Ref. Ares(2020)7713635 - 17/12/2020
EUROPEAN COMMISSION
Brussels, 26.9.2019
C(2019) 7069 final
Netzpolitik.org
rue de la Loi 155
1000 Brussels
Belgium
DECISION OF THE EUROPEAN COMMISSION PURSUANT TO ARTICLE 4 OF THE
IMPLEMENTING RULES TO REGULATION (EC) NO 1049/20011
Subject:
Your confirmatory application for access to documents under
Regulation (EC) No 1049/2001 - GESTDEM 2019/4113
Dear
,
I refer to your letter of 26 August 2019, registered on the same day, in which you
submitted a confirmatory application in accordance with Article 7(2) of Regulation (EC)
No 1049/2001 regarding public access to European Parliament, Council and Commission
documents2 (hereafter ‘Regulation (EC) No 1049/2001’).
1.
SCOPE OF YOUR REQUEST
In your initial application of 16 July 2019, addressed to the Directorate-General for
Communications Networks, Content and Technology, you requested access to
‘[i]nvitations to Commission officials and all other documents relating to an event called
“Internet of things: fast forward to the future” organised by Vodafone on April 29 in
Brussels’.
The European Commission has identified the following documents as falling under the
scope of your request, all registered under reference Ares(2019)5393614:
Email ‘Keynote speaking invitation’ from Nove dated 13 March 2019,
(hereafter ‘document 1’);
Email ‘Keynote speaking invitation’ from Nove dated 13 March 2019,
(hereafter ‘document 2’);
1
Official Journal L 345 of 29.12.2001, p. 94.
2
Official Journal L 145 of 31.5.2001, p. 43.
Commission européenne/Europese Commissie, 1049 Bruxelles/Brussel, BELGIQUE/BELGIË - Tel. +32 22991111
Vodafone Presentation: ‘A new European policy approach to IoT’ of
March 2019, (hereafter ‘document 3’);
Email ‘Follow-up to a meeting’, from Nove dated 5 April 2019, (hereafter
‘document 4’), which includes the following annexes:
o
Vodafone
IoT
Barometer
2018
final
report,
(hereafter
‘document 4.1’);
o
Vodafone Business 2019 IoT Barometer Main Report, (hereafter
‘document 4.2’);
o
Analysys Mason Report for Vodafone on 5G and Net neutrality v4,
(hereafter ‘document 4.3’);
o
Hogan-Lovells - A comparison of IoT regulatory uncertainty in the
EU, China and the United States, (hereafter ‘document 4.4’);
Email ‘Invitation to Vodafone’s IoT Conference’ from Nove dated 11
April 2019, (hereafter ‘document 5’), which includes the following
annexes:
o
Vodafone IoT Conference – Agenda 29th April, (hereafter
‘document 5.1’);
o
Future EU IoT policy framework April 2019, (hereafter
‘document 5.2’);
Email ‘Invitation – Internet of Things: fast forward to the future – More
speakers confirmed’ from Vodafone dated 10 April 2019, (hereafter
‘document 6’;
Email ‘Follow-up to our meeting’ from Nove dated 15 April 2019,
(hereafter ‘document 7’), which includes the following annex:
o
Vodafone IoT Barometer follow-up – the European story – Final
(9th April), (hereafter ‘document 7.1’);
Email ‘Vodafone IoT event – April 29’ from Nove dated 15 April 20193,
(hereafter ‘document 8’), which includes the following annex:
o
Realising the potential of IoT data – report for Vodafone-min,
(hereafter ‘document 8.1’);
Email ‘Vodafone – EU Future IoT Framework event – Useful Information
for POD’ from Nove dated 25 April 2019, (hereafter ‘document 9’), which
includes the following annex:;
o
Vodafone IoT Conference: Useful information, (hereafter
‘document 9.1’);
3 This email has three annexes, some of which have been included in previous communications. This.
annex 1 is document 4.4 and annex 3 is document 7.1.
2
Internal briefing prepared for Vodafone IoT event of 29 April 2019,
(hereafter ‘document 10’);
Back to office report prepared following the Vodafone IoT event of 29
April 2019, (hereafter ‘document 11’);
Email: ‘Internet of Things: Fast Forward to the Future’ from Vodafone
dated 1 May 2019, (hereafter ‘document 12’).
In its initial reply of 26 August 2019, the Directorate-General for Communications
Networks, Content and Technology:
- Granted full access to documents 4.4, 7.1 and 8.1;
- Granted partial access to the rest of the documents based on the exceptions of
Article 4(1)(b) (protection of privacy and integrity) and 4(2), first indent
(protection of commercial interests)4 of Regulation (EC) No 1049/2001.
In your confirmatory application, you request a review of this position. Specifically, you
only contest the redaction of personal data, so the scope of the confirmatory request will
be limited to this issue. You underpin your request with arguments, which I will address
in the corresponding sections below.
2.
ASSESSMENT AND CONCLUSIONS UNDER REGULATION (EC) NO 1049/2001
When assessing a confirmatory application for access to documents submitted pursuant
to Regulation (EC) No 1049/2001, the Secretariat-General conducts a fresh review of the
reply given by the Directorate-General concerned at the initial stage.
Following this review, I regret to inform you that I have to confirm the initial decision of
Directorate-General for Communications Networks, Content and Technology to refuse
access to personal data, based on the exceptions of Article 4(1)(b) (protection of privacy
and integrity) of Regulation (EC) No 1049/2001, for the reasons set out below.
2.1. Protection of privacy and the integrity of the individual
Article 4(1)(b) of Regulation (EC) No 1049/2001 provides that ‘[t]he institutions shall
refuse access to a document where disclosure would undermine the protection of […]
privacy and the integrity of the individual, in particular in accordance with Community
legislation regarding the protection of personal data’.
4 This exception only applies to parts of document 10.
3
In its judgment in Case C-28/08 P
(Bavarian Lager)5, the Court of Justice ruled that
when a request is made for access to documents containing personal data, Regulation
(EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000
on the protection of individuals with regard to the processing of personal data by the
Community institutions and bodies and on the free movement of such data6
(hereafter ‘Regulation (EC) No 45/2001’) becomes fully applicable.
Please note that, as from 11 December 2018, Regulation (EC) No 45/2001 has been
repealed by Regulation (EU) 2018/1725 of the European Parliament and of the Council
of 23 October 2018 on the protection of natural persons with regard to the processing of
personal data by the Union institutions, bodies, offices and agencies and on the free
movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No
1247/2002/EC7 (hereafter ‘Regulation (EU) 2018/1725’).
However, the case law issued with regard to Regulation (EC) No 45/2001 remains
relevant for the interpretation of Regulation (EU) 2018/1725.
In the above-mentioned judgment, the Court stated that Article 4(1)(b) of Regulation
(EC) No 1049/2001 ‘requires that any undermining of privacy and the integrity of the
individual must always be examined and assessed in conformity with the legislation of
the Union concerning the protection of personal data, and in particular with […] [the
Data Protection] Regulation’.8
Article 3(1) of Regulation (EU) 2018/1725 provides that
personal data ‘means any
information relating to an identified or identifiable natural person […]’.
As the Court of Justice confirmed in Case C-465/00 (
Rechnungshof), ‘there is no reason
of principle to justify excluding activities of a professional […] nature from the notion of
private life’.9
Documents 1, 2, 3, 4, 4.1, 4.2, 4.3, 5, 5.1, 5.2, 6, 7, 8, 9, 9.1, 10, 11 and 12 contain
personal data such as the names and initials of persons who do not form part of the senior
management of the European Commission, as well as representatives of Vodafone and
other companies. In addition, document 4.1 contains a handwritten signature.
The names10 of the persons concerned as well as other data from which their identity can
be deduced undoubtedly constitute personal data in the meaning of Article 3(1) of
Regulation (EU) 2018/1725.
5
Judgment of the Court of Justice of 29 June 2010,
European Commission v The Bavarian Lager Co.
Ltd (hereafter referred to as
‘European Commission v The Bavarian Lager judgment’) C-28/08 P,
EU:C:2010:378, paragraph 59.
6
Official Journal L 8 of 12.1.2001, page 1.
7
Official Journal L 205 of 21.11.2018, p. 39.
8
European Commission v The Bavarian Lager judgment,
cited
above, paragraph 59.
9
Judgment of the Court of Justice of 20 May 2003,
Rechnungshof and Others v Österreichischer
Rundfunk, Joined Cases C-465/00, C-138/01 and C-139/01, EU:C:2003:294, paragraph 73.
10
European Commission v The Bavarian Lager judgment, cited above, paragraph 68.
4
Pursuant to Article 9(1)(b) of Regulation (EU) 2018/1725, ‘personal data shall only be
transmitted to recipients established in the Union other than Union institutions and bodies
if ‘[t]he recipient establishes that it is necessary to have the data transmitted for a specific
purpose in the public interest and the controller, where there is any reason to assume that
the data subject’s legitimate interests might be prejudiced, establishes that it is
proportionate to transmit the personal data for that specific purpose after having
demonstrably weighed the various competing interests’.
Only if these conditions are fulfilled and the processing constitutes lawful processing in
accordance with the requirements of Article 5 of Regulation (EU) 2018/1725, can the
transmission of personal data occur.
In Case C-615/13 P
(
ClientEarth), the Court of Justice ruled that the institution does not
have to examine by itself the existence of a need for transferring personal data.11 This is
also clear from Article 9(1)(b) of Regulation (EU) 2018/1725, which requires that the
necessity to have the personal data transmitted must be established by the recipient.
According to Article 9(1)(b) of Regulation (EU) 2018/1725, the European Commission
has to examine the further conditions for the lawful processing of personal data only if
the first condition is fulfilled, namely if the recipient establishes that it is necessary to
have the data transmitted for a specific purpose in the public interest. It is only in this
case that the European Commission has to examine whether there is a reason to assume
that the data subject’s legitimate interests might be prejudiced and, in the affirmative,
establish the proportionality of the transmission of the personal data for that specific
purpose after having demonstrably weighed the various competing interests.
In your confirmatory application, you argue that it is necessary to have the personal data
transmitted in the public interest, claiming the existence of a possible conflict of interest
in a former Commission official, currently working for Vodafone, which you wish to
expose You include in your communication a link to an online article on this topic.
However, you do not bring forth any evidence to support your claim that it is necessary,
under the present circumstances, to transfer to you the personal data contained in these
documents.
Moreover, notwithstanding the absence of necessity for the transfer of the personal data
at stake, the European Commission examined whether there is a reason to assume that the
data subjects’ legitimate interests might be prejudiced by their transmission and
concluded that there is a real and non-hypothetical risk that such public disclosure would
harm their privacy and subject them to unsolicited external contacts.
As to the handwritten signature appearing in document 4.1, which constitute biometric data,
there is a risk that their disclosure would prejudice the legitimate interest of the person
concerned.
11 Judgment of the Court of Justice of 16 July 2015,
ClientEarth v European Food Safety Agency, C-
615/13 P, EU:C:2015:489, paragraph 47.
5