COMPLAINT: 274/2021/TE

Case title: The European Data Protection Supervisor's refusal to grant public access to documents related to a report concerning the Schrems II judgment

Date: Wednesday, 24 February 2021

Remote meeting via WebEx

Present

Representatives from the European Ombudsman

· Ms Rosita Hickey, Director of Inquiries, Directorate of Inquiries

· Ms Tanja Ehnert, Case Handler, Directorate of Inquiries

· Ms Francesca Abbo, Trainee

Representatives from the European Data Protection Supervisor

· Director

· Deputy Head of Supervision and Enforcement Unit

· Legal Officer, Supervision and Enforcement Unit

· Data Protection Officer

· Transparency Officer 

Introduction and procedural information  

The meeting was organised pursuant to Article 3.2 of the Statute of the European Ombudsman and Article 4 of the European Ombudsman’s Implementing Provisions.

The meeting started at 3:00pm and finished at 4:00pm.

After introductions, the Ombudsman’s inquiry team explained the process and deadlines that apply to the Ombudsman’s Fast-Track procedure for public access to document complaints. It also noted that the European Data Protection Supervisor (EDPS) will have the opportunity to review and comment on the draft meeting report and that a copy of the final report will be shared with the complainant for comments.

The Ombudsman’s inquiry team also informed the EDPS representatives that, if they want to provide the Ombudsman with any documents that they consider to be confidential, no access may be granted to third parties without the EDPS´s prior agreement. In particular, the Ombudsman cannot disclose to the complainant any document that falls within the scope of the public access request. Information and documents of this kind will be deleted from the Ombudsman’s files shortly after the inquiry has ended.

Purpose of the meeting

The inquiry concerns the EDPS’s refusal to grant public access to the following documents:

a) the mapping exercise identifying which ongoing contracts, procurement procedures and other types of cooperation involve transfers of data that the EDPS carried out for itself, in the context of its ‘Strategy for Union institutions, offices, bodies and agencies to comply with the Schrems II ruling’;

b) a copy of any privacy assessment, including data protection impact assessments, carried out by the EDPS for the use by the EDPS of the following tools: Microsoft Office365, Microsoft Teams, Zoom, Cisco WebEx, Skype.

In the context of the Ombudsman’s inquiries into access to documents complaints, meetings between the Ombudsman’s inquiry team and the institution concerned usually take place following the inspection of documents covered by the inquiry.

In this case, the EDPS requested an early meeting to provide information on the subject matter of the complaint.

 

Information exchanged

1. Background information regarding the public access request

The EDPS explained the background of the case, in particular the preliminary ruling of the Court of Justice of the European Union of 16 July 2020, known as the Schrems II judgment.^[1] The ruling concerned the European Commission’s Decision 2010/87/EU^[2] on standard contractual clauses for data transfers to third countries and, in particular, the level of protection ensured in the United States (‘Privacy Shield’). The Court declared invalid Commission Implementing Decision 2016/1250 on the adequacy of the protection provided by the EU-US Privacy Shield.

This landmark decision has had a considerable impact on personal data protection and the way personal data can be transferred to third countries, in particular to the United States. It has implications for all transfer tools, including tools used by European Union institutions, bodies, offices and agencies (hereafter ‘EU bodies’) on the basis of Chapter V of Regulation 2018/1725. The EDPS representatives pointed out that data transfers to the United States constitute a prominent part of all data transfers originating from EU bodies. Following this judgment, the EDPS is currently analysing if there is a compliance gap by EU bodies with the EU Charter of Fundamental Rights as well as applicable EU data protection legislation, as interpreted by the Court of Justice.

2. The mapping exercise carried out by the EDPS

Following the Schrems II judgment, the EDPS, in its function as data protection supervisor, reflected on how to proceed in order to accompany EU bodies in ensuring compliance with the judgment. To this end, the EDPS adopted the "Strategy for Union institutions, offices, bodies and agencies to comply with the Schrems II ruling".

As part of this strategy, on 5 October 2020, the EDPS ordered EU bodies to complete a mapping exercise identifying which on-going contracts, procurement procedures and other types of cooperation involve transfers of data. EU bodies were ordered to report to the EDPS, for certain types of transfers, any specific risks and gaps identified by 15 November 2020. The EDPS is currently in the process of analysing these reports. In carrying out this task, the EDPS is using its investigative powers under Article 58(1) of Regulation 2018/1725.[3]

The EDPS representatives stressed the institution’s ’double-hatted’ role in that regard. The EDPS is not only the data protection supervisor, but it is also, as an EU administration, a ’controller’ within the meaning of Article 3(8) of Regulation 2018/1725. In its function as controller of personal data, the EDPS was therefore also subject to the order and conducted the mapping exercise for its own administration.

The EDPS representatives explained that the mapping exercise is only the first phase of the above-mentioned strategy. The findings of this mapping exercise may lead to further enforcement actions, which will be defined on the basis of the reports submitted by EU bodies, including the report of the EDPS itself. The analysis of the reports and the investigation is ongoing.

Given the importance of and public interest in the Schrems II judgment, as well as the need for full compliance by EU bodies with the judgment, it was of particular importance for the EDPS to communicate its strategy to the public. In this context, the EDPS published a public version of its strategy on 29 October 2020[4].The EDPS is constantly reflecting on how to keep the public informed of any developments in its investigation, without prejudicing the outcome.

At the same time, it is crucial for the EDPS at this stage not to release any information on the findings of the mapping exercise as the analysis is ongoing and it could jeopardise the next steps of the ongoing investigation. The EDPS first needs to examine the information it has collected

The EDPS stressed that refusing access was necessary to protect the EDPS’s independence in the conduct of its investigation, so that on the basis of the reports, the EDPS can establish its benchmarks for the next phases of the strategy (in particular identification of compliance objectives and enforcement targets). Granting access to EU bodies’ reports (including that of the EDPS) could be problematic and hinder the EDPS’s margin of manoeuvre in the way it decides its actions as a supervisor.

The EDPS representatives pointed out that, when replying to the access to documents request, the EDPS was acting as the supervisor and not as the controller of personal data. It took the view that granting public access to the EDPS mapping exercise at this stage is likely to seriously undermine the ongoing investigation. However, the refusal to grant access to these documents does not mean that, at a later stage, it will not reconsider partial or, if possible, full disclosure of the requested documents.

3. Privacy assessments carried out by the EDPS on conferencing tools

The complainant also requested public access to “any privacy assessment, including data protection impact assessments (DPIAs), carried out by the EDPS for the use by the EDPS of the following tools: Microsoft Office365, Microsoft Teams, Zoom, Cisco WebEx, Skype.”

The EDPS representatives clarified that, from the tools mentioned in the access request, the institution is only using WebEx. They further stated that the EDPS Technology and Privacy Unit (TP) carried out a privacy assessment in the context of the COVID-19 pandemic, prior to the Schrems II judgment, in response to an increase in teleworking of its staff. The scope of this assessment was significantly broader than the access to document request and included assessments on various audio video online tools available on the market, beyond the limited tools used by the EDPS.

The EDPS identified a certain number of documents that could be included in this second part of the complainant’s access request. The reason for its refusal to grant access is that the assessment is continuously ongoing and some of these documents are particularly relevant in the context of the above-mentioned ongoing investigation. Some parts of the assessment were adapted to reflect the Schrems II judgment and concern tools also reported by the EDPS and other EU bodies, thus potentially qualifying as an enforcement target. Therefore, although the assessment has been launched before the start of the investigation, it may reveal the position of the EDPS in relation to specific IT tools used by EU bodies. Granting access to these documents at this stage would limit the EDPS’s margin of manoeuvre in conducting the investigation. It should also be underlined that the TP unit, as part of the EDPS as a supervisory authority, provides advice on technological aspects while the EDPS acts in its supervisory capacity. As such, the assessment conducted on certain tools available on the market could be employed in the context of the EDPS Schrems II strategy.

Having said that, some of the identified documents could be disclosed if sensitive information linked to the investigation were redacted. The EDPS, however, needs to ensure that the information disclosed does not affect the EDPS’s independence and investigative role.

The EDPS representatives further explained that the complainant had been invited to discuss the matter directly. The complainant preferred any discussion on her access request to be in writing. The only communication channel between the EDPS and the complainant was by e-mail and all correspondence was published on the AsktheEU website.

4. The confidentiality of the requested documents

The EDPS had taken note of the Ombudsman’s request that the documents covered by the public access request be shared with the Ombudsman’s Office. The EDPS expressed concerns related to its independence as a supervisory authority. As all EU bodies, including the European Ombudsman’s Office, are under investigation to ensure their compliance with the Schrems II judgment, it is important that the EDPS ensures equal treatment of EU bodies and does not grant the Ombudsman’s Office privileged access to the documents concerning the ongoing investigation.

Consequently, the EDPS representatives specifically requested that access to the documents in question within the Ombudsman’s Office be restricted as much as possible, in any case to the Directorate of Inquiries.

The Ombudsman’s inquiry team reassured the EDPS that confidential documents can be viewed only on a ‘need to know’ basis within the Ombudsman’s Office. That having been said, the inquiry team noted that they would reflect further to determine whether specific additional measures should be adopted in this case.

Conclusion of the meeting

The Ombudsman’s inquiry team thanked the EDPS representatives for their input. In turn, the EDPS representatives thanked the Ombudsman’s inquiry team for the opportunity to provide further clarifications on the inquiry.

As a next step in this inquiry, the Ombudsman will examine how best to inspect the documents in question, respecting the particular confidentiality needs expressed by the EDPS under point 4 above.

Brussels, 11 March 2020

Rosita Hickey                                                                                          Tanja Ehnert

Director of Inquiries                                                                                Case handler

 

[1] Judgment of the Court (Grand Chamber) of 16 July 2020, Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems, Request for a preliminary ruling from the High Court (Ireland), Case C-311/18, available at: http://curia.europa.eu/juris/document/document.jsf?text=&docid=228677&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=12312155

[2]  Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council: https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32010D0087

[3] Regulation 2018/1725 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32018R1725&from=en

[4] Available at: https://edps.europa.eu/data-protection/our-work/publications/papers/strategy-union-institutions-offices-bodies-and_en