In an increasingly digital world, the collection and analysis of different types of evidence about alleged anticompetitive practices has become more complex. Competition authorities must be able to gather all the relevant evidence from vast quantities of information stored digitally and exchanged through e-mail accounts, mobile phones, and social networks. The task of collecting evidence has become further complicated by the increasing number of companies moving their IT infrastructure and business operations to a cloud computing environment.
The Serbian Commission for Protection of Competition (“Commission”) carried out its first dawn raid (unannounced inspection) in 2015 and since then it has raided over 15 companies. Since the first raid, the Commission has been willing to search for information stored on digital devices. Being aware of digital trends, the Commission has also invested heavily in strengthening its forensic capacities for gathering credible digital evidence and hence its ability to prove antitrust infringements.
The Commission has wide-ranging investigative powers that include digital searches. With a valid search order, Commission investigators may enter and search a business’s premises, interview its employees and search its records, regardless of whether they are stored in physical or electronic form.
In practice, investigators use IT forensic tools (hardware and software) to search the company’s electronic environment and storage media (e.g. smartphones, desktop computers, tablets, DVDs, USB-keys, etc.). Digital forensics not only allows investigators to review and copy electronic documents and e-mails in bulk, which is sometimes more than justified, but also to recover deleted files.
Investigators may search the company’s electronic devices as well as devices belonging to its employees. The Commission may also search employees’ personal devices if it suspects they are being used for business purposes.
The location of the server where electronic information is stored raises many jurisdictional issues. However, many competition authorities, including the European Commission, have an intrusive approach and deem the location of the information to be irrelevant if the company's employees normally have access to it from the raided premises. This issue is not regulated in Serbia, but we assume that the Commission’s approach does not vary considerably from EU practice.
The Commission will usually start an IT search by asking a company IT specialist to provide technical assistance by blocking individual e-mail accounts, disabling the internal network or providing administrator rights. The company staff may also be asked to disclose passwords or to provide access to any personal electronic devices being used for business purposes.
After gaining access to electronic devices, investigators start mirroring or duplicating data stored on the company’s hard drives. This is also known as the creation of a forensic copy (image). The forensic copy is stored on the Commission’s hard drives so that it can be investigated using keyword searches. This, however, is not considered to be a seizure.
The purpose of the keyword searches is to identify all electronic documents that have probative value. However, keyword searches should not interfere with the company’s right of defence. Investigators should not go on a “fishing expedition”, using search terms and keywords that are not within the terms of the search order. This would be the case if investigators used very broad or irrelevant search terms that led to a large number of hits that had no relevance for the investigation, or used search terms that referred to markets not specified in the search order as being affected by the alleged infringement.
In the same vein, as a rule the Commission should take no more than a cursory look at any document to confirm that it lies outside the search order. For privileged documents, the Commission should only look at the headings and not the contents of electronic documents.
The company should object to Commission searches that use terms falling outside the scope of the search order or that target privileged documents. The search terms must be disclosed to the company and specified in the record of inspection.
The documents relevant as evidence are listed in the record of inspection and added to the case file in physical or electronic form. The Commission should delete from its hard drives all other documents copied onto its devices that are not considered relevant at the end of the inspection. As this is not regulated, the company should exercise caution and insist on written confirmation that the Commission has permanently deleted non-relevant files from its hard drives.
Since investigators can produce authentic digital copies, they can inspect the mirrored files and communication after they leave the searched premises. In other words, the raid can be continued at the Commission’s premises (off-site search). In order to prevent the Commission from going on a “fishing expedition” during the off-site search, the company should insist that, upon being created at the raided premises, the forensic copy is sealed in a protective envelope. The company should further insist that its legal advisors are present during the off-site search of forensic images at the Commission’s premises.
Once the review is complete and the selected documents are added to the case file, the forensic copy should be deleted. However, as already mentioned, this matter is not regulated, so the company should demand written confirmation from the Commission that the copy has been destroyed.
Tips for digital searches
One way for companies to prepare for a dawn raid is to organise basic training on dawn raid defence best practices for their IT specialists and other employees. It is also advisable to create a data map and inventory of hardware, so that the cooperation with investigators is smooth and fast. Here is a list of practical tips companies should follow in the event of a dawn raid:
- Contact their legal advisor and ask the Commission not to begin the inspection before the advisor is present;
- Check the terms of the search order and the decision on opening the investigation, particularly for details of the products and markets concerned, the type of behaviour and the time period under investigation;
- Insist that the investigators review and copy only as much of the electronic information stored on the company's devices as seems likely to be relevant for the investigation;
- Object if the search terms used lie outside the terms of the search order;
- Insist that their legal advisors are present during the off-site search at the Commission’s premises; and
- Insist on all electronic documents not added to the case file being returned or deleted.