Decision in case 1767/2018/MIG on the European Commission’s refusal of broad public access to its audit report on the effectiveness of measures to handle manual interventions in its accrual-based accounting system
Decision
Case 1767/2018/MIG - Opened on Thursday | 18 October 2018 - Decision on Wednesday | 19 June 2019 - Institution concerned European Commission ( No maladministration found , Maladministration found ) - Country Germany
The case concerned a request for public access to an audit report concerning the Commission’s financial system. The Commission had granted partial access to the report, arguing that granting full access would leave it open to cyber-attacks. The complainant considered that the redactions made by the Commission were too restrictive.
The Ombudsman inspected the requested documents and found that the Commission had granted appropriate partial access.
Background to the complaint
1. In April 2018, the complainant requested public access to the European Commission’s internal Audit Report on the effectiveness of measures to handle manual interventions in its accrual-based accounting system (ABAC), and to related documents.
2. The Commission refused access to all the documents that it had identified as falling within the scope of the complainant’s request.
3. The complainant requested a review of this decision (she made a so-called ‘confirmatory application’) in June 2018.
4. The Commission extended the prescribed deadline for its reply and, shortly before the extended deadline expired, in July 2018, informed the complainant that it would not be able to meet the extended deadline. It did not indicate when the complainant could expect to receive a reply.
5. Not having received a substantive reply, the complainant turned to the Ombudsman in October 2018.
The inquiry
6. The Ombudsman opened an inquiry into the Commission’s failure to reply to the complainant’s request for review and asked the Commission to reply.
7. Following her intervention and then a reminder, the Ombudsman received the Commission’s reply to the complainant’s request for review, granting partial public access to ten documents[1]. The complainant then commented on the Commission's reply.
8. As the complainant questioned whether all of the redactions made by the Commission were justified, the Ombudsman decided to inquire also into the substance of the case.
9. To this end, the Ombudsman’s inquiry team inspected the requested documents and met with representatives of the Commission to obtain clarifications on its view, on which the complainant then commented.
Arguments presented to the Ombudsman
10. The Commission invoked the exceptions for the protection of the public interest as regards public security, of the commercial interests of a natural or legal person, and of the privacy and the integrity of the individual[2]. It argued that the requested documents contain information of an organisational, technical and risk-related nature, such as names of departments and persons whose tasks are related to the Commission’s ABAC, the technologies and instruments used, as well as technical details on their application, and details on protective measures and risk factors for the Commission’s ABAC. If disclosed, this information would allow the public to gain a global understanding of the Commission’s financial system, including its weaknesses. This would significantly increase the risk of a cyber-attack. Such an attack could negatively affect the commercial interests of beneficiaries and other contract partners of the Commission, for example, if sensitive business information was hacked. It would also jeopardise one of the Commission’s main tasks, namely the execution of the EU budget.
11. The complainant accepted that, in principle, certain parts of the documents must be redacted in order to prevent cyber-attacks on the Commission’s financial system. However, she was concerned that the redactions made are excessive, in that they go beyond what is necessary to achieve this goal. In her view, the Commission had redacted information that would not at all facilitate cyber-attacks, such as the number of users with privileged rights, or details on the weaknesses of the system that had been identified in the audit report. She argued that since the audit report is more than two years old, the auditors’ recommendations aimed at addressing those weaknesses should be implemented by now and the identified risks should no longer be real. The complainant, referring to two sample documents[3], also stated that some of the redacted information was already public.
12. The Commission argued that, even if similar information to that in the audit report had been published elsewhere, it would still be necessary to make the redactions. It stated that the documents were recent. In addition, it noted the nature, and the high level of accuracy and reliability of the audit report, and emphasised that the risk of a cyber-attack has been growing significantly during the last few years. The Commission said that the need to protect the public interest as regards public security and the commercial interests involved have increased. In addition, there is more information that has to be considered sensitive.
13. Regarding the auditors’ recommendations to address the identified weaknesses, the Commission said that mitigating measures had been taken to lower the risks to an acceptable level. However, zero risk can never be achieved. Thus, it stated, some of the findings remain very sensitive and their disclosure would increase the security risk to the Commission’s financial system.
14. The complainant contended that, even if the information that is already public is comparatively old, it is still accurate, as the Commission does not seem to have changed its accounting system since 2006. In addition, the complainant provided further documents that are public and that, in her view, contain information that was redacted in the requested documents. She argued that EU staff are obliged to disclose information that is already public.
15. Finally, the complainant argued that one of the documents, an e-mail to the European Parliament, should be disclosed fully as it had not been marked as confidential at the time when it was sent.
16. The complainant did not object to the redaction of the personal data contained in the requested documents.
The Ombudsman's assessment
17. When applying the exceptions of Article 4(1)(a) of Regulation 1049/2001, including the exception for the protection of the public interest as regards public security, the institutions enjoy a wide margin of discretion[4]. Thus, the standard of review by the Courts, and consequently by the Ombudsman, “must be limited to verifying whether the procedural rules and the duty to state reasons have been complied with, whether the facts have been accurately stated and whether there has been a manifest error of assessment or a misuse of powers”[5].
18. The Commission provided the complainant with comprehensive explanations as to why it has redacted certain information on grounds of the exception for the protection of public security. These explanations appear to be reasonable. The documents do indeed contain very technical and detailed information on the Commission’s accounting system that, if published, would certainly convey a broad understanding of the Commission’s financial system. This detailed knowledge could facilitate cyber-attacks. The Commission was therefore justified in redacting the more specific information contained in the documents to prevent such criminal activities[6], while disclosing the more general information on its accounting system.
19. Having inspected the documents, the Ombudsman is satisfied that all redactions were necessary. Even though some of this information might be available elsewhere, it would be very useful to those planning a cyber-attack to have confirmation of its relevance and accuracy from an audit report. Thus, the Commission was justified in making the redactions concerned to limit the risk of a cyber-attack on its financial control systems.
20. Regarding the delay in this case, the Ombudsman considers that the length of time that has elapsed between the expiry of the extended deadline for the Commission’s reply to the complainant’s confirmatory application and the granting of partial access to the requested documents (almost four months) is unacceptable. The Commission did not indicate by when it would endeavour to reply to the complainant and, when it eventually replied, it mainly reiterated and elaborated on the arguments it had already put forward in its initial decision. The Ombudsman therefore finds that this delay constituted maladministration. However, the Ombudsman will not make a recommendation in this regard as this would serve no useful purpose at this stage.
Conclusion
Based on the inquiry, the Ombudsman closes this case with the following findings:
There has been no maladministration by the Commission in its partial refusal of public access.
The significant delay by the Commission in responding to the complainant’s request for review constituted maladministration.
The complainant and the Commission will be informed of this decision.
Emily O'Reilly
European Ombudsman
Strasbourg, 19/06/2019
[1] Overall, the Commission identified 12 documents, two of which were already publicly available.
[2] In accordance with Articles 4(1)(a), first indent, 4(2), first indent, and 4(1)(b) of Regulation 1049/2001 regarding public access to European Parliament, Council and Commission documents, available at: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32001R1049&from=EN.
[3] Two examples of texts on personal data protection (i.e. data protection notifications dating back to 2006).
[4] Judgment of the General Court of 11 July 2018, ClientEarth v Commission, T-644/16, paragraphs 23-25, http://curia.europa.eu/juris/document/document.jsf?text=&docid=203913&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=6019725.
[5] ibid, paragraph 25.
[6] Judgment of the Court of First Instance of 17 June 1998, Svenska Journalistförbundet v Council, T-174/95, http://curia.europa.eu/juris/document/document.jsf?text=&docid=43954&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=6016433.