Dawn Raids in the EU: Inspections take a new spin

By Nikolaos Theodorakis

The European Commission recently issued an explanatory note on inspections pursuant to Article 20(4) of Council Regulation No 1/2003.[1] It updates the previous note, published in 2013. The note provides that data from, inter alia, private smartphones, external hard drives and cloud-computing services can be seized during an unannounced investigation.

The revised guidance relates to the conduct of inspections at business premises, also known as dawn raids. It is a codification of how the Commission plans to treat certain data found during an inspection. The note allows the search of private devices and cloud services, in addition to office computers and company servers, and describes the process of handling and reviewing the data collected.

The note further widens the options of data storage and introduces the concept of technical entirety, which means that a sequence of data can be collected (e.g. an entire e-mail thread). Finally, the note allows the inspectors to gather personal data included in business documents. It is the first time that the Commission has included private data as part of its raid procedure.

 

What Does the Note Include?

 

First, the note reiterates that inspectors may search the IT-environment, including servers, desktop computers, laptops, tablets and other mobile devices of the undertaking. Inspectors are also entitled to search all storage media, including CD-ROMs, DVDs, USB-keys, external hard disks, backup tapes and cloud services. This power now extends to private devices and media used for professional reasons when found on the premises (para. 10).

The note also includes a more detailed explanation of how the regulator may handle data copied from servers (para. 14). The data can be collected to continue the inspection at a later time, secured in a sealed envelope. Previously, two options were available: opening the envelope with the undertaking present at the Commission’s premises, or returning the envelope as is. Now, the Commission can also ask the undertaking to store the data in a safe place so that the Commission can continue to search the premises in a future announced visit.

The note also introduces the term “technical entirety” (para. 16), which in practice means that the inspectors may retrieve the entire sequence of an e-mail, attachment, and/or embedded data items. For instance, even if only one e-mail attachment is selected in the investigation, the data exported will comprise the cover email and all the attachments included in that thread. Subsequently, the Commission can choose to isolate any individual component, list it individually, and assign individual reference numbers.

Lastly, the note suggests that inspectors can gather personal data found in business documents. This includes information that would otherwise be classified as private, like staff names, telephone numbers and e-mail addresses. Such data can, therefore, become part of the Commission file (para. 20). The guidance, however, clarifies that this is aligned with the EU Data Protection rules (Regulation No. 45/2001) and that EU antitrust rules apply only to undertakings. Hence, personal data of individuals do not constitute per se an antitrust investigation target.

 

What Does this Mean in Practice?

 

The updated note gives companies an insight into how the Commission will treat data searches from now on. The inclusion of data found in private devices is a significant leap from the previous note and expands an investigation’s scope. Further, companies are notified of the additional option to securely store the data in their own premises prior to the continuation of the investigation, and must familiarize themselves with the concept of technical entirety and the possibility of personal data being included in the Commission file.

Even though the note is not legally binding, failure to comply with the above may result in heavy fines. Besides, the Commission has already stressed the importance of compliance in the previous note and has levied fines for non-compliance. Companies should consider training their staff in accordance with the abovementioned changes and updating their own dawn raid manuals and checklists to reflect the updated note. Finally, one should not forget the broad powers that the Commission has when investigating, including the power of inspection under Article 20(4) of Regulation 1/2003. Any data collection and handling must, however, comply with Regulation 45/2001 that pertains to data protection rules.

Beyond the assertions of the revised note, the compatibility of such wide-ranging powers with data protection rules and the procedural guarantees enjoyed by investigated companies remains to be confirmed. The most recent case law illustrates that undertakings concerned by an inspection do enjoy certain safeguards.[2] In fact, the search and seizure of electronic data may be in breach of Article 8 of the European Convention on Human Rights (“ECHR”) if certain standards are not met. For instance, the collection of data that is unrelated to the investigation, or covered by legal professional privilege, may be disproportionate to the purposes of the investigation, and therefore illegitimate.[3] Given the sensitivity of personal devices and personal data, it is possible that this novel issue will be litigated before EU Courts in the near future. Additionally, member-state specific legislation provides safeguards that would likely not allow the seizure and search of a personal device. It is thus expected that further litigation will occur on a domestic level.

[1] The explanatory note can be found here: http://ec.europa.eu/competition/antitrust/legislation/explanatory_note.pdf

[2] Deutsche Bahn and Others v Commission, cited above.

[3] See Vinci Construction and GMT genie civil and services v France App no 63629/10 and 60567/10 (ECtHR, 02 April 2015)
