In a move aimed at providing for technological advancement in business, the Commission has published revised guidance setting out how it will conduct dawn raids, including in particular the handling of data. Companies should consider whether it is necessary to update their own dawn raid manuals and checklists to reflect the Commission's new stated approach.
Where the Commission suspects a possible infringement of competition law, it has wide powers to investigate, including the power of inspection in execution of a Commission decision under Article 20(4) of Regulation 1/2003. It is this measure (inspection pursuant to a formal Commission decision, rather than just written authorisation), for which the Explanatory Note was published. The Note seeks to reflect the fact that most business is now conducted electronically, and so to supplement its rules relating to entry and inspection of physical documents, the Commission has extensively detailed its powers to inspect, detain, copy and deal with data in any medium – particularly files stored on computers or related hardware and software.
Most broadly, the Commission sets out that it will apply its general power of entry and examination under Article 20(2) to explicitly cover a company's books and records "irrespective of the medium in which they are stored", and the ability to take copies in any form. The Commission goes on to state that, in its searches of a company's IT environment and storage media (which covers everything from laptops and mobile phones to DVDs and USB sticks), it may use built in search functionality or its own dedicated forensic IT tools to copy, search and recover data, whilst respecting the integrity of the company's system and data.
The wider ICT provisions also cover the level of co-operation that is required by the company under investigation. The company should provide staff to assist the Commission, not only to provide explanations, but also to freeze email accounts, remove hardware from the network, grant administrator access rights and other general computer support.The Commission has also included provisions which seek to minimise concerns over company data being leaked or used outside the remit of any such inspection. All documents and data copied during an inspection will be covered by the provision of Article 28 of Regulation 1/2003 concerning professional secrecy. Any personal data, as defined in Regulation 45/2001, will be processed in compliance with that Regulation. Furthermore, at the end of each inspection, the inspectors will be required to cleanse all their forensic IT tools in a manner by which none of the undertaking's data can be recovered by any known technique.
However, it may still be a concern that the undertaking's storage media may be kept by the inspectors until the end of their inspection. The Commission expressly acknowledges that, on occasion, it may be necessary to grant third party access to data – over which the undertaking will have little control other than to identify any business secrets or other confidential information, and make a case to the Commission for permission to provide non-confidential copies.
The publication of the Note means companies now have useful guidance as to how the Commission will approach electronic searches. The Note follows, on the whole, the Commission's already common practice. Indeed, the Commission has already levied fines (EUR 2.5 million) on Czech energy companies for failing to block email accounts when required, and for diverting incoming emails. Whilst the Note is not legally binding, in light of the potentially serious penalties for non-compliance with an investigation companies should nonetheless consider updating their own dawn raid policies to reflect the Commission's updated Explanatory Note.