How New EU Access to Documents Rules Can Reduce Transparency and Shield Big Tech

After a series of high-profile court defeats, the European Commission has tightened internal rules and guidance governing access to documents. The Commission's December 2024 Rules of Procedure, together with internal working papers seen by Privacy International, disclose that the new rules extend a formal presumption of confidentiality to proceedings under the Digital Markets Act and Digital Services Act without citing any supporting court authority. Civil-society groups warn that these changes weaken public oversight at a time when lobbying by large technology companies is intensifying.

Inside the story

In early 2021, as the EU raced to secure COVID-19 vaccines, informal exchanges between Ursula von der Leyen, the President of the European Commission, and pharmaceutical executives became a matter of public interest. Journalists later sought records of those exchanges under the EU’s access to documents law, Regulation (EC) No 1049/2001, which is intended to give “the fullest possible effect” to the public’s right of access to documents held by EU institutions.

In May 2022, New York Times reporter Matina Stevis-Gridneff asked the Commission to disclose text messages exchanged between von der Leyen and Pfizer’s CEO. The Commission replied that it held no such documents. This response was puzzling as both parties had publicly acknowledged that exchanges had taken place.

Stevis-Gridneff challenged the Commission’s response; in May 2025 the General Court (Grand Chamber) found in that the Commission had not provided “any plausible explanation” for why it had not found the documents. On the contrary, the applicant had produced “relevant and consistent evidence” explaining the existence of the text messages. Something had clearly gone wrong. As the Court put it, the Commission cannot “simply claim that the requested documents could not be found” in order to evade its obligations under EU transparency law.

This episode exposed deeper structural problems in how Regulation 1049/2001 is applied, particularly the increasing reliance on presumptions that allow institutions to withhold entire categories of documents from public scrutiny.

Power, secrecy and public control

EU institutions regulate markets and services that affect almost all aspects of daily life, from vaccine rollouts to consumer rights to digital platforms that shape how information flows. Transparency is the mechanism that allows ordinary citizens, journalists and civil-society organisations to scrutinise whether institutional decisions genuinely serve the public interest or instead favour powerful private actors.

When institutions build barriers to that transparency, such as broad presumptions of confidentiality, the balance shifts: the burden of proof moves from the institution to the requester, secrecy becomes the default, and entire classes of documents can be withheld without meaningful, document-specific justification.

This is not an abstract problem. The tech sector spends heavily to influence EU policy: research by Corporate Europe Observatory (CEO) and LobbyControl has documented the digital industry’s rising lobbying spend in Brussels, which exceeds €150 million annually. Where corporate influence reaches this scale, transparency over contacts, evidence and internal deliberations becomes essential to democratic accountability.

Regulation 1049/2001, exemptions and the rise of presumptions

Regulation 1049/2001, adopted in 2001, grants the public access to documents “drawn up or received” by EU institutions. Its purpose, set out in Article 1 of the Regulation, is to strengthen democratic legitimacy, improve decision-making, and enable effective public participation by ensuring that institutional activity is open to scrutiny. When the system functions properly, access to documents allows the public to understand not only final outcomes, but also how and why decisions are made.

The Regulation also lists an exhaustive set of exceptions, set out in Article 4, covering interests such as public security, defence, privacy, commercial interests, international relations and the protection of decision-making processes. In principle, these exceptions must be interpreted strictly and applied on a document-by-document basis. This is a requirement the Court of Justice has repeatedly affirmed.

Over time, however, EU case law has recognised rebuttable presumptions of confidentiality for certain categories of documents, such as materials relating to ongoing antitrust investigations. These presumptions, which were established by the Court of Justice in cases including Commission v Technische Glaswerke Ilmenau (C-139/07 P) and Commission v Agrofert Holding (C-477/10 P), allow EU institutions to refuse disclosure without engaging in detailed and document-specific reasoning.

However, treating whole categories of documents as confidential by presumption undermines the Regulation’s purpose: it shifts the evidential burden onto applicants, who must produce evidence to rebut a presumption they cannot access directly. Requests for documents can be rejected with minimal explanation, leaving the public unable to understand or challenge the reasoning behind refusals.

In this way, presumptions function as barriers layered on top of existing barriers, narrowing practical access to information even where the law formally guarantees it.

From exceptional tool to administrative routine

The Commission’s reliance on presumptions is neither isolated nor confined to public health matters. Over time, it has incorporated these approaches into internal rules, guidance and procedural documents, particularly in the fields of competition enforcement and merger control.

Internal guidance on inspections, investigations and audits makes that administrative turn explicit: even where the EU courts have “not (yet)” established a general presumption for categories such as anti-dumping investigations, IDOC investigations, Court of Auditors or Internal Audit Service material, THEMIS/COMPLAINTS files or rule-of-law budget-conditionality procedures, the Commission says it is its practice to refuse access without an individual assessment while the relevant exercise is ongoing. That is a significant admission: the presumption technique appears to be applied not only in cases where the courts have endorsed it but also used by analogy as an internal administrative shortcut.

While EU law formally recognises access to documents as a fundamental principle, the cumulative effect of internal administrative practice has often been to prioritise confidentiality over openness. This tension has been noted repeatedly by oversight bodies.

The European Ombudsman, the EU body tasked with investigating maladministration in EU institutions, has on multiple occasions raised concerns about the European Commission’s handling of public access to documents, focusing in particular on delays in responding to requests, restrictive interpretations of Regulation 1049/2001 and the treatment of certain communications as falling outside the scope of the access-to-documents regime. In 2024, the Ombudsman criticised the Commission’s refusal to follow recommendations to disclose documents relating to meetings with a private provider of child-safety technologies, underlining the public interest in understanding how stakeholder input influences EU legislation.

A political response after a court loss

Following the General Court’s ruling in Case T-36/23, the Commission published its report on the application of Regulation 1049/2001 and moved to revise its internal access-to-documents rules. Civil-society organisations argue that, rather than simply clarifying existing practice, these revisions formalise restrictive interpretations of the law and expand the Commission’s discretion to refuse disclosure.

In December 2024 the European Commission adopted a comprehensive new set of internal rules for the application of Regulation 1049/2001, annexed to its Rules of Procedure. Among other things, the new rules narrow the operational definition of what constitutes a document the Commission “holds” for access purposes, explicitly restrict access requests to EU citizens and persons residing or registered in a Member State and, most significantly, create for the first time a formal standing catalogue of document categories subject to a general presumption of non-disclosure, reversing the usual burden of proof so that applicants must prove an “overriding public interest” to gain access.

The list of presumptively confidential categories includes, under Article 4(2)(e) of the Annex, “procedures under the Digital Markets Act and Digital Services Act.” This is a new addition that goes beyond pre-existing Court of Justice authority. The Court has recognised general presumptions for competition proceedings brought under the 2003 Antitrust Regulation and the Merger Regulation. The Digital Markets Act and Digital Services Act are post-2022 instruments; no court judgment establishing a general presumption specifically for DMA or DSA proceedings existed when the rule was adopted. An internal Commission briefing note dated 27 November 2024 describes the entire list as “codifying … general presumptions of non-disclosure … in accordance with existing case-law”. The briefing note does not cite any DMA- or DSA-specific judgment, because none exists.

The practical effect is direct. The companies subject to DMA “gatekeeper” obligations - Apple, Alphabet/Google, Amazon, Meta, Microsoft and ByteDance/TikTok - are the subjects of the Commission’s most active regulatory enforcement. Documents from those proceedings are now presumptively off-limits to the public.

The adopted rules also include, under Article 5 of the same Annex, a provision on text messaging applications on Commission corporate mobile phones, requiring that they “shall comply with the Commission’s information technology security recommendations for the automatic disappearance of messages.” The rule was adopted three weeks after the General Court hearing in the Pfizer texts case, in which Commission lawyers were unable to explain what had happened to von der Leyen’s text messages with Pfizer’s CEO. The same provision prohibits the use of messaging apps for “important information that is not short-lived,” while simultaneously directing that apps be configured for autodeletion, structurally reducing the pool of documents the Commission would be required to hold and produce in response to future access requests.

In parallel, Access Info Europe and other NGOs have launched legal challenges and written to the European Ombudsman, arguing that the new rules are incompatible with Regulation 1049/2001 and the EU Charter of Fundamental Rights.

Shielding Big Tech: lobbying, access and mergers

Large technology companies now exercise economic and social power comparable in scale to public authorities. Their products and platforms shape public discourse, consumer choice and access to information, all of which are elements that make regulatory transparency especially important.

Big Tech’s lobbying footprint in Brussels is extensive and well documented. Research by Corporate Europe Observatory and LobbyControl shows a dense network of firms, trade associations, consultancies and intermediaries seeking sustained and privileged access to EU institutions. Comparable investigative reporting in other regions illustrates how similar strategies are used globally to influence regulatory outcomes.

The scale of industry influence over EU transparency rules is not hypothetical. In a separate investigation published in April 2026, Investigate Europe revealed that Microsoft and DigitalEurope, a lobby group whose members include Amazon, Google and Meta, successfully secured a secrecy provision in EU law classifying individual data centre environmental performance data as confidential commercial information, after both organisations submitted near-identical proposed amendments to the Commission during consultation on the 2024 Energy Efficiency Directive delegated act. The Commission incorporated their text almost word for word. Legal experts told Investigate Europe that the resulting clause “clearly seems not to be in line” with EU transparency rules and the Aarhus Convention.

Mergers are a particularly clear example of why transparency matters. Decisions approving or blocking mergers can reshape markets, entrench dominant positions, and affect data protection, media pluralism and consumer welfare. Yet access to merger files is among the most restricted areas of EU transparency practice. Under the new rules, documents from competition and merger proceedings as well as DMA and DSA enforcement are now subject to a standing presumption of confidentiality. This prevents effective scrutiny of decisions that redistribute economic and political power.

Our case (or how we got into this)

PI has encountered these problems directly.

In 2024, we submitted a series of access-to-documents requests to DG COMP seeking:

• applications by consumer and civil society organisations to be recognised as interested third parties in merger proceedings;
• evidence and submissions provided by economic consultancies and lobbying firms acting on behalf of large technology companies;
• and institutional exchanges about Google’s commitments following its acquisition of Fitbit.

The Commission applied a blanket presumption of confidentiality and refused to disclose any of the requested documents, including materials that fell outside the scope of recognised presumptions and documents relating to Privacy International’s own communications with the Commission.

On 8 August 2025, we lodged a complaint with the European Ombudsman. While the Ombudsman found that Privacy International did not meet the formal standing requirements to pursue the complaint directly, because PI is not an EU-based entity for the purposes of the Ombudsman’s jurisdiction, she opened an own-initiative inquiry into two systemic issues:

• the Commission’s refusal to disclose correspondence concerning applications for recognition as interested parties in seven merger cases; and
• the refusal to disclose unsolicited third-party submissions in those same procedures.

This inquiry reflects a broader concern that the Commission’s current practices risk hollowing out the practical effectiveness of transparency rights, even where the legal framework formally guarantees them.

What needs to be done

1. Restore the default of openness
   The Commission should revise its internal rules to align strictly with Regulation 1049/2001 and the General Court’s case law: transparency by default, document-specific reasoning and a genuinely narrow and proportionate use of confidentiality claims. In particular, the inclusion of DMA and DSA proceedings in the standing presumption of confidentiality, without any supporting Court of Justice authority for those specific frameworks, should be withdrawn or suspended pending a proper legal basis.
2. Strengthen oversight
   The European Ombudsman should continue to pursue systemic inquiries into the use of presumptions of confidentiality and assess whether the Commission has meaningfully implemented the Stevis-Gridneff ruling. While the Ombudsman’s powers are limited, clear findings of maladministration play a crucial role in reinforcing legal and political accountability.
3. Protect public scrutiny of Big Tech
   Where large technology companies exercise quasi-public power, the Commission must ensure that merger and regulatory files are accessible in ways that allow independent scrutiny of how public-interest considerations are weighed against commercial secrecy. The inclusion of DMA and DSA enforcement documents in a standing presumption of confidentiality is incompatible with this obligation absent any Court of Justice authority specifically recognising such a presumption for those frameworks.