Sep 282015

Dawn Raids in the EU: Commission Asserts Power to Search Private Devices and Collect Personal Data in EU Antitrust Investigations

Ken Daly, Stephen Spinks and Marc Abenhaïm
, ,

The European Commission has announced its intention to make broader use of its wide-ranging investigative powers, including that it intends to search and seize private devices found on company premises and gather personal data of company employees in the context of antitrust investigations. To prepare for such exercise of powers, companies should consider updates to internal IT policies, dawn raid manuals and dawn raid checklists, and training their staff for potentially expanded data requests.

The Commission recently published a revised version of its non-binding “explanatory note,” indicating what evidence it will look for during inspections (also known as “dawn raids”) carried out at the premises of companies suspected of having participated in anticompetitive practices. It describes who carries out the inspections, what can be searched, seized, stored, etc. The revised note provides that, aside from office computers and company servers, data from private smartphones, external hard drives and cloud-computing services can also be searched and seized during an inspection. The note further says that inspectors may gather personal data included in business documents.

What does the revised note include?

The note reiterates that inspectors may search the entire IT environment, including servers, desktop computers, laptops, tablets and other mobile devices of the company. Inspectors are also entitled to search all storage media, including CD-ROMs, DVDs, USB-keys, external hard disks, backup tapes and cloud services.

However, the revised note now indicates that this power extends to private devices and media used for professional purposes, when found on the premises. The revised note also introduces the concept of “technical entirety” which means that the inspectors may retrieve the entire sequence of an e-mail, attachment and/or embedded data items. For instance, even if only one e-mail attachment is selected in the investigation, the data exported will comprise the cover email and all the attachments included in that thread. Subsequently, the Commission can choose to isolate any individual component, list it individually, and assign individual reference numbers.

The note also provides that inspectors may gather the personal data of individual staff members (such as their names, telephone numbers and email addresses), such data thus becoming part of the Commission’s investigation file. Although personal data fall within the scope of EU Data Protection rules (Regulation No. 45/2001), the revised note suggests that the practice is aligned with these rules because EU antitrust rules only apply to companies, the personal data of individuals are not the target of antitrust investigations and inspections, and all personal data will only be used for the purposes of enforcing EU competition rules.

The note also describes the options available where, at the end of the dawn raid, the inspectors have not finished selecting the documents they wish to review. As a general rule, the data can be collected and secured in a sealed envelope, so that the inspection can continue at a later time. In the previous version of the note, two options were available: opening the envelope with the company present at the Commission’s premises, or returning the envelope as is. The revised version now adds a third option allowing the Commission to request the company to store the data in a safe place, pending a future announced visit.

What does this mean for your company?

The key novelty is the Commission position that inspectors can search and seize (corporate information stored in) private devices and personal data (stored on corporate devices).

Even though this note is not a legally binding instrument, a company’s failure to comply with a request based on it may be viewed as lack of cooperation with the investigation and result in heavy procedural fines. The Commission has stressed the importance of cooperating and already imposed procedural fines for non-cooperation in the past. Companies should therefore familiarize themselves with these changes and consider adapting their internal IT policies, dawn raid manuals and dawn raid checklists, as well as training their staff accordingly.

The compatibility of such wide-ranging powers with data protection rules and the procedural guarantees enjoyed by investigated companies remains a subject of some debate. The most recent EU case law illustrates that companies under investigation do enjoy certain safeguards. And the European Court of Human Rights (ECtHR) for its part exercises a close scrutiny over whether such safeguards are applied in a ‘practical and effective rather than theoretical and illusory’ manner. For example, in a recent case concerning inspections and seizures carried out in France, the ECtHR found violations of the investigated companies’ fundamental rights on several grounds, including that the seizures had included the entirety of certain employees’ professional email accounts and correspondence exchanged with lawyers. Given the sensitivity of personal devices and personal data, it is possible that this issue will be litigated before EU Courts in the near future. Having clear internal procedures and well trained staff, and having experienced counsel present during raids will help you find the right balance between offering full cooperation and protecting your rights.

Ken Daly

Brussels

kdaly@sidley.com

Stephen Spinks

Brussels

sspinks@sidley.com

Marc Abenhaïm

mabenham@sidley.com

You might also like
UK’s New Pro-innovation Approach to Regulating Digital Technologies

On 15 March 2023, the UK Government published, alongside its Spring Budget, a report on the Pro-innovation Regulation of Technologies Review (the “Report”). The Report was led by the government’s Chief Scientific Advisor and National Technology Officer, Sir Patrick Vallance, who was tasked with “bringing together the best minds to advise how the UK can better regulate emerging technologies, enabling their rapid and safe introduction.” In response, the UK Government has accepted all of the Report’s recommendations, and set out some next steps for their implementation.

Substantial Changes to Hong Kong’s Privacy Laws Coming

In a briefing to the Legislative Council (Hong Kong’s legislative body) on February 20, 2023, the Privacy Commissioner (“the Commissioner”) announced that substantive amendments to the Personal Data (Privacy) Ordinance (“PDPO”) will take place.

It Is Now More Difficult For International Pharma To Transfer Data Out Of China

China’s new Measures for the Security Assessment of Outbound Data Transfers (the “Measures”) came into force on September 1, 2022. Pharma companies now have until February 28 to work out whether their activities mean they are affected, and to apply for the new type of data security assessment if they need it.