A letter with a paper trail attached
On May 27, 2026, 35 Green and Socialist & Democrat MEPs — including Alexandra Geese (Greens/EFA, Germany) and Lynn Boylan (The Left, Ireland) — wrote to Environment Commissioner Jessika Roswal demanding she strip a confidentiality clause out of the Commission's forthcoming update to the EU's data centre sustainability rating scheme. Their letter didn't just allege industry capture in the abstract. It pointed to a specific investigation by Investigate Europe, corroborated by AlgorithmWatch, showing that legislative text keeping individual facilities' energy and water data confidential tracked, in places nearly word-for-word, submissions filed by Microsoft and by DigitalEurope, the trade body that also represents Amazon, Google and Meta. "Prohibiting citizens and local government from making informed decisions around data centres is the wrong way to go in a democracy," the MEPs wrote.
What the underlying rule actually does
The fight is over Commission Delegated Regulation (EU) 2024/1364, adopted 14 March 2024 under the Energy Efficiency Directive (2023/1791), which built the European database on data centres. Operators with at least 500 kW of installed IT power demand must report a set of KPIs — energy consumption, power usage effectiveness, water usage effectiveness, renewable energy share — annually, with the first submissions due 15 September 2024 and 15 May each year after. The Commission has described the database's purpose as pushing operators toward lower energy and water use and more renewable procurement, and the underlying directive treats disclosure as the mechanism that does that work: sunlight on laggards, credit for leaders. The Commission's own adoption notice puts data centres at roughly 3% of EU electricity demand today, a share widely expected to climb as AI training and inference load scales.
The amendment now in dispute would keep every individual facility's KPI submission confidential by default — not just genuinely sensitive information like precise cooling-system engineering, but the basic emissions and water-use figures the directive was written to publish. According to reporting cited in the MEPs' letter, Microsoft warned regulators that "raw data on individual data centres could be released in response to access-to-information requests from NGOs," and DigitalEurope raised near-identical concerns about "reactive data publication in response to access requests from competitors and NGOs." Ten legal experts consulted by Investigate Europe concluded the resulting clause likely conflicts with the Aarhus Convention, the treaty guaranteeing public access to environmental information. Separately, Tech Policy Press reports that during the 2023 Energy Efficiency Directive talks, transparency advocates were outnumbered roughly 100 to 1 by industry lobbyists, per researcher Christiaan van Veen — a lopsidedness that shows up in the text.
The renewable-certificate wrinkle
A second, less-discussed feature compounds the problem: the KPI framework lets operators count electricity as "renewable" using Guarantees of Origin — tradable certificates that can be purchased anywhere in the EU and matched to consumption anywhere else, with no requirement that the underlying green power was generated near the facility or at the same time it was drawing from the grid. A data centre running on Polish coal-heavy grid power at 8pm can still report itself as renewable-powered if its operator bought a Guarantee of Origin from a Norwegian hydro plant. That's a known weakness of GO markets generally — Norway has at times exported more certificates than its actual renewable output would support — and it means the one KPI most likely to be published prominently (the renewable energy factor) is also the one least tethered to what's actually happening on the local grid the community lives next to.
The case for confidentiality — and why it doesn't hold here
Industry's underlying concern isn't fabricated. Individual data centres can be commercially sensitive — capacity figures reveal a hyperscaler's regional buildout strategy, and in a tight market for grid connections, competitors genuinely could use granular consumption data to reverse-engineer expansion plans. Protecting bona fide trade secrets is a legitimate regulatory function, and a rule that let anyone scrape proprietary cooling architecture off a public database would deserve criticism too.
But the clause the Commission adopted doesn't protect trade secrets — it protects facilities from disclosure of the exact figures the directive already requires them to calculate and hand to regulators. Aggregate or regional-level publication, which several member states already manage for other environmental permitting data, would satisfy legitimate competitive concerns while still letting a town whose water table a data centre is drawing down, or a grid operator planning capacity, see what's actually happening. Opacity of this kind is also bad industrial strategy on its own terms: the Commission's Cloud and AI Development Act is aiming to triple EU data centre capacity within five to seven years, and that buildout depends on local planning approval and grid connections that get harder to secure, not easier, when communities suspect operators of hiding consumption data. A rating scheme the public can't verify won't defuse the permitting fights already slowing hyperscale construction in Ireland and the Netherlands — it will fuel them.
What should happen next
Commissioner Roswal's office has not yet said whether it will amend the delegated act before finalizing it. The proportionate fix is narrow: publish facility-level KPIs by default, allow a genuine trade-secret exemption reviewed case by case rather than a blanket carve-out, and tighten the renewable energy factor to require temporal and locational matching rather than EU-wide certificate shopping. None of that requires slowing the AI infrastructure buildout the Commission wants — it requires the Commission to stop letting the companies being regulated write the rule that shields them from scrutiny.