On November 27, 2014, the General Court of the European Union (Court) upheld the imposition of a fine of €2.5 million on the companies EPH and EPIA for breach of their duty to cooperate during an inspection by the European Commission (Commission). This heavy sanction once again illustrates the importance of IT in such operations, and the necessity of carefully disseminating instructions from inspectors within the company, and even to external service providers who work there.
During an inspection conducted in cooperation with the Czech competition authority in the (common) premises of EPH and its subsidiary EPIA, the Commission had asked the head of the IT department to block with a new password the email accounts of four employees holding key positions in the company (including the Executive Director of EPIA), in order to have exclusive access to such accounts.
One special detail: EPH and EPIA had been transferred a month prior to the inspection and did not yet have their own IT department. IT was therefore temporarily managed in their offices by employees of J&T Banka, a subsidiary of the former parent company of EPH (J&T Finance Group). In addition, emails sent to their staff’s email accounts continued to pass through the J&T Finance Group server.
During the inspection, one of the four employees concerned, who was working from home and was no longer able to access his e-mail account (and, apparently, not informed of the inspection), complained to the IT department, which immediately restored his access to the account by resetting his password. Meanwhile, the Executive Director of EPIA asked the IT manager to block from the J&T Finance Group’s server all incoming e-mails to his own account.
No longer able to access the e-mail account of the first employee, and seeing that the Executive Director was no longer receiving any new e-mails, the inspectors sent a statement of objections for refusal to submit to the inspection. On this basis, the Commission jointly and severally imposed on EPH and EPIA a fine of €2.5 million (i.e. 0.25 per cent of EPH’s turnover, bearing in mind that the maximum incurred was 1 per cent) for having (i) negligently granted access to a blocked e-mail account, thus preventing inspectors from consulting it, and (ii) deliberately diverted to a server the incoming e-mails addressed to another account.
The Court upheld the fine, confirming that this type of infringement is purely material and thus difficult to justify by any defence. In particular, it held the following to be irrelevant:
- the fact that the IT department had not been employed by EPH or EPIA, since it was working under their authority and the action of a person who is usually authorized to act on their behalf is enough to establish the infringement
- the ability of inspectors to access files on the server, since the Commission is not required to check whether the files were intact in a location other than the e-mail accounts
- the ignorance of the employee working from home regarding the blocking of his account and the existence of an inspection, since the infringement was based on the negligence of the IT manager
- the short duration of the diversion of incoming e-mails to another account, the limited quantity and the lack of relevance of the filtered messages in relation to the subject of the investigation
- the fact that the Commission did not ultimately have enough evidence to prosecute the companies for anticompetitive practices.
Following the historically large fine confirmed by the Court of Justice in November 2012 in the E.ON case (€38 million, i.e. 0.14 per cent of its turnover), this new case provides an opportunity to recall that companies must ensure that instructions from inspectors are immediately and precisely conveyed to their entire staff, including their external service providers, to avoid any incident that will certainly be severely sanctioned.