Virtual data room settles dispute over access to Facebook employees’ sensitive personal data

Document requests for information by the European Commission in competition investigations can draw out huge volumes of responsive documents. Search queries often identify private documents and correspondence found on employees’ devices even though these ‘responsive’ items are likely irrelevant for the purpose of the investigation.

Last month, the General Court of the EU partially upheld an application by Facebook for interim relief in relation to two wide-ranging RFIs. The Court’s President suspended Facebook’s obligation to disclose responsive documents not linked to its business activities and containing sensitive personal data (in the sense of Article 9 GDPR). It ordered the EC to screen this class of documents via a virtual data room to determine which documents were relevant and should be placed on the file and which should be eliminated.

A practical solution

The orders imposed a practical solution, striking a balance between the EC’s desire to cast a wide net when investigating a potential infringement and individuals’ right to privacy. This is particularly relevant nowadays, since private information is often stored on work devices and servers. The screening mechanism imposed by the Court’s President mimics the procedure used in on-site inspections of digital files. Potentially responsive documents are pre-selected via search terms but then reviewed, in the presence of the company’s representatives, for relevance. This procedure prevents irrelevant private documents (and other categories of excluded documents) being placed on the administrative file.

The solution put forward in the interim orders relates only to sensitive personal data. But, in practical terms, the data room process expands on what is already used for dawn raids. The EC is only bound by this in this specific context, but it could decide to use it more broadly for other classes of sensitive documents, such as contested (in-house) privilege claims or sensitive commercial documents at the margin of the investigation.

Background

In May 2020, the EC adopted two decisions requesting extensive information from Facebook. The decisions identified a list of custodians, included a number of search terms and queries, and defined a specific time period for which documents responsive to the search terms and queries had to be handed over.

After partially responding to the RFIs, Facebook filed an action for annulment before the General Court, claiming that the RFIs were unlawful as they required Facebook to hand over information not relevant to the EC’s investigations. Facebook also asked for the EC’s decisions to be suspended by way of interim relief. Apparently, the RFI search terms yielded many documents which Facebook refused to disclose on the grounds that they were of a purely personal nature, contained personal opinions and political engagement, engaged the applicants’ right to privacy, or related to its business activities which were sensitive. Examples include a private will, medical records, sensitive private correspondence and Facebook’s efforts on diversity issues.

Virtual data room

The President’s interim orders suspended the RFIs as regards Facebook’s obligation to provide documents which were not linked to the company’s business activities and which contained sensitive personal data.

In a second step, the President ordered Facebook to hand over the sensitive personal documents to the EC on an electronic medium and for these documents to be made accessible in a virtual data room. On the EC’s side, the data room can only be accessed by a limited number of staff, who will review for relevance in the presence (virtual or physical) of Facebook’s lawyers. If there is disagreement over the relevance of a document, a senior DG COMP official will decide.

Legal findings

In order to grant interim relief, the Court must find that there is a prima facie infringement and there must be a risk of irreparable harm which warrants urgent action.

The President found that there was no prescribed procedure in the RFIs for the exclusion of out-of-scope documents. There were likely to be many in light of the wide and generic search terms. So, it could not be excluded that the RFIs might call for the disclosure of documents which are not necessary for the investigation and infringe the principle of necessity underpinning Article 18 of Regulation 1/2003. As such, the President found a prima facie infringement.

While data protection rules, such as the GDPR, do not prevent the EC from collecting and processing private data in the exercise of its investigatory powers, this must be necessary and proportionate. Certain types of private data require a special level of protection, in line with Article 9 GDPR. Examples are sensitive personal data pertaining to health, political opinions, and religious or philosophical opinions. Proper steps should be taken by the EC to safeguard, in the exercise of its investigatory powers, the rights and interests of individuals who are entitled to this high level of protection. The President found that if that was not ensured, disclosure (even to officials who are bound by confidentiality) may cause irreparable harm and warrant urgent action.

Given the nature of the RFIs, it was reasonable to consider that guarantees, similar to those applicable to on-site inspections (dawn raids), should apply. In the context of a physical inspection, there is a process to ensure that documents which are not relevant (including private documents) are excluded (Nexans, Prysmian, Vinci v France). During a dawn raid (or a continuation at the EC’s premises), companies are entitled to have their lawyers present while officials review documents. These lawyers can comment, for example, as to relevance or legal privilege.

Setting a precedent for private data

The solution does not prevent the EC from having a ‘quick look’ at private documents and data or from having the final say on relevance (subject to the Court’s review), but it saves irrelevant personal documents and private data from becoming part of an investigation file and thereby causing harm to those whose privacy rights are infringed.

In practice, one might expect that this data room evolves into a privacy log, where the parties identify the items in question and give a short explanation of why they are private and irrelevant to the investigation, without disclosing the content.

In the same way as litigation to determine a proper protection of legal privilege has led to the accepted use of a privilege log when responding to this type of RFI, it is possible, and desirable, that the EC starts accepting the use of a “privacy” log. These orders will provide the EC with the opportunity to consider it and hopefully an incentive to adopt such an approach.

And other types of contested documents?

It is conceivable that, with good faith, this procedure could be applied to other categories of sensitive documents unlikely to be relevant: for example, legal advice by U.S. in-house counsel that is not privileged under EU law. Such documents are not only sensitive but, as a matter of U.S. law, the client is required to protect their confidentiality. With this screening procedure potentially available, a company should at least try to use it to avoid disclosure beyond what is strictly necessary in order to avoid a waiver of privilege.

Since the order was made under interim proceedings, it reserved the broader question of the legality of the RFI to a review by the General Court itself. The President implied that the wide scope of the RFI search terms, catching many irrelevant documents, and the absence of a verification method on relevance, might be problematic. But he ultimately did not have to rule on the issue. Documents unrelated to the subject matter of an investigation could very well be responsive to a custodian/search term RFI like the EC used in the Facebook investigation. The EC would probably not dispute that in the Facebook case, but it was of the view that it is only the case team who should make that determination and not Facebook (or its lawyers).

It will be up to the General Court (and perhaps even the Court of Justice) to decide on the legality of the EC’s RFIs to Facebook, particularly absent a method for confirming relevance. It may revisit the issues started in the Cement cases.

In the meantime, we may see a change of practice from the EC. Data requests in the digital age are undoubtedly such that a rethink is required on the practical implications for companies, their employees and the rule of law.