Made in accordance with Article 4(1) of the Statute of the European Ombudsman^[1]

Background to the complaint

1. In October 2021, the complainant asked the EDPB to give him public access to its preparatory documents leading to the adoption of its statement, guidelines and reply to an MEP regarding international transfers provided for under the GDPR. This included draft versions of documents, information notes and minutes of meetings where the documents were discussed.

2. The EDPB identified 103 documents falling under the scope of the complainant´s request^[2]. It granted full access to 17 of those documents, partial access to 16 documents and denied access to the remaining documents. In refusing access to the documents, the EDPB relied on the need to protect its decision-making process and personal data. The EDPB considered that there was no overriding public interest in the disclosure of the documents.

3. The complainant turned to the Ombudsman. He complained that the EDPB relied on the decision-making exception in an overly broad manner and that there is an overriding public interest justifying the disclosure of the documents. He also stated that he sought access to the documents in anonymised form.

4. The Ombudsman opened an inquiry and her team inspected the documents that had not been disclosed to the complainant, partially or in full. They also held a meeting with representatives of the EDPB[3].

5. During the course of the inquiry, the EDPB re-assessed the documents and granted wider partial access to two documents, which were provided to the complainant.

6. The EDPB argued that further disclosure of the documents would give rise to undue external pressure on the constituent members of its board if their views were made public, and that it would cause uncertainty or confusion for the public. Further, the EDPB stated that disclosure would impede its ability to provide a consistent interpretation of data protection rules, undermine its mission to speak with one voice and that it would interfere with its independent role. The EDPB further argued that disclosure would detract attention from the published version and would encourage stakeholders not to follow that final position. Finally, the EDPB claimed that its future position as regards negotiations on the US Foreign Account Tax Compliance Act (FATCA) would be undermined by the disclosure of the requested documents.

The Ombudsman's proposal for a solution

7. Having reviewed the documents in question, the Ombudsman found that the documents partially disclosed by the EDPB either fell outside the scope of the request, were subsequently released by the EDPB or solely preserved the identity of the author of the comment, which is not challenged by the complainant.

8. As regards the documents not disclosed in their entirety, the Ombudsman found that the EDPB had failed to give the complainant sufficiently broad access.

9. The Ombudsman acknowledged that the complainant’s request covered different types of preparatory documents, namely documents related to the drafting of EDPB Guidelines[4], on the one hand, and documents related to the drafting of an EDPB statement[5] and a reply to an MEP[6], on the other. The Ombudsman found that it was not clear how the decision-making process of the EDPB could be seriously undermined by the disclosure of these preparatory documents given their nature and content, and that the EDPB had failed to demonstrate, in actual and specific terms, the risks that would arise from granting broader access to these documents.

10. Based on her assessment of the documents at issue and her findings, the Ombudsman proposed that the EDPB conduct a fresh assessment of the complainant’s request for access and grant the widest possible access to those documents which had not been disclosed in their entirety.^[7]

11. The EDPB, in response to the Ombudsman’s solution proposal, maintained its position and refused further disclosure. It reiterated the arguments previously mentioned, and in addition claimed that disclosure of draft versions of the documents would harm the effective protection of personal data. The EDPB also relied upon the need to protect international relations as a reason to justify the non-disclosure of the documents at issue.^[8] Specifically, the EDPB explained that the international statement in question was adopted to invite Member States to assess and review their international agreements that involve transfers of personal data, including those relating to taxation. The EDPB stated that, based on its previous experience, the disclosure of anonymised versions of documents would not prevent the attribution of views to specific parties and thus disclosure would seriously harm its decision-making process. 

12. The solution proposal and the EDPB’s reply to the proposal were provided to the complainant and he again rejected the reasoning provided by the EDPB in maintaining its decision to refuse access.

The Ombudsman's assessment after the proposal for a solution

13. The EDPB is an independent EU body, composed of representatives of the EU national data protection authorities and the European Data Protection Supervisor (EDPS), together with the supervisory authorities of the EFTA EEA States with regard to GDPR-related matters. The European Commission and, with regard to GDPR related matters, the EFTA Surveillance Authority, have the right to participate in the activities and meetings of the Board without having voting rights.

14. The role of the EDPB is to contribute to the consistent application of data protection rules throughout the EU and to promote cooperation between the EU’s data protection authorities. To this end, the EDPB provides general guidance (including guidelines, recommendations and best practices) to clarify the law and to promote a common understanding of EU data protection laws. The EDPB also adopts opinions addressed to the Commission or to the National Supervisory Authorities. Finally, the EDPB can adopt binding decisions addressed to the National Supervisory Authorities, aimed at settling disputes arising between them when they cooperate to enforce the GDPR. The EDPB thus plays a key role when it comes to the consistent application and interpretation of EU data protection rules throughout the EU - an area of great public importance affecting a fundamental right.

15. The documents at stake in this inquiry can be divided into three categories, namely (i) draft versions of the EDPB statement 4/2021 on international agreements including transfers, (ii) draft versions of the reply to the MEP and (iii) draft versions of the EDPB Guidelines 2/2020.^[9] In its reply to the Ombudsman,  the EDPB explained that some of the preparatory documents are clean draft versions, meaning that they do not contain track changes or comments, some are draft versions which contain track changes without comments and others contain comments by either the EDPB’s members, the Secretariat of the EDPB or in some cases by the Commission.

16. The EDPB statement, in its final form, comprises an invitation and recommendation to Member States to review their existing international agreements to ensure that they comply with Union legislation and case law on data protection. The statement was prepared in response to a European Parliament Resolution of 5 July 2018 on the adverse effects of FATCA on EU citizens^[10] and the requests made by the complainants to the Article 29 Working Party^[11] in this respect.

17. The reply of the EDPB to the MEP arose from a letter sent by the MEP on 28 May 2021. In the final form of the letter, the EDPB explains the role of national supervisory authorities in monitoring and enforcing the GDPR and of the EDPB’s efforts to clarify the EU’s rules on international transfers of personal data through the adopting of its statement and guidelines.

18. It is important to clarify that the statement and the reply of the EDPB are not an interpretation of the provisions of the GDPR. They are formal responses of the Board to questions it received in which it restates the requirements under the GDPR and the Law Enforcement Directive (LED) in light of recent case-law. As such, the preparatory documents leading to the adoption of those responses and those of the Ombudsman’s previous case 386/2021/AMF, which concerned an EDPB guideline containing an authoritative interpretation of the GDPR, are not of the same nature.

19. The guidelines, on the other hand, seek to provide guidance to EEA public bodies as to the application of the GDPR regarding transfers of personal data for various administrative cooperation purposes to public bodies in third countries or to international organisations which are not covered by an adequacy finding. The guidelines thus contain an authoritative interpretation of the GDPR.

20. That said, the Ombudsman would like to emphasise that Regulation 1049/2001 applies to all documents held by the institutions,^[12] and is based on the assumption that “openness enables citizens to participate more closely in the decision-making process and guarantees that the administration enjoys greater legitimacy and is more effective and more accountable to the citizen in a democratic system”.^[13] This principle of transparency applies irrespective of whether the documents form part of the Union’s legislative process or not. Access to documents can be restricted only if one (or more) of a limited number of exceptions in Regulation 1049/2001 apply.^[14]

21. The EDPB, in this case, relied on several exceptions in Regulation 1049/2001 to refuse full access to the requested preparatory documents, namely on the need to protect its decision-making process, personal data, and the public interest as regards international relations.

22. In his complaint to the Ombudsman, the complainant does not contest the redaction of personal data in the documents he requested. There is therefore no need for the Ombudsman to assess whether the EDPB’s reliance on that exception was justified.

23. The main reason invoked by the EDPB to refuse access to the requested documents is to protect its decision-making process, by shielding its Board members from external pressure, to allow for frank discussion and the exchange of “uncensored opinions” within the Board. The EDPB is also concerned that the preparatory documents could be misinterpreted, thus affecting the clarity of the adopted document and creating confusion and ambiguity. Further the EDPB is concerned that disclosure of the preparatory documents showing views of the constituent members would undermine the authority or independence of the Board.

24. The arguments put forward by the EDPB on the existence of external pressure in relation to the preparatory documents remain vague and of a general nature. The Court has acknowledged that the protection of the decision-making process from targeted external pressure may constitute a legitimate ground for restricting access to documents. However, it has also emphasised that the reality of such external pressure “must be established with certainty” and that “evidence must be adduced to show that there was a reasonably foreseeable risk” for the decision in question to be substantially affected by that external pressure.^[15]

25. In any event, even if the existence of such external pressure were to be demonstrated, it is unclear how the capacity of the EDPB to exchange freely would be seriously undermined by such pressure, in particular given that the decision-making processes that led to the adoption of the statement and the guidelines had ended by the time the confirmatory decision was adopted.

26. In addition, the concerns of the EDPB that disclosure of draft documents, without explanation of the reasons behind those changes, would create confusion in the eyes of the public or that it would undermine its authority or independence are not substantiated.

27. The decision-making process within the EDPB necessarily involves the interplay of multiple actors at national and EU levels. The EDPB acknowledges that numerous actors participate in the drafting of its documents and in the interpretation of the GDPR and that this process involves exchanging views and negotiation. By their nature, proposals are designed to be discussed and the public is perfectly capable of understanding that positions exchanged in that context are liable to change and that the content is likely to be amended subsequently. This collaborative format is prescribed by the GDPR itself and is seen as ‘an intrinsic element’ to the functioning of the Board where final positions are adopted by majority vote and not unanimity. Thus the framework itself envisages that there will be dissenting positions within the Board.

28. The inspection of the preparatory documents showed that, as regards the draft statements and draft replies, these mostly contain editorial changes as well as clarifications or simplification of certain parts of the text, which do not appear particularly sensitive. The Ombudsman further notes that they do not include any interpretation of data protection rules nor illustrate differing views within the Board.

29. As regards the draft guidelines, the Ombudsman notes that some of the drafts comprise clean versions or contain editorial changes and, as with the draft statements and the draft replies to the MEP, clarify or simplify the text and do not appear particularly sensitive. In other instances, it is possible to identify differing views on the interpretation of data protection rules. However, the EDPB acknowledged that these exchanges of views or negotiations within the Board were an ‘intrinsic element’ of the functioning of the Board, including its adoption of guidelines. The Ombudsman does not see how, if the views of the authors are anonymised, such comments could be attributed to a specific author, in particular where there are no dissenting views in the public domain. On the contrary, disclosure of these preparatory documents would allow the public to better understand how an authoritative interpretation of the GDPR was reached. Neither is it established from a review of the documents how these could cause confusion for the public or how the authority of the Board would be jeopardised as the documents are clearly marked as drafts.

30. Concerning the assessment of an overriding public interest in disclosure, the EDPB claims that it has taken account of the transparency concerns of the complainant. It considered that the damage that would be done to its decision making process, resulting in particular from external pressure, outweighs any public interest in disclosure. However, it is not clear to the Ombudsman how the EDPB balanced the public interest in transparency in light of the fact that its guidelines provide an authoritative interpretation of the GDPR and should be subject to greater levels of transparency[16].

31. In view of the above analysis, the Ombudsman finds that the EDPB did not provide sufficiently convincing arguments to establish a ‘specific and actual risk’ to its decision-making process. However, even where such a risk could be established, the Ombudsman finds, as regards the EDPB’s guidelines, that they contain an authoritative interpretation of the GDPR and given the importance of personal data in the lives of EU citizens and business, there is an overriding public interest in granting wider and further disclosure.

32. As regards the EDPB’s argument in its reply to the Ombudsman’s solution proposal that disclosure of the documents at issue would harm international relations, the EDPB has not provided any justification for relying on this exception. The EDPB merely notes that, in its statement, it invited Member States to assess and review its international agreements that involve transfers of personal data, including those relating to taxation.

33. While the EU institutions enjoy a wide margin of discretion when deciding on what the protection of international relations calls for in terms of disclosure of documents, they are still required to demonstrate a ‘specific and actual risk’. The mere fact that the EDPB issued an invitation to Member States to assess and review its international relations does not in itself illustrate how, in specific and actual terms, international relations would be adversely affected if the documents were disclosed.

34. The Ombudsman has shared a separate confidential note with the EDPB, annexed to this recommendation, which includes a more detailed assessment on the nature and content of the preparatory documents in light of the exceptions invoked by the EDPB to deny access.

35. The EDPB further argued that the GDPR creates an additional exception to the right of public access to its documents based on the fact that it is an independent body. The Ombudsman considers that this interpretation is not supported by the terms of the GDPR when read as a whole nor by the case-law of the EU Courts^[17]. The GDPR expressly provides that the documents of the EDPB are subject to the terms of Regulation 1049/2001.

36. The EDPB has also made reference to its Rules of Procedure, which provide that the discussions of the Board can be deemed confidential. In this context, the Ombudsman notes that internal rules of procedure cannot take legal precedence over a Regulation. Any rules of procedure have to comply with Regulation 1049/2001^[18]. Therefore, the EDPB cannot avail itself of its Board’s Rules of Procedure to deny public access to documents if primary or secondary EU law requires their disclosure.

37. In light of the above, the Ombudsman finds that the EDPB’s application of the exceptions for the protection of its decision-making processes and of international relations constitutes maladministration. She therefore makes a corresponding recommendation below.

Recommendation

38. On the basis of the inquiry into this complaint, the Ombudsman makes the following recommendation to the EDPB:

The EDPB should grant the complainant the broadest possible access to the documents at issue.

The EDPB and the complainant will be informed of this recommendation. In accordance with Article 4(2) of the Statute of the European Ombudsman, the EDPB shall send a detailed opinion by 28 June 2023.

 

Emily O'Reilly
European Ombudsman

Strasbourg, 29/03/2023

 

[1]  Available at: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv%3AOJ.L_.2021.253.01.0001.01.ENG&toc=OJ%3AL%3A2021%3A253%3ATOC

[2] During the course of the inquiry, it transpired that no preparatory documents relating to one of the two EDPB statements were assessed at the initial and confirmatory stages. The Ombudsman encouraged the EDPB to treat these 141 documents as a separate public access request.

[3] https://www.ombudsman.europa.eu/en/doc/inspection-report/en/156600

[4] EDPB Guidelines 2/2020 on “Articles 46 (2) (a) and 46 (3) (b) of Regulation 2016/679 for transfers of personal data between EEA and non-EEA public authorities and bodies”

[5] EDPB Statement 04/2021 on "International Agreements Including Transfers"

[6] reply available here: https://edpb.europa.eu/system/files/2021-07/edpb_letter_out2021-0119_intveld_igas.pdf

[7] For further information on the background to the complaint, the parties' arguments and the Ombudsman's inquiry, please refer to the full text of the Ombudsman's proposal for a solution.  

[8] Article 4(1)(a) 3rd indent of Regulation 1049/2001.

[9] Formal reply of the EDPB of 3 June 2022 which was shared with the complainant.

[10] http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//TEXT+TA+P8-TA-2018-0316+0+DOC+XML+V0//EN&language=EN

[11] The Article 29 Working Party was an independent European working party that dealt with issues relating to the protection of privacy and personal data until 25 May 2018 (entry into application of the GDPR)

[12] Recital 11 of Regulation 1049/2001 regarding public access to European Parliament, Council and Commission documents: https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32001R1049

[13] Recital 2 of Regulation 1049/2001.

[14] Article 1 of Regulation 1049/2001.

[15] Judgment of the Court of First Instance (Seventh Chamber) of 18 December 2008, Pablo Muñiz v Commission of the European Communities, Case T‑144/05, para. 86; Judgment of the General Court (Seventh Chamber, Extended Composition) of 22 March 2018, Emilio de Capitani v European Parliament, Case T‑540/15, para. 99.

[16] see case 386/2021/AMF

[17] See Article 76 GDPR; Judgment of the Court of Justice (Grand Chamber) of 19 June 2018, in the case of Baumeister, C‑15/16 para 46.

[18] Judgment of the General Court of 14 September 2022, in the joined Cases T‑371/20 and T‑554/20, Pollinis France v Commission, para 96 (under appeal)