EU Court Provides Ad Hoc Solution for Privacy Concerns in European Commission Competition Investigations

1. Background

EU Regulation 1/2003 grants the European Commission (the “Commission”) extensive powers to gather information from companies under investigation for alleged breaches of EU competition law. In particular, the Commission may conduct inspections of business premises (“Dawn Raids”) as well as make requests for information (“RFIs”) in order to gather evidence under Article 18(3) of Regulation 1/2003.

Article 18(3) provides that:

While the parameters surrounding the conduct of Dawn Raids have been subject to much consideration by both EU and national courts, RFIs have received somewhat less attention.

In that regard, on 29 October 2020, the General Court of the European Union (the “General Court”) delivered two judgements in Facebook Ireland v European Commission.1 The cases related to two separate RFIs issued by the Commission to Facebook, and relate to two separate antitrust investigations regarding Facebook Marketplace and Facebook’s data related practices respectively.

On issuing the RFIs in May 2020, the Commission also suggested to Facebook a separate procedure whereby any sensitive information unconnected to Facebook’s commercial activities would be placed in a virtual data room (“VDR”). Following an examination of those documents in the VDR by the Commission, it would then decide whether or not to place them in its file. Facebook considered this sensitive information to be personal information of its staff.

In July 2020, Facebook launched proceedings to have the Commission’s RFI set aside by the General Court. Separately, Facebook also made an application before the General Court for interim relief which would prevent the Commission from reviewing the contested documents pending the outcome of Facebook’s main proceedings against the Commission.

2. What is the Commission investigating?

The General Court’s judgments gave little insight into the alleged infringements of EU competition law by Facebook save that they relate to Facebook Marketplace and Facebook’s data-related practices. Media reports suggest however that the Commission’s Marketplace investigation relates to an alleged abuse by Facebook of it dominant market position through its tying of Facebook Marketplace to its social network.² The manner in which Facebook collects, processes and monetises data, such as for advertising, would appear to form the basis of the Commission’s data-related practices investigation.³

3. How many documents were at stake?

The Commission’s RFIs required Facebook to produce documents in its electronic servers relating to search terms selected by the Commission. These search terms were wide in nature and included frequent terms such as “big question”, “for free”, “shutdown”, “not good for us”, “advertising”, “grow”, “insight”, “advantage”, “looked at” and “quality”. As the General Court noted, it was “hardly surprising” such wide search terms produced documents which were not always relevant to the RFI.

In total, Facebook provided the Commission with 856,692 out of a total of 973,900 documents, leaving 117,208 documents subject to Facebook’s applications for interim measures.

Facebook categorised these 117,208 documents as falling into four broad categories:

1. documents relating to purely personal information of employees such as exchanges between employees and their families on personal matters as well as personal workplace issues such as requests for time-off and complaints;

2. documents relating to personal opinions and political engagement of employees and senior executives;

3. documents relating to Facebook’s right to privacy such as security assessments of its premises and documents concerning disputes between its employees; and

4. documents relating to Facebook’s business activities such as in relation to website content moderation and commercially sensitive matters concerning taxation issues and stock market announcements.

4. What did the General Court decide?

Briefly, the General Court began by noting that to succeed in an application for interim measures, an applicant must show that:

1. it has a prima facie case in law and fact;

2. the matter is urgent; and

3. the balance of competing interests favours the applicant.

An application for interim measures must fulfil all of the above conditions.

As regards the first requirement, the General Court concluded that Facebook had established a prima facie case that the Commission may have breached Article 18(3) of Regulation 1/2003.

In particular, Facebook argued that the volume of irrelevant documents required by the Commission’s RFI was unnecessary, and therefore a breach of Facebook’s rights of defence.

The General Court noted that similar protections apply to RFIs as apply to Dawn Raids. In that regard, while it is open to the Commission to identify among all of the documents those that are relevant to the investigation, the Commission must respect Facebook’s procedural rights.

In addition, the General Court also found that Facebook had established a prima facie case that the RFI could breach privacy rights protected by the EU’s Charter of Fundamental Rights and the European Convention on Human Rights (the “ECHR”) in the absence of procedural safeguards.

As regards urgency, the General Court noted that an applicant must show that it cannot await the outcome of the principal proceedings for relief without suffering “serious and irreparable damage”.

In that connection, Facebook successfully argued that without interim relief, the privacy rights of its employees stood to be breached. Facebook contended that many of the contested documents contained sensitive personal information relating to employees such as matters relating to political opinions and health, which it noted are subject to heightened protections under the EU’s General Data Protection Regulation (“GDPR”).

The General Court concluded that disclosure of such sensitive personal information to the Commission would be a breach, which a court could not remedy on conclusion of the substantive case between Facebook and the Commission.

Finally, the General Court weighed the risk of the Commission gaining access to sensitive personal data as against the Commission’s interest in enforcing EU competition law.

In that regard, the General Court concluded that an ad hoc review procedure would be the most suitable mechanism to balance both interests.

The General Court outlined its ad hoc procedure as follows:

1. identification by Facebook of documents containing sensitive personal data, which are to be sent to the Commission separately to any other documents;

2. placing by the Commission of those documents in a VDR, accessible to a limited number of the Commission’s investigation team, and only in the presence (physically or virtually) of an equivalent number of Facebook’s lawyers;

3. members of the Commission’s investigation team will review and select the documents to be placed on the Commission’s file, Facebook’s legal team will have the right to comment beforehand on that selection;

4. in the event of disagreement, the document will not be placed on file pending resolution, while the parties attempt to reach agreement;

5. failing this, Facebook’s lawyers may ask the Director for Information, Communication and Media at DG Competition (the Commission’s competition enforcement unit) to resolve any disagreement.

It is possible that the General Court’s ad hoc solution may serve as a template for the Commission’s approach when it issues RFIs in the future, which the Commission may commit to text in the form of a practice notice.

In addition, it is likely that the EU Courts will pay particular attention to sensitive personal data in order to ensure that the heightened restrictions placed on the processing of such data under GDPR are respected.

5. What is the approach in Ireland?

The Competition and Consumer Protection Act, 2014 grants the Competition and Consumer Protection Commission (the “CCPC”) important evidence gathering powers such as the right to conduct Dawn Raids and summon witnesses for examination under oath, as well as require witnesses to produce books, documents and records within their control. 

In CRH v CCPC, the Irish Supreme Court scrutinised, in particular, the CCPC’s Dawn Raid powers.⁴

In certain respects, Facebook Ireland v Commission bears a resemblance to CRH v CCPC, as the latter case also concerned review of irrelevant materials, by the CCPC following a Dawn Raid on CRH’s premises.

In particular, CRH contested seizure by the CCPC of over 100,000 emails of a former executive of one of its group companies, many of which were not relevant to the investigation.

The Supreme Court concluded that the CCPC could not review the email inbox in its entirety, as to do so would have been in breach of the right to privacy under the ECHR. In order for a review to proceed, both sides would need to agree on an “appropriate mechanism” to identify and separate materials irrelevant to the CCPC’s investigation.

Following the Supreme Court’s judgment, the CCPC published its “Privacy Protocol” which sets out the CCPC’s safeguards for privacy rights of businesses and individuals in the context of Dawn Raids.⁵

The Privacy Protocol states that where an individual asserts that seized information is protected by his or her right to privacy, the CCPC will establish a privacy review team. The team will comprise of employees of the CCPC not directly involved in the investigation, where possible. 

The team will review the alleged private material and decide whether it is in fact private. If the individual disagrees with the team’s decision, they can request that it be reviewed again.  If the individual disagrees with the final decision of the CCPC, the individual must take a legal challenge.

In contrast to the General Court’s solution, the Privacy Protocol does not provide a right for legal representatives of the party under investigation to be present during a review of relevant documents.

Also contributed by Niall Fitzgerald.