In the last few days, the Court of Justice of the European Union (CJEU) has delivered two judgments imposing significant limitations on the systematic, unlimited disclosure of procurement information with commercial value, such as the identity of experts and subcontractors engaged by tenderers for public contracts; and beneficial ownership information. In imposing a nuanced approach to the disclosure of such information, the CJEU may have torpedoed ‘full transparency’ approaches to procurement and beneficial ownership open data.

Indeed, these are two classes of information at the core of current open data efforts, and they are relevant for (digital) procurement governance—in particular in relation to the prevention of corruption and collusion, which automated screening requires establishing relationships and assessing patterns of interaction reliant on such data [for discussion, see A Sanchez-Graells, ‘Procurement Corruption and Artificial Intelligence: Between the Potential of Enabling Data Architectures and the Constraints of Due Process Requirements’ in S Williams & J Tillipman (eds), Routledge Handbook of Public Procurement Corruption (forthcoming)]. The judgments can thus have important implications.

In Antea Polska, the CJEU held that EU procurement rules prevent national legislation mandating all information sent by the tenderers to the contracting authorities to be published in its entirety or communicated to the other tenderers, with the sole exception of trade secrets. The CJEU reiterated that the scope of non-disclosable information is much broader and requires a case-by-case analysis by the contracting authority, in particular with a view to avoiding the release of information that could be used to distort competition. Disclosure of information needs to strike an adequate balance between meeting good administration duties to enable the right to the effective review of procurement decisions, on the one hand, and the protection of information with commercial value or with potential competition implications, on the other.

In a related fashion, in Luxembourg Business Registers, the CJEU declared invalid the provision of the Anti-Money Laundering Directive whereby Member States had to ensure that the information on the beneficial ownership of corporate and other legal entities incorporated within their territory was accessible in all cases to any member of the general public—without the need to demonstrate having a legitimate interest in accessing it. The CJEU considered that the disclosure of the information to undefined members of the public created an excessive interference with the fundamental rights to respect for private life and to the protection of personal data.

In this blog post, I analyse these two cases and reflect on their implications for the management of (big) open data for procurement governance purposes, in particular from an anti-corruption perspective and in relation to the EU law data governance obligations incumbent on public buyers.

There is more than trade secrets to procurement confidentiality

In Antea Polska and Others (C-54/21, EU:C:2022:888), among other questions, the CJEU was asked whether Directive 2014/24/EU precludes national legislation on public procurement which required that, with the sole exception of trade secrets, information sent by the tenderers to the contracting authorities be published in its entirety or communicated to the other tenderers, and a practice on the part of contracting authorities whereby requests for confidential treatment in respect of trade secrets were accepted as a matter of course.

I will concentrate on the first part of the question on full transparency solely constrained by trade secrets—and leave the ‘countervailing’ practice aside for now (though it deserves some comment because it creates a requirement for the contracting authority to assess the commercial value of procurement information in the wider context of the activities of the participating economic operators, at paras 69-85). I will also not deal with the discrepancy between the concept of ‘trade secret’ under the Trade Secrets Directive and the concept of ‘confidential information’ in Directive 2014/24 (which the CJEU clarifies, again, at paras 51-55).

The issue of full transparency of procurement information subject only to trade secret protection raises an interesting question because it concerns the compatibility with EU law of a maximalistic approach to procurement transparency that is not peculiar to Poland (where the case originated) but shared by other Member States with a permissive tradition of access to public documents [for in-depth country-specific analyses and comparative considerations, see the contributions to K-M Halonen, R Caranta & A Sanchez-Graells, Transparency in EU Procurements. Disclosure Within Public Procurement and During Contract Execution (Edward Elgar 2019)].

The question concerns the interpretation of multiple provisions of Directive 2014/24/EU and, in particular, Art 21(1) on confidentiality and Arts 50(4) and 55(3) on the withholding of information [see my comments to Art 21 and 55 in R Caranta & A Sanchez-Graells, European Public Procurement. Commentary on Directive 2014/24/EU (Edward Elgar 2021)]. All of them are of course to be interpreted in line with the general principle of competition in Art 18(1) [see A Sanchez-Graells, Public Procurement and the EU Competition Rules (2nd edn, hart 2015) 444-445].

In addressing the question, the CJEU built on its recent judgment in Klaipėdos regiono atliekų tvarkymo centras (C‑927/19, EU:C:2021:700), and reiterated its general approach to the protection of confidential information in procurement procedures:

‘… the principal objective of the EU rules on public procurement is to ensure undistorted competition … to achieve that objective, it is important that the contracting authorities do not release information relating to public procurement procedures which could be used to distort competition, whether in an ongoing procurement procedure or in subsequent procedures. Since public procurement procedures are founded on a relationship of trust between the contracting authorities and participating economic operators, those operators must be able to communicate any relevant information to the contracting authorities in such a procedure, without fear that the authorities will communicate to third parties items of information whose disclosure could be damaging to those operators’ (C-54/21, para 49, reference omitted, emphasis added).

The CJEU linked this interpretation to the prohibition for contracting authorities to disclose information forwarded to it by economic operators which they have designated as confidential [Art 21(1) Dir 2014/24] and stressed that this had to be reconciled with the requirements of effective judicial protection and, in particular, the general principle of good administration, from which the obligation to state reasons stems because ‘in the absence of sufficient information enabling it to ascertain whether the decision of the contracting authority to award the contract is vitiated by errors or unlawfulness, an unsuccessful tenderer will not, in practice, be able to rely on its right .. to an effective review’ (C-54/21, para 50).

The Court also stressed that the Directive allows Member States to modulate the scope of the protection of confidential information in accordance with their national legislation, in particular legislation concerning access to information [Art 21(1) Dir 2014/24, C-54/21, para 56]. In that regard, however, the CJEU went on to stress that

‘… if the effectiveness of EU law is not to be undermined, the Member States, when exercising the discretion conferred on them by Article 21(1) of that directive, must refrain from introducing regimes … which undermine the balancing exercise [with the right to an effective review] or which alter the regime relating to the publicising of awarded contracts and the rules relating to information to candidates and tenderers set out in Article 50 and 55 of that directive … any regime relating to confidentiality must, as Article 21(1) of Directive 2014/24 expressly states, be without prejudice to the abovementioned regime and to those rules laid down in Articles 50 and 55 of that directive’ (C-54/21, para 58-59).

Focusing on Art 50(4) and Art 55(3) of Directive 2014/24/EU, the CJEU stressed that these provisions empower contracting authorities to withhold from general publication and from disclosure to other candidates and tenderers ‘certain information, where its release would impede law enforcement, would otherwise be contrary to the public interest or would prejudice the legitimate commercial interests of an economic operator or might prejudice fair competition’ (para 61 and, almost identically, para 60). This led the Court to the conclusion that

‘National legislation which requires publicising of any information which has been communicated to the contracting authority by all tenderers, including the successful tenderer, with the sole exception of information covered by the concept of trade secrets, is liable to prevent the contracting authority, contrary to what Articles 50(4) and 55(3) of Directive 2014/24 permit, from deciding not to disclose certain information pursuant to interests or objectives mentioned in those provisions, where that information does not fall within that concept of a trade secret.

Consequently, Article 21(1) of Directive 2014/24, read in conjunction with Articles 50 and 55 of that directive … precludes such a regime where it does not contain an adequate set of rules allowing contracting authorities, in circumstances where Articles 50 and 55 apply, exceptionally to refuse to disclose information which, while not covered by the concept of trade secrets, must remain inaccessible pursuant to an interest or objective referred to in Articles 50 and 55’ (paras 62-63).

In my view, this is the correct interpretation and an important application of the rules seeking to minimise the risk of distortions of competition due to excessive procurement transparency, on which I have been writing for a long time [see also K-M Halonen, ‘Disclosure rules in EU public procurement: balancing between competition and transparency’ (2016) 16(4) Journal of Public Procurement 528].

The Antea Polska judgment stresses the importance of developing a nuanced approach to the management, restricted disclosure and broader publication of information submitted to the contracting authority in a procurement procedure. Notably, this will create particular complications in the context of the design and rollout of procurement open data, especially in the context of the new eForms (see here, and below).

Transparency for what? Who really cares about beneficial ownership?

In Luxembourg Business Registers (joined cases C‑37/20 and C‑601/20, EU:C:2022:912, FR only—see EN press release on which I rely to avoid extensive own translations from French) the CJEU was asked to rule on the compatibility with the Charter of Fundamental Rights—and in particular Articles 7 (respect for private and family life) and 8 (protection of personal data)—of Article 30(5)(c) of the consolidated version of the Anti-Money Laundering Directive (AML Directive), which required Member States to ensure that information on the beneficial ownership of corporate and other legal entities incorporated within their territory is accessible in all cases to any member of the general public. In particular, members of the general public had to ‘be permitted to access at least the name, the month and year of birth and the country of residence and nationality of the beneficial owner as well as the nature and extent of the beneficial interest held.’

The CJEU has found that the general public’s access to information on beneficial ownership constitutes a serious interference with the fundamental rights to respect for private life and to the protection of personal data, which is exacerbated by the fact that, once those data have been made available to the general public, they can not only be freely consulted, but also retained and disseminated.

While the CJEU recognised that the AML Directive pursues an objective of general interest and that the general public’s access to information on beneficial ownership is appropriate for contributing to the attainment of that objective, the interference with individual fundamental rights is neither limited to what is strictly necessary nor proportionate to the objective pursued.

The Court paid special attention to the fact that the rules requiring unrestricted public access to the information result from a modification of the previous regime in the original AML Directive, which required, in addition to access by the competent authorities and certain entities, for access by any person or organisation capable of demonstrating a legitimate interest. The Court considered that the suppression of the requirement to demonstrate a legitimate interest in accessing the information did not generate sufficient benefits from the perspective of combating money laundering and terrorist financing to offset the significantly more serious interference with fundamental rights that open publication of the beneficial ownership data entails.

Here, the Court referred to its judgment in Vyriausioji tarnybinės etikos komisija (C‑184/20, EU:C:2022:601), where it carried out a functional comparison of the anti-corruption effects of a permissioned system of institutional access and control of relevant disclosures, versus public access to that information. The Court was clear that

‘… the publication online of the majority of the personal data contained in the declaration of private interests of any head of an establishment receiving public funds … does not meet the requirements of a proper balance. In comparison with an obligation to declare coupled with a check of the declaration’s content by the Chief Ethics Commission … such publication amounts to a considerably more serious interference with the fundamental rights guaranteed in Articles 7 and 8 of the Charter, without that increased interference being capable of being offset by any benefits which might result from publication of all those data for the purpose of preventing conflicts of interest and combating corruption’ (C-184/20, para 112).

In Luxembourg Business Registers, the CJEU also held that the optional provisions in Art 30 AML Directive that allowed Member States to make information on beneficial ownership available on condition of online registration and to provide, in exceptional circumstances, for an exemption from access to that information by the general public, were not, in themselves, capable of demonstrating either a proper balance between competing interests, or the existence of sufficient safeguards.

The implication of the Luxembourg Business Registers is that a different approach to facilitating access to beneficial ownership data is required, and that an element of case-by-case assessment (or at least of an assessment based on categories of organisations and individuals seeking access) will need to be brought back into the system. In other words, permissioned access to beneficial ownership data seems unavoidable.

Implications for open data and data governance

These recent CJEU judgments seem to me to clearly establish the general principle that unlimited transparency does not equate public interest, as there is also an interest in preserving the (relative) confidentiality of some information and data and an adequate, difficult balance needs to be struck. The interests in competition with transparency can be either individual (fundamental rights, or commercial value) or collective (avoidance of distortions of competition). Detailed and comprehensive assessment on a case-by-case basis is required.

As I advocated long ago, and recently reiterated in relation to the growing set of data governance obligations incumbent on public buyers, under EU law,

‘It is thus simply not possible to create a system that makes all procurement data open. Data governance requires the careful management of a system of multi-tiered access to different types of information at different times, by different stakeholders and under different conditions. While the need to balance procurement transparency and the protection of data subject to the rights of others and competition-sensitive data is not a new governance challenge, the digital management of this information creates heightened risks to the extent that the implementation of data management solutions is tendentially ‘open access’ (and could eg reverse presumptions of confidentiality), as well as in relation to system integrity risks (ie cybersecurity)’ (at 10, references omitted).

The CJEU judgments have (re)confirmed that unlimited ‘open access’ is not a viable strategy under EU law. It is perhaps clearer than ever that the capture, structuring, retention, and disclosure of governance-relevant procurement and related data (eg beneficial ownership) needs to be decoupled from its proactive publication. This requires a reconsideration of the open data model and, in particular, a careful assessment of the implementation of the new eForms that only just entered into force.