The International Forum for Responsible Media Blog

EU Law, Freedom of Information and Data Protection – Part 2 – Aidan O’Neill QC

This is the second part of a three part post.  In this part Aidan O’Neill considers EU secondary legislation on access to documents.

The EU access to document regime applies only to the EU’s own institutions, bodies, offices and agencies.   Strictly it is not a freedom of information regime.  Instead as the General Court has stated:

[T]he concept of a document must be distinguished from that of information. The public’s right of access to the documents of the institutions covers only documents and not information in the wider meaning of the word and does not imply a duty on the part of the institutions to reply to any request for information from an individual” (Case T‑264/04 WWF European Policy Programme v. Council [2007] ECR II-911 at paragraph 76)

In any event, the protection and promotion of freedom of information by and within the Member States remains a matter for Member States to regulate.     EU law does not yet extend to giving a right of access to documents to held – in their own right rather than as agents for the EU –  by public authorities of the Member States, though Recital 15 of Regulation (EC) No 1049/2001 which is the central provision of the EU freedom of information regime, states:

“Even though it is neither the object nor the effect of this Regulation to amend national legislation on access to documents, it is nevertheless clear that, by virtue of the principle of loyal cooperation which governs relations between the institutions and the Member States, Member States should take care not to hamper the proper application of this Regulation and should respect the security rules of the institutions.”

Regulation (EC) No 1049/2001 avowedly aims at facilitating the “fullest possible public access to EU documents (see, for example, Case C‑139/07 P Commission v Technische Glaswerke Ilmenau 29 June 2010, paragraph 51).  This is (particularly in cases where the EU institutions are acting in a legislative capacity).  At the same time it seeks to preserve the “effectiveness” of the institutions’ decision-making process, by preserving the secrecy of the institutions’ internal consultations and deliberations where necessary to safeguard their ability to carry out their tasks (Article 4(3)). (Case T‑121/05 Borax Europe Ltd. v Commission [2009] II-27* (Summ. Pub.) at paragraphs 66-8, 70).

Somewhat tendentiously, it is claimed that the right of public access to documents of the EU institutions is related to the “democratic nature” of those institutions. (See for example Joined Cases C‑39/05 P and C‑52/05 P Sweden and Turco v Council [2008] ECR I‑4723, paragraph 34). Although the Regulation sets time limits within which to respond to document access request, failure on the part of the EU to comply with the time-limit laid down in that provision does not lead automatically to the annulment of the decision adopted after the deadline as this would merely cause the administrative procedure for access to documents to be reopened. Instead compensation for any loss resulting from the lateness of the institutional response may be sought through an action for damages (Joined Cases T‑355/04 and T‑446/04 Co-Frutta Soc. Coop. v. Commission, 19 January [2010] ECR II-nyr at paragraph 71).

Article 4 of the Regulation also sets out a series of possible permissible reasons for refusing access to (or selectively redacting) requested documentation.    As a derogation from the general principle of public access to documents held by the EU, these exception must be interpreted narrowly and applied strictly.   They include where disclosure would undermine the protection of the public interest as regards public security (Case C‑266/05 P Sison v Council [2007] ECR I‑1233), defence and military matters, international relations, and/or the financial, monetary or economic policy of the EU or of a Member State (See Joined Cases T‑3/00 and T‑337/04 Pitsiorlas v Council [2007] ECR II-4779) (Article 4(1)(a)).   Refusal may also be made on the basis of harm to the privacy and the integrity of the individual, having particular regard to the EU’s data protection legislation (Article 4(1)(b)).  And unless there is an overriding public interest in disclosure, the EU institutions are also required under Article 4(2) of the EU Regulation to refuse access to a document where its disclosure would undermine the protection of: commercial interests of a natural or legal person (Joined Cases T‑355/04 and T‑446/04 Co-Frutta Soc. coop. V. Commission, 19 January 2010)  including intellectual property, audits, legal advice, inspections, investigations and court proceedings  (Joined Case C-514,-528,-532/07P Sweden and Association de la Presse Internationale a.s.b.l. (API) v. Commission 21 September 2010)

In its decision in Sweden and Association de la Presse Internationale a.s.b.l. (API) v. Commission (Joined Cases C-514,-528,-532/07P Sweden and Association de la Presse Internationale a.s.b.l. (API) v. Commission 21 September 2010, para 156)  the Grand Chamber seemed to set little store by the idea of compliance with the principle of transparency in decision making – at least in the context of EU court proceedings – as being in itself of overriding public interest and summary dismissed “mere claims” made by API to the effect that the public’s right to be informed about important issues of EU law – such as those concerning competition, and about issues which are of great political interest raised by infringement proceedings against Member States – should “prevail over the protection of the court proceedings”.   Instead in the Grand Chamber’s views “it is only where the particular circumstances of the case substantiate a finding that the principle of transparency is especially pressing that that principle can constitute an overriding public interest capable of prevailing over the need for protection of the disputed documents and, accordingly, capable of justifying their disclosure.”

If an EU institution or body subject to the provisions of Regulation (EC) No 1049/2001 decides to refuse access to a requested document it must, in principle, explain how disclosure of that document could specifically and effectively undermine the interest protected by the Article 4 exceptions. However the Grand Chamber has also ruled that the EU institution may in refusing a specific document access request base its decisions “on general presumptions which apply to certain categories of document, as considerations of a generally similar kind are likely to apply to applications for  disclosure which relate to documents of the same nature.” (Joined Case C-514,-528,-532/07P Sweden and Association de la Presse Internationale a.s.b.l. (API) v. Commission 21 September 2010 at para74).

The Grand Chamber in the same case also appears to sets up a rather specious and spurious hierarchy of types of documents by which it claims, it can grade the degree of public interest in having access to them.   Documents relating to the legislative activities of an EU institution said to be the most important.  These are followed by documents relating to the administrative activities of the Commission which are said to be being of less public importance in terms of pubic and open access.   Finally documents relating to the “the judicial activities of the Court” are said to be of the least interest and importance to the public and hence access to these may be the more readily refused and such refusal the more easily justified (Ibid, para 60).   In any event, says the Grand Chamber the provisions of Regulation (EC) No 1049/2001 simply  do not apply to requests for court pleadings as these are documents relating to the court’s judicial activities and Article 15(3) TFEU applies the duty of transparency and document access to the EU Court “only when exercising “administrative tasks” as opposed to its judicial functions (Ibid, paras 77-84) noting that “if third parties were able, on the basis of Regulation No 1049/2001, to obtain access to those pleadings, the system of procedural rules governing the court proceedings before the EU Courts would be called into question” (Ibid, para 100).

In principle, the right of access also applies to EU documents relating to the common foreign and security policy and to police and judicial cooperation in criminal matters.   In principle the EU freedom of information regime  is not limited to not only to documents drawn up by the EU  institutions, but may also apply to documents received by them, albeit allowing for a Member State to request the Commission or the Council not to communicate to third parties a document originating from that State without its prior agreement.    But Member States do not have any general and unconditional right of veto on the disclosure of a document held by a Community institution simply because it originates from that Member State (C‑64/05 P Sweden v Commission [2007] ECR I‑11389, para 58).

The EU regulation sets up a two-stage administrative procedure in relation to dealing with access to documents requests, with the additional possibility of court proceedings being taken by a disappointed applicant before the EU Court or making a complaints to the European Ombudsman.  One may note in this regard the provision of Article 43 the Charter which state that “any citizen of the Union and any natural or legal person residing or having its registered office in a Member State has the right to refer to the European Ombudsman cases of maladministration in the activities of the institutions, bodies, offices or agencies of the Union, with the exception of the Court of Justice of the European Union acting in its judicial role.”

Data protection and EU Institutions

Regulation (EC) No 45/2001 was made by the EU legislature under reference Article 286 EC (what is now Article 16(2) TFEU, the provisions of which are outlined above).   Those protected under the regulations are those identified or identifiable individuals whose personal data are processed by EU institutions or bodies in any context whatsoever.   The regulation’s provisions do not apply to wholly anonymised data.  But it is not limited, for example, simply to those who are employed by the EU.

“Personal data” for the purposes of the Regulation is any information held on an individual; the Regulation does not apply to information held on a company or other legal person. (See Case T‑198/03 Bank Austria Creditanstalt v Commission [2006] ECR II‑1429 at paragraph 95) Particularly sensitive personal data is that which may disclose details of an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union membership, health or sex life; the lawful processing of such information has to be either expressly consented to or otherwise shown to be specifically necessary for a legitimate purpose (Article 10(2), which may include for the purposes of preventive medicine, medical diagnosis, the provision of care or treatment or the management of health-care services and be subject to the rules on medical confidentiality (Article 10(3).

Article 10(4) provides that data concerning an individual’s offences, criminal convictions or security measures or authorisations may only lawfully be processed if specifically properly authorised, whether under the Treaty or EU secondary legislation or by the European Data Protection Supervisor who is the independent supervisory authority set up under the Regulation authority to grant which exemptions, guarantees, authorisations and impose conditions relating to data processing operations to ensure compliance with the requirements of the regulations within the EU.   Data subjects may also complain to the European Data Protection Supervisor under Article 32(2) of alleged breach of the requirements of the regulations in relation to them.    The regulation also requires that in each EU institution or body one or more Data Protection Officers should ensure that the provisions of this Regulation are applied and should advise data controllers on fulfilling their obligations under it.

The regulation has the avowed dual aim of both ensuring the protection of individuals’ fundamental right to data privacy while facilitating– for purposes connected with the exercise of their respective legal competence – the free flow of personal data between Member States and the EU, and within the EU itself.   To this end the regulation seeks to ensure consistency in the relevant rules and procedures applicable in different EU legal contexts, for example in judicial cooperation in criminal affairs or co-operation between police and customs authorities.   Thus the substantive provisions of Article 4 the EU Regulation effectively mirror the general principles already set out in Article 5 of the Council of Europe Data Protection Convention 1981, by requiring in effect that personal data used by the EU institutions should be: obtained and processed fairly and lawfully; stored for specified and legitimate purposes and not used in a way incompatible with those purposes; adequate, relevant and not excessive in relation to the purposes for which they are stored; accurate and, where necessary, kept up to date; and preserved in a form which permits identification of the data subjects for no longer than is required for the purpose for which those data are stored.   The regulation also provides in: Article 13 for the data subject having a right of access to the information held on him; under Article 14 a right to obtain rectification of any errors therein; a right under Article 15 to block ad interim the use of data the accuracy, continued need for, or lawful retention of which is disputed; a circumscribed Article 18 right to object to the particular use of his data; and the right, under Article 16,  to have unlawfully or improperly held data erased from the record.

Article 32(1) confirms that the EU Court has jurisdiction to hear all disputes which relate to the provisions of this Regulation, including claims for damages and Under Article 32(4) any person who has suffered damage because of an unlawful processing operation or any action incompatible with this Regulation shall have the right to have the damage made good in accordance with Article 340 TFEU (formerly Article 288 EC).   Finally Recital 36 to the Regulation notes that the Regulation “does not aim to limit Member States’ room for manoeuvre in drawing up their national laws on data protection under Article 32 of Directive 95/46/EC.”

This is an edited extract from a forthcoming book “EU Law for UK Lawyers” by Aidan O’Neill QC, to be published by Hart in Spring 2011,  Aidan O’Neill QC is a Member of Matrix Chambers

1 Comment

  1. Patterson lawfirm

    I like this post.
    You have a brilliant idea and thoughts about legal issues.

Leave a Reply

© 2023 Inforrm's Blog

Theme by Anders NorénUp ↑

%d bloggers like this: