One of the more obscure and curious stories about the Copyright Directive, and one that does not seem to have been picked up on, came up at the end of April 2020 and involves a request for access to a Commissioner's email account...
TL;DR: Someone went fishing for emails sent/received by someone within the Commission relating to Article 17 of the Copyright Directive 2019/790 (previously Article 13 in the draft law). The European Commission ("EC") and European Ombudsman ("EO") disagreed about which piece of legislation outweighs the other:
(1) Public access to European Parliament, Council and Commission documents EC 1049/2001 - supports the principle of transparency and openness of EU bodies.
(2) GDPR 2016/679 - protects individuals in relation to the processing of personal data.
The EC said GDPR; the EO said that access rights trumped GDPR (and indeed that there was more flexibility available to the EC to comply with the request). As such, the EO found maladministration on the part of the EC.
A brief overview is set out below but this seems to raise more questions than answers:
Who requested this? And why?
What do they think is contained in the email (is it the rumoured "handshakes" with certain stakeholders on certain drafting points)?
What is in the emails??
Is the EC's position actually correct?
Why did the EC refuse to offer alternative options?
What is the Ombudsman going to do next?
- An applicant made a request for “[a] copy of the inbox and outbox correspondence of [X] related to Article 13 of the Copyright in the Digital Single Market Directive” to the EC in accordance with the EU rules on public access to documents.
- The EC denied the applicant access based on the protection of privacy, because the emails requested would have originated from or been sent to an individual and so constitute (various) 'personal data' under GDPR, and the EC would then have to process the official's personal data. The EC contended that it only does so in exceptional circumstances and that, even if it processed the data, the applicant had failed to establish the necessity required for such processing (and disclosure).
- The applicant complained to the EO on 7 June 2018. The EO took the view that the applicant had requested 'documents' related to a subject matter, not 'personal data', and that handling the request therefore does not constitute an act of 'processing personal data'. Even if it is found to be an act of 'processing personal data', the EC is still legally obliged to comply with the applicant's request.
- The EO further proposed that the EC identify and retrieve any relevant documents stored in the staff email account, search its document register for any relevant documents, and then assess whether or not to disclose them in accordance with the EU rules on public access to documents.
- The EC rejected the EO's proposal, arguing that 'private life' cannot be taken to mean that the professional or commercial activities of either natural or legal persons are excluded, and stood its ground that the emails constituted 'personal data'. For the same reasons as before, it refused to provide the applicant with the requested information.
- The EO deemed the Commission's approach maladministration that sets a dangerous precedent for future access-to-documents requests, because documents won't be accessible unless they are transferred to permanent non-personal EC databases. The EO also stated that the EC could have asked officials to search their own inboxes for the requested documents, given that this would not be an act of 'processing personal data', as a person cannot infringe their own DP rights.
Conclusion: Based on the inquiry, the Ombudsman closes this case with the following conclusion: The Commission’s failure to ask an official to identify and retrieve e-mails in the official’s work email in-box, so as to allow the Commission to assess whether the emails could be disclosed in response to a request for public access to document, is maladministration.