The European Commission (or to be more precise, and to point the finger in the right direction, DG Competition) has sweeping powers of investigation in cases of suspected infringement. Indeed, it has even sought and obtained powers that it then seems reluctant to use, such as the right to enter private homes in search of evidence. We still await in eager anticipation to see how it manages the first such intrusion into a domestic scene. In addition, it can call on the assistance of national authorities, some of whom have powers to go even further including bugging phones.
Why, then, does it on occasion pretend, or at least imply, to have powers that it does not possess? Two short examples illustrate.
First, on 16 September the Commission published an “explanatory note” regarding the conduct of dawn raids on company premises (see Sidley Austin’s update on the note here). The note includes an assertion that it has power to seize and inspect the private electronic devices of individuals. Seriously? How is that going to work?
Let’s imagine that I am an employee of a company being raided. Commission officials enter my office, see my iPhone (other devices are available) on my desk and demand to access it. I reply that my firm, in common with many, has a BYOD (bring your own device) policy, that I concluded a contract in my own name with the service provider and that this phone is my property. The fact that I may be reimbursed some of my costs doesn’t make it company property – the clue is in the “O” of BYOD. I am not an “undertaking” in EU law and so am not subject to EU competition law or the procedures that enforce it. I calmly put the device in my pocket and go for a coffee.
Of course, the Commission can in theory (see comments below) access any work emails from my office account that are on the company’s server. And perhaps the Commission is relying on some expectation that as part of its BYOD policy my firm could have reserved the right to inspect my device or records in order to ensure my compliance with other firm policies. But one wonders whether DG Comp has consulted its colleagues in the Data Privacy unit of DG Justice. EU data protection rules mean that a company cannot order an employee to hand over his or her personal device. Even the inspection of employee emails on a server needs to be done in line with the relevant national data protection laws, which in the case of a raid in the UK would include informing the employees of their rights and carrying out a privacy assessment to balance the various interests, including minimising any collection and disclosure of personal data. Has any of this been properly thought through?
I can envisage some entertaining stand-offs, with the officials trying to suggest that the company is refusing to fully cooperate with the investigation by failing to deliver something not within its control, and the individual standing his ground and refusing to hand over a device containing family photos, personal texts and address lists.
If such a power is to be sought, it needs a lot more thought (which may have been given) and explanation (which is totally lacking) as to why it is really needed, how it is to be exercised and what safeguards should be in place. And it hardly seems appropriate to entrust that power to officials without them having a lot more training in the issues that could arise and how to handle them sensitively. It is time to pause, have a proper consultation and look at this again.
The second example of over-reach is entrenched and widespread. As lawyers, we are frequently called up by clients who have received a “request for information” from the Commission. Very often, the first question I am asked is, “Do we have to reply?”. Such a question ought not to be necessary if the questionnaire and/or covering letter were clearer. But the practice of routinely attaching the rules on penalties for failure to comply with decisions, as well as the (at best) ambiguous covering language, lead companies to believe they are under some form of compulsion.
For example, a client received the following in a request under Article 18 issued in August this year:
This letter is a formal request for information made in accordance with Article 18(1) and (2) of Council Regulation (EC) No 1/2003, which empowers the Commission to require undertakings and associations of undertakings to provide all necessary information whether or not they are suspected of any infringement of the competition rules.
The above wording is carefully constructed to deceive. Yes, it is true that Article 18(1) refers to both information requests and decisions, and that the Regulation “empowers the Commission to require undertakings….to provide” information. However, that compulsion only arises when a decision is adopted under Regulation 18(3). The letter that the company is examining is more often a “simple request for information” under Article 18(2) which the company is entitled, if it wishes, to throw into the shredder. Penalties can only arise if it chooses to answer but then gives answers that are incorrect or misleading.
Just to reassure that this is not an isolated incidence, an information request from April this year used wording that was subtly different and even more misleading when it stated:
This letter is a formal request for information made in accordance with Article 18(2) of [the Regulation] which empowers the Commission…
The Regulation may indeed empower the Commission to demand information, but as the Commission well knows, Article 18(2) does not grant those powers in the context of a “simple” request.
I have in the past raised this with Commission officials and suggested they should revisit the form of these letters, so far without success. There must by now be widespread awareness within the House that the language used is at best confusing. Simply put, the Commission does have certain powers to compel delivery of information and if the circumstances justify such measures, it should issue a decision. On the other hand, if it is seeking voluntary cooperation, it should make that clear upfront. To persist with the current misleading practice does the institution no credit. It rightly criticises other bodies and corporations when they make excessive demands for data. Perhaps it could fix its gaze closer to home.
Stephen Kinsella is a partner at Sidley Austin LLP. The views expressed in this article are exclusively those of the author and do not necessarily reflect those of Sidley Austin LLP or its partners. This article has been prepared for informational purposes only and does not constitute legal advice.