Tem uma queixa contra uma instituição ou organismo da UE?

Línguas disponíveis:
  • ENEnglish

Decision on the European Data Protection Supervisor’s (EDPS) refusal to grant public access to documents related to a report concerning the Schrems II judgment (case 274/2021/TE)

The case concerned the European Data Protection Supervisor’s (EDPS) refusal to grant public access to documents related to an investigation into the EU institutions’ compliance with the Schrems II ruling. In that judgment, the Court of Justice ruled on the adequacy of the protection provided by the EU-US Privacy Shield, with considerable consequences for the way personal data can be transferred to third countries, in particular to the United States. The EDPS took the view that disclosing the documents would undermine an ongoing decision-making process.

The Ombudsman’s inquiry team inspected the documents in question and found that, while it is reasonable to consider that the disclosure of some information contained in those documents is likely to undermine the purpose of investigations, several documents also contain information that cannot reasonably be understood to undermine that purpose. The Ombudsman therefore proposed to the EDPS to review its position on the complainant’s request, with a view to granting the widest possible public access.

In its reply, the EDPS agreed to grant partial public access to some of the documents identified. It refused access to two documents, arguing that these documents contain information about the EDPS’s internal methodologies and that their disclosure could compromise the effective use of the EDPS’s means of investigation in the future. By agreeing to grant partial public access to the documents at issue, the Ombudsman considers that the EDPS has resolved the complaint. She therefore closed the case.

Background to the complaint

1. In July 2020, the Court of Justice of the European Union ruled in the Schrems II case.[1] The ruling concerned the European Commission’s decision[2] on standard contractual clauses for data transfers to third countries and, in particular, the level of protection ensured in the United States (the so-called ‘Privacy Shield’). The Court declared invalid a Commission implementing decision[3] on the adequacy of the protection provided by the EU-US Privacy Shield, with considerable consequences for the way personal data can be transferred to third countries, in particular to the United States.

2. Following the Schrems II ruling, the European Data Protection Supervisor (EDPS) adopted a “Strategy for Union institutions, offices, bodies and agencies to comply with the Schrems II ruling”. As part of this strategy, on 5 October 2020, the EDPS ordered EU institutions, bodies, offices and agencies (hereafter ‘EU institutions’) to complete a ‘mapping exercise’ identifying which ongoing contracts, procurement procedures and other types of cooperation involve data transfers. EU institutions were ordered to report to the EDPS by 15 November 2020 any specific risks and gaps identified.

3. On 3 November 2020, the complainant requested public access to several documents held by the EDPS. The request consisted of two parts:

  • first, the complainant sought access to the mapping exercise that the EDPS carried out for itself (hereafter ‘EDPS mapping exercise’); and
  • second, the complainant asked for a copy of any privacy assessment, including data protection impact assessments (DPIAs), carried out by the EDPS for the use by the EDPS of the following tools: Microsoft Office365, Microsoft Teams, Zoom, Cisco Webex, Skype.

4. On 14 January 2021, the EDPS refused access to the documents it identified, based on the exception in the EU rules on public access to documents which concerns the protection of the decision-making process.[4] The EDPS explained that the documents “are part of an ongoing procedure, where the decision is not yet taken by EDPS”. The EDPS confirmed, however, that it had carried out a mapping exercise and prepared a related report.

5. On 22 January 2021, the complainant asked the EDPS to review its decision, by introducing what is known as a ‘confirmatory application’. The complainant argued that:

  • The EDPS’s statement that it has prepared a report on the EDPS mapping exercise is incompatible with the claim that the documents are part of an ongoing procedure. As the other institutions were requested to finalise their mapping exercise by 15 November 2020, it would be surprising if the EDPS mapping exercise has not been finalised yet.
  • The EDPS did not provide information on the existence of any documents regarding the second part of her access request, related to the privacy assessments. It should have at least provided a list of the documents identified as falling within the scope of that part of the request.
  • The exception in the EU rules on public access to documents must be interpreted and applied strictly. The EDPS did not provide any explanation of how disclosure would seriously undermine the decision-making process.
  • Finally, even if disclosure undermined the EDPS’s decision making process, there would be an overriding public interest in disclosure. Regarding the EDPS mapping exercise, the public must be able to verify that the EDPS is leading by example. Regarding the privacy assessments, there is an overriding public interest in knowing which IT tools the EDPS uses internally and what the outcome of any analysis was prior to the adoption of the tools. If the EDPS is using any of the tools (Microsoft Office365, Microsoft Teams, Zoom, Cisco Webex, Skype), the corresponding privacy assessment could provide a reference and gold standard for other institutions.

6. On 8 February 2021, the EDPS confirmed its initial decision, noting that the requested documents were part of an ongoing decision-making process and that the outcome of that process would be jeopardised by the documents’ disclosure. The EDPS also noted that it could not confirm the existence or number of any other documents that may fall within the scope of the request “as they are part of ongoing procedures and thus their status or number is still pending”.

7. Dissatisfied with the EDPS’s decision, the complainant turned to the Ombudsman on 9 February 2021.

The Ombudsman's proposal for a solution

8. On 24 February 2021, the Ombudsman’s inquiry team first met[5] with EDPS staff to discuss the documents at issue and their relevance for the investigation the EDPS is conducting regarding the EU institutions’ compliance with the Schrems II ruling. On 29 March 2021, a second meeting[6] took place at which the Ombudsman’s inquiry team inspected the documents at issue in this inquiry.

9. Based on an analysis of the inspected documents, the Ombudsman proposed a solution to the EDPS on 26 April 2021. In her solution proposal, the Ombudsman considered that:

· The document identified by the EDPS as falling within the scope of the first part of the complainant’s access request, that is, the report on the EDPS mapping exercise, is part of an investigation into the EU institutions’ compliance with the Schrems II ruling. This investigation, which is based on the EDPS’s investigative powers,[7] is ongoing. The analysis of the reports on the mapping exercise, submitted by EU institutions, including the EDPS, is the first phase of that investigation. This first phase of the investigation has not yet been concluded.  

  • In view of this, the Ombudsman considered it reasonable for the EDPS to conclude that disclosing the report on the EDPS mapping exercise is likely to undermine the purpose of the ongoing investigation, as protected by Article 4(2), third indent, of the EU rules on access to documents. The Ombudsman could not identify an overriding public interest in disclosure, at this stage in the investigation, and welcomed that the EDPS committed during the meetings with her inquiry team to reconsider (partial) access at a later stage.
  • As regards the second part of the complainant’s access request, that is, the disclosure of any privacy assessment the EDPS conducted of several online tools, the Ombudsman welcomed the EDPS’s agreement to share with the complainant the report on the second meeting her inquiry team held with the EDPS. The inspection report contains a list of the five documents that the EDPS had identified as falling within the scope of the second part of the complainant’s access request.[8]
  • As regards the substance of the five identified documents, the Ombudsman noted that they relate to (updates of) a privacy assessment conducted by the EDPS in the context of the COVID-19 pandemic, prior to the Schrems II judgment. Some parts of the assessment were adapted in the aftermath of the Schrems II judgment and concern tools also reported by the EDPS and other EU institutions as part of the mapping exercise, thus potentially qualifying as an enforcement target.
  • The Ombudsman therefore found it reasonable for the EDPS to consider that, although the assessment had been initiated before the start of the investigation, it may, in parts, reveal the position of the EDPS in relation to specific IT tools used by EU institutions. She therefore agreed that granting access to those parts of the assessment at this stage could limit the EDPS’s margin of manoeuvre in conducting the ongoing investigation.
  • At the same time, the Ombudsman found that it was difficult to see how some of the information contained in the five identified documents relates to the ongoing investigation. Nor is it clear how disclosure of that information would reveal the position of the EDPS in relation to specific IT tools used by EU institutions.

10. In view of these considerations, the Ombudsman proposed that the EDPS review its position on the second part of the complainant’s public access request, with a view to granting the widest possible public access to the five identified documents.

11. In its reply to the Ombudsman’s solution proposal,[9] the EDPS agreed to review its position on the second part of the complainant’s public access request. Following this review, the EDPS granted partial public access to three of the identified documents and refused access to the remaining two documents. The EDPS also identified an additional document as falling within the scope of the request and granted partial access to it.

12. In refusing access to two of the identified documents - entitled ’EDPS inspection tools’ and ‘EDPS inspection tools v.2’ - the EDPS argued that these documents “fall within the exceptions of Article 4(2), third indent, of Regulation 1049/2001 as they contain details of the working tools and methods utilized during our inspections. In this regard, the disclosure of the said documents containing information about the EDPS’s internal methodologies could compromise the effective use of the EDPS’s means of investigation in the future.”

13. The EDPS granted partial public access to the other four documents, redacting personal data of EDPS staff members.

14. The complainant commented that she was satisfied with the Ombudsman’s proposal and the solution achieved.

The Ombudsman's assessment after the proposal for a solution

15. The Ombudsman welcomes the EDPS’s positive response to her solution proposal.

16. She notes that the EDPS agreed to disclose four documents after redacting personal data of staff members. As the complainant does not wish to have access to personal data, there is no need for the Ombudsman to examine if the redactions are justified.

17. The Ombudsman further notes that the EDPS refused access to the two versions of the document ‘EDPS inspection tools’. In her solution proposal, the Ombudsman had identified certain incidental information in that document as not being related to the ongoing investigation. Nor did it seem that disclosing the information would reveal the position of the EDPS in relation to specific IT tools used by EU institutions. However, as the information that the Ombudsman identified was of an incidental nature, and given that the complainant is satisfied with the solution achieved, the Ombudsman considers that the EDPS has resolved the complaint by agreeing to grant partial access to the documents identified as falling within the scope of the second part of the complainant’s access request.

Conclusion

Based on the inquiry, the Ombudsman closes this case with the following conclusion:

The Ombudsman welcomes the EDPS’s positive reply to her solution proposal. By agreeing to grant partial public access to the documents identified as falling within the scope of the second part of the complainant’s request, the EDPS has resolved the complaint.

The complainant and the European Data Protection Supervisor will be informed of this decision.

 

Emily O'Reilly
European Ombudsman


Strasbourg, 20/08/2021

 

[1] Judgment of the Court (Grand Chamber) of 16 July 2020, Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems, Request for a preliminary ruling from the High Court (Ireland), Case C-311/18, available at: http://curia.europa.eu/juris/document/document.jsf?text=&docid=228677&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=12312155

[2] Commission Decision 2010/87/EU of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council: https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32010D0087

[3] Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv%3AOJ.L_.2016.207.01.0001.01.ENG

[4] Article 4(3) of Regulation 1049/2001 regarding public access to European Parliament, Council and Commission documents: https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32001R1049

[5] The meeting report is available here: https://www.ombudsman.europa.eu/en/report/en/145806

[6] The inspection report is available here: https://www.ombudsman.europa.eu/en/report/en/145807

[7] Article 58(1) of Regulation 2018/1725 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:32018R1725

[8] The list is included in the inspection report, available here: https://www.ombudsman.europa.eu/en/report/en/145807

[9] Available here: https://www.ombudsman.europa.eu/en/correspondence/en/145805