Recommendation of the European Ombudsman in case 1676/2017/KM on the European Commission’s handling of requests for access to documents on how it deals with and tries to prevent the unauthorised disclosure of its documents
Case 1676/2017/THH - Opened on Wednesday | 27 September 2017 - Recommendation on Friday | 15 December 2017 - Decision on Tuesday | 03 July 2018 - Institution concerned European Commission (Maladministration found )
Made in accordance with Article 3(6) of the Statute of the European Ombudsman
The case concerned two requests for access that the complainant made in February and March 2017. One was for documents on security inquiries conducted by the Commission into possible security breaches (“leaks”) and the other for minutes of weekly meetings of the heads of cabinet and the directors general relating to the issue of leaks.
Following an inspection of the relevant documents by her inquiry team, the Ombudsman found that the Commission had interpreted both requests in an excessively restrictive manner. The result was that the complainant did not obtain access to documents or parts of documents that, in the Ombudsman’s view, did fall within the scope of his requests. She therefore recommends that the Commission review its decision without further delay.
The background to the complaint
1. The complainant, a researcher at a German university, was conducting research on how the European Commission handles “leaks”, that is, the unauthorised disclosure of documents by its own staff. He asked the Commission for access to relevant documents from 2006 to 2016. He made two related requests.
2. In his first request, registered on 23 February 2017, he referred to the Commission Decision on Security in the Commission, Article 13 of which “foresees potential security inquiries in case of potential leakage, mishandling or compromise of sensitive non-classified information”, which according to paragraph 8 of that Article, “shall be documented”. The complainant asked for all documents reporting such or similar inquiries for the period 2006 to 2015. Alternatively, he asked the Commission to provide him with relevant overview statistics such as the number of inquiries and the number of successful inquiries. The Commission registered this request on the same day and gave it the reference number GESTDEM 2017/1107. On 16 March 2017, the Commission refused access. It stated that this was based on Article 9 of the Access to Documents Regulation (which relates to sensitive documents) and the protection of the purpose of security inspections, investigations and audits (that is, the exception set out in Article 4 paragraph 2 of the Regulation).
3. The complainant asked the Commission to review that decision. He stated that “in view of the potentially high sensitivity of some of the documents requested and in view of the potential administrative burden in checking a large amount of documents under my request…I am glad to limit my request under Regulation 1049/2001…for example by specifying a timeframe of the request or by limit the request on the last part of the request (Docs containing overview statistics incl. number of enquiries, number of (non-)successful inquiries) should these latter documents exist.”
4. The Commission first promised a reply by 7 April 2017 but extended the time limit to 4 May 2017. The complainant sent a reminder and was sent a holding letter. On 8 May 2017, the Commission emailed stating that it had finalised the assessment, but that formal approval was still pending. It hoped to be able to send a reply by end May. The complainant sent another reminder. On 25 July 2017, the Commission sent another holding letter apologising for the delay and promising a reply by mid-September. The complainant then sent a final reminder, stating that he was under time pressure to submit his “final research output” and asking if there was any chance he might receive final replies for one or both requests within the coming days.
5. On 22 September 2017, the complainant turned to the Ombudsman because he had not received a reply from the Commission.
6. The complainant’s second request, which was registered on 3 March 2017, was a request for “all minutes of the weekly meetings of Chefs de Cabinet and of the weekly meetings of Directors-General for 2006-2015 during which information/document leaks (or similar, referring to unauthorised disclosures) from the Commission or anti-leak measures were discussed.” He added that he “only request access to those parts of the documents covering these instances and/or their context”. The Commission registered this as two requests, one for the weekly meetings of the heads of cabinet (GESTDEM 2017/1381) and one for the weekly meetings of the Directors-General (GESTDEM 2017/1493). The complainant’s request was registered on 3 March 2017.
7. On 30 March 2017, the Commission granted wide partial access to the weekly meetings of the Directors-General (GESTDEM 2017/1493).
8. In relation to GESTDEM 2017/1381 (the meetings of Heads of Cabinet), the Commission extended the time limit to 19 April 2017. On 14 April 2017, it sent a holding reply without providing a date on which the complainant might expect a reply. The complainant sent two reminders. On 29 May 2017, the Commission sent an email apologising for the fact that “the research took us more time than we thought” and indicating that the reply was now “validated and signed” and should reach the complainant “very soon”.
9. The Commission sent its reply to the initial application on 31 May 2017.
10. It identified a list of 72 documents that “contain parts falling under the scope of your requests”. It rejected the request for access to those documents, arguing that they referred to internal reflections regarding the sensitive matter of leaks of Commission documents and internal measures to avoid such leaks. The complainant had not argued an overriding public interest in disclosure and neither had the Commission identified one. The Commission also relied on the protection of public security, noting that this cannot be set aside by an overriding public interest.
11. The complainant asked the Commission to review this decision.
12. The Commission promised a reply by 4 July 2017 but extended this time limit to 26 July 2017. On 25 July 2017, the Commission sent a holding letter but did not set a new date.
13. The complainant sent a reminder on 13 September 2017. He complained to the Ombudsman on 22 September 2017 because he had not received a reply.
14. The Ombudsman opened an inquiry into the complaint and identified the following allegations made by the complainant:
1) The Commission has failed to respect the time limits for dealing with all three registered requests for access both at initial and at review stage.
2) The Commission’s initial decisions to refuse access were wrong.
15. The complainant stated that the Commission should grant the widest possible access to the documents requested under references GESTDEM 2017/1107 and GESTDEM 2017/1381, and do so as soon as possible.
16. The Ombudsman’s inquiry team carried out an inspection of the relevant documents and asked the Commission for some clarifications. The Ombudsman had asked the Commission to provide any views in addition to the position expressed in its replies to the complainant within fifteen working days. The Commission replied to the complainant’s requests for review and forwarded these to the Ombudsman.
Failure to grant the fullest possible access
Arguments presented to the Ombudsman
GESTDEM 2017/1107 - access to security inquiries
17. In its reply to the complainant’s request for review, the Commission stated that, “taking into account [the complainant’s] proposal to narrow down the temporal scope of [his] request (the entry into force of the Commission Decision 443/2015 on Security in the Commission of 13 March 2015)”, it had identified six security inquiries “in the period March 2015 until the registration of your confirmatory application”. The following types of documents fell “under the narrowed scope” of the request:
“1) Notes from concerned Directorates-General reporting a leak of sensitive information and requesting support to assess allegations against EC staff members;
2) Internal correspondence between DG HR and the Investigation and disciplinary Office of the Commission (IDOC);
3) Internal notes from DG HR, Security Directorate to the concerned Directorates-General on the state of play of the investigations, on the technical analysis, analysis of evidence, inquiry mandated from the Director-General of HR;
4) Open source intelligence documents (‘osint documents’);
5) Notes on investigation strategy and means;
6) Witness statements; and
7) Final investigation reports and transmission notes.”
18. The Commission refused access to them all, based on Article 4(1)(a), first indent (protection of the public interest as regards public security), Article 4(2), third indent (protection of the purpose of inspections, investigations and audits), Article 4(3) (protection of the decision-making process) and Article 4(1)(b) (protection of privacy and the integrity of the individual) of the Access to Documents Regulation.
19. The Commission argued that the concept of public security includes “the security of persons, assets and information in the Commission.” Its Security Rules stated the objective of security as “to enable the Commission to operate in a safe and secure environment by establishing a coherent, integrated approach as regards its security, providing appropriate levels of protection for persons, assets and information commensurate with identified risks, and ensuring efficient and timely delivery of security.”
20. The requested documents concern security inquiries in relation to the unauthorised disclosure of sensitive but non-classified information. The Commission said that it was under a duty to protect sensitive information which “shall only be released to those individuals, authorised Commission staff, who have a 'need-to-know'.” These staff conduct their security inquiries independently and gather information from all relevant sources, including witnesses and perpetrators, as well as other institutions and also Member States. The disclosure of documents that contain sensitive information on security in the Commission “would seriously undermine the effectiveness of the Commission in the performance of its security-related tasks as it would reveal the counter-intelligence measures of the Commission protecting the security of its information”.
21. As regards the protection of the purpose of investigations, the Commission stated that the documents “contain intelligence on cases/investigations, identify the risks to security, as well as provide the overview of the security inquiry, detail its specific investigative steps ... specific (personal) data ... specific methods, tools and formats ... investigative techniques employed, the data analysed, evidence gathered ..., the findings of the inquiry, as well as security measures taken and proposed... [and] witness statements”. It added that the purpose of Commission's security inquiries is to establish whether, and which, security measures need to be taken in order to ensure the security in the Commission, and to identify, prevent and mitigate risks to said security.
22. The Commission stated that the Security Rules “make no provision for access to the documents” on a security inquiry file, neither for the persons concerned by a security inquiry nor for any interested third parties. This is because there is “a serious risk that the integrity of the conduct of security inquiries would be hampered and the implementation of the (follow-up) security measures undermined if the documents of such inquiries were disclosed to the public”. Such disclosure would, firstly, give “an exclusive insight into the inner workings of a security inquiry and the know-how used during this process” and would allow persons under investigation “to anticipate the way in which similar security inquiries will be conducted, and [thus to] pre-empt or counteract the said inquiries.” Furthermore, the “prospect of disclosure” would deter those carrying out the inquiries “from expressing their opinion independently”. This would “seriously undermine the effectiveness of the Commission in the performance of its security related tasks”. Secondly, the Commission had to protect the confidentiality of witness statements and other information, also with a view to protecting the presumption of innocence.
23. On the protection of the decision-making process, the Commission stated that all documents apart from the ‘Open source intelligence documents’ and the witness statements ((4) and (6)) contained preliminary assessments and “reflect the internal process of conducting of security inquiries”. They “form part of preliminary deliberations in the course of the decision-making process”. Disclosing them would reveal the Commission’s methodology and strategy and would thus seriously undermine the decision-making process with regard to the future procedural steps which the Commission might have to take.
24. On the protection of privacy, the Commission argued that all documents related to identified or identifiable individuals. They contained “the names, contact data, professional and personal background, personal opinions, as well as information on the (electronic) telecommunications behaviour of non-senior members of Commission staff and other individuals.” Disclosure of evidence provided by witnesses would make these witnesses identifiable to the public, including the persons investigated. The Commission referred to case law of the European Court to state that it is for the applicant to demonstrate a need to have personal data transferred. The complainant had referred to his “publicly funded research” but this did not “establish the public necessity of accessing personal data”; his “alleged interest would be of a private, rather than public, nature” and did “not suffice to establish the necessity of having the data in question made publicly available”.
25. The complainant had also made an alternative request, namely, for “documents containing overview statistics” on such inquiries. He had repeated this request in his confirmatory application. The Commission said it had, however, not found any such documents. Given that the Access to Documents Regulation only applied to existing documents, it was not in a position to handle this part of his request. It referred the complainant, however, to the 2015 Human Resources report and to IDOC’s annual activity report 2016.
26. It was unable to grant “meaningful partial access” without undermining the interests described above. The complainant had argued that “access to the documents requested is the only way that this public interest research can be reasonably successful without having to incite Commission officials to reveal otherwise non-public information in the course of interviews.” The Commission considered that this was an “individual interest” which could thus not be taken into account when assessing whether there was an overriding public interest.
27. The complainant’s main objection to the Commission’s reply was that it had used “an offer I made in my confirmatory application to limit my request” in a way “that effectively re-interprets my request, and has defined the period for which they provide feedback without consulting me.” He notes that he had made this offer “in the spirit of compromise” but wonders whether the Commission has interpreted it the way it did in order to limit access. He points out that his request, originally, was for documents from 2006 to 2015. The Commission, instead, assessed documents from 2015 to 2017. The complainant notes that some of the exceptions that the Commission relied upon to deny access, such as security interest or the protection of decision-making, may not apply to documents that are now over a decade old.
28. The complainant also objects to the Commission’s rejection of this “larger argument for public access” and reference to his “individual” interest in the documents. He noted that he had to make his arguments in the abstract and hypothetically because the Commission had not identified documents in its reply to the initial request.
GESTDEM 2017/1381 - access to minutes of head of cabinet meetings
29. In its reply to the complainant’s review request, the Commission stated that the Secretariat-General had “re-examined the content of the 72 documents identified at the initial stage and established that some of these documents do not contain any information relating to leaks or unauthorised disclosures.” They therefore, the Commission said, fall outside the scope of the request.
30. The remaining 27 documents were not exclusively about leaks but also dealt with different and unrelated subject matters. Where this was the case, the parts of the documents that fell outside the scope of the request had been removed from the documents that were released to the complainant.
31. The complainant stated that he was ready to believe that the checks by the Transparency Unit were correct. He noted that the smaller number was closer to the number of documents he had received for his parallel request for access to the minutes of the weekly meetings of the Directors-General. However, he could not “get [his] head around how 45 documents could be mis-identified if a proper check of the documents was conducted, unless [his] request was systematically misunderstood” at the initial stage.
32. As to content, the complainant stated that he had the impression that the documents produced by the current Commission (dating from 2014 and later) were more heavily redacted than the older ones, and provided less context to the leaks than older documents. Except in one instance, it was impossible to deduce, from the partial access he obtained, to which policy discussions the respective leaks were linked or whether this was part of a general discussions on leaks and anti-leak measures. He argued that the Commission should grant access to some more of this context, such as by showing the agenda heading, or the entire paragraph, to allow an understanding of the policy area concerned. He noted that this had been done in the older documents. The complainant noted that the Commission had not specifically explained why it had redacted this context. He found this surprising because he had explicitly asked for access to the context of the leaks. He “would therefore expect to receive at least a little more access to provide the necessary context in which these leaks were discussed.”
33. The Ombudsman’s inquiry team asked the Commission for unredacted versions of two of the documents they had sent to the complainant in redacted form and two of the documents identified at initial stage but then considered out of scope. It also asked the Transparency Unit to explain the process by which they had reduced the number of documents from 72 to 27. The Transparency Unit replied that it had read all 72 documents.
The Ombudsman's assessment leading to a recommendation
GESTDEM 2017/1107 - security inquiries
34. The complainant had asked for access to “all documents reporting this or similar types of inquiries for 2006-2015”; the word “this” in that sentence can be taken to mean “security inquiries” as defined in the 2015 Commission decision, to which the complainant referred in the same paragraph. In his review request, he did state that he was ready to limit his request, “for example by specifying a timeframe of the request”. The Commission reacted to this by “taking into account your proposal to narrow down the temporal scope of your request (the entry into force of the Commission Decision 443/2015 on Security in the Commission of 13 March 2015)”
35. This is clearly an excessive response to the complainant’s words. What the complainant did was to specify a time frame - in other words, he made an offer to make a proposal (or to consider a proposal from the Commission.) The Commission’s decision to interpret his offer as “a proposal to narrow down the temporal scope” of his request and unilaterally to narrow down its scope, was unreasonable and wrong. Without consulting the complainant, it decided to limit its assessment to documents that were drawn up after the entry into force of the 2015 Commission Decision. The complainant had clearly said that he was interested in documents concerning inquiries for the period 2006-2015.
36. Article 6(3) of the Access to Documents Regulation gives institutions the option to “confer with the applicant informally, with a view to finding a solution” where the request relates to a very large number of documents. The case law has clarified that, if an applicant rejects reasonable attempts at finding such a solution, the institutions can implement one unilaterally. However, in this instance there is no evidence of the Commission having “conferred” with the applicant. Instead, the Commission simply decided to take his proposal to specify a shorter timeframe as an invitation to reduce considerably the scope of the request.
37. Furthermore, in the context, there could be no reason to believe that considering documents for the period 2015-2017 was consistent with a request for documents for the period 2006-2015. It is true that the complainant referred to the Commission’s 2015 Decision, but he clearly asked for documents reporting security inquiries conducted under the 2015 Decision “or similar types of inquiries” for 2006-2015. The Commission’s decision to limit the scope of its assessment to inquiries based on the 2015 Decision, and therefore subsequent to it, and to go beyond the period originally specified by the complainant to 2017 was plainly wrong. This is a clear instance of maladministration.
38. Furthermore, as regards the Commission’s interpretation of the concept of public security to include “the security of persons, assets and information in the Commission”, this is excessively broad. “Public security” relates to societal threats, such as terrorism, and the national security of a Member States, rather than internal security risks within an institution or organisation.
GESTDEM 2017/1381 - access to minutes of head of cabinet meetings
39. When the Commission first looked at the complainant’s request, it identified 72 relevant documents. Following his request to review the decision, it corrected that figure to 27. The complainant expressed surprise at this.
40. When the Commission’s Secretariat-General deals with a review request, it conducts what it calls a “fresh review” of the initial reply. This involves a re-examination of the documents that were initially identified, which can lead to an increase or a decrease of the number of documents that are considered relevant. The Ombudsman sees no issue with this approach in principle. In this case, the Commission seems to have conducted this reassessment thoroughly and correctly. The Transparency Unit confirmed that it had read all 72 documents initially identified in order to determine whether they were indeed relevant. The Commission’s conclusion was supported by the Ombudsman’s inquiry team’s inspection of two of the documents that the Transparency Unit considered to be out of scope. One of these minutes reports a reminder to all present at the meeting that they are bound by a duty of confidentiality; the other, a reminder that a topic under discussion requires “collegiality, determination and discipline, including in matters of public communication”. While it is thus understandable that these documents were considered relevant in the first instance, the decision to consider them outside the scope of the request, following a review, is also justified. The Ombudsman therefore does not consider that further inquiries into this aspect are necessary.
41. The Ombudsman’s inquiry team also inspected two documents to which the Commission granted partial access, namely SEC_2010_1920 and RCC_2015_2139.
SEC_2010_1920 - minutes of the meeting of the Heads of Cabinet of 31 May 2010
42. The complainant was given access to the following two sentences on the middle of page 6 that dealt with leaks: The Head of Cabinet of the President: [Out of scope] “He also stressed the need to preserve the confidentiality of the preparatory work in this kind of cases. He stressed that reminders to this end had been issued repeatedly, and regretted that further leaks could potentially damage the image of the institution, which was already under significant pressure due to the crisis.” ]»
43. The text taken out, marked as out of scope, provides the context in which these remarks were made. Moreover, the part to which the complainant was granted access is followed by remarks from other interveners that also clearly relate to leaks.
RCC_2015_2139 - minutes of the meeting of the Heads of Cabinet of 21 September 2015
44. The complainant was given access to one sentence from page 14: “The Head of the President's Cabinet underlined the importance of avoiding any leaks”. This sentence is part of a paragraph that provides a background to the policy area in relation to which this statement was made, and provides more relevant detail.
45. The Ombudsman must therefore conclude that the Commission was overly restrictive when it determined that the parts that it redacted were outside the scope of the complainant’s request for access, which expressly mentioned the context of the discussions on leaks. This is an instance of maladministration.
46. The Ombudsman finds that the Commission wrongly limited the scope of both requests under investigation. This constituted maladministration. She therefore makes an appropriate recommendation below, in accordance with Article 3(6) of the Statute of the European Ombudsman.
47. The Ombudsman has commented positively, on many occasions, on the increased transparency of the Juncker Commission. She therefore finds it disappointing that a citizen engaged in legitimate academic work should have had such a poor experience to date in his request for access to documents. The complainant has shown persistence, but other citizens might understandably have given up when confronted with such delays and retained an unfavourable view of the openness and accountability of a key EU institution. The Commission must always take into account the reputational risks of dealing with legitimate requests in a manner that falls short of the high standards expected.
On the basis of the inquiry into this complaint, the Ombudsman makes the following recommendation to the Commission:
The Commission should reassess, without further delay, the complainant’s requests with a view to granting broader access, based on a correct reading of the scope of the complainant’s requests for access to documents, which should be reduced only in consultation with the complainant, and in the light of the Ombudsman’s comments on the public security exception.
The Commission and the complainant will be informed of this recommendation. In accordance with Article 3(6) of the Statute of the European Ombudsman, the Commission shall send a detailed opinion by 15 March 2018. The detailed opinion could consist of the acceptance of the recommendation and a description of how it has been implemented.
 Decision of the European Parliament of 9 March 1994 on the regulations and general conditions governing the performance of the Ombudsman's duties (94/262/ECSC, EC, Euratom), OJ 1994 L 113, p. 15.
 Commission Decision 2015/443 of 13 March 2015 on Security in the Commission, OJ 2015 L 72, p. 41
 Translated from the original French text which states as follows: «Le chef de cabinet de M. le PRESIDENT : [out of scope] « Il insiste par ailleurs sur la nécessité de préserver la confidentialité des travaux de préparation de ce type de dossiers. Il souligne que des rappels à cet égard sont intervenus à plusieurs reprises et déplore que de nouvelles fuites risquent de porter préjudice à l’image de l’institution, alors même qu’avec la crise celle-ci est soumise à d’importantes pressions. »