Afgørelse i sag 320/2021/DDJ og 599/2021/DDJ om afslag fra Den Europæiske Unions Agentur for Retshåndhævelsessamarbejde (Europol) på aktindsigt i dokumenter vedrørende dets interaktioner med to virksomheder, der har leveret en dataanalyseplatform
Ügy 320/2021/DDJ - Vizsgálat megindítása Hétfő | 22 február 2021 - Határozat Hétfő | 14 június 2021
Ügy 599/2021/DDJ - Vizsgálat megindítása Szerda | 31 március 2021 - Határozat Hétfő | 14 június 2021
Sagerne vedrørte to begæringer om aktindsigt i dokumenter med nærmere oplysninger om Europols kontraktforhold og kommunikation med to virksomheder, der har leveret en dataanalyseplatform til agenturet. Europol gav helt eller delvis afslag på aktindsigt i de fleste af de dokumenter, der blev identificeret i den første begæring, idet Europol hovedsagelig gjorde gældende, at udbredelsen ville være til skade for beskyttelsen af offentlighedens interesser med hensyn til den offentlige sikkerhed. Europol gav afslag på aktindsigt i alle de dokumenter, der blev identificeret i den anden begæring, af hensyn til den offentlige sikkerhed og agenturets interne beslutningsproces.
På grundlag af en gennemgang af de ønskede dokumenter fandt Ombudsmanden, at de fleste af de oplysninger, de indeholdt, ville kunne skade beskyttelsen af offentlighedens interesser med hensyn til den offentlige sikkerhed, hvis de blev videregivet. Ombudsmanden fandt ikke, at der var grundlag for at fortsætte undersøgelsen for så vidt angår de meget begrænsede oplysninger, der ikke var omfattet af denne undtagelse.
Ombudsmanden konstaterede en række mangler i den måde, hvorpå Europol havde behandlet sagen, men konkluderede overordnet set, at Europol ikke havde gjort sig skyldig i fejl eller forsømmelser ved at give afslag på aktindsigt i de omhandlede dokumenter.
Background to the complaint
1. In 2012, Europol concluded a contract with a private consultancy concerning the development of a data analysis platform. In recent years, concerns have been raised about this platform, including as regards the processing of personal data.
2. In October and December 2020, the complainant – a researcher – submitted two requests for public access to documents to Europol relating to Europol’s contractual relations and communication with two consultancy companies involved in the development of the data analysis platform. In the second request, the complainant also requested access to documents relating to communication with Europol’s Management Board on this topic and to a number of operational plans.
3. In respect of the first request, Europol identified 63 documents as falling within the scope of the complainant’s request. It granted public access to parts of eleven documents and to two documents in their entirety. Europol refused access to the other documents. As regards the second request, Europol identified seven documents, all of which it refused access to.
4. The complainant asked Europol to review these decisions (by submitting ‘confirmatory applications’) in December 2020 and February 2021, raising several points of disagreement with Europol’s initial decisions.
5. In January and March 2021, Europol confirmed its initial decisions regarding both requests.
6. As he disagreed with Europol’s decisions, the complainant turned to the Ombudsman.
7. The Ombudsman opened an inquiry into Europol’s refusal to grant public access to the documents identified in the complainant’s requests.
8. In the course of the inquiry, the Ombudsman’s inquiry team examined the requested documents in view of the reasons provided by Europol for not disclosing them.
Arguments presented to the Ombudsman
Arguments presented by Europol
9. Regarding the first access to documents request made by the complainant, Europol invoked the exceptions for the protection of the public interest as regards public security, and the protection of the privacy and the integrity of the individual.
10. Concerning the documents to which only partial public access had been granted, Europol explained that it had redacted personal data as well as information on the technical details of Europol’s system and operating procedures. The release of such sensitive information, in the latter category, would have a negative impact on the internal work processes at Europol, Europol’s cyber resilience and related responses. It would also negatively affect the trust and cooperation between Europol and its partners, which is essential to Europol’s activities, and which therefore would prevent Europol from fulfilling its tasks.
11. Regarding the documents to which it denied public access in their entirety, Europol explained that these consisted of contractual documents, as well as correspondence, minutes of meetings, and reports. According to Europol, both these sets of documents contain information on technical details of Europol’s system(s) and its functionalities. The contractual documents identified also contain information on the specifications and requirements of Europol’s system and of Europol environments, operating procedures, business processes and workflows. The release of such sensitive information to the public would undermine the trust between Europol and its partners, which is essential to Europol’s activities, and which therefore would prevent Europol from fulfilling its tasks.
12. As regards the second request, Europol invoked the exceptions for the protection of the public interest as regards public security, protection of the privacy and the integrity of the individual, and protection of its decision-making process.
13. Europol refused access to three documents, relating to minutes of Management Board meetings and correspondence between Europol’s directorate and the Management Board, as they pertain to sensitive matters in relation to Europol’s systems, the release of which could hinder Europol’s ability to perform its tasks effectively.
14. In the case of one document, relating to correspondence between Europol’s directorate and the Management Board, Europol refused public access because its disclosure would reveal opinions for internal use as part of deliberations and preliminary consultations within Europol, thereby in turn undermining Europol’s decision-making process.
15. Regarding the last three documents identified, Europol indicated that they contain operational information, the release of which could affect the effectiveness of present and future operational activities of EU member states in their fight against serious crime. In addition, their disclosure would jeopardise the trust and cooperation between Europol and its partners, essential to Europol’s activities, thereby potentially hindering Europol’s ability to execute its tasks effectively.
Arguments presented by the complainant
16. The complainant argued that Europol applied the exceptions to the right of public access to documents – in so far as they were based on Articles 4(1) and 4(3) of the applicable rules – excessively restrictively, thereby acting against EU transparency standards and contrary to case law of the EU courts.
17. Due to the broad manner in which Europol seemed to have used justifications for non-disclosure, the complainant said that Europol did not base its refusal on 1) the foreseeable and more than purely hypothetical harm to one of the protected interests, and 2) a case by case analysis of the potential harm of disclosure. The complainant further argued that Europol failed to demonstrate how disclosure of the documents identified would actually undermine the proper fulfilment of its tasks.
18. The complainant argued that Europol failed to consider whether partial access could be granted. Europol further failed to consider that exceptions to the right to public access may apply only during the period when protection is justified on the basis of the content of the document.
19. Regarding the second request, the complainant contended that Europol should have assessed whether there was an overriding public interest in disclosure for the document that was refused to protect Europol’s decision-making process. The complainant noted that the company’s involvement in Europol’s work is of particular public interest, especially considering that it had been subject to media articles and inquiries by the European Data Protection Supervisor (EDPS). The complainant argued that Europol’s decision does not show that it had taken this into account.
20. Lastly, the complainant considered that Europol, by merely confirming its initial decision in one sentence, failed to comply with its obligation to review each argument put forward by an applicant in a confirmatory decision.
The Ombudsman's assessment
21. The Ombudsman recognises the importance of public scrutiny regarding the topic of data processing by law enforcement agencies. It should, however, be noted that the documents to which public access is sought in this case relate to the purchase and implementation of an IT platform to improve public security. It should also be noted that the EU’s specialised body overseeing the institutions’ compliance with data protection rules, the EDPS, has recently looked into how Europol processes personal data of individuals and has made several recommendations to Europol.
22. When applying the exceptions of Article 4(1)(a) of Regulation 1049/2001 (and thereby by analogy the relevant provision in the Europol rules on public access), including the exception for the protection of the public interest as regards public security, EU institutions enjoy a wide margin of discretion.
23. Having reviewed the documents in question, the Ombudsman finds the refusal of public access based on the exception of protecting the public interest as regards public security to be reasonable in respect of almost all redactions. The documents indeed refer to technical details of Europol’s security system and/or working procedures within Europol, disclosure of which could undermine public security.
24. In addition, the Ombudsman finds that the refusal to grant public access to one document, based on the need to protect Europol’s decision-making process, was, given the content of that document, justified. There is no obvious overriding public interest which would justify the disclosure of that document.
25. The Ombudsman notes that some very limited parts of the documents could have been better covered by the exception relating to the protection of commercial interests of a natural or legal person, for example information relating to pricing. There is no obvious overriding public interest which would justify the disclosure of this information. While from a formal legal perspective, it was an oversight by Europol not to invoke that exception, the Ombudsman does not consider it justified to continue her inquiry as regards these very limited redactions since it would be unlikely to give rise to broader public access.
26. From the documentation provided to the Ombudsman by Europol, which included a detailed description by Europol of how it handled the requests, the Ombudsman is further satisfied that Europol performed adequately a reassessment of its initial decision when it took its confirmatory decisions. The Ombudsman also considers that Europol has made an adequate assessment as to the question whether partial access could be granted to the documents at issue, evidenced by the fact that most of the framework contract between Europol and the consultancy companies was disclosed.
27. The Ombudsman considers, however, that Europol’s communication with the complainant could have been better. Specifically, Europol could have engaged better with the complainant in respect of his arguments raised in the confirmatory applications. While the Ombudsman understands that Europol may not have been able to reveal more information regarding the nature of the requested documents, it could have explained better its position on some of the arguments raised by the complainant, for example, to reassure the complainant that it had assessed, where relevant, whether there was an overriding public interest in disclosure.
Based on the inquiry, the Ombudsman closes this case with the following conclusion:
While there were a number of shortcomings in how Europol dealt with the complainant’s requests, overall there was no maladministration by Europol regarding the non-disclosure of the requested documents.
The complainant and Europol will be informed of this decision.
 See paragraph 21 below.
 Under Regulation 1049/2001 on public access to European Parliament, Council and Commission documents: https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=celex%3A32001R1049.
 Europol, following a standard procedure, signed a contract with a consultancy company, including a US-based sub-contractor, aimed at providing a platform for an analysis system. Europol started operating this software as of 2016.
 Europol initially communicated to the complainant a number of 66 documents but explained to the Ombudsman in the course of the inquiry that some documents had been counted twice.
 One document identified in the request was already part of the complainant’s first access to documents request to Europol.
 The complainant requested: 1.“Details of any past or ongoing contractual agreements and terms of reference [between Europol and consultancy companies]; 2. Master Services Agreement (MSA) between Europol [and consultancy companies]; 3. Any exchanges (e.g. emails, including attachments) and meeting records (minutes, memos, agendas) involving Europol officials and representatives of the [consultancy companies] between January 2018-October 2020.”
 In accordance with Article 4(1)(a) and Article 4(1)(b) of the Management Board Rules on Public Access to Europol Documents; Europol’s implementing decision of Regulation 1049/2001, the exceptions of which in Article 4 are mostly identical to Regulation 1049/2001 (and which is available via the following link: https://www.europol.europa.eu/sites/default/files/documents/decision_of_the_mb_rules_applying_reg_1049_2001.pdf).
 The complainant requested a number of specific documents (including dates and file numbers) relating to: 1. Minutes of Europol’s Management Board meetings; 2. Correspondence between Europol’s directorate and the Management Board; 3.) Operational plans for Taskforce Fraternite and “Secondary Security Checks” at the EU external borders.
 In accordance with Article 4(3) of the Management Board Rules on Public Access to Europol Documents (see footnote 7).
 As per Article 4(5) of the Management Board Rules on Public Access to Europol documents (see footnote 7).
 As per Article 4(6).
 Cf. Article 4(3).
 A redacted version of the EDPS’ decision is available at: https://edps.europa.eu/data-protection/our-work/publications/investigations/edps-decision-own-initiative-inquiry-europols_en.
 See the decision of the European Ombudsman in case 1767/2018/MIG. Cf. also: Judgment of the General Court of 11 July 2018, ClientEarth v Commission, T-644/16, paragraphs 23-25 (http://curia.europa.eu/juris/document/document.jsf?text=&docid=203913&pageIndex=0&doclang=EN&mo%20de=lst&dir=&occ=first&part=1&cid=6019725).
 As per Article 4(2) of the Management Board Rules on Public Access (see footnote 7).