TITLE: The intersection between the Commission’s obligations to respect privacy and professional secrecy and its investigatory powers under Regulation 1/2003 in cartel cases

1

UNIVERSITY OF AMSTERDAM

MASTER THESIS INTERNATIONAL AND EUROPEAN LAW

TITLE: The intersection between the Commission’s obligations to respect privacy and professional secrecy and its investigatory powers under Regulation 1/2003 in cartel cases

RESEARCH QUESTION: To what extent do the Commission’s obligations under EU Privacy law may affect its powers of enforcing EU Competition law in cartel cases?

First and last name: Souzanna Omran E-mail: souzannaomran@gmail.com Student number: 12134155

Master track: European Competition Law and Regulation Name of supervisor: Dr. Laurens J. Ankersmit

2

TABLE OF CONTENTS

ABSTRACT………...………… 4

1. INTRODUCTION ……….6

1.1.Context and relevance ………...6

1.2.Objectives and research question ………...7

1.3.Methodology ………...8

2. THE IMPORTANCE OF EU PRIVACY LAW ………..8

2.1.The evolution of data protection in the European Union ………..8

2.2.The current data protection framework and Regulation 1725/2018………11

2.3.The protection of confidentiality and business secrets of a legal person as part of the protection of the fundamental right to privacy ………12

3. AN INTRODUCTION TO EU COMPETITION RULES ON CARTELS………...13

3.1.The enforcement of article 101 TFEU and the wide-ranging powers of the Commission under Regulation 1/2003 ………13

3.2.Limitations on the Commission's Investigatory Powers………15

4. THE INTERRELATION BETWEEN PRIVACY PROTECTION AND COMPETITION LAW IN THE CONTEXT OF CARTEL INVESTIGATIONS……….16

4.1.How do these two legal frameworks overlap in certain situations………16

4.2.Privacy in the context of Competition law investigations……….17

4.2.1. The application of Regulation 1725/2018 during cartel investigations…………17

4.2.2. The application of data quality and purpose limitation principles in the context of inspections. The tensions expressed and the need for improvement………19

4.2.3. From “Dow Benelux” to “Deutshe Bahn” -A shift in the approach towards the broad investigative powers of the Commission………..22

4.3. The obligation of the Commission to respect the EU Charter during cartel investigations ………25

3

4.5.Remedies available to data subjects against the Commission in case of non-compliance with data protection law in the context of cartel investigations ………29 4.6.The right of the investigated party to access the file; A balance between the right of the investigated undertaking to defense and the Commission’s obligation to respect business secrets……….34 4.7.Data room practice in the EU, an effective procedural tool in cartel investigations………35 5. CONCLUSIONS………38 6. BIBLIOGRAPHY………..41

4

ABSTRACT

The aim of this research is to assess the intersection between the obligations of the Commission under EU Privacy law and its powers under EU Competition Law. The examined issue constitutes a matter of great significance with regard to the notion of EU’s effort to balance its obligation to promote fundamental rights, such as the one to privacy, with that to enforce economic policies and enhance competition in the markets. Although there are commonalities between these two legal frameworks, as they share an interest in protecting the individual, there are also distinct methods and aims that must be acknowledged. It appears to be that privacy protection as a fundamental right may constitute an “external constraint” on competition law which in certain circumstances can prevent or shape its application. This research seeks to identify whether and up to what extent any limits are placed by data protection law on the Commission with respect to the collection and further processing of personal data in the context of cartel investigations.

Towards the aim of answering the research question, the classical legal research method will be employed. The research will fundamentally focus on legislation, scholarship, relevant case law as well as administrative and executive materials which will help answering the research question.

The research begins with a brief discussion of the importance and the evolution of Privacy Law in the EU and an introduction to the EU competition rules on cartel cases. It then focuses on the intersection of the two legal frameworks in the context of cartel investigations. It analyses the legal framework which -recently entered into force- Regulation 1725/2018 sets out, as well as the changes it brought about. The obligation of the Commission to respect the rights provided for by the EU Charter is demonstrated as well. Key data protection principles such as the lawfulness of data processing, data quality, and the purpose limitation in the context of competition enforcement are analyzed. Moreover, the research discusses how data subjects’

5

and undertakings’ rights apply in this context, and the possibilities of effective judicial remedy when the right to privacy as provided for in the EU Charter is violated. Special reference is made to the introduction of high monetary sanctions against the Commission for non-complying with privacy rules as a remarkable modification of the new data protection framework.

What is more, the research discusses Commission’s obligation to respect professional secrecy of third parties involved in the investigations and the balance maintained with the right of the investigated party to defense by accessing the file. The data room practice appears to be a useful procedural tool towards this endeavor to maintain a balance.

The research concludes that a more holistic approach of the two legal frameworks should be pursued and judicial remedies be more effective. Balancing its extensive discretionary powers with complying with privacy and professional secrecy protection in the context of cartel investigations is not always easy for the Commission. However, the new legal framework and the Commission’s intention to implement it properly as demonstrated in its Privacy Statement are definitely steps into the right direction.

6

1. INTRODUCTION 1.1. Context and relevance

The legal framework of the European Union (‘EU’) safeguards the protection of privacy in various substantial provisions. Article 8 ECHR1 _{protects the right to privacy, namely the right}

to ‘private life’ while under the case law of the European Court of Human Justice (‘ECHtR’) activities of a professional or business nature are not excluded from the notion of ‘private life’. Moreover, article 16 of the Treaty on the Functioning of the European Union (‘TFEU’)2 provides an explicit legal basis for EU data protection legislation, which seeks to ensure the free flow of personal data while respecting the fundamental rights to privacy. The right to data protection is clearly set out in article 8 of the EU Charter of Fundamental Rights3 _{as well.}

The General Data Protection Regulation (‘GDPR’)4 _{entered into force in 2018, seeks to clarify}

existing privacy rights and obligations of a natural or legal person, public authority, agency or other body which processes personal data, while introducing changes to improve compliance and enforcement. Moreover, Regulation 2018/17255 lays down the data protection obligations for the EU institutions and bodies when they process personal data and develop new policies. Interestingly, not only the natural person is protected in its privacy through EU law, but the legal person as well. In particular, the EC Treaty6 contained article 287, namely a provision on the protection of confidential commercial information of undertakings (now article 339 TFEU7, after the amendment of the ‘Treaty establishing the European Community’ by the ‘Treaty on the Functioning of the European Union’).

1_{European Convention for the Protection of Human Rights and Fundamental Freedoms, Sept. 3, 1953, ETS 5,} 213 UNTS 221. (ECHR)

2_{Consolidated versions of the Treaty on European Union (TEU) and the Treaty on the Functioning of the} European Union (TFEU) [2016] OJ C202/01

3_{Charter of Fundamental Rights of the European Union, OJ 2010 C 83/389 (EU Charter)}

4 _{Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of} natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, ‘GDPR’), OJ 2016 L 119/1

5 _{Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection} of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (Regulation 1725/2018), OJ 2018 L 295

6 _{Consolidated version of the Treaty establishing the European Community [2002] OJ C 325}

7

As far as EU Competition law is concerned, article 101(1) of the Treaty on the Functioning of the European Union (TFEU) prohibits any agreement or concerted practice between undertakings which has as its object the distortion of competition and which has an effect on trade between Member States.8 _{Cartel activity is considered to be confined to the most serious}

forms of infringement.

The European Commission (‘the Commission’) possesses powers to enforce article 101 TFEU, granted to it by Council Regulation 1/2003 (‘Regulation 1/2003’)9. Regulation 1/2003 grants to the Commission wide-ranging powers to investigate suspected cartels, including the power to collect information as well as to impose a fine to the undertaking concerned and order that the illegal agreement be brought to an end.

The targets of an antitrust investigation will be undertakings or Member States and not individuals. However, necessary information that is collected and further processed by the Commission pursuant to its investigatory powers unavoidably includes personal data.

Since the scope of the enforcement of competition law is remarkably broad, the implementation of the enforcement procedure should proceed in a fair and transparent manner, in line with the rule of law. The Commission must therefore protect the privacy of individuals and the professional secrecy of all undertakings concerned. The procedural Regulations, EU Charter, as well as case-law of the European Courts set out clear limits to the investigatory powers of the Commission.

1.2. Objectives and research question

The aim of this research is to assess the intersection between the obligations of the Commission under EU Privacy law and its powers under EU Competition Law. The examined issue constitutes a matter of great significance with regard to the notion of EU’s effort to balance its obligation to promote fundamental rights, such as the one to privacy, with that to enforce economic policies and enhance competition in the markets.

8 _{TFEU, supra n. 2, article 101}

9_{Council Regulation (EC) No 1/2003 of 16 December 2002 on the implementation of the rules on competition} laid down in Articles 81 and 82 of the Treaty [2003] OJ L 1/1 (Regulation 1/2003)

8

The present research aims to envisage the coherence of the two legal frameworks: In particular, it has to be identified how a more holistic approach to their application can be achieved and in what way the two frameworks build upon and strengthen each other.10

1.3. Methodology

Towards the aim of answering the research question, the classical legal research method will be employed. In order to reach a conclusion other sub-questions will be answered. First, how the protection of natural persons with regard to the processing of their personal data by the EU institutions as provided for in the EU Charter and Regulation 2018/1725, might shape or even limit the extensive investigatory powers of the Commission. I shall analyze the data subjects’ and the undertakings’ rights during the cartel investigations as well as the judicial remedies available to them. Moreover, account should be taken of the balance needed between the professional secrecy obligations of the Commission and the rights of the investigated parties to defense (i.e. the right to access the file).

Following a brief discussion of the evolution of EU Privacy Law and the competition rules on cartel cases, this research will focus on the intersection between Privacy and Competition law, with regard to what limitations may the first regime pose to the second one.

The research will fundamentally focus on legislation, scholarship, relevant case law as well as administrative and executive materials which will help answering the research question. It is upon this study that conclusions will be made, considering whether balance is maintained between the obligations and the powers of the Commission.

2. THE IMPORTANCE OF EU PRIVACY LAW

2.1. The evolution of data protection in the European Union

10_{Inge Graef, Damian Clifford and Peggy Valcke, ‘Fairness and Enforcement: Bridging Competition, Data} Protection and Consumer Law’ (2018) 8(3) International Data Privacy Law 200,223 < https://academic-oup-com.proxy.uba.uva.nl:2443/idpl/article/8/3/200/5198972> accessed July 2019

9

The right to privacy (family, home and correspondence) is a fundamental human right firstly recognized in the Universal Declaration of Human Rights (‘UDHR’)11, back in 1948.

In 1950, Article 8 of the European Convention on Human Rights (‘ECHR’)12, followed the universal approach and provided for the right to privacy and family life, mentioning, specifically, the prohibition of interference by public authorities. All EU Member States are part of the ECHR, thus, any breach can be taken to the European Court of Human Rights (‘ECtHR’).

ECHR and ECtHR are part of a different legal system to the EU. They are both part of the Council of Europe which has 47 member states. The European Union (EU) consists of 28 Member States. The Court of Justice of the European Union, sometimes referred to as the European Court of Justice, is the body responsible for overseeing compliance with EU law in the EU.13

Neither of the founding treaties of the European Communities included any reference to fundamental rights. The communities were established first and foremost to make it easier to sell goods and conduct other forms of business between the participating countries. Whilst human rights protection was not originally part of the system of the EU, over the years, in its case law the European Court of Justice started to treat such rights as unwritten 'general principles of Community law', thereby granting them the status of primary law. As for the source of these general principles of Community law, the Court referred to the common constitutional traditions of the Member States, and to international treaties to which at least a majority of Member States were party, in particular the above-mentioned ECHR.

When the European Union was formally established by the Treaty of Maastricht (1992), this case law of the Court of Justice was codified in the new Treaty on European Union14 _{in its}

Article 2(2)and ECHR served as a source of fundamental rights in the form of general principles in the EU legal system. Indeed, even the entry into force of the Charter of

11 _{Universal Declaration of Human Rights (adopted 10 December 1948 UNGA Res 217 A(III) (UDHR) art.12} 12 _{European Convention for the Protection of Human Rights and Fundamental Freedoms, Sept. 3, 1953, ETS 5,} 213 UNTS 221. (ECHR)

13 _{‘What’s the difference between the European Convention on Human Rights, the European Court of Human} Rights and the European Court of Justice?’ The UK in a changing Europe < https://ukandeu.ac.uk/fact- figures/whats-the-difference-between-the-european-convention-on-human-rights-the-european-court-of-human-rights-and-the-european-court-of-justice/> accessed July 2019

10

Fundamental Rights (EU Charter)15 as a binding legal act in 2009 did not, deprive the ECHR of its fundamental role in the EU legal system.

Thus, the EU and Council of Europe systems are intertwined because the ECHR lies behind many of the general principles of EU law and its provisions have been used as a basis for the EU’s Charter of Fundamental Rights.16 _{Therefore, although the EU has not yet acceded to the}

ECHR, EU institutions, including the Commission have to comply with rights such as the one to privacy as provided for in the ECHR. Provided that the EU finally accedes to the ECHR, it will become subject, as regards respect for fundamental rights including privacy, to review by the ECtHR.17

The Council of Europe Convention 10818 was the first and still only legally binding international instrument concerning data protection specifically. It was opened for signature long before the era of the internet and electronic communications. Thus, In May 2018, the Council of Europe adopted a Protocol (CETS No. 223)19 amending the Convention 108 so that it becomes up to date.

The amending Protocol introduces the conditions for the future accession to the Convention by the EU. Indeed, in May 2019, the Member States ratified, in the interest of the Union, the amending Protocol insofar as its provisions fall within the exclusive competence of the Union.. Once the EU accesses the modernized Convention 108, all its institutions will become bound by its updated provisions concerning the right to protection of personal data and will be required to act accordingly when data processing is at stake. EU institutions are expected to follow uniform privacy protection standards when exercising their duties.

15 _{Charter of Fundamental Rights of the European Union, OJ 2010 C 83/389 (EU Charter)}

16 _{2017/2089 (INI) Implementation of the Charter of Fundamental Rights of the European Union in the EU}

institutional framework

<https://oeil.secure.europarl.europa.eu/oeil/popups/printficheglobal.pdf?id=683319&l=en> accessed July 2019 17 _{Rafal Manko ‘EU accession to the European Convention on Human Rights (ECHR)’ (European Parliament}

Think Tank, 6 July 2017)

<http://www.europarl.europa.eu/thinktank/en/document.html?reference=EPRS_BRI%282017%29607298> accessed July 2019

18 _{Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data [1981] ETS} 108

19_{Protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of}

Personal Data [2018] CETS No.223 < https://www.coe.int/en/web/conventions/full-list/-/conventions/rms/09000016808ac918> accessed July 2019

11

In 1998, greatly influenced by the Convention 108, the first EU Directive 95/46/EC20 concerning data protection came into force. It treated data protection as a part of the human right to privacy. Since the 1995 Directive was addressed only to the Member States, it was necessary to ensure that data protection rights were respected by EU institutions as well. In order to accomplish that, the Regulation 45/200121 _{laid down the obligations for the}

EU institutions when they process personal dataand established the European Data Protection Supervisor (‘EDPS’) who is tasked to ensure that the right to privacy is respected by European institutions and bodies.

In 2000 the Charter of Fundamental Rights of the European Union (‘EU Charter’)22_{, based on}

the ECHR and other European and international instruments, was proclaimed. In 2009 it gained

the same legal value as the treaties with the Lisbon Treaty.23 The EU Charter protects the right to privacy and family life, in article 7. Moreover, article 8 enshrines the right to the protection of personal data as a different right, a distinction which implies the importance of data protection, already at that time.24

2.2. The current data protection framework and Regulation 1725/2018

Over the last 25 years, the rapid evolution of technology has affected our lives and privacy tremendously. Thus, a review of the rules of privacy in the EU legal framework was necessary.

In 2016, the EU adopted the General Data Protection Regulation (GDPR)25, which replaced the 1995 Directive. The GDPR, reinforces a wide range of existing rights, establishes new ones for individuals and clarifies the obligations of a natural or legal person, public authority, agency or other body which processes personal data.

20 _{Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of} individuals with regard to the processing of personal data and on the free movement of such data [1995] OJ L 281

21 _{Regulation (EC) No 45/2001 Of The European Parliament And Of The Council of 18 December 2000 on the} protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data [2000] (Regulation 45/2001) OJ L 8/1

22 _{EU Charter supra n. 15}

23 _{Treaty of Lisbon Amending the Treaty on European Union and the Treaty Establishing the European} Community [2007] OJ C 326, article 6(1)

24 _{Handbook On European Data Protection Law (Publications Office of the European Union 2014), p.14-21} 25 _{Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of} natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, ‘GDPR’), OJ 2016 L 119/1

12

In 2017 the EU proceeded to the reform of Regulation 45/2001 to align it to the new rules established by the GDPR.26 Regulation 1725/201827 establishes a coherent framework on the protection of individuals with regard to the processing of personal data by the EU institutions, while enhancing the competences of the European Data Protection Supervisor (‘EDPS’).28

The processing of personal data during cartel investigations triggers the application of Regulation 1725/2018. The Commission, therefore, needs to engage in the appropriate mechanisms in order to ensure a balance between the rights of the data subjects and the efficiency of competition investigations.

2.3. The protection of confidentiality and business secrets of a legal person as part of the protection of the fundamental right to privacy

The obligation of the protection of confidentiality and business secrets, namely "professional secrecy" under EU law applies to all EU institutions. Professional secrecy provided for by article 339 TFEU,29 entails the general obligation not to disclose information received in an official capacity. In particular, article 339 TFEU expresses a general principle also applying in the course of the Commission’s investigations, where undertakings have a right to protection of their business secrets. In Akzo Chemie BV v. Commission, the Court held that the protection of business secrets constitutes a general principle of EU law.30

The evolution of this principle illustrates the development of the fundamental rights in the EU. In Varec31 the Court although not explicitly referring to the relevant article, went further by raising the protection of confidentiality and business secrets to the status of a fundamental right by finding that it formed part of the protection of privacy under Article 8 ECHR.32

26_{EY France, ‘Evaluation study on Regulation (EC) 45/2001-Final report’ (2015)} <https://ec.europa.eu/newsroom/just/document.cfm?action=display&doc_id=40695> accessed July 2019 27 _{Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection} of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (Regulation 1725/2018), OJ 2018 L 295

28 _{Ibid, Chapter VI}

29 _{Consolidated versions of the Treaty on European Union and the Treaty on the Functioning of the European} Union (TFEU) [2016] OJ C202/01, art. 339

30 _{Case-53/85 AKZO Chemie and AKZO Chemie UK v Commission [1986] ECR 1965 (‘AKZO Chemie’), para.} 28; Case C-36/92 P SEP v Commission [1994] ECR I-1911, para. -36, and Case T-36/91 ICI v Commission [1995] ECR II-1847, para. 98

31 _{Case C-450/06 Varec SA v. Belgian State [2008] ECR I-581} 32 _{Ibid para 48}

13

Information covered by the obligation of professional secrecy must be known to a limited number of persons and falls within two categories: business secrets and other confidential information.33 Business secrets may include the technical and/or financial information relating to an undertaking’s know-how, production secrets and processes, supply sources, quantities produced and sold, market shares, marketing plans, sales strategy etc.34_{The category "other}

confidential information" includes information other than business secrets, which may be considered as confidential, insofar as its disclosure would significantly harm a person or undertaking. This may apply to information provided by third parties about undertakings which have the power to put economic or commercial pressure on their competitors or on their trading partners, customers or suppliers. In such circumstances the particular information and the third parties which disclosed it, need to be protected.35

3. AN INTRODUCTION TO EU COMPETITION RULES ON CARTELS

3.1. The enforcement of article 101 TFEU and the wide-ranging powers of the Commission under Regulation 1/2003

Article 101 TFEU36 prohibits restrictive agreements between independent market operators acting either at the same level of the economy (horizontal agreements), often as actual or potential competitors, or at different levels (vertical agreements), mostly as producer and distributor. It also precludes decisions by associations of undertakings and concerted practices. These three types of coordinated market behaviour fall into the ambit of EU competition law if they may affect trade between Member States to an appreciable extent and if they have as their object or effect the prevention, restriction or distortion of competition within the internal market.37

33 _{Case T-353/94 Postbank v Commission [1996] ECR II-921, para. 86} 34 _{Ibid para 87}

35 _{Peter Oliver, ‘The protection of privacy in the economic sphere before the European Court of Justice’ (2009)}

46 (5) Common Market Law Review 1443,1483

<http://www.kluwerlawonline.com.proxy.uba.uva.nl:2048/document.php?id=COLA2009060> accessed July 2019

36 _{Consolidated versions of the Treaty on European Union and the Treaty on the Functioning of the European} Union (TFEU) [2016] OJ C202/01 art. 101

14

Since the EU competition rules are part of the TFEU, they are in line with the treaty’s much wider policy objectives of creating and maintaining the EU single market, “an ever closer union” among the peoples of Europe. Given this context, any attempts by businesses to partition the EU’s internal market along national or other territorial lines or to impose export bans within the EU will be viewed as severe “hardcore” infringements of the competition rules. Other “hardcore” infringements under the competition rules include price fixing (and resale price maintenance) and other market sharing agreements (e.g. customer allocation between competitors) and in particular, arrangements that may be characterized as cartels.38

Arrangements involving “hardcore” price fixing or market sharing which are presumed to have negative market effects, will attract scrutiny if they come to the attention of the competition authorities. Therefore, battling severe anti-competitive conduct requires well-organized strategies adopted by the Commission and the national competition authorities.

Since the late 90’s the Commission has repeatedly reaffirmed its commitment to detecting and punishing “hardcore” anti-competitive conduct, increasing the number and intensity of its investigations and imposing record fines. In order to enable the Commission to focus on such severe anticompetitive conduct, which most likely harms the function of the established internal market, compared to other breaches of competition law, Regulation 1/200339 grants to it expansive investigative powers.40

The Commission may initiate the investigative process on its own or based on a complaint so long as it has reason to believe that an undertaking or undertakings may be infringing EU competition law. The two principal investigative techniques available to the Commission are the powers to receive information and to conduct on-site inspections.

The Commission may make a request for information either informally or formally. Informal requests are initiated through a "simple request" for information and are non-binding. In contrast, formal requests are binding and mandatory. They are issued through a "decision" and

38_{Slaughter and May, ‘An overview of the EU Competition rules’ (2006)} <https://www.slaughterandmay.com/media/64569/an-overview-of-the-eu-competition-rules.pdf> accessed July 2019

39 _{Council Regulation (EC) No 1/2003 of 16 December 2002 on the implementation of the rules on competition} laid down in Articles 81 and 82 of the Treaty [2003] OJ L 1/1 (Regulation 1/2003)

40 _{Slaughter and May ‘The EU Competition rules on cartels. A guide to the enforcement of the rules applicable to} cartels in Europe’ (2018) <https://www.slaughterandmay.com/media/64584/eu-competition-rules-on-cartels.pdf> accessed July 2019

15

are subject to possible review by the Court of first Instance.41 Typically, a request will require an undertaking to provide documents in its possession and/or to provide information.

Moreover, articles 20(1) & (2) of Regulation 1/2003 allow the Commission to conduct inspections of undertakings.42 _{When sufficient suspicions have been developed, the}

Commission along with “other accompanying persons” may enter and search business premises, question personnel and take away information, stored in the form of paper or electronically.43 Inspections initiated by formal decision are sometimes referred to as "dawn raids." The key attribute of this type of inspection is that Commission officials appear unannounced at the beginning of the business day at the undertaking's premises while the company faces one of the most intrusive experiences.44

3.2. Limitations on the Commission's Investigatory Powers

Albeit its above-mentioned broad investigatory powers under Regulation 1/2003, while using them, the Commission is required to observe the general principles and rights prescribed by EU law.

First, it can be observed that arts. 20(8), 21(2), 21(3) and recitals 27-29 of Regulation 1/2003 codify the judgement delivered by the ECJ in Roquette case45 regarding the principle of proportionality and the protection against arbitrary investigations. These principles delimit Commission’s broad investigatory powers.46 _{In Roquette, the ECJ held that under the principle}

of proportionality, the Commission must provide the national court reviewing the case with a reasonable and substantiated explanation of the factual information and evidence that give rise to its suspicions. Furthermore, the principle against arbitrariness requires that the Commission proves that the measures are appropriate and not intolerable towards the purpose of the investigation.

41 _{Regulation 1/2003 supra n.39, art. 18(1)} 42 _{Ibid arts 20 (1) & (2)}

43 _{Ibid art. 20(2)}

44_{Borenius law firm “Mock Dawn Raids” <} https://www.borenius.com/services/competition-public-procurement/mock-dawn-raids/> accessed July 2019

45 _{Case C-94/00 Roquette Frères, SA v. Directeur Général de la Concurrence, de la Consummation et de la} Répression des Frauds and Commission [2002] E.C.R. I-9011

46 _{Laurent Garzaniti, Jason Gudofsky and Jane Moffat, ‘Dawn of a new era? Powers of investigation and} enforcement under regulation 1/2003’ (2004) 72(1) Antitrust Law Journal 159,207 < https://www-jstor-org.proxy.uba.uva.nl:2443/stable/40843620?seq=3#metadata_info_tab_contents> accessed July 2019

16

Articles 12(2) and 28(1) of Regulation 1/200347 set limits on the use of information collected pursuant to the Commission's powers of investigation. This information can be used only for the purpose of the enforcement of competition law.

Besides, the right to defense, and all that it entails, constitute a pillar of any legal proceeding that has the slightest claim to fairness, and is well established in the European Convention on Human Rights48. It can thus constitute another limitation on the Commission’s extensive investigatory powers. For the legal proceeding of the investigation to be conducted on an equal playing field, the right of the suspected undertaking to defense must primarily be safeguarded. In order for an undertaking to exercise this right in full capacity, it must have: (i) the right to be heard, namely the opportunity to provide its responses and put forth its defenses (ii) the right to counsel, namely the right to consult its counsels (According to the legal professional privilege the communications of independent EU counsels with their clients may not be disclosed), (iii) the privilege against self-incrimination, namely the right to refuse to answer questions where it would require it to admit to the infringement that the Commission is seeking to establish and (v) the right to good administration, namely the right to impartial and fair legal proceedings.49

4. THE INTERRELATION BETWEEN PRIVACY PROTECTION AND COMPETITION LAW IN THE CONTEXT OF CARTEL INVESTIGATIONS 4.1. How do these two legal frameworks overlap in certain situations

The recent complicated forms of commercial conduct combined with the ongoing revolutionary development of technology have led to the intersection between different legal fields that are traditionally applied and enforced in isolation. Noticeably, the growing interaction between competition and privacy is of great significance.

As they are both areas of EU law, they complement each other and they share an interest in the protection of the individual. While data protection law aims to protect the privacy data subjects

47 _{Regulation 1/2003, supra n. 39 arts. 12(2), 28(1)}

48 _{European Convention for the Protection of Human Rights and Fundamental Freedoms, Sept. 3, 1953, ETS 5,} 213 UNTS 221. (ECHR)

17

including the safeguard of a secure and fair personal data processing environment, competition law contributes to a fairer society keeping markets competitive, setting lower prices, improving quality and by extent protecting consumers against distortions of competition. Hence, competition and data protection have to go hand in hand in order to adequately protect individuals’ interests. Up to this point, it is obvious that the target of fairness is of great importance in both regimes.50

Naturally, the overlaps between these two fields as regards their substantive principles are particularly apparent in relation to practices involving the collection and use of personal data of individuals or confidential information of undertakings. The processing of personal data triggers the application of EU data protection rules including the GDPR51 _{and Regulation}

1725/2018.52 _{We should now turn to the particular overlaps of the two frameworks when the}

Commission conducts an investigation of competition infringement under Regulation 1/2003.53

4.2. Privacy in the context of Competition law investigations

4.2.1. The application of Regulation 1725/2018 during cartel investigations

Privacy protection rules apply to public authorities, including competition authorities such as the Commission and companies. The relevant legal instrument at EU level aiming to protect personal data processed by EU institutions and bodies in the exercise of activities within the scope of EU law is Regulation 1725/2018.54 It thus applies to the Commission when conducting its cartel investigations.

50 _{Inge Graef, Damian Clifford and Peggy Valcke, ‘Fairness and Enforcement: Bridging Competition, Data} Protection and Consumer Law’ (2018) 8(3) International Data Privacy Law 200,223 < https://academic-oup-com.proxy.uba.uva.nl:2443/idpl/article/8/3/200/5198972> accessed July 2019

51 _{Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of} natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, ‘GDPR’), OJ 2016 L 119/1

52 _{Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection} of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (Regulation 1725/2018), OJ 2018 L 295

53 _{Council Regulation (EC) No 1/2003 of 16 December 2002 on the implementation of the rules on competition} laid down in Articles 81 and 82 of the Treaty [2003] OJ L 1/1 (Regulation 1/2003)

18

Commission investigations in the field of competition target undertakings or Member States and not natural persons as such. Nevertheless, during competition investigations, personal data within the meaning of Regulation 1725/2018 are inevitably processed.55

Indeed, Regulation 1725/2018 defines personal data as: “any information relating to an

identified or identifiable natural person”.56 _{Processing, namely “any operation or set of}

operations which is performed upon personal data,”57 covers the whole life cycle of personal data from collection to deletion and data protection rules must therefore be respected throughout all stages of an investigation. In the event of cartel investigations, the controller who “determines the means of processing of personal data”58 _{will typically be the}

Directorate-General for Competition (DG Competition) of the Commission which is responsible for the antitrust enforcement in the EU. The processor who processes personal data on behalf of the

controller”59 _{will be the specific investigation and forensics teams or trained staff.}

Pursuant to article 5 of Regulation 1725/2018 all data processing must be based on one of the exhaustively referred legal grounds that make such processing legitimate. The Commission usually relies on the so-called public interest criterion as legal bases for data processing. DG Competition has issued a Privacy Statement60, concerning the application of Regulation 1725/2018. This Privacy Statement reaffirms the “data quality principle”61 according to which the personal data collected and processed should be adequate, relevant, accurate and not excessive. This principle is closely linked to the “purpose limitation” principle, pursuant to which personal data must be collected for a specific purpose and may not be further processed for incompatible purposes.62

55_{Commission Decision (EU) 2018/1927 of 5 December 2018 laying down internal rules concerning the} processing of personal data by the European Commission in the field of competition in relation to the provision of information to data subjects and the restriction of certain rights [2018] OJ L 313/39, (Commission Decision 1927/2018) recital 2

56 _{Regulation 1725/2018 supra n. 52, art. 3(1)} 57 _{Ibid art. 3(3)}

58 _{Ibid art. 3(8)} 59 _{Ibid art 3(12)}

60_{European Commission Competition Directorate-General Privacy Statement} <http://ec.europa.eu/competition/general/privacy_statement_antitrust_en.pdf> accessed July 2019

61 _{Regulation 1725/2018 supra n. 52, art. 4c, d} 62 _{Ibid art. 4b}

19

4.2.2. The application of data quality and purpose limitation principles in the context of inspections. The tensions expressed and the need for improvement

In the course of unannounced inspections (the so-called dawnraids), the Commission typically reviews company records and search employees’ e-mails and electronic files and records. Its investigatory tasks may empower it to make hard and/or soft copies of relevant documents or even seize entire hard disks. Various updated types of software allow searching larger volumes of data in a much shorter time period in order to analyze or process data to establish the likelihood of the existence of an infringement of competition. Documents, files and other records – whether stored electronically on a server, a computer or a mobile phone, or physically in a cupboard or paper archive – gathered in cartel investigations will frequently contain personal data relating to employees of companies that are subject to an investigation or business secrets and confidential information of the investigated companies or third parties, including suppliers, customers or competitors. Collecting, accessing, and reviewing these records constitutes data processing, thus triggering the application of data protection law.

Consequently, competition law investigations have become increasingly data intensive. Naturally, the question raised is whether such intrusions of the Commission’s investigative powers are compatible with data protection rules.

Once at the business premises, the Commission’s officials start by locating the target devices and extracting possible relevant files, which will be reviewed for relevance so that it can be determined whether they constitute legally privileged or private documents. As discussed in chapter 3, section 3.2 certain communications between lawyer and clients may, subject to strict conditions, be protected by legal professional privilege (also referred to as ‘LPP’) and thus be confidential as regards the Commission.The principle is limited in the EU to dealings between clients and independent lawyers, Generally, this has been interpreted to exclude in-house lawyers.63

Commission officials will tag any relevant documents and only these will subsequently be copied and taken to Brussels for investigation in the presence of the undertaking’s

63 _{Commission Notice on best practices for the conduct of proceedings concerning Arts. 101 and 102 TFEU [2011]} OJ C 308/6, para. 51

20

representatives. The DG Competition’s practice of digital evidence gathering64 also states that a company representative has the right to point out which documents are likely to be private and the inspectors will subsequently judge and assess the validity of the claim. If approved, these documents are excluded from the copy process. In case of disagreement, a formal protest can be made and the sealed envelope or ‘continued inspection’ procedure would apply.65

Albeit the safeguards provided by the relevant legal instruments one may doubt the transparency of the procedure as a whole. In fact, the Commission’s officials enjoy wide discretion in selecting which documents are considered relevant for the investigation’s purposes and the undertaking’s views may thus be undermined. The company may always challenge the scope of the decision, if there are grounds for doing so. Nevertheless, the legal framework and the case law of the Court as we shall see, do not strictly define the legal position of the investigated party if the inspectors take copies of documents which are outside the scope of the decision.

Moreover, since the inspectors have the right to make copies of entire hard disks, when it is not possible to study the content of the documents at the business premises, it goes without saying that large amounts of irrelevant data will inevitably be copied and reviewed irrespective of the purpose of the investigation. It has not been clarified how far it is permissible to copy the electronically stored information (ESI) provisionally merely for the purpose of analysing it, even if the documents not being kept are later wiped. This would in any case allow the Commission to look at documents outside the legitimate scope of the decision and undermine the purpose limitation principle. The Commission should copy or examine only as much of the ESI as seems likely to be relevant. A potential solution would be that the Commission may only look at the headings and not the content of such documents to confirm that they indeed fall outside the scope of the investigation, in the presence of the company’s lawyers.

Another flaw noticed in the process is that the scope of the investigation, given to the Commission’s decision is in fact determined by the officials who choose and apply the search terms under which the processing of data will be conducted. Therefore, if a search term used, fell outside the scope of the decision, documents copied accordingly would be copied illegally, even if they are not retained in the end. The larger the volume of ESI that is being analysed,

64 _{Nathalie Jalabert-Doury, Dirk Van Erps, ‘Digital evidence gathering: An update’ (2013) 2 Concurrences art.} No 52013, pp. 213-219 < https://www.concurrences.com/en/review/issues/no-2-2013/legal-practice/digital-evidence-gathering-an-update> accessed July 2019

21

the most likely it is that any given search term will occur in many documents that have no relevance as evidence.

Unless the search terms specified unrelated products, or named an employee never concerned with the products being investigated, the review process on behalf of the Court will face difficulties. Actually, the Court will not have the necessary evident to determine if a search term was so obviously irrelevant that it was illegal to use it. Precisely because search terms most of the time lead to the selection of documents outside the scope of the inspection decision, a reform of the legal framework appears to be essential. Legal rules are those which will circumscribe the limits and the focus of the inspections as far as possible and ensure that documents selected initially by search terms are not later copied unnecessarily and without legal justification.

The company should be entitled to know what kinds of documents are being provisionally copied for analysis, and what search terms are being used. The disclosure of search terms is the only way that the company knows whether the inspector operates the software within the scope of the decision. What is more, disclosure of search terms would make judicial review more effective and reduce the need to examine every document being copied, and therefore the time taken by the inspection. Thus, the inspection would be more efficient and article 8 of EU Charter concerning data protection respected. If the company knows the search terms, it can cooperate more easily and identify documents that are relevant for the investigation. 66

However, the Commission’s position concerning the procedure as demonstrated in Explanatory Note67 appears to be rather vague and not providing sufficient safeguards for the privacy of the investigated parties. Surprisingly, it makes no reference to the limits of the officials’ powers in order to show that throughout inspections Article 7 of the Charter and the principle of proportionality will be respected.

What is more, it is not always assured that the Commission takes due care to delete personal data from seized documents unless it is requested to do so, while it reserves the right under certain circumstances to invoke an exemption or restriction to the application of the data quality

66 _{John Temple Lang, “Legal problems of digital evidence” (2014) 2(1) Journal of Antitrust Enforcement 44,} 68,<https://doi.org/10.1093/jaenfo/jnt007> accessed July 2019

67 _{Explanatory note to an authorization to conduct an inspection in execution of a Commission decision under}

Article 20(4) of Council Regulation No 1/2003 (2015)

22

principle. It is therefore understood that albeit the legitimacy seeked by the relevant instruments concerning the cartel investigations, the wide discretionary powers of the Commission may in practice take precedence over the privacy rights of the undertakings.68

4.2.3. From “Dow Benelux” to “Deutshe Bahn” -A shift in the approach towards the broad investigative powers of the Commission

Regarding the “purpose limitation” principle and the proper use of personal data that it requires, in practice it is often questioned whether copied data is used for other purposes than initially foreseen. This risk is demonstrated in the following further analyzed two cases of relevant case law of the Court of Justice of the European Union.

In Dow Benelux case69_{, due to the suspicion of the existence of a cartel between certain}

competitors in the Community, the Commission decided to carry out an investigation into relevant undertakings including Dow Benelux. The latter raised objections against the conduct of the investigation by the inspectors, stating that the Commission issued its decision using the information obtained during an earlier investigation in another undertaking.

The Court held that information which is obtained during an investigation should not be used for another purpose than that mentioned in the authorisation to investigate or the order of investigation.70 The Court however went on to establish an exception to this principle by stating that its application does not mean that the Commission would be prohibited from initiating a procedure of investigation in order to verify the correctness or to complement data which incidentally became known to it during an earlier investigation.71_{According to the Court, such}

a bar would hinder the protection of competition and go beyond the necessary protection of the rights of the undertaking.72

68 _{Monika Kuschewsky and Damie Geradin, “Data Protection in the Context of Competition Law Investigations:} An Overview of the Challenges.” (2014) 37(1) World Competition 69,102 <http://www.kluwerlawonline.com.proxy.uba.uva.nl:2048/document.php?requested=document.php%3Fid%3D WOCO2014005%26type%3Dhitlist%26num%3D0%23page%3D1&id=WOCO2014005&type=hitlist&num=0# page=1> accessed July 2019

69 _{Case 85/87 Dow Benelux NV v Commission of the European Communities [1989] ECR 1989 -03137} 70 _{Ibid paras 17-18}

71 _{Ibid para 19} 72 _{Ibid para 19}

23

The ruling in Dow Benelux appears to be rather controversial. In the first place it doesn’t seem acceptable that the Commission takes this incidentally obtained information to initiate another investigation that falls out of the matter subject of the inspection at stake. This would by all means extend the scale of powers of the Commission to the detriment of the investigated undertakings.73

Although in Deutsche Bahn case the Commission’s initial inspection decision was adopted due to potentially unjustified abuse of a dominant position by Deutsche Bahn rather than cartel activity, it is interesting to deliberate over the Court’s approach regarding the Commission’s investigatory powers.

In brief, according to the facts of the case during an inspection carried out against Deutsche Ban because of potential abuse of its dominance, the Commission found documents related to a possible different infringement in relation to which the Commission had received a prior complaint (apparently, inspectors had also been briefed about that complaint). Since the subject matter of that evidence was out of the scope of the inspection decision, the Commission adopted a second inspection decision. Those as well as a third inspection decision were later appealed before the General Court by Deutsche Bahn.

The General Court’s Judgment74 _{confirmed the Commission’s wide inspection powers, stating}

that the Commission was not prevented from using evidence incidentally gathered in one investigation for another investigation as long as the proper procedural requirements were respected.

Deutsche Bahn appealed before the European Court of Justice (ECJ) and seeked to have set aside the judgment of the General Court. The appeal was based on the infringements of its rights of defense due to the irregularities vitiating the conduct of the first inspection.

73_{R.H. Lauwaars, 'Joined Cases 46/87 and 227/88, Hoechst A.G. v. Commission, Judgment of 21 September 1989;} Case 85/87, Dow Benelux NV v. Commission, Judgment of 17 October 1989; Joined Cases 97-99/87, Dow Chemical Ibérica S.A. et al. v. Commission, Judgment of 17 October 1989.' (1990) 27 (2) Common Market Law

Review 355,370

<http://www.kluwerlawonline.com.proxy.uba.uva.nl:2048/document.php?requested=document.php%3Fid%3D COLA1990021%26type%3Dhitlist%26num%3D0%23xml%3Dhttp%3A%2F%2Fwww.kluwerlawonline.com% 2Fpdfhits.php%3Ftype%3Dhitlist%26num%3D0&id=COLA1990021&type=hitlist&num=0#xml=http://www.k luwerlawonline.com.proxy.uba.uva.nl:2048/pdfhits.php?type=hitlist&num=0> accessed July 2019

74 _{Joined cases T-289/11, T-290/11, T-521/11, Deutsche Bahn AG and Others v. European Commission (General} Court, 6 September 2013)

24

The ECJ’s judgement75 states that the Commission can only search for documents coming within the scope of the subject-matter of the inspection as defined in the decision76. In fact, the Court recalls the relevant case law in the field as demonstrated particularly in Dow

Benelux v Commission judgement.77 _{Moreover, ECJ in paragraph 59 recalls that pursuant}

to Dow Benelux the Commission can start new investigations if it comes across new evidence genuinely by surprise, but concludes in paragraph 62–siding with Advocate’s General Opinion78- that although inspectors need to be provided with background info about a case, “all that information must nevertheless relate solely to the subject-matter of the inspection

ordered by the decision”.

In the present case, the Commission informed its agents immediately, before the first inspection was conducted, that there was another complaint against Deutsche Bahn concerning a subsidiary. That background, prior information, was unrelated to the subject-matter of the first inspection decision.79 Thus, ECJ concluded that the first inspection was vitiated by an irregularity because the Commission’s agents being previously aware of this background information, seized seized documents falling outside the scope of the first inspection decision.80 It therefore upheld the appeal and annulled the second and third inspection decisions.

In this judgment ECJ took a step towards the clarification of Dow Benelux doctrine and the meaning of “accidental discoveries” in the course of an inspection concerning potential competition law infringements outside the scope of the inspection decision. The judgement endorses a strict approach towards the Commission’s misuse of the very ample powers that it enjoys and perhaps intends to convey the general message that privacy rules and principles may not be undermined throughout Commission’s investigations. Indeed, the procedural

75_{Case C-583/13 P Appeal brought on 15 November 2013 by Deutsche Bahn and Others against the judgment of} the General Court (Fourth Chamber) delivered on 6 September 2013 in Joined Cases T-289/11, T-290/11 and T-521/11 Deutsche Bahn and Others v European Commission [2014] OJ C 24, 25.1.2014

76 _{Ibid para 60}

77 _{Dow Benelux, supra n. 69, para 17}

78 _{Case C-583/13 P Appeal brought on 15 November 2013 by Deutsche Bahn and Others against the judgment of} the General Court (Fourth Chamber) delivered on 6 September 2013 in Joined Cases 289/11, 290/11 and T-521/11 Deutsche Bahn and Others v European Commission [2014] OJ C 24, 25.1.2014, Opinion of Advocate General Wahl, para 69

79 _{Ibid para 64}

25

safeguards provided by the relevant instruments must be respected and not sacrificed for the extensive discretion the Commission enjoys while enforcing EU Competition law.81

4.3. The obligation of the Commission to respect the EU Charter during cartel investigations

The concept of positive obligations has become a regular feature of the case law of the European Court of Human Rights (ECtHR). Pursuant to this concept, the full and effective protection of fundamental rights requires states to take active measures. States cannot simply remain passive by complying only with their negative obligations to remain abstain from human rights violations. While the ties between the EU and the European Convention on Human Rights (ECHR) have not been formalised by the accession, as it has been analysed in Chapter 2, section 2.1., the ECJ must still ensure that the meaning and scope of the rights of the Charter which correspond with the rights of the ECHR are the same as those guaranteed under the ECHR (Article 52(3) of the Charter). The case law of the ECtHR, and the concept of positive obligations, must therefore be taken into account as well.82

Thus, during its cartel investigations pursuant to Regulation 1/200383 the Commission has a positive obligation to respect and promote the EU Charter.84 This obligation stems from the wording of Article 51(1) EU Charter, the case law of the Court and the institutional structure of the Commission as such.

The Commission’s failure to respect the EU Charter rights when enacting legally binding acts can be challenged via Article 263 TFEU, or before the national courts pursuant to the preliminary reference mechanism85 and could result in a declaration that the act is unlawful.

81_{Alfonso Lamadrid, Pablo Ibanez Colomo, “On dawn raids and the ECJ’s Judgment in Deutsche Bahn (Case} C-583/13 P)” (June 2015) < https://chillingcompetition.com/2015/06/23/on-dawn-raids-and-the-ecjs-judgment-in-deutsche-bahn-case-c-58313-p/> accessed July 2019

82_{Ottavio Marzocchi “The protection of fundamental rights in the EU” (2019)}

<http://www.europarl.europa.eu/ftu/pdf/en/FTU_4.1.2.pdf> accessed July 2019 83 _{Regulation 1/2003 supra n. 53}

84 _{Charter of Fundamental Rights of the European Union, OJ 2010 C 83/389 (EU Charter)}

85 _{Consolidated version of the Treaty on the Functioning of the European Union (TFEU) [2016] OJ C202/01,} art. 263

26

The Commission must comply with its substantive obligation to respect privacy rights provided for by articles 7 and 8 of the Charter, when adopting legally binding competition law decisions. Particularly, an implication for competition law that this obligation may entail is that the wide margin of discretion enjoyed by the Commission when exercising its enforcement powers may no longer be sustainable when the EU Charter is engaged.

Pursuant to article 9 of Regulation 1/2003 the Commission alternatively to find an infringement may take a "commitment decision". That provision allows companies to offer commitments that are intended to address the competition concerns identified by the Commission. If the Commission accepts these commitments, it adopts a commitment decision making them binding on the parties without, however, establishing an infringement. It is at the discretion of the Commission to accept or not commitments offered by investigated parties.

Albeit the broad discretion the Commission enjoys when accepting commitments, it must comply with its substantive obligation to respect EU Charter rights. More specifically, the Commission cannot give binding force to commitments offered by an undertaking to remedy an alleged breach of competition law if these commitments entail an interference with the right to data protection. For instance, when the Commission is about to accept commitments it might inter alia order the investigated party to disclose customer personal data to its competitors on the market in order to enable them to compete effectively. This remedy, designed to protect competition, might raise data protection concerns.

The Commission must therefore ensure that the data sharing agreement respects data protection law. In such situations, one may argue that the Commission’s discretion when enacting binding measures is curtailed since it may be obliged to work in conjunction with the European Data Protection Supervisor (EDPS) so as to guide the investigated party to communicate with affected data subjects in order to obtain their consent to the data sharing and to provide them with the opportunity to object. In this way, a potential infringement of the data protection rules in order to secure an end to anticompetitive conduct is avoided. The EDPS has interestingly advocated that competition law enforcement should consider the data protection rights of consumers and proposed such a holistic solution to problem solving.86

86_{EDPS Preliminary Opinion “Privacy and competitiveness in the age of big data: The interplay between data} protection, competition law and consumer protection in the Digital Economy”, March 2014, paras 29-32; EDPS Opinion 8/2016 “On the coherent enforcement of fundamental rights in the age of big data”, 23 September 2016

27

What is more, as demonstrated in Alrosa case87 the potential engagement of the EU Charter may restrict the wide discretion of the Commission when accepting commitments and the limited review of this discretion due to the complex economic assessments it may entail. In such situations, a strict standard of review of the Commission’s decision will be applied. The outcome of the cases cited suggests that the Commission cannot use its competition law competences in a manner that breaches the right to data protection or jeopardises its effectiveness. The Commission must not have an unfettered discretion: the law must indicate the scope of any discretion, and the way it may be exercised. Thus, it appears to be that data protection may constitute “an external constraint” on competition law. It can therefore shape or even more significantly block the enforcement of competition law.88

However, it is not always certain whether the Commission acts in accordance with its privacy obligations stemming from the Charter when it exercises its freedom to copy and take all documents within the scope of even a valid investigation. In fact, Regulation 1/2003 does not indicate the scope of the Commission’s discretion or the manner of its exercise, in relation to inspections of digital evidence. Even more significantly, the Regulation does not mention that the Commission’s powers are subject to the principle of proportionality under Article 5 TEU, pursuant to which the action of the EU institutions must be limited to what is necessary to achieve the objectives of the Treaties.

Indeed, the Commission officials have not claimed that its discretion is lawful because it is fettered by legal principles such as Article 7 of the Charter or proportionality under Article 5(4) TEU. Instead they suggest that this discretion may not be restricted.89 _{This claim along with}

the de facto difficulty for the Commission to conduct its investigations on the basis of the specific organization of each company’s database may imply that those principles are not always respected. What is more, it is likely that the Court will be more tolerant of the conduct of the Commission if unusual difficulties have been caused by the organization of the company’s information.

87 _{Case C-441/07 P Commission v Alrosa Company Ltd [2010] ECR I-05949, paras 60,61,67}

88_{Costa-Cabral, Francisco and Lynskey Orla, ‘Family ties: the intersection between data protection and}

competition in EU Law’ (2017) 54(1) Common Market Law Review 11,50 <http://www.kluwerlawonline.com.proxy.uba.uva.nl:2048/document.php?id=COLA2017002> accessed July 2019

28

4.4. Rights of data subject in the context of cartel investigations

Pursuant to articles 14-24 of Regulation 1725/2018, data subjects retain a number of rights concerning the process of their personal data. Thus, during cartel investigations, controllers are responsible for ensuring that data subjects can exercise their rights to request access to their personal data, obtain the rectification, erasure or blocking of personal data where such data is incomplete or inaccurate or where the processing of such data is unlawful, and object to the processing of their personal data.

However, Regulation 1725/2018, in article 25 also provides for restrictions on the exercise of those rights based mainly on reasons of “general public interest”. Unsurprisingly, DG Competition relies on such restrictions of the scope of the data subjects’ rights in a far-reaching manner and may therefore potentially infringe its privacy obligations. Indeed, in its Privacy Statement90, DG Competition states:

“Granting to data subjects a right of access or erasure of their data present in the Commission's case files would hinder the monitoring and inspection tasks of the Commission when enforcing competition law, which is necessary to safeguard important economic or financial interests of the European Union”.

Pursuant to the Commission Decision 1927/2018, the Commission may restrict data subjects’ rights “where the exercise of those rights would jeopardise the purpose of the Commission's

investigative and enforcement activities, including by revealing its investigative tools and methods”91 _{Under art. 4 (1) where the Commission restricts data subjects’ rights, it is obliged} to inform them sufficiently. Nevertheless, the same article provides that “the provision of

information may be omitted for as long as it would undermine the purpose of the restriction”.

Apparently, the interpretation and application of the current legal framework allows for wide discretion of the Commission concerning its power to restrict data subjects’ rights in the context of the enforcement of EU Competition law. What is more, this interpretation does not seem to take into account that restrictions to a fundamental right cannot be applied systematically but following a case-by-case assessment of the circumstances of the data processing. This is

90_{European Commission Competition Directorate-General Privacy Statement supra n. 60} 91 _{Commission Decision 1927/2018 supra n. 55}