It is crucial to know what the European institutions are up to in order to ensure that citizens’ fundamental rights are respected. Democracy requires vigilance and vigilance requires access to information. It is precisely for this reason that freedom of information legislation exists. Since the entry into force of Regulation 1049/2001 setting up the EU bodies’ public registers of documents, Europeans have been able to request access to documents from the European institutions. EDRi has frequently made use of Regulation 1049/2001 to shine light on their activities. Our work on exposing the lack of transparency of the ACTA negotiations or the flaws of the CleanIT project shows just how important access to documents is. However, this access to information is now likely to become more burdensome.
Now, new barriers are being put in place to make it even more difficult to gain access to European Commission documents. In April 2014, an internal note was circulated by the European Commission in order to announce a change in policy. The Commission argues that it has been “increasingly confronted with cases where applicants seem to hide behind false identities”. Strangely enough though, in its latest report on access applications dated July 2013, the Commission neither mentions abusive requests nor gives statistics on requests by applicants hiding behind false identities, let alone explains why this would be a problem. Moreover, the European Commission explains that the number of applications has dropped compared to previous years: “the flow of access requests at the initial stage decreased in number of applications” and “the number of replies was 5274 in 2012 in comparison with 6055 in 2011”.
On 16 June 2014, EDRi therefore lodged two complaints with the European Data Protection Supervisor (EDPS) against the European Commission. The first complaint was that this new procedure is in breach of EU data protection law because the Commission is asking for unnecessary personal information. The second complaint concerns the lack of basic standards to ensure secure communications with the Commission’s website.
EDRi asked the EDPS to assess, in the absence of any evidence presented by the Commission showing that additional data collection and processing is necessary, whether the collection is excessive and, consequently, contrary to Articles 4.1.c and 5 of Regulation 45/2001 (which establishes standards for the protection of personal data processed by the EU institutions and bodies).
EDRi’s second complaint concerned the European Commission’s online form for the submission of access-to-documents requests. The electronic form used by the European Commission for receiving document access requests collects personal data through an unencrypted form on a page that is not served over an SSL connection. EDRi therefore asked the EDPS to assess whether this lack of security constitutes a breach of Article 22 of Regulation 45/2001, in that it fails to implement appropriate technical measures to ensure a level of security for the personal data transmitted via that form.
EU Commission’s note to heads of unit (19.03.2014)
EU Commission’s access-to-documents electronic form
EU Commission report on access to documents requests (10.07.2013)
Parliament responds to EDRi’s ACTA document request
CleanIT – Example of data made available under freedom of information request