments of the BRIS IT system. Writing a new programme would be needed to extract the bulk index data and to provide it in a readable format. This would include the need to perform the programming of new Structured Query Language (SQL) queries. That, in turn, would expose internal technical code keys that, in accordance with the Commission data security policies, cannot be shared with the public, as they could be used for cyber-attacks, and especially targeted SQL code injection.

14. In reply to the complainant’s suggestion that he could receive a copy of the system back-up, by the performance of a ‘data dump’, the Commission noted that IT systems cannot share their back-ups without irremediably compromising the security of the system itself and the public service it provides. Moreover, a system back-up contains other data (personal data, confidential data and protected information) which cannot be disclosed to the public for data privacy and security reasons.

15. The Commission also noted that the information requested by the complainant is already publicly available both on the European e-Justice Portal and in the national business registers. Therefore, the complainant has already access to this specific company data, but asks the Commission to aggregate this data. In the Commission’s view, the fact that this data is already publicly available satisfies in full the objectives of transparency and openness.

16. As regards the complainant’s reference to the Open Data Directive, the Commission explained in its reply that this Directive establishes rules governing the re-use for commercial and non-commercial purposes of existing documents held by national public sector bodies and national public undertakings of EU Member States.^[6] It clarified that, while the information held by business registers of EU Member States falls under scope of application of the Open Data Directive, the BRIS does not. The Commission thus considers that the Open Data Directive, including the upcoming implementing act, cannot provide any justification for accessing information on a Commission system.

The Ombudsman's assessment

17. The objective of the EU legislation on public access to documents is ‘to ensure the widest possible access to documents’.[7] Any exception to the fundamental right of public access must be narrowly construed and applied. The right of public access applies to documents, which are in the possession of an EU institution, meaning documents drawn up or received by it, in all areas of activity of the Union.

18. A document means ‘any content whatever its medium (written on paper or stored in electronic form or as a sound, visual or audio visual recording)’ [8] and thus in principle includes documents created by extracting information from electronic databases. However, the right of public access applies only as regards existing documents and there is no obligation on the institution to create a new document from information or other documents in its possession.[9]

19. In relation to electronic databases, the Court of Justice has found that information extracted may constitute an existing document where it can be extracted using normal or routine search tools and where there is no requirement for substantial investment on the part of the institution to extract that information. It stated that the determination of what is an existing document must be made based on a criterion adapted to the technical specificities of those databases, in line with the objective of the EU legislation on public access to documents to ensure the widest possible access.[10]

20. It is therefore necessary to assess on a case-by-case basis whether the dataset requested can be considered as an existing document under the EU legislation on public access to documents, based on the nature of the database itself, the extent of any investment required for extraction and the principle that disclosure should be granted to the widest extent possible.[11]

21. The Commission argued in this case that the requested dataset does not qualify as an existing document according to EU legislation[12], because it could not be retrieved as part of the normal operations of the BRIS IT-system and by using normal IT tools. Instead, it said, extracting the technical dataset would require additional programming. Consequently, the Commission refused access because it does not hold any documents that would correspond to the description given by the complainant.

22. The complainant claimed that the dataset requested could be extracted from BRIS by means of a ‘data dump’. This, according to the complainant, would not require a substantial investment of resources or amount of programming, as this process of extraction is akin to making a security back-up.

23. The Ombudsman understands that the technical dataset in this case originates from one database, namely the European central platform.[13] Notwithstanding, the Commission said that the dataset is stored across ‘multiple complex data structures’. It also mentioned that the European central platform was not designed for information to be extracted from it. As a result, the Ombudsman accepts as reasonable the Commission’s argument that it would require additional IT developments, including writing new programming to extract the bulk index data and provide it under a readable format for the complainant. The Commission also makes the point that the requested dataset exists only to support the technical functioning of the BRIS and is not accessible by Commission officials aside from those providing IT support, so outside the normal operations (including search functions) of the platform.

24. Given the specificities of the database in question, and contrary to the claim of the complainant, substantial investment would be required on the part of the Commission to extract the technical dataset from the platform and present it to the complainant in a readable format. Further, the Commission has explained that regardless of whether the information can be so extracted, its disclosure could jeopardise the integrity and security of the database itself and raise privacy and public security concerns. In those circumstances, the Commission’s arguments appear to be reasonable.

25. It is unfortunate that the Commission did not provide these additional explanations as regards public security to the complainant in its confirmatory decision and only subsequently in its reply to the Ombudsman.

26. As regards the complainant’s reference to the Open Data Directive, the Commission is correct to state that the Open Data Directive is applicable only to data held by national public sector bodies and national public undertakings of EU Member States and that it does not apply to interconnecting systems at EU-level, such as BRIS.

Conclusion

Based on the inquiry, the Ombudsman closes this case with the following conclusion[14]:

There was no maladministration by the Commission.

The complainant and the Commission will be informed of this decision.

 

Rosita Hickey
Director of Inquiries

Strasbourg, 28/02/2023

 

[1] Directive 2012/17/EU of the European Parliament and of the Council of 13 June 2012 amending Council

Directive 89/666/EEC and Directives 2005/56/EC and 2009/101/EC of the European Parliament and of the

Council as regards the interconnection of central, commercial and companies registers, now codified in the

Codified Company Law Directive (EU) 2017/1132. See: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32012L0017.

[2] See: https://e-justice.europa.eu/489/EN/business_registers__search_for_a_company_in_the_eu. The European e-Justice Portal serves as the European electronic access point (EAP).

[3] Only for participating EU Member States.

[4] See Regulation (EC) No 1049/2001 of the European Parliament and of the Council of 30 May 2001 regarding public access to European Parliament, Council and Commission documents. See: https://eur-lex.europa.eu/legal-content/NL/ALL/?uri=CELEX%3A32001R1049 and the judgment of the Court of 11 January 2017, Rainer Typke v European Commission, C-491/15 P, EU:C:2017:5, https://eur-lex.europa.eu/legal-content/GA/TXT/?uri=CELEX:62015CJ0491.

[5] Directive (EU) 2019/1024 of the European Parliament and of the Council of 20 June 2019 on open data and

the re-use of public sector information. See: https://eur-lex.europa.eu/eli/dir/2019/1024/oj.

[6] See Article 1(1) of the Directive (link in footnote 3.

[7] See recital 4 and Article 1(a) of Regulation 1049/2001, which is linked in footnote 4.

[8] See Article 3(a) of Regulation 1049/2001, which is linked in footnote 4.

[9] See paragraph 25 of Typke case (C-491/15 P), which is linked in footnote 4.

[10] Idem, paragraph 35.

[11] The Advocate-General in the Typke case has provided a non-exhaustive list of examples of what could entail a substantial investment in this context, including situations where:

• new values have to be added to the existing database, such as new fields, indexes or identifiers;

• complex, cross-database searches and operations are necessary, or

substantial alterations to the very structure of a database would be required, such as new coding or indexing of the database, see Opinion of Advocate General Bobek delivered on 21 September 2016. Rainer Typke v European Commission. See: https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX:62015CC0491.

[12] Regulation (EC) No 1049/2001, which is linked in footnote 4.

[13] The Typke case, on the other hand concerned several databases where SQL code was required in order to extract the information requested into a document from multiple non-connected sources.

[14] This complaint has been dealt with under delegated case handling, in accordance with the Decision of the European Ombudsman adopting Implementing Provisions