EU General Court rules on protection of private data in competition investigations
Introduction
Like many competition authorities, the European Commission ("Commission") has far reaching powers to ask for huge amounts of information for its competition law investigations.1 These days it is no longer just hard copy documents being asked for, but significant amounts of electronic data in specified formats expected to be produced in short time frames. Given the commercial implications of resourcing such a request as well as the potential penalties and reputational damage at stake, it is not surprising when businesses push back. The European Courts have already established that the Commission must act within its powers and in particular only ask for information which is necessary and proportionate. The recent decision by the General Court of the EU (“General Court”) concerning requests for information (“RFIs”) sent to Meta,2 brings this caselaw into the digital age. Last month's ruling marks the first time we hear from the European Courts about the legality of a RFI using digital search terms (so called keyword RFIs), as well as to what extent investigatory powers may interfere with the protection of sensitive personal data. The ruling is likely to have a major impact on the way in which the Commission requests information going forward both in the context of written RFIs and in other investigatory contexts such as dawn raids, and businesses would be well advised to plan ahead, as to how they might respond.
Background
In May 2020, the Commission sent several RFIs to Meta concerning how its marketplace competes with classified advertisement services of other operators and its data collection and processing practices.3 More specifically, Meta was asked to provide the Commission with all documents prepared or received by numerous custodians within a defined time period, which contained one or more of the search terms defined in the annexes to one of the RFIs. This required Meta to run 2,500 search terms across its internal systems and analyse more than a million documents. The Commission bolstered this request with a reminder that it had the right to impose a multi-million euro fine per day of non-compliance.
Two months later, after partially responding to the RFIs, Meta lodged at the General Court both an action for annulment of the decision of May 2020 and an application for interim measures. Meta submitted that applying the Commission's search terms would identify hundreds of thousands of documents, many of which would be wholly irrelevant to the Commission's investigation and/or include highly private or personal information about the business, its officers and employees such as private medical and financial data of employees, documents relating to personal wills or company security assessments. Search terms included: "not good for us", "for free", "shut down", "big question", "advantage", "quality" and "looked at".
On 29 October 2020, the President of the General Court considered that it could not be ruled out that the General Court would find the contested decisions are unlawful in the absence of a verification method with guarantees specifically designed to safeguard the rights of the persons concerned. The President further concluded that Meta had successfully established an urgent need for interim measures in relation to documents containing sensitive personal data. He therefore ordered a bespoke virtual data room procedure for the review of such personal documents, but reserved the broader question of the legality of the RFI to a review by the General Court itself. The Commission then adopted an amending decision, requesting considerably less information and stating that the documents identified via the search terms which contained sensitive personal data could only be placed on the investigation file once they had been examined in a virtual data room.
Meta subsequently amended its action for annulment to take account of the amending decision, submitting amongst other grounds, that applying the search terms specified in the RFI would still inevitably lead to a significant number of irrelevant documents being captured and/or documents containing sensitive private data, which would be contrary to the principle of necessity and amount to a “fishing expedition”. It is this action which the General Court ruled on last month.
Key findings of the General Court
The General Court dismissed Meta's action for annulment stating that,
"The General Court finds that Meta has not successfully demonstrated that the request to provide documents to be identified by search terms went beyond what was necessary."
The General Court recalled that the Commission may, by simple request or by decision, require undertakings to provide 'all necessary information' in order to investigate potential breaches of EU competition rules. Whilst this long reach is scoped by a requirement to only request disclosure of information which is relevant to the investigation, the General Court stated that such a necessity requirement is satisfied if the Commission could reasonably suppose, at the time of the request, that the information may help it to determine whether an infringement of the competition rules has taken place. Applying the principle of necessity to the use of search terms, the Court decided that even if some of the Commission's search terms could be too vague, other search terms appeared sufficiently precise to satisfy the necessity requirement. As a result, the annulment of the search terms which were too vague would have no effect on the obligation to produce the documents identified as relevant from the application of the other search terms.
As for the Commission's search terms potentially capturing sensitive personal data, bearing in mind the fundamental right to privacy, the General Court recalled that any interference with privacy caused by the RFI must:
- be provided for by law – Regulation 1/2003 in this case;
- meet objectives of general interest of the European Union i.e. enforcement of competition law; and
- be necessary and proportionate.
For the General Court, the fact that the Commission reduced the scope of the requested data and adopted a separate procedure for the treatment of documents containing personal data to be produced by Meta, seems to have been especially persuasive. Referring to the General Data Protection Regulation ("GDPR")4 and the Data Protection Regulation ("DPR") applicable to EU institutions,5 the General Court stated that EU institutions may lawfully process personal data when this is necessary for the enforcement of competition law. The General Court further considered that the applicant had not established that the Commission, using the separate procedure based on the interim measure order, obtained documents containing the type of sensitive personal data that would require further protection under the above Regulations such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs etc.
Key points to takeaway
Although this case is somewhat unusual, not least due to the interim measures,6 some general key points should be noted by businesses faced with a RFI from the Commission, whether that be by way of a written request, or in the context of a dawn raid:
- Before handing over any information to the Commission, lawyers should check that the Commission has precisely specified the information requested, the legal basis authorising it to do so and the subject matter of the investigation.
- Parties should engage with the Commission in discussing search terms as early as possible and before handing over any documents. Any concerns around capturing irrelevant, personal and/ or sensitive data should be raised, flagging not only concerns relating to competition law, but also arguments based on privacy and fundamental rights. Recourse to the courts using expedited procedures where necessary should not be ruled out to ensure proper protection.
- The General Court seems alert to the need in some cases to anonymise documents, although takes a ‘proportionate’ approach in this area.
- Based on this case, the Commission has adapted its procedures and handles data protection claims insofar as they relate to special categories of private data under the GDPR and EUDPR (data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs etc.).
- The possibilities of storing, transferring and processing data have exploded in recent years and the Commission is now able to examine larger amounts of data in order to get a comprehensive picture of the inner workings of a company and its communications and the European Courts seem to be supportive of this approach – in this case not striking down broad and generic search terms. Digital tools have thus increased the Commission’s ability to get hold of increasing amounts of data, but businesses should ensure that the authority does not overstep the mark – the burden is on the Commission to establish infringements and identify the evidential basis to that end. Given the General Court's endorsement of the use of a virtual data room in this case to protect sensitive personal documents, going forward, the Commission might well accept to use a similar procedure more broadly for other classes of sensitive documents, such as potentially out of scope documents. Businesses should consider how they might be able to use this to protect information not in the scope of the investigation.
There is now a significant body of delicately nuanced case law on the investigation powers of the Commission,7 which businesses must be aware of and use to their advantage if ever faced with an EU investigation. Decisions over the past few years have shown that parties can successfully challenge the authorities in this area, and ensure that the later do not overstep the mark.8 Given that RFIs are, alongside dawn raids, the Commission's main tool in its investigations and are playing an increasingly important role, we can expect to see increasingly bold requests from the Commission which businesses must consider carefully before responding to, without unlawfully hindering the Commission in the lawful exercise of its powers.
The Antitrust team at Mayer Brown can assist with all aspects of competition inspections and the resulting liaison with competition authorities around the world. For an in-depth analysis of the legal and practical aspects of competition inspections under EU law, please see this practical guide published with Concurrences by Nathalie Jalabert-Doury, a partner in the Paris and Brussels offices who is widely recognised as a leading expert in this field.
1 See in particular Council Regulation (EC) No 1/2003 of 16 December 2002, Articles 18 - 21
2 T -451/20 Meta Platforms Ireland v Commission & T-452/20 Meta Platforms Ireland v Commission.
3 Dispute arose from requests sent to Meta in 2020 in relation to two separate Commission abuse of dominance investigations, relating to Facebook’s Marketplace service for classified ads and Facebook’s Data-related practices.
4 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
5 Regulation (EU) 2018/1725 of the European Parliament and of the Council of 2 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data.
6 The fact that the Commission adopted its handling of the sensitive personal documents in the light of the President’s amending order seems to have made its practices compliant in this case
7 See for example Ceské dráhy, Prysmian and Prysmian Cavi e Sistemi Energia/Commission, T-140/09 and HeidelbergCement/Commission, C-247/14 P.
8 For more on this, see The fundamental importance of gathering sufficient evidence to carry out competition dawn raids | Perspectives & Events | Mayer Brown.
