European Data Protection Supervisor edps@edps.europa.eu

Strasbourg, 26/04/2021

Complaint 274/2021/TE

 

Subject: Proposal for a solution in the above case on the EDPS's refusal to grant public access to documents related to a report concerning the Schrems II judgment

Dear Mr Y,

I am writing to seek a solution to this case, brought to my Office by Ms X, on 9 February 2021.

The case concerns a request for public access to documents held by the European Data Protection Supervisor (EDPS). The access request consists of two parts. Its first part concerns documents relating to the EDPS mapping exercise following the Schrems II judgment, identifying which ongoing contracts, procurement procedures and other types of cooperation involve data transfers. In the second part of her access request, the complainant asked for copies of any privacy assessment, including data protection impact assessments, carried out by the EDPS for the use by the EDPS of several online tools.^[1]

The EDPS refused access to the requested documents, based on Article 4(3), first indent, of Regulation 1049/2001, noting that “[t]he specifically requested documents, although under different circumstances could be regarded as finalised state, are integral and inseparable part of a larger ongoing decision-making process. Revealing the documents at this stage will serious undermine the trust and spirit of cooperation among the European Institutions and will jeopardise the outcome of the process. Consequently, the harm to the interests of the public will be greater than any possible benefits”. The EDPS also noted that it could not confirm the existence or number of any other documents that may fall within the scope of the request “as they are part of ongoing procedures and thus their status or number is still pending”.

My inquiry team met with members of your staff to discuss the case. It also examined the documents at stake in this inquiry.

Our examination showed that the document identified by the EDPS as falling within the scope of the first part of the complainant’s access request, that is, the report on the mapping exercise submitted by the EDPS as data controller to the EDPS as data supervisor, is part of an investigation into the EU bodies’ compliance with the Schrems II judgment. This investigation, which is based on the EDPS’s investigative powers under Article 58(1) of Regulation 2018/1725, is currently ongoing. I understand that the analysis of the reports on the mapping exercise, submitted by EU bodies (including the EDPS), is the first phase of that investigation. This first phase of the investigation has not yet been concluded and further enforcement actions may follow based on the analysis.

In light of the above, I consider it reasonable for the EDPS to conclude that disclosure of the report on the EDPS mapping exercise is likely to undermine the purpose of the ongoing investigation, as protected by Article 4(2), third indent, of Regulation 1049/2001. I note - and welcome - that the EDPS committed during the meeting with my inquiry team to reconsider partial or, if possible, full disclosure of the document at a later stage.

As regards the second part of the complainant’s access request, that is, the disclosure of any privacy assessment the EDPS conducted of several online tools, I note that the EDPS stated in its confirmatory decision that it could not confirm the existence or number of any other documents that may fall within the scope of the request “as they are part of ongoing procedures and thus their status or number is still pending”.

I welcome that the EDPS has now agreed that I share with the complainant my report on the inspection meeting of 29 March 2021, a copy of which is attached to this letter. The report includes a list of documents that the EDPS has identified as falling within the scope of the second part of the complainant’s access request.

As regards the substance of the identified documents, I understand that these documents relate to (updates of) a privacy assessment conducted by the EDPS in the context of the COVID-19 pandemic, prior to the Schrems II judgment. I also understand that the scope of this assessment was significantly broader than the access to document request of the complainant and included assessments of various audio video online tools available on the market, beyond the limited tools used by the EDPS.

I further understand that some parts of the assessment were adapted in the aftermath of the Schrems II judgment and concern tools also reported by the EDPS and other EU bodies as part of the mapping exercise, thus potentially qualifying as an enforcement target. Therefore, it is reasonable for the EDPS to consider that, although the assessment has been launched before the start of the investigation, it may, in parts, reveal the position of the EDPS in relation to specific IT tools used by EU bodies. I therefore agree that granting access to those parts of the assessment at this stage may limit the EDPS’s margin of manoeuvre in conducting the ongoing investigation.

Having said that, the identified documents also contain information where it is difficult to see how it relates to the ongoing investigation, nor does it seem that the information’s disclosure would reveal the position of the EDPS in relation to specific IT tools used by EU bodies (see Annex for examples of such information).

My proposal to you is therefore that the EDPS now reviews its position on the second part of the complainant’s public access request, taking into account my above observations, with a view to granting the widest possible public access to the identified documents.

I would be grateful to receive your reply by 15 June 2021. Once we have received your reply to the proposal, we will send a copy of it to the complainant together with a copy of the proposal.

Yours sincerely,

Emily O'Reilly

European Ombudsman

 

Enclosure: Copy of the Report on inspection

Annex

Examples of information included in the identified documents where it is difficult to see how it relates to the ongoing investigation, nor does it seem that the information’s disclosure would reveal the position of the EDPS in relation to specific IT tools used by EU bodies:

• in document ‘Note to the file - Assessment of videoconference and webinar tools for the EDPS’ (updated 29 May 2020): the sections ‘Background’, ‘Purpose’, ‘Scope’, ‘Methodology’, ‘Use cases and their requirements’, the names of the preselected tools (as far as they are covered by the complainant’s access request) and parts of the section on ‘Tools features and requirements vs use cases’;

• in document ‘EDPS inspection tools’ (draft and final version):

• in excel sheets ‘VC tools’ (v.1.2 and v.1.3): columns A to R (as regards the tools covered by the complainant’s access request).

 

[1] The complainant mentions Microsoft Office365, Microsoft Teams, Zoom, Cisco WebEx and Skype.