FOR PREVIEWING & TESTING PURPOSES ONLY.
This notification will disappear once the page will be published.
This link is available for less than 30 minutes.
  • Facile à lire
  • Taille du texte

Vous souhaitez déposer une plainte contre une institution ou un organe de l’Union européenne ?

Langue actuelle : 
  • English
Langues disponibles : 

Recommendation on the European Commission's refusal to give public access to the risk assessment report drawn up by a large social media company on its compliance with the Digital Services Act (case 1746/2024/MIG)

The complainant asked the European Commission for public access to the risk assessment report for 2023 of a large social media platform on its compliance with the provisions of the Digital Services Act (DSA). Annual reporting is part of the obligations of 'very large online platforms' under the DSA. The Commission refused access to the report, referring to an exception under the EU legislation on public access to documents (Regulation 1049/2001). Specifically, the Commission argued that it could be presumed that disclosure of the report would undermine the commercial interests of the platform as well as its ongoing investigation into the platform's compliance with its obligations under the DSA. The Commission thus did not individually assess the report in view of its possible disclosure.

The Ombudsman inquiry team inspected the report at issue. Based on the inspection, the Ombudsman shared her preliminary view with the Commission that it is unreasonable to apply a general presumption of non-disclosure to a risk assessment report drawn up under the DSA. The Ombudsman considered that the circumstances in which the EU courts have recognised the possibility to use a general presumption are very different from the rules that apply to risk assessment reports. In view of this, the Ombudsman’s preliminary view was that the Commission’s reliance on a general presumption constituted maladministration.

In reply to the Ombudsman, the Commission maintained its view, adding that the use of a general presumption had been justified also in light of the need to protect the purpose of the independent audit on the platform’s compliance with its obligations under the DSA that had been ongoing at the time of its decision on the access request.

The Ombudsman was not convinced that the need to protect the purpose of the audit was such as to justify the Commission’s application of a general presumption of non-disclosure. While the legislator linked the timeline for the proactive publication of the risk assessment report to the completion of the independent audit, this does not imply that requests for public access under Regulation 1049/2001 must be rejected before that date. Rather, if the platform concerned has not yet published the risk assessment report proactively when there is a public access request for its disclosure, the Commission should take this into account in its assessment under Regulation 1049/2001. If it is not clear whether public access can be granted, the Commission should consult the platform to obtain its views on whether any of the exceptions provided for in Article 4 of Regulation 1049/2001 might apply.

The Ombudsman thus found that the Commission’s application of a general presumption of non-disclosure to the risk assessment report at issue constituted maladministration. She recommended that the Commission conduct an individual assessment of the document with a view to granting the widest access possible, in line with Regulation 1049/2001.

made in accordance with Article 4(1) of the Statute of the European Ombudsman[1]

Background to the complaint

1. Under the Digital Services Act[2] (DSA), providers of ‘very large online platforms’ and ‘very large online search engines’[3] should, once per year, diligently identify and assess the systemic risks stemming from their services. This assessment should include risks such as the dissemination of illegal content and disinformation as well as negative effects for the exercise of fundamental rights, on electoral processes or in relation to gender-based violence and the protection of minors.[4]

2. In addition, at least once per year, an independent audit is to be carried out to assess the compliance of providers of designated online platforms and search engines with their obligations under the DSA.[5]

3. The designated platform’s risk assessment report and the audit report by the independent auditor are to be made public.[6]

4. Where risks are identified, the provider of the designated platform (and/or search engine) concerned has to put in place mitigating measures to address those risks.

5. The European Commission monitors and enforces the compliance of very large online platforms with their obligations under the DSA.

6. In April 2023, the Commission designated ‘X’ (formerly ‘Twitter’) as a ‘very large online platform’. As a result, the provider of the platform had to ensure, within four months, that it complies with its obligations under the DSA.[7] This included the obligation to carry out an annual risk assessment and to report on it to the Commission.

7. On 14 September 2023, the Commission received the report on X’s first annual risk assessment under the DSA.

8. On 26 September 2023, the complainant, a journalist, made a request[8] for public access to documents to the Commission, asking for disclosure of X’s risk assessment report.

9. On 8 November 2023, the Commission refused to give public access, relying on the need to protect the commercial interests of the platform concerned.[9]

10. The complainant then asked the Commission to review its decision to refuse to give public access (he made a ‘confirmatory application’).

11. In December 2023, based on its assessment of the platform’s risk assessment report (and other elements), the Commission opened a formal investigation[10] into the platform’s compliance with its obligations under the DSA. Specifically, the Commission considered that the platform had failed diligently to assess certain systemic risks in the EU stemming from the design and functioning of its systems and the use of its services.

12. In June 2024, the Commission adopted a confirmatory decision on the complainant’s access request, maintaining that the risk assessment report could not be disclosed. In doing so, the Commission also invoked the need to protect its ongoing investigation under the DSA, arguing that a general presumption of non-disclosure applied and that the two exceptions for the protection of commercial interests and for the protection of the purpose of investigations were closely connected.

13. In July 2024, the Commission issued preliminary findings of non-compliance in the context of its DSA investigation, identifying three grievances.[11]

14. In September 2024, dissatisfied with the Commission’s refusal to provide public access, the complainant turned to the Ombudsman.

The inquiry

15. The Ombudsman opened an inquiry into the Commission’s decision to refuse to give public access to the risk assessment report at issue under the EU legislation on public access to documents (Regulation 1049/2001[12]).

16. During the inquiry, the Ombudsman received the Commission’s reply on the complaint. The Ombudsman inquiry team also inspected the risk assessment report at issue.

Arguments presented

17. In its confirmatory decision, the Commission argued that disclosure of the risk assessment report would undermine the purpose of its investigation under the DSA, namely ensuring contestable and fair markets in the digital sector across the EU where gatekeepers offer designated services, to the benefit of business users and end users.

18. More specifically, the Commission said that the provider of the platform concerned had not yet published the risk assessment report and that the platform had a legitimate interest in the Commission using the information it shares with it for the purpose intended by the DSA only.

19. The Commission noted that its investigation under the DSA was still ongoing. In view of this, the Commission argued that the present case “entails [the] type of situation” based on which the EU courts have recognised the possibility to apply a general presumption of non-disclosure.[13]

20. Firstly, the Commission argued that the risk assessment report at issue forms part of a category of similar documents (its DSA investigation file) to which the exceptions for the protection of the purpose of investigations and of commercial interests manifestly apply.

21. Secondly, this category of documents falls within the scope of a sectoral legal framework that contains specific accessibility rules (similar to the rules on antitrust, State aid and merger control). In particular, in DSA investigations, the Commission’s decision has to be based on a complex assessment of facts collected during the investigation. To that end, the Commission enjoys similar investigative powers to those in the field of competition law and the undertakings at issue have similar commercial interests that are protected in those procedures. In that regard, the Commission referred to the following provisions:

· Article 79(4) of the DSA, which sets out a right of the ‘parties concerned’ to have access to the Commission’s file, meaning that uninvolved third parties do not have any right of access, and

· Article 84 of the DSA, which requires professional secrecy of information obtained in the context of an investigation, meaning that the platforms concerned have a legitimate right to expect that the information they provide to the Commission will not be disseminated further.

22. Disclosure, the Commission concluded, would undermine those privileged access rules.[14]

23. Thirdly, the Commission considered that disclosure would undermine the proper operation of the DSA investigation and thus its objective, implying that it would lead to undue interventions by third parties.[15]

24. Fourthly, the Commission said that it is likely to gather commercially sensitive information in the context of an investigation under the DSA. This might entail information related to a platform’s internal organisation, functioning, business practices and conducts, and activities and strategies in relation to potential risks. The fact that the DSA obliges undertakings to publish their risk assessment reports, while permitting them to redact ‘confidential information’ in the public version of the report, illustrates this point.

25. The Commission concluded that disclosure of the risk assessment report would undermine the mutual trust between the Commission and the designated platforms concerned as well as potential informants, as these parties would become reluctant to cooperate. Ultimately, this loss of trust would undermine the Commission’s ability effectively to enforce the DSA. The two exceptions for the protection of commercial interests and the purpose of investigations, it said, are therefore closely connected in this case.

26. Finally, the Commission took the view that there is no overriding public interest in disclosure and that the public interest is better served by ensuring the conclusion, in all serenity, of its DSA investigation.

27. The complainant considered the Commission’s use of a general presumption to be unsubstantiated and contrary to the principles of openness and transparency. He argued that there is a fundamental difference between the type of information collected in competition cases and in investigations under the DSA, and that the unique nature of DSA investigations, which concern public safety, democratic participation and the exercise of fundamental rights, require an increased level of transparency and public scrutiny.

28. The complainant also argued that the fact that the Commission opened an investigation amplifies the need for transparency as non-disclosure prevents the public from making informed judgments about the safety of the use of the platform’s services.

29. As a general point, the complainant stated that the Commission seems to apply the general presumption also in cases where it had not opened a formal DSA investigation, referring to two other, similar requests for public access to documents that the Commission had denied.

30. The complainant concluded that the use of a general presumption would mean “that nearly any interaction that the Commission had with the largest technology companies over the past years could vanish behind the veil of non-disclosure”. This would make the work of journalists more difficult, including in their role as “social watchdogs”, as recognised by the European Court of Human Rights.

31. Concerning the need to protect the commercial interests of the platform concerned, the complainant deemed the Commission’s arguments not sufficiently specific. He also contended that the rules on the publication of risk assessment reports do not establish unconditional confidentiality of any information that undertakings share with the Commission under the DSA.

32. Finally, the complainant argued that there is an overriding public interest in disclosure, in that it would help the public navigate the risks related to the use of the services of the platform concerned. In this regard, he noted that public institutions across Europe had considered ceasing their use of the platform’s services due to disinformation concerns, and that some had done so. Disclosure, he said, would thus also help public authorities to decide whether the platform is an appropriate place for public announcements.

33. When it replied to the complaint in October 2024, the Commission provided an update on the state of play of its DSA investigation. It said that it had had several exchanges with the provider of the platform concerned and that it had issued preliminary findings. However, these preliminary findings concerned only some of the issues identified, so that the DSA investigation was still fully ongoing.

34. The Commission also informed the Ombudsman that the independent audit report had been adopted in August 2024 and that the platform would have to publish its risk assessment report by 27 November 2024. The Commission took the view that disclosure of the platform’s risk assessment report under Regulation 1049/2001, before the expiry of this timeline, would undermine the platform’s commercial interests.

The Ombudsman's preliminary views

35. On 15 November 2024, the Ombudsman shared her preliminary view[16] with the Commission that it is unreasonable to apply a general presumption of non-disclosure to a risk assessment report under the DSA, based on the need to protect the purpose of an investigation into the platform’s compliance with the DSA and the need to protect commercial interests.

36. Specifically, the Ombudsman considered that the rules that apply to risk assessment reports deviate significantly from the circumstances in which the EU courts have established the possibility to make use of a general presumption. Most notably, the DSA does not provide for privileged access rules to risk assessment reports but requires platforms to publish those reports, independently of whether there is an ongoing DSA investigation by the Commission.

37. In addition, the Ombudsman considered that, while the DSA indeed allows[17] for certain information to be withheld when a platform publishes its risk assessment report, it is unreasonable to conclude from this provision - and given the obligation to publish the report - that risk assessment reports contain sensitive commercial information throughout.

38. The Ombudsman also asked the Commission to reply to a set of questions that the legal framework of the DSA raises.

39. On 27 November 2024, that is, on the date of the expiry of the prescribed time limit, the platform concerned published a redacted version of the risk assessment report at issue.[18]

40. The complainant commented on the publication of the risk assessment report, taking the view that “key parts” of the report had been redacted.

41. In March 2025, the Commission replied[19] to the Ombudsman’s preliminary views, reiterating its position that the risk assessment report at issue forms part of its DSA investigation file and, thus, that a general presumption of non-disclosure applies, based on the need to protect the commercial interests of the platform concerned as well as the purpose of the ongoing DSA investigation.

42. In addition, the Commission stated that the DSA and Regulation 1049/2001 have consistent objectives. More specifically, the DSA has several transparency provisions that are critical to enabling increased public scrutiny and accountability, which, in turn, are instrumental to the broader goal of the DSA, namely ensuring a safe, predictable and trusted online environment, where fundamental rights are protected. In this context, the Commission stated that the publication of the risk assessment report and the audit report are key to understanding how providers of very large online platforms identify, analyse, and mitigate systemic risks stemming from their services.

43. While acknowledging the “prominent public interest” that the provisions of the DSA reflect, the Commission noted that these rules also protect certain information that designated platforms may redact from the public version of their risk assessment reports. This illustrates that risk assessment reports may contain commercially sensitive information.

44. The Commission also argued that the confidentiality of risk assessment reports had to be ensured throughout the procedure: upon receipt of the report by the Commission to protect its decision-making as to whether opening an investigation is warranted and after opening an investigation under the DSA to ensure an impartial and effective procedure and a proper engagement with the platform. The Commission also took the view that this includes the time after the publication of the risk assessment report by the platform concerned.

45. Overall, the Commission contended that disclosure of the report, at any stage, would (i) circumvent the transparency reporting system set out in the DSA, (ii) jeopardise the purpose of its DSA investigations and (iii) evade the specific access to the file and confidentiality rules laid down in the DSA. The Commission also noted that, according to Recital 85 of the DSA, “subsequent risk assessments [are expected to] build on each other and show the evolution of the risks identified.”

46. Furthermore, the Commission contended that disclosure of the risk assessment report would undermine the purpose of an audit under Article 37 of the DSA, including the follow-up to it. It argued that “public reactions to the risk assessment reports may cause interferences with the work of the auditors who have to analyse them as part of their auditing exercise, as well as with the providers’ possibility to implement audit recommendations or alternative measures to address potential non-compliance,” as identified in the audit report.

47. Finally, the Commission stated that its rules[20] on how it implements Regulation 1049/2001 “recognise” that a general presumption of non-disclosure applies to documents being part of DSA procedures.

48. As regards the set of questions shared by the Ombudsman, the Commission stated that, generally, it monitors the timely publication of risk assessment reports by providers of very large online platforms and assesses the redactions they make and the ‘statement of reasons’ in which they have to justify any redactions. The Commission also considered that the redactions that platforms may make in the public version of their risk assessment reports under the DSA would mirror the exceptions from transparency laid down in Article 4 of Regulation 1049/2001.

49. Following the Commission’s reply, the Ombudsman gave the complainant the opportunity to provide comments, including on her preliminary views.

50. In response, the complainant noted that the Commission had explicitly recognised a particularly prominent public interest in knowing how providers identify and mitigate systemic risks and that this should be considered an overriding public interest in disclosure.

51. The complainant also reiterated his position that the DSA is distinct from EU competition rules and stated that the application of a general presumption of non-disclosure would mean that risk assessment reports would become available to the public only with a significant delay.

52. Further, the complainant argued that the Commission seemed to apply the DSA without giving effect to the right to access EU documents under Regulation 1049/2001.

53. Finally, the complainant said that the Commission seemed to be willing to assess redactions made by providers of large online platforms only once they have published their risk assessment report. In the complainant’s view, this would be insufficient for the purpose of transparency.

The Ombudsman's assessment after the Commission’s reply to the preliminary views

54. The DSA establishes a specific transparency regime for risk assessments to be carried out annually by very large online platforms.

55. Specifically, the DSA requires designated platforms to publish their risk assessment report at the latest three months after the completion of the annual independent audit on the respective platform’s compliance with its obligations under the DSA.[21] These provisions on proactive transparency in the DSA need to be reconciled with the reactive transparency regime established by Regulation 1049/2001 that applies where the Commission receives a request for public access to risk assessment reports drawn up under the DSA. Neither of the two legal frameworks prevails over the other.

56. Under Regulation 1049/2001, EU institutions have to conduct, in principle, a concrete and individual assessment of the content of each requested document in order to decide whether public access can be granted, either in full or in part.[22] 

57. As an exception to this rule, the EU courts have recognised that the EU institutions may apply a general presumption of non-disclosure to certain categories of documents to which similar considerations as to why they cannot be disclosed manifestly apply. In that case, the institution concerned does not have to examine the specific content of the requested documents.

58. This case-law includes, for example, documents in the Commission’s administrative file on the review of State aid[23], documents exchanged between the Commission and the notifying parties or third parties in the context of merger control procedures[24], documents related to the ongoing pre-litigation phase of an infringement procedure[25], and documents related to ongoing investigations by the European Anti-Fraud Office (OLAF)[26].

59. What these procedures have in common is that the sectoral rules by which they are governed do not provide for a right of third parties to access the Commission’s respective administrative file. In addition, the Commission is bound by confidentiality. Accordingly, the relevant sectoral legal frameworks, first and foremost, aim to ensure respect for professional secrecy in the relevant procedures. Their objective is thus very different from the objective of Regulation 1049/2001, which is to ensure the greatest possible transparency of, among other things, the EU administration’s decision-making. Therefore, the courts considered that if the public were to access the Commission’s administrative file in those cases (on the basis of Regulation 1049/2001), this would call into question the system established by those rules, and, therefore, undermine the very purpose of those investigations (and, in some cases, also commercial interests).

60. The Commission argued that the transparency regime established by the DSA is of an equally restrictive nature and that, therefore, the case-law on general presumptions of non-disclosure applies, by analogy, to risk assessment reports drawn up under the DSA. Specifically, the Commission argued that the fact that, under the DSA, the ‘parties concerned’ have a right[27] to access its investigation file means that the wider public is excluded from such access. In addition, based on the requirement of professional secrecy[28], providers of very large online platforms legitimately expect that the Commission does not disclose any information that they share with it. The Commission also referred to the possibility that platforms may redact[29] certain information before publishing their risk assessment reports.

61. The Ombudsman maintains her position that the rules that apply to risk assessment reports drawn up under the DSA by very large online platforms deviate significantly from the circumstances in which the EU courts have recognised the possibility to make use of a general presumption of non-disclosure.

62. In general, contrary to the sectoral legal frameworks in relation to which the EU courts have recognised that a general presumption may be applied, the DSA emphasises the importance of transparency and accountability of online services. As regards very large online platforms, the DSA acknowledges that, due to their special role and reach, there is a need for an increased level of transparency and public scrutiny.[30] In order to achieve those goals, dedicated platforms have to disclose a significant amount of information, including information that could be regarded as commercially sensitive, such as the number of their monthly recipients in each Member State.[31]

63. In the same vein, designated online platforms have to publish their annual risk assessment report and they have to do so at the latest three months after the completion of the independent audit.[32] Notably, the publication is to take place irrespective of whether the Commission has opened an investigation into the compliance of the platform concerned with its obligations under the DSA, whether such an investigation is ongoing or whether the Commission has yet to take a decision on the possible opening of an investigation.

64. As this case illustrates, it is not unlikely that the prescribed time limit for the publication of the risk assessment report expires before the Commission can conclude its investigation. In fact, it seems that, in the majority of cases where the Commission decides to open an investigation, (a redacted version of) the risk assessment report will be made public before an investigation is opened or while the investigation is still ongoing. In other words, the legislator seems to have considered that the protection of the Commission’s enforcement efforts is without prejudice to the transparency and public scrutiny of risk assessment reports.

65. The Ombudsman acknowledges that the DSA allows for certain information to be withheld when a designated platform publishes its risk assessment report, including commercially sensitive information. However, given that the report must be made public at some point, it is unreasonable to consider that risk assessment reports would contain sensitive commercial information throughout. There in nothing in the wording of the relevant provisions of the DSA that could support such an interpretation. For the same reason, platforms cannot legitimately expect that their risk assessment reports would be covered in their entirety by the principle of professional secrecy.

66. The Ombudsman therefore maintains her view that it is unreasonable to apply a general presumption of non-disclosure to risk assessment reports drawn up under the DSA, based on the need to protect the purpose of a DSA investigation and/or the need to protect commercial interests.

67. In reply to the Ombudsman’s preliminary views, the Commission additionally argued that disclosure of the risk assessment report at issue, at the time of the confirmatory decision, would have undermined the then ongoing independent audit into the platform’s compliance with its obligations under the DSA.

68. The audit report in this case was finalised in August 2024. Therefore, when the Commission adopted its confirmatory decision on the complainant’s access request in June 2024, the audit was still ongoing.

69. However, according to Article 42(4) of the DSA, very large online platforms may decide to publish their risk assessment report before the independent audit has been completed. The relevant provision requires that the publication of the risk assessment report takes place at the latest three months following the completion of the audit. It does not prohibit the report’s earlier publication.

70. While the legislator thus linked the timeline for the proactive publication of the risk assessment report to the completion of the independent audit, this does not imply that requests for public access under Regulation 1049/2001 must necessarily be rejected before that date, thus giving rise to the application of a general presumption of non-disclosure. Rather, if the platform concerned has not yet published the risk assessment report proactively, the Commission should take this into account in its assessment of the document under Regulation 1049/2001 and, if it is not clear whether public access can be granted, the Commission should consult the platform to obtain its views on whether any of the exceptions provided for in Article 4 of Regulation 1049/2001 might apply. This will also give the platform the possibility to react to the access request and, if it so wishes, to publish its risk assessment report earlier than it might have intended.

71. This view is supported by the following observations.

72. First, as stated above, there is nothing in Article 42(4) of the DSA that would prevent platforms from publishing their risk assessment reports before the completion of the independent audit. In fact, it would seem that, for the most recent period, several designated platforms/search engines have already published their risk assessment reports although the second independent audit has not yet been completed.  

73. Second, the Ombudsman notes that, in this case, the Commission published[33] detailed information on its investigation into the platform’s compliance with its obligations under the DSA, including on the specific issues that it is assessing and on its preliminary findings of non-compliance, before the audit had been completed. In this context, it is difficult to see how (partial) disclosure of the platform’s risk assessment report could have undermined the then ongoing independent audit.

74. Finally, the Ombudsman notes that, from now on, designated platforms will have to conduct a risk assessment on an annual basis. In the light of the time that the procedure before the Commission and the independent audit can take, the risk assessment reports of one platform might cover similar topics each year. The use of a general presumption could thus lead to a situation where the Commission does not assess a risk assessment report under Regulation 1049/2001 for a significant period of time, even though the scope of the DSA investigation, whose purpose the Commission intends to protect, is much more limited than the scope of a risk assessment report. Therefore, the application of a general presumption of non-disclosure could prevent the transparency and public scrutiny of very large online platforms that the legislator deemed essential. In other words, the use of a general presumption risks undermining one of the key objectives of the DSA, transparency.

75. In light of the above, the Ombudsman considers that it is unreasonable to apply a general presumption of non-disclosure to risk assessment reports under the DSA, and that the Commission should have carried out an individual assessment of the report at issue at the time when it considered the complainant’s confirmatory application. The Ombudsman thus confirms her preliminary view that the Commission’s use of a general presumption of non-disclosure constituted maladministration.

76. The Ombudsman notes that a redacted version of the risk assessment report at issue in this inquiry has in the meantime been disclosed by the platform concerned, in line with its obligations under Article 42(4) of the DSA. It can therefore be presumed that the Commission has already assessed the redactions made by the platform, in light of the exceptions set out in Article 42(5) of the DSA. In this context, the Ombudsman is encouraged to learn about the Commission’s view that the redactions that designated platforms may make under the DSA should mirror the exceptions to public access in Article 4 of Regulation 1049/2001. This seems to imply that the risk assessment report at issue has in the meantime been disclosed to the public to the extent that the Commission considers access could be provided under Regulation 1049/2001. However, the Commission’s assessment in this regard has not been shared and, thus, could not be reviewed.

77. The Ombudsman notes that the complainant has challenged the redactions made by the platform concerned and has argued that they appear excessive. The proactive publication of a redacted version of the risk assessment report at issue by the platform concerned has thus not resolved the complaint. In view of this, the Ombudsman considers it necessary to continue the inquiry and to make the following recommendation to the Commission: The Commission should conduct a concrete and individual assessment of the risk assessment report at issue with a view to granting the widest public access possible, including to those parts of the report that have been redacted in the version that was published by the platform concerned. If the Commission concludes that no access can be granted to certain parts of the report, it should explain, why, specifically and actually, their disclosure is prevented in light of the exceptions laid down in Article 4 of Regulation 1049/2001.

78. Finally, the Ombudsman notes that the Commission’s new detailed rules[34] for the application of Regulation 1049/2001, adopted after the confirmatory decision in this case, are currently contested before the General Court.[35] The detailed rules provide for the possibility to apply a general presumption of non-disclosure to “documents being part of procedures under the DSA”. Unless and until the Court issues its judgment on the legality of these rules, the Ombudsman will not take a position on the detailed rules as such. As the detailed rules must in any case remain in line with Regulation 1049/2001,[36] the Ombudsman will continue to assess the compliance of individual confirmatory decisions adopted by the Commission, which are brought to her attention, with Regulation 1049/2001, as interpreted by the EU courts, and the principles of good administration.

Recommendation

On the basis of the inquiry into this complaint, the Ombudsman makes the following recommendation to the Commission:

The European Commission should conduct a concrete and individual assessment of the risk assessment report at issue with a view to granting the widest public access possible, including to those parts of the report that have been redacted in the version that was published by the platform concerned. If the Commission concludes that no access can be granted to certain parts of the report, it should explain, why, specifically and actually, their disclosure is prevented in light of the exceptions laid down in Article 4 of Regulation 1049/2001.

The Commission and the complainant will be informed of this recommendation. In accordance with Article 4(2) of the Statute of the European Ombudsman, the Commission shall send a detailed opinion by 3 February 2026.

Teresa Anjinho
European Ombudsman


Strasbourg, 03/11/2025

 

[1] Available at: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv%3AOJ.L_.2021.253.01.0001.01.ENG&toc=OJ%3AL%3A2021%3A253%3ATOC.

[2] Regulation 2022/2065 on a Single Market For Digital Services (Digital Services Act): http://data.europa.eu/eli/reg/2022/2065/oj.

[3] Online platforms and online search engines are considered “very large” if the number of average monthly active users of their service within the European Union is 45 million or more, Article 33 of the DSA.

[4] See Article 34 of the DSA.

[5] See Article 37 of the DSA.

[6] See Article 42(4) and (5) of the DSA.

[7] According to Articles 34(1) and 33(6), second subparagraph of the DSA.

[8] Under Regulation 1049/2001 regarding public access to European Parliament, Commission and Council documents: http://data.europa.eu/eli/reg/2001/1049/oj.

[9] In accordance with Article 4(2), first indent of Regulation 1049/2001.

[10] In accordance with Article 66(1) of the DSA. The file number is DSA.100.100.

[11] https://digital-strategy.ec.europa.eu/en/news/commission-sends-preliminary-findings-x-breach-digital-services-act.

[12] See footnote 8 above.

[13] The Commission referred, amongst other case-law, to the Judgment of the Court (Grand Chamber) of 29 June 2010, Commission v Technische Glaswerke Ilmenau, C-139/07 P, paragraph 54: https://curia.europa.eu/juris/document/document.jsf?text=&docid=84749&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=1621734.

[14] The Commission referred, amongst other case-law, to the Judgment of the Court of 27 February 2014, Commission v EnBW, C-365/12 P, paragraphs 81 ff: https://curia.europa.eu/juris/document/document.jsf?text=&docid=148392&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=1621734.

[15] The Commission referred, amongst other case-law to the Judgment of the General Court of 26 May 2016, International Management Group v Commission, T-110/15, paragraph 32: https://curia.europa.eu/juris/document/document.jsf?text=&docid=178781&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=1645716.

[16] The full text of the Ombudsman’s preliminary views is available at: https://www.ombudsman.europa.eu/en/doc/correspondence/en/199731.

[17] Article 42(5) of the DSA.

[18] See: https://transparency.x.com/en/reports/dsa-risk-assessment-report.

[19] The full text of the Commission’s reply to the Ombudsman’s preliminary views is available at:

https://www.ombudsman.europa.eu/doc/correspondence/214482.

[20] See the Commission’s detailed rules for the application of Regulation 1049/2001 regarding public access to European Parliament, Council and Commission documents: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202403080#anx_1:~:text=p.%C2%A060).-,ANNEX,Council%20regarding%20public%20access%20to%20European%20Parliament%2C%20Council%20and%20Commission%20documents,-Whereas%3A

[21] Article 42(4) of the DSA.

[22] See, for example, Judgment of the Court of first Instance of 13 April 2005, Verein für Konsumenteninformation v Commission, T-2/03, paragraphs 69 ff.: https://curia.europa.eu/juris/document/document.jsf?text=&docid=60314&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=59073.

[23] Judgment of the Court of 29 June 2010, Commission v Technische Glaswerke Ilmenau, C‑139/07 P: https://curia.europa.eu/juris/document/document.jsf?text=&docid=84749&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=267909.

[24] Judgment of the Court of 28 June 2012, Commission v Agrofert, C-477/10 P: https://curia.europa.eu/juris/document/document.jsf?text=&docid=124461&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=267626.

[25] Judgment of the Court of 14 November 2013, LPN v Commission, C-514/11 P and C-605/11 P: https://curia.europa.eu/juris/document/document.jsf?text=&docid=144492&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=8482072.

[26] Judgment of the General Court of 1 September 2021, Homoki v Commission, T-517/19: https://curia.europa.eu/juris/document/document.jsf?text=&docid=245503&pageIndex=0&doclang=FR&mode=lst&dir=&occ=first&part=1&cid=6145602.

[27] Article 79(4) of the DSA.

[28] Article 84 of the DSA.

[29] Article 42(5) of the DSA.

[30] See, for example, recitals (65) and (100) of the DSA.

[31] See Article 42(3) of the DSA.

[32] Article 42(4) of the DSA.

[33] On 18 December 2023, the Commission informed the public about the opening of an investigation, see: https://ec.europa.eu/commission/presscorner/detail/en/ip_23_6709. On 12 July 2024, the Commission made public its first preliminary findings, see: https://ec.europa.eu/commission/presscorner/detail/en/ip_24_3761.

[34] See footnote 20 above.

[35] Case T-146/25, De Capitani and Others v Commission: https://curia.europa.eu/juris/liste.jsf?lgrec=fr&td=;ALL&language=en&num=T-146/25&jur=T and case T-641/25, ClientEarth v Commission: https://curia.europa.eu/juris/liste.jsf?lgrec=fr&td=;ALL&language=en&num=T-641/25&jur=T.

[36] In line with Article 15(3) of the Treaty on the Functioning of the European Union, which requires each institution, body, office or agency to “elaborate in its own Rules of Procedure specific provisions regarding access to its documents, in accordance with the regulations referred to in the second subparagraph”. The General Court held that Rules of Procedure adopted by the Commission (in Joined Cases T-371/20 and T-554/20, Pollinis v Commission, paragraph 93) or conclusions adopted by the Council (in case T-255/24, Nouwen v Council, paragraph 103) must remain in line with Regulation 1049/2001. In the latter case, the Court held that “[t]he scope of the obligations incumbent upon an EU institution under Regulation No 1049/2001, as interpreted by the Courts of the European Union, cannot depend on the content of acts, such as the Council’s conclusions, adopted by the institution concerned itself”.