Case title: The European Data Protection Board’s refusal to grant public access to documents concerning international data transfers

Date: Thursday, 05 May 2022

Remote meeting through Webex

European Ombudsman

· Mr Fergal O’Regan, Chief Legal Expert

· Ms Jennifer King, Legal Expert

· Ms Tanja Ehnert, Inquiries Coordinator

· Ms Angela Marcos Figueruelo, Inquiries Officer

· Mr Federico Narducci, Inquiries Trainee

European Data Protection Board’s Secretariat (EDPB SEC)

· Head of Unit

· Head of Internal Compliance

· Transparency Officer

· 1 Legal Officer currently involved in dealing with public access to documents requests

Introduction and procedural information

After introductions, the Ombudsman inquiry team outlined the legal framework that applies to meetings held by the Ombudsman. In particular, the inquiry team explained that a draft report on the meeting will be shared with the EDPB SEC to ensure that it was factually accurate and complete. The meeting report will then be finalised, included in the file and shared with the complainant.

The inquiry team explained that the Ombudsman cannot disclose any information identified by the EDPB as confidential, neither to the complainant nor to any other person outside the Ombudsman’s Office, without the EDPB SEC’s prior consent^[1].

Purpose of the meeting

The inquiry concerns the EDPB’s refusal to grant full public access to documents concerning international data transfers. The complainant in this case had requested access to:

“preparatory documents containing Data Protection Authority Statements, questions, opinions and concerns leading to the adoption of EDPB documents identified as:

*EDPB Statement 04/2021 on "International Agreements Including Transfers^[2].

* EDPB guidelines 02/2020 on "articles 46 (2) (a) and 46 (3) (b) of Regulation 2016/679 for transfers of personal data between EEA and non-EEA public authorities and bodies^[3]

* EDPB Statement 01/2019 on "the US Foreign Account Tax Compliance Act (FATCA)^[4]

* EDPB Response to Dutch MEP Sophie in't Veld dated 07 July 2021, with reference OUT2021-0119^[5]

(“preparatory documents” meaning: (i) draft versions of the documents, as well as (ii) minutes of meetings where the documents were discussed)”.

Prior to the meeting, the EDPB transmitted copies of the relevant documents and its written observations to the Ombudsman.

The purpose of the meeting was to understand better the assessment of the EDPB and the reasons behind the refusal to disclose (parts of) the requested documents. 

Information exchanged

Documents falling within the scope of the request

The inspection of the documents by the Ombudsman inquiry team revealed that the EDPB had not identified any relevant “preparatory documents containing Data Protection Authority Statements, questions, opinions and concerns leading to the adoption of EDPB Statement 01/2019 on the US Foreign Account Tax Compliance Act (FATCA)” as falling within the scope of the complainant’s request in its initial and confirmatory decisions.

Upon request, the EDPB confirmed that several documents had not been identified as falling within the scope of the complainant’s request and asked the Ombudsman inquiry team for guidance on how to address the issue. Following the meeting, on 15 May 2022, the Office of the European Ombudsman encouraged the EDPB to register a new separate request for public access to the relevant documents and to deal with this new request under the provisions of Regulation 1049/2001. The analysis of those documents by the EDPB will therefore not form part of the ongoing Ombudsman inquiry. The EDPB SEC explained that this oversight was due to human error in the EDPB SEC. This, it said, is the consequence of the increasing volume and complexity of access to document requests received by the EDPB, resulting in a considerable workload for its Secretariat and calling for additional human resources.

The EDPB’s refusal to grant (full) public access to some of the identified documents

The Ombudsman inquiry team made reference to the Ombudsman’s solution proposal in case 386/2021/AMF on the EDPB’s decision not to grant public access to the preparatory documents related to its guidelines on the processing of personal data in the context of the provision of online services to data subjects[6]. The Ombudsman considered, in the context of that previous inquiry, that the EDPB guidelines set out “an authoritative interpretation” of the provisions of the GDPR and have a significant bearing on its application. Given the importance of the GDPR, the Ombudsman took the view, in that previous inquiry, that the public has an interest in knowing how an authoritative interpretation of its provisions was decided and therefore asked the EDPB to grant the widest possible access to the requested documents. The EDPB SEC representatives recalled that the Ombudsman had also acknowledged that, in that case, that it was already in the public domain that there were dissenting voices on how to interpret the concept of “necessity” under Article 6(1)(b) of the GDPR among the National Supervisory Authorities (NSAs) in the process of adopting the EDPB guidelines 2/2019. This was an important element for the EDPB when it agreed to the Ombudsman’s solution proposal to grant wider public access to the anonymised views of the NSAs. The EDPB SEC representatives emphasised the need to assess every request for public access to documents individually, and highlighted that the facts in case 201/2022/AMF were different from case 386/2021/AMF, in particular in relation to information being already in the public domain for the latter case.

The EDPB SEC representatives also pointed out that, in case 386/2021/AMF, the complainant had requested public access to preparatory documents for EDBP guidelines 2/2019, but that the present case not only covered preparatory documents for EDPB guidelines 2/2020 but also preparatory documents for an EDPB Statement and a response to a Member of the European Parliament.

The Ombudsman inquiry team noted that, as a general remark, it is beneficial for the public to understand the functioning of the decision-making process of an EU institution by knowing the opinions of the persons authorised to take part in that decision-making process. The question is whether there are reasons to presume that the decision-making process of the institution would be seriously undermined by the public disclosure of those opinions. And, even if it was established that an institution’s decision-making process were to be seriously damaged by the disclosure of such documents, there might still be an overriding public interest in disclosure^[7]. In this context, the Ombudsman inquiry team noted that it is essential to understand the nature of the process leading to the adoption of EDPB guidance documents.

The EDPB SEC representatives noted that EDPB guidelines are to provide consistency and legal certainty on the interpretation of the GDPR. According to the EDPB, the disclosure of the different opinions contained in the preparatory documents would not allow it to fulfil this role and would lead to confusion for the public.

The EDPB SEC representatives considered that the decision-making process within the EDPB cannot be compared to the discussions of EU institutions in the context of legislative procedures. The EDPB SEC representatives stressed that the EDPB is an EU body in charge of ensuring the consistent application of the GDPR, which is composed of the national data protection regulators. They also highlighted that the legislator, when adopting the GDPR, provided the EDPB with the possibility to have confidential exchanges when the EDPB deems it necessary. The EDPB SEC representatives added that, if unconditional public access was granted to all preparatory documents, NSAs would be reluctant to put forward their views and comments, which would seriously impair the EDPB’s ability to achieve its tasks set out by the GDPR. The EDPB SEC representatives also noted that EDPB guidelines are developed at a technical level, and the positions exchanged (often at staff level) during the drafting stages might not reflect the official position of the NSAs represented in the Board, given that these drafting proposals are made on the spot during meetings. These positions subsequently need to be confirmed when the draft is at a more mature stage in order to have the official positions of the individual NSAs.

The Ombudsman inquiry team noted that the request in the ongoing inquiry concerned draft versions of documents that had already been adopted by the EDPB. In addition, the complainant had stated that he would accept having access to anonymised versions of the contributions of the EDPB members. The Ombudsman inquiry team therefore asked the EDPB representatives to provide concrete examples as to how its decision-making process would be seriously undermined by granting wider public access to the requested documents where they were so anonymised.

The EDPB SEC representatives replied that in the past it was possible for the public to identify the authors of the contributions in the preparatory documents, even when these were disclosed in an anonymised form. The authors of these contributions can then be subject to external pressure from companies and interest groups. The EDPB SEC representatives stressed that such disclosure would result in EDPB members being reluctant to share their views, and consequently would prevent an open and free discussion. The EDPB SEC representatives added that, even if the preparatory documents were to be fully disclosed, it would cause confusion for the public, as drafts do not necessarily explain why a specific change was made, or why something was drafted in a certain way. They also pointed out that there is a risk that the disclosure of individual and preliminary views could affect the authority of the EDPB as a whole, whilst it has the mission to provide a consistent application of the GDPR.

The EDPB SEC representatives emphasised the need to balance and protect the right to transparency and the right to data protection. In this regard, granting public access to the requested documents would weaken legal certainty and consistency when it comes to the interpretation of the GDPR and, as a consequence, the right to data protection would be damaged.

Procedure for the adoption of guidelines

Upon request, the EDPB SEC representatives explained the EDPB’s internal practice for adopting its guidelines. According to this practice, the members of the EDPB’s subgroup in charge of a specific set of guidelines exchange comments on the draft prepared by a drafting team and on proposals made directly in meetings. It is common practice that the version of the draft being discussed during a meeting is displayed on a screen. It is often the EDPB Secretariat that records in real time these oral exchanges in the draft. As those discussions relate to concrete proposals made during meetings, they reflect the position at technical level of the staff of the EDPB members, which does not necessarily reflect the official position of their hierarchy that will have to be confirmed later on. Moreover, the EDPB SEC representatives were of the view that these drafts do not give an accurate picture of the entire discussion, as they are just ‘snapshots’ of the process and some changes may not always be done in a fully articulated way when performed ‘live’ during meetings. The EDPB SEC representatives therefore consider that someone who has not attended that meeting or at least followed the discussions within the EDPB on that topic would have difficulties to understand the context of the comments and suggested amendments. The EDPB SEC representatives restated that there is a risk, if public access is granted to preparatory documents, that future discussions would be affected, as NSAs would not express their views freely and this would severely impact the EDPB’s ability to achieve its tasks.

Finally, the EDPB SEC representatives noted that these documents are all, in one way or another, linked to the EDPB’s ongoing work on FATCA^[8], which could also be affected by their disclosure.

Conclusion of the meeting

The Ombudsman inquiry team thanked the EDPB SEC’s representatives for the explanations provided. The meeting then ended.

 

Brussels, 31 May 2022

 

Angela Marcos Figueruelo                                                                                 Jennifer King

Inquiries Officer                                                                                                 Legal Expert

Directorate of Inquiries                                                                                      Directorate of Inquiries

 

[1] Article 4.8 of the European Ombudsman’s Implementing Provisions.

[2] Available at: https://edpb.europa.eu/our-work-tools/our-documents/other-guidance/statement-042021-international-agreements-including_en

[3] Available at: https://edpb.europa.eu/our-work-tools/documents/public-consultations/2020/guidelines-22020-articles-46-2-and-46-3-b_en

[4] Available at: https://edpb.europa.eu/our-work-tools/our-documents/statements/edpb-statement-012019-us-foreign-account-tax-compliance-act_en

[5] Available at: https://edpb.europa.eu/system/files/2021-07/edpb_letter_out2021-0119_intveld_igas.pdf

[6] Guidelines 2/2019 of the EDPB, available at: https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-22019-processing-personal-data-under-article-61b_en

[7] In accordance with Article 4.3 of Regulation 1049/2001

[8] US Foreign Account Tax Compliance Act.