On 26 November 2014, the EU General Court upheld1 a European Commission decision to fine Czech energy companies for the specific violation of obstructing IT searches during a dawn raid which European Commission officials carried out as part of an antitrust investigation.
This judgment confirms the need for companies to ensure that their IT staff receive dedicated dawn raid training and guidance.
In November 2009, the European Commission conducted an unannounced inspection of the premises in Prague of Energetický a průmyslový holding a.s. (EPH) and its subsidiary EP Investment Advisors s.r.o. (EPIA).
On arrival, after notifying the inspection decision and explanatory notes to a member of senior management, one of the inspectors asked for contact with the person responsible for the IT department. He informed the member of senior management that the email accounts of four individuals holding key company positions had to be identified and blocked by the IT department. The blocking process involved re-setting four email accounts with a new password, known only to the inspectors, in order to ensure that the inspectors had exclusive access to those accounts during the inspection.
At that time, EPH and EPIA did not have an independent IT Department. J&T Banka, a subsidiary of the former parent company of EPH, J&T Finance Group, was temporarily providing IT services. The emails addressed to the EPIA and EPH email accounts passed through the J&T Finance Group server before being distributed to the different accounts.
The IT department changed the passwords for the four email accounts in question. However, in the early afternoon of the first day of the inspection, the IT department, upon the request of one of the individuals whose email account had been blocked, reset the password so that the individual could access his email account again. On the second day of the inspection, the inspectors tried to access the email account in question and were unable to do so.
On the third day of the inspection, the inspectors discovered that another employee had requested the IT department to divert all emails arriving in the four blocked accounts from arriving in their respective inboxes. It was later confirmed that the measure had only been applied to one account.
On 28 March 2012, the European Commission fined EPH and EPIA jointly and severally EUR 2.5 million for refusing to submit to an inspection by negligently allowing access to a blocked email account and intentionally diverting emails to a server.
EPH and EPIA lodged an action with the General Court to seek the annulment of the Commission's decision, or alternatively a reduction in the fine.
The General Court judgment
Negligently allowing access to a blocked email account
The Court held that the mere fact that the inspectors did not obtain, as requested, exclusive access to an email account of an individual whose account had been ordered to be blocked, was sufficient to characterise the incident as a refusal to submit to the inspection.
It was not relevant that:
- the Commission had not proven that the emails had been manipulated or deleted.
- the electronic files at issue had been automatically copied to the server and so remained intact.
- The individual from the company, as he was working remotely, was unable to alter the data on the hard drive of the computer.
The Court considered that the inspectors were under no obligation to investigate whether the files might be intact elsewhere than in the email account which the inspectors had ordered to be blocked. Furthermore, they were under no obligation to verify when the last back-up of the server had taken place to determine whether the verification of content in the email account had been impeded.
The Court held that the head of the IT department was responsible for promptly instructing his staff of the obligation to block access to the four accounts to avoid a breach. It held that the inspectors are not under an obligation to inform everyone at a company premises of their duty to cooperate with an inspection. The Court stated:
"When an inspection decision, the reasons for which have been set out, has been correctly notified to an authorised person within those undertakings, the Commission must be able to carry out investigations, without being under an obligation to inform each person concerned of his duties in the circumstances of the case. Such an obligation would delay the inspection, the duration of which is strictly limited". (Para. 45)
Intentional diversion of emails
The Court held that, as it had been established that the files were not produced in one email account in complete form during the inspection, the Commission was not required to examine whether the missing data could be found elsewhere in the IT system. It was, therefore, not relevant that the emails destined for the individual email account were still stored on the server, or that the Commission knew that this was the case. The European Commission inspectors should have been able to access all the emails normally in the inbox, without being obliged to gather data from other sources to complete their investigation.
Outsourced IT department
The Court held that it was also not relevant that the staff of the IT Department was not employed by the applicants. The fact that the members of the IT Department were employed by an independent company, J&T Banka, and provided their services to the applicants temporarily, did not preclude the Commission from finding that they performed tasks for and under the direction of the applicants.
Business needs to be aware that:
- IT staff will be at the frontline of any dawn raid and will be among the first company representatives to whom the inspectors will want to talk.
- Any refusal by IT staff to comply is likely to be regarded as obstruction even if underlying files are not deleted or manipulated.
- The inspectors are not under any obligation to explain their powers to a wide range of staff – one person is enough. The onus is on the company to ensure that the European Commission's demands are relayed as appropriate within the company.
- There is a critical requirement for IT staff – even outsourced IT staff - to be trained in dawn raid procedure.