On Wednesday 16 September 2015 the European Commission’s Directorate General for Competition (DG Comp) published on its website an updated version of the explanatory note that it hands across to companies when it undertakes unannounced inspections (dawn raids) authorised by Commission decision (here).
DG Comp had previously updated the explanatory note in March 2013, around the time the Commission issued its decision in the EPH case, and not long after judgement of the EU’s General Court was handed down in the Nexans case. These cases were critical in establishing the lawfulness of certain practices that DG Comp had adopted when conducting inspections, and emboldened Commission officials as regards their future conduct. The latest revisions to the explanatory note are predominantly clarificatory in nature, updating Commission practice, but they serve as a reminder of the importance now played by information technology in the context of DG Comp’s efforts to gather evidence of anti-competitive practices, and of the expectations that the Commission has in relation to conduct of company employees during dawn raids.
The principal changes are to be seen in paragraphs 10, 14 to 16, and 20 to 21 of the note, and revolve around IT, procedures and data privacy:
- Paragraph 10 emphasises the ability of the officials to search the entirety of the company’s IT environment, and all its storage media. Back up tapes and cloud services now get specific mention. However, it also makes clear that DG Comp considers itself entitled to search the private devices and storage media of individuals where these are found on the premises, if they are used for “professional reasons”. DG Comp gives the example of private / personal devices which companies encourage their employees to use for work purposes – BYOD (bring your own device).
- This begs a couple of questions. First, how the Commission officials will establish whether a device falls within the category of devices that the Commission considers itself entitled to search; and second, what influence the company can be expected to exert over an employee who is less than keen to hand over his or her device so that it can be searched, given that much of its contents can be expected to be personal, private and confidential. Any “rights” that the company may have over any data stored on such a device must clearly be limited to the data that relates to work done by the employee on the device in fulfilment of his or her employment obligations. Consequently there will be a need for companies to tread a careful path in demonstrating commitment to submit to the investigation whilst respecting the rights of individual employees from an HR perspective. It is possible that forensic imaging of such devices, or the attachment of DG Comp’s dedicated forensic hardware and software, would require the explicit consent of the individual employee even if though company is happy for the device to be searched.
- Paragraph 14 confirms the Commission’s procedure for removing data from a company’s premises in order to be able to continue its inspection in Brussels. Although DG Comp’s right to do this was challenged in the Nexans case as part of Nexans’ action for annulment of the inspection decision, the General Court declared this challenge inadmissible.
- The procedure is known as the “sealed envelope” procedure. The Commission is not entitled to open the envelope and continue its review without giving the company the opportunity to be present (so that it can assure itself that the Commission is acting within the scope of its permitted powers). Interestingly, the revisions suggest that the company will not automatically be provided with a duplicate of any data being removed, although it will be entitled to ask for a duplicate (somewhat typically, the note does not say that the Commission officials will actually provide a duplicate if requested to do so – the emphasis is on the company’s obligations in the context of a dawn raid and not on the obligations of the Commission officials). The revisions also suggest that the Commission may prefer to return to the company’s premises to continue the inspection, in which case it may ask the company to keep the sealed envelope in a safe place.
- Paragraph 15 explains the way the Commission handles the data that are to be taken away as evidence following review. DG Comp has long been keen to avoid the need to make and remove traditional paper copies of documents (not least since it is understood that on some occasions papers had to be put in the aircraft hold on the return flight to Brussels, with a clear risk that they may go astray), and these days all you can expect to retain when the officials head back to Brussels are a DVD and a signed copy of the index of its contents.
- What the explanatory note doesn’t make clear (rather surprisingly) is that the DVD will be encrypted and that it will have a unique hash value which will make it evident if there is any interference with / manipulation of any of the underlying data.
- Paragraph 16 makes clear that to protect forensic integrity, documents will be selected for export (putting on to the DVD to take back as evidence) and listed in their technical entirety (so that even if only one attachment to an e-mail was actually of interest to the officials, the e-mail and all other attachments would also be taken at this stage). The Commission explains however that when evidence is placed into the case file, it may be separated out into component parts with each part being allocated a separate document reference.
- Paragraphs 20 to 21 expand substantially on the previous version of the explanatory note as regards data privacy. Officials are clearly getting fed up of arguments being advanced that they are not entitled to take away documents if those documents contain information of the nature which is covered by EU data protection rules. Personal data is highly likely to be contained in documents that the Commission wishes to remove as evidence, and the explanatory note makes it clear that this does not preclude document removal. The Commission reminds companies that it processes personal data in compliance with the EU data protection rules, and confirms that such data may only be used for the purpose for which they were collected (i.e. the enforcement of Article 101 and / or 102 of the Treaty on the Functioning of the European Union).
The Commission’s continued efforts in relation to transparency regarding its procedures when conducting dawn raids are to be welcomed. However, it is less satisfactory that the underlying focus of the explanatory note is on the expansive nature of the Commission’s powers, with precious little attention devoted to its obligations, or any limitations on its powers (other than in the context of protection of confidential information).
In our view the Commission has missed a good opportunity to provide more balance to the explanatory note, and thereby to enable companies who may not be familiar with the Commission’s powers to ascertain, through this note, some of their rights as well as their obligations within a dawn raid situation.
The arrival on site of a group of officials to undertake an unannounced inspection is a time of high stress. One might argue that the explanatory note (which is of course not binding on the EU Courts) is more in the nature of an attempt by DG Comp to minimise the objections that companies might raise in the context of a dawn raid, rather than an attempt to explain the way raids are supposed to work. For example, the ability of a company to understand properly the scope and subject matter of an investigation is a pre-requisite for being able to determine whether or not the officials are acting within their powers in executing a dawn raid. Paragraph 2 of the explanatory note, which explains that the inspectors cannot be required to expand upon the subject matter of the investigation as set out in the decision, may actually inhibit challenge on the part of a company when such challenge would be entirely legitimate.
Companies should look to ensure that they have experts alongside them when they are subjected to unannounced inspections, who are familiar with the officials’ practices and who can hold them to account when it comes to the proper (lawful) exercise of these powers.