FOR PREVIEWING & TESTING PURPOSES ONLY.
This notification will disappear once the page will be published.
This link is available for less than 30 minutes.
  • Facile à lire
  • Taille du texte

Vous souhaitez déposer une plainte contre une institution ou un organe de l’Union européenne ?

Langue actuelle : 
  • English
Langues disponibles : 

The European Ombudsman's preliminary views on the European Commission's refusal to give public access to the risk assessment report of a large social media company on its compliance with the provisions of the Digital Services Act

President
European Commission

 

Dear President,

I am writing to share my preliminary views in this case and to clarify a number of questions that have arisen.

The case concerns the European Commission’s refusal to give public access to the 2023 risk assessment report drawn up by the provider of X, a very large online platform (VLOP) under the Digital Services Act (DSA).

At the initial stage, the Commission refused to give public access based on the need to protect the commercial interests of the platform concerned. The complainant then asked the Commission to review this decision, challenging the sensitive nature of the information contained in the document. He also argued that there is an overriding public interest in knowing what measures the platform is taking to address any risks.

Shortly afterwards, in December 2023, the Commission opened[1] a formal investigation into the platform’s compliance with the DSA. Specifically, the Commission considered that the platform had failed diligently to assess certain systemic risks in the EU stemming from the design and functioning of its systems or from the use of its services.

In June 2024, the Commission adopted a confirmatory decision, maintaining its refusal of access to the report at issue. In doing so, the Commission also invoked the need to protect its ongoing investigation under the DSA, arguing that a general presumption of confidentiality applied and that the two exceptions for the protection of commercial interests and for the protection of investigations were closely connected.

In its reply to the complaint, the Commission also stated that the preliminary findings issued in summer 2024 concerned only one part of its DSA investigation and that the remaining part is still at an early stage. In addition, it is unclear when the investigation will be completed. The Commission also explained that the platform concerned has to publish the risk assessment report at issue by 27 November 2024 and took the view that it is not in a position to disclose (any part of) the report before the expiry of this time line.

Based on the review of the information provided to my Office and the report at issue, my preliminary view is that it is unreasonable to apply a general presumption of confidentiality to a risk assessment report drawn up in accordance with Article 34 of the DSA.

As the Commission itself acknowledged, the case law has thus far not established that a general presumption may be applied to documents related to investigations under Article 66(1) of the DSA. The relevant case law could therefore at best be applied by analogy. However, the relevant parts of the DSA applicable to risk assessment reports deviate significantly from the circumstances in which the EU Courts have in the past established the possibility to make use of a general presumption.

Most notably, the case law on general presumptions is largely based on the fact that the relevant legal frameworks provide for restrictive access to the Commission’s administrative files and that disclosure would undermine the purpose of these privileged access rules. However, the same cannot be said for risk assessment reports under the DSA.

More specifically, as the Commission acknowledged, risk assessment reports must be made available to the public by the platform itself. Whilst the DSA allows[2] for certain information to be withheld when the platform publishes the report, given the obligation to publish, it does not appear reasonable from this provision that risk assessment reports would contain sensitive information throughout.

What is more, the time line for publishing the report starts running independently of whether or not an investigation under Article 66(1) of the DSA has been launched or is pending. Rather, the platform concerned is legally required to publish the report even if an investigation has been launched, or has not been completed by the deadline to make it public. In this case, the time line for publication will expire on 27 November 2024. However, based on the information provided by the Commission, it seems impossible that its investigation will have been completed by then. As the DSA does not provide for a suspension or an extension of the relevant time line in cases where there is an investigation, it seems unreasonable that risk assessment reports have to be withheld in their entirety while an investigation under Article 66(1) of the DSA is ongoing.

For the same reason, the fact that the rights of defence of the parties concerned encompass the right to access the Commission’s file cannot be reasonably understood to prohibit public disclosure of the risk assessment report.

As regards the requirement for professional secrecy laid down in Article 84 of the DSA, I note that this covers sensitive information only. This, however, does not mean that all information the Commission obtains under the DSA should, as such, be considered as confidential.

Based on this, I am not convinced that the Commission was justified in applying a general presumption of confidentiality to the risk assessment report at issue, a document that the co-legislators determined should be shared with the public, and it is my preliminary view that doing so constituted maladministration.

Accordingly, I consider that the Commission should have assessed the content of the report in order to decide whether public access, including partial access, can be given. To this end, the Commission could have consulted the platform concerned to obtain its views on the extent to which it might consider the report to be commercially sensitive.

In addition, I do not consider that the imminent expiry of the time line for the platform to make the report public renders an assessment by the Commission at this stage obsolete. Even if the platform makes the report public within the prescribed time line, it will not conduct the same assessment in terms of proactive publication as the Commission when replying to a request for public access to documents under Regulation 1049/2001. In that context, the platform’s view on the extent to which the report should be disclosed to the public might differ from the Commission’s position following an assessment under Regulation 1049/2001.

Nevertheless, I appreciate that the DSA is a relatively new framework that poses legal questions that have not yet been discussed. For this reason, I would be grateful if the Commission could reply also to the following questions:

1. Does the Commission (or any other entity) monitor the timely publication of risk assessment reports by VLOPs? If yes, what steps does it take if a platform fails to publish the report on time?

2. If a VLOP withholds parts of a risk assessment report when it publishes it, does the Commission assess whether the redactions are in line with Article 42(5) of the DSA? If yes, what are the consequences if it considers the redactions made by the platform to be excessive?

3. How does the Commission, generally, understand the relationship between proactive and reactive transparency of risk assessment reports under the DSA?

4. How does the Commission interpret Article 42(5) of the DSA in light of Regulation 1049/2001 and the exceptions under Article 4 thereof?

I would be grateful to receive the Commission's reply to my preliminary views and questions by 17 February 2025.[3]

Finally, I would be grateful if the Commission could inform my Office if it considers any information contained in this letter confidential, if possible by 22 November 2024. Should the Commission confirm that the letter contains no confidential information, I intend to share it with the complainant and to publish it on the Ombudsman’s website.

Yours sincerely,

Emily O'Reilly
European Ombudsman

Strasbourg, 15/11/2024

 

[1] In accordance with Article 66(1) of the DSA.

[2] Article 42(5) of the DSA.

[3] If you wish to submit documents or information that you consider to be confidential, and which should not be disclosed to the complainant, please mark them ‘Confidential’. Encrypted emails can be sent to our dedicated mailbox.