Modern Data Risk Management in the Competition Law arena : Data Protection in Commission Investigations : Modern to approach modern data risk management in competition situations

2016

Modern Data Risk Management in the Competition

Law arena

Data Protection in Commission Investigations

Aamna Chaudhry

Table of Contents

INTRODUCTION 3 SECTION I OPENING STATEMENT AND METHODOLOGY 5

METHODOLOGY 5

RESEARCH DESIGNAND SOURCESOFDATA 6

SECTION II COMMISSION PROCEDURE AND POWER OF INVESTIGATION 7

COMPETITION LAW 8

DATA PROTECTION LEGISLATIONINTHE EUROPEAN UNION 21

SECTION III PUBLIC AUTHORITY AND PRIVATE ENFORCEMENTS 29

PUBLIC AUTHORITY ACTIONS 29

PRIVATE ENFORCEMENT CONCERNS 31

SECTION IV RECOMMENDATIONS AND CONCLUSIONS 33 BIBLIOGRAPHY 36

STATUTORY LAWAND TREATISE 36

EC OFFICIALSTATEMENTS 36

CASE LAW 37

BOOKS/ARTICLES 39

APPENDIX I – KEY TERMS AND ABBREVIATIONS 42 APPENDIX II – GLOSSARY 43

Abstract

Digital technology is creating unprecedented challenges in complying with European Commission competition law investigatory requests. In an era where the lines between work and personal life are becoming increasingly blurred, there is much potential for personal data to be captured in the dragnet of such an investigation. The central issue remains an enigma – in such situations what should be the limits on competition

authorities and companies when faced with the need for an ongoing internal monitoring, potential investigation for leniency application, or in the critical dawn raid scenario. Consideration must be taken of what data analysis considerations may arise, and what responsibilities do undertakings have concurrently complied with data protection

procedures and regulations. This thesis discusses and analyzes the law and jurisprudence involved in such situations and provides guidance on the best possible manner in which to protect such data privacy interests.

Introduction

Data risk management can be introduced as the most pressing and continually evolving issues across all types of regulatory and litigation investigations. This paper will specifically seek to explore the ongoing interaction and tensions between the created by competition law investigations in balance against modern European privacy concerns. The analysis begins with a broad examination of the power of investigation vested with the European Commission and the wide ranging implications of such power in light of the counterbalance data privacy protection directives and regulations. There will be a an assessment of the risk and exposure undertakings take while acting in good faith

compliance with these investigations in attempting to safeguard the digital privacy rights of both the corporation and the rights of individual employees This thesis seeks to answer what is the best approach to modern data risk management in contemporary competition situations. It will discuss the modern system and the concerning possibility of abuse it creates for the privacy rights of the individuals and the undertakings involved. I will conclude with my own ideas and suggested considerations on best practices of undertakings to anticipate and comply with their data protection needs.

Privacy rights protection and technology are the biggest the lightening rods of legal issues pervading every sector of the law in 2016. Data risk management and privacy is a broad and encompassing subject. The sheer magnitude of data is held in connection to every undertaking, and the corresponding increasingly complex forensics methodology being used to analyze such data is a daunting but unavoidable task involved

with monitoring and investigating completion matters. Data has become the evidentiary sword and shield for parties to successfully control or evade prosecution or allowable defense. With the unprecedented level of information that can be gathered, it is necessary to consider responsible methodologies to be used by all parties for compliance and a fair outcome.

Section I – Opening Statement and Methodology contains the opening statement about the aims and goals of this thesis, and sets forth the methodology statement. Section II – Commission Procedure and Power of Investigation establishes the historical and contextual importance of competition law, provides the key legislation involved in the intersection of Competition Law and the European Union Privacy Law, and explains how it all comes together in the investigatory phase. Section III – Public Authority and Private Enforcements examines the jurisprudence in the public enforcement, and discusses the private enforcement issues. Section IV – Recommendations and Conclusions will provide the recommendations and conclusions that can be made for individuals, undertakings and the Commission with highlights of the specific implications these the regulations have in different scenarios and by industry and including a

presentation of the long term policy analysis and potential implications in this evolving area of law.

Section I Opening Statement and Methodology

Methodology

This thesis was written in order to assess the challenges of complying with competition law investigations in the digital era. This topic required a two-pronged research approach – (1) to fully investigate the traditional law methods of primary case law and legislation along with secondary legal sources and (2) to investigate the most current methods and technology involved in data forensics. The research necessitated a deep dive into primary sources, secondary sources, and relevant commentary related to both. Because the topic revolves around technology, much of the relevant sources on the actual forensics and commentary on how the industry operates is in modern online format, rather than traditional printed sources. As a result the research is both of

qualitative and quantitative research method nature. By adopting this process, this thesis will seek to look at the existing law, how such investigations are executed, and the role technology and public policy both need to take.

For the legal research side, it was necessary to collect and analyze the legislation, the accompanying legislative materials, the comments and website notes on the

legislative materials, the case law (both of the European Court of Justice). These constitute the primary resources through which the European Union through the

Commission, the Court of Justice and the Member States can be said to directly express their respective opinions.

On the technology in data protection and law side, there has been limited statement made directly on the subject of competition investigations. There is also limited case law, although what does exist sets precedence for the further evolution of the subject. What limited commentary can be found is quickly outdated. On the technical aspects of digital and data forensics there is quite a bit of highly technical sources to be found, although they are mostly located online, undoubtedly to be more easily updated as the technology speedily evolves. It must be recognized that providing a single and conclusive definition of the nature and scope of the study will however be difficult for this exact reason – between the quickly changing nature of a nascent approach in the still

maturing European Union it becomes impossible to come to a solidly dependable and reliable conclusion. This is also why it is such a relevant and important topic to consider, as it maps out potentialities and creates a map with which to navigate.

Both sides are brought together in this thesis to an analytical look at the current interplay between data protection concerns and compliance with the competition authority vested in the Directorate General of Competition (or DG Competition as they are commonly referred to). The purpose of the thesis is to answer what are the

evidentiary implications current investigations of Competition Law – both in DG Competition investigations; and undertakings seeking to answer, comply, or otherwise seek leniency.

Research Design and Sources of data

As this is a question of law as it applies to facts, I will use the classic legal analysis appropriate in such situations, where the issues are governed by primarily statutory law, then judicial interpretations and application as precedence to future rulings, official accompanying literature and statements, unofficial literature and academic analysis of potential issues, and lastly websites and news articles to illustrate the current state of affairs.

I sought primary law in the European Regulations statutory law and treatises. Secondly, I sought the landmark cases of note in relation to the application of this law both in the European Court of Justice, and on occasion in the courts of the Member States where relevant. Then I took into account the Public statements made by the European Officials, both in speeches and appearance and in the different written statements

released. Lastly, I did my best to reach out to various practitioners and academics to ask for further considerations and readings. By conducting the research in such a manner I hope to create a snapshot of the current state of the law as it exists at the moment, and identify the key areas where it is continuing and there are questions unanswered.

Section II Commission Procedure and Power of Investigation Key: Regulatory Law and Directives

Competition Law Competition Law – StatutoryActs and Regulations 1. Articles 101 and 102 2. Privacy Statement 3. Regulation 1/2003 Data Privacy Law Privacy Law – Regulation

and Directive 1. Directive 95/46/EC 2. Regulation No. 45/2001

Background

As stated at the outset, the central issue at question is what should be the limits on competition authorities and companies when faced with the need for an ongoing internal monitoring, potential investigation for leniency application, or in the critical dawn raid scenario. In order to formulate a possible approach, the key competition law and data privacy law will each need to be analyzed in turn.

Competition law holds a special status within the European Union (EU) as one of the primary tools designed to achieving the aim of establishing of the European Single Market in order to eliminate the internal barriers to trade within the EU1_{. In}

understanding the actions and motivations of the European Commission and European Court of Justice, the idea of single market integration is of utmost importance as one of the most valuable assets for the EU to protect2_{. The key players in making sure this} primary goal is achieved are the European Commission, the European Courts of Justice, and the individual Member States as part of the Union.

1 Richard Whish & David Bailey, Competition Law, Oxford University Press (2012), p 23.

2 Whish and Bailey, page 51; also see Commission’s Guidelines on Vertical Restraints OJ [2010} C 130/1, para 7. This idea can also be considered literally as the European Single Market is valued at The EU Single Market accounts for 500 million consumers and 21 million small and medium-sized enterprises (SMEs), and is the world’s largest single market and trading bloc. See http://ec.europa.eu/trade/policy/eu-position-in-world-trade/ (accessed June 2016) (figures as cited are published in 2014, with the financial recovery they are likely to trend upwards).

The European Commission also places a special emphasis on Data Privacy and Protection. They explicitly state on their website that their core objectives in this set of rules is to give citizens back control over of their personal data, and to simplify the regulatory environment for business. The data protection reform is a key enabler of the Digital Single Market, which the Commission has prioritized. The expressed intent is to allow European citizens and businesses to fully benefit from the digital economy, as well as hold those persons and organizations which collect and manage personal information with the responsibility to protect it from misuse, protecting rights of the data owners as guaranteed by EU law.3

While these two spheres of law are separate and do not reference each other explicitly in the official legislation, they intersect in the course of Competition investigations, particularly of large undertakings with modern operations, when the investigation subjects are also subject to overlapping Data Privacy protection rights and obligations.

Competition Law

The power to carry out this central aim is vested in Council Regulation 1/2003 (as it entered into force in May of 2004). The Commission sought to implement the rules of competition as laid down in Articles 101 and 102 (then known as articles 81 and 82 of the Treaty on the Functioning of the European Union (TFEU))4_{. To do this, the Commission} bestowed the Competition Authority with enforcement powers in this Regulation over the entirety of the 28 EU Member States, as well likewise delegating to the National

Competition Authorities (or NCAs)5_{. With this regulation, the Commission is conferred} with the power of enforcement of Articles 101 and 102, the statutory authority controlling anticompetitive practices, specifically acts of collusion, cartels, abuse of market

dominance, merger control and state aid. The European Commission works together with

3 http://ec.europa.eu/justice/data-protection/index_en.htm

4 Originally the Commission’s powers were set out in Regulation 17/62, which was in force between 1962 and 2004, and later replaced and expanded upon by

Regulation 1/2003.

the national competition authorities of the Member States in cooperation as the European Competition Network (ECN)6_.

In analyzing the Commissions actions, it is essential to always consider to the fundamental aims of the EU competition policy. There is a wide range of issues that may motivate the Commission’s policy in what manner the competition policy is being pursued7_{. Beyond the economic integration originally sought, over time the broad range} of objectives has evolved to include antitrust rules, industrial policy and transnational cooperation, market structuring (through merger regulation)8_{. While overall there is still} a coherent anti-competition policy at play, it can also be recognized that there are other diverging policies concurrently at play9_{. Some may even argue that there is an}

undercurrent of a reluctant shift towards an American style of individualism10 _{that can be} 6 http://ec.europa.eu/competition/ecn/index_en.html

7 See Damien Chalmers, Gareth Davies, Giorgio Monti, European Union Law, Third Edition, Cambridge University Press (2014), pages 954-955.

8 Closely related is the timely issue of digital privacy interests against competition concerns involving the regulation of today’s tech giants as part of the perceived American Hegemony (aka - Apple, Amazon, Google, Facebook, and Microsoft – the American ‘Frightful Five’ seeking to bring a new global order) as accomplished through competition law. Such investigations illustrate the central theme of this thesis; as such industries will inherently require complex data forensics. [For example, see How Europe Is Going After Google, Amazon and Other U.S. Tech Giants, New York Times online,

http://www.nytimes.com/interactive/2015/04/13/technology/How-Europe-Is-

Going-After-U.S.-Tech-Giants.html?version=meter+at+6&module=meter-Links&pgtype=article&contentId=&mediaId=&referrer=&priority=true&action=clic k&contentCollection=meter-links-click [accessed June 2014)

9 Also see Kelemen, R. Daniel. Eurolegalism: The Transformation of Law and

Regulation in the European Union. Cambridge, MA: Harvard UP, 2011. 43. Chalmers cites to this publication to state that Competition Policy has a rock star status. Kelemen in his book argues for the idea that the EU’s emphasis on market integration has generated political incentives and pressures to enact detailed, transparent, judicially enforceable rule (or “rights”), thereby encouraging public enforcement litigation and increased private litigation by individuals, interest groups, and firms.

10 This evolution can be seen in the statement made 15 years earlier in the article by Misha Glenny, How Europe Can Stop Worrying and Learn to Love the Future Wired Magazine (January 2, 2001) "The American instinct is to always vote for the individual: It's much safer to have the gun in the hands of an individual than to have the guns in the hands of the government. We tend to think the other way around. We feel secure with the government. The government protects you rather than the

extrapolated to the corporate level. Whereas once corporations played traditional roles alongside the government, in the new industrial era a progressional shift may be observed of transnational entities who are directly involved creating the backbones of modern industry, intimately subject to competition regulation but potentially less intimately entwined with governmental oversight11_{. The divide between the US and the EU in the} comparative regulatory and related litigation cultures between governments and their subjects is now becoming closely aligned if for no other reason than the rise of the technology giants that are deeply steeped in nearly all facets of the economy12_{. In the} past comparative scholars would have illustrated the cultural divide as being one of a tolerance of risk – with the EU considering regulatory challenges to be more akin to a clerical nature than the direct challenge which is the hallmark of the US; there is now a potential of alignment between the two driven by the identical technological expansion transforming the respective markets. It is necessary to recognize that the broad powers vested in the Commission should very certainly be held to an objective ethical standard. While there is difficulty in anticipating the quickly evolving nature of this area of law, as a still nascent and largely untested field of research, it is nonetheless important. Unlike medical research, where decades of clinical trials have created reflection and

methodology, the risks and rewards of analyzing big databases to in the process of information derivation that are only now beginning to materialize.13

Certainly the same could be said of the individuals who drive such corporations, and the corporations themselves as singular entities. Not only does the innovation heavy drive of modern industry look negatively upon the sharing of business and trade secrets, such situations regularly involve individuals with deep stakes and lifetime investments in government being an institution that you need to be suspicious of." It is

emphatically not the intention of this thesis to dictate which methodology is superior.

11 For example, Microsoft and Facebook have come together to lay a transatlantic cable across the Atlantic named MAREA thereby supplanting and bypassing the traditional telecom industries. In a fascinating turn of events, this is said not to be taking existing business away from telecom giants, but rather the future potential business. Cade Metz, Facebook and Microsoft are Laying a Giant Cable Across the Atlantic, Wired Magazine (26 May, 2016).

12 See earlier footnote 8.

13 On this subject, see Sarah Zhang, Scientists Are Just as Confused About the Ethics of Big-Data Research as You, Wired (20 May 2016).

their corporate lives. It is easily understandable that personal and business interests have become deeply entwined, leading to situations where exposure of personal information can be subject to government intervention14_{. It does not seem like a situation where an} entity will be easily convinced to trust regulatory authorities “just because” the

government says so based on broad ethical trust. Respectively considered, parties stand to lose if such situations are mishandled – with privacy interests weighed against

governance concerns.

The issue is best introduced by considering the competition investigations, otherwise commonly referred to as enforcement. Enforcement by the Commission commences in one of a few ways. At the outset, DG Competition can start taking steps towards an investigation targeting an undertaking when it receives information from any number of sources putting them on notice of unlawful activity. This investigation can be triggered by and of their own independent initiative, or by press reports or some similar publicly disseminated information putting the Commission on notice of the potentially unlawful actions of an undertaking. In the alternative, the Commission can have such notice by direct complaint by other private individuals or companies.

If upon sufficient notice or information, the Commission elects to take action, they will commence the enforcement procedure15_{. Once commenced, the Competition} Authority has the power to request information, and if necessary proceed to share their concerns which would eventually lead to hearings. Enforcement procedures require information in a broad sense of the alleged infringement as obtained through the information gathering phase. Information gathering can be done with a simple non-compulsory request where the undertaking may elect to provide documentation relating

14 Such situations include workplace daycare, romantic entanglements, onsite services such as medical or sports. For an interesting look at the continual evolution of the traditional workplace see https://plus.google.com/+LifeatGoogle/posts 15 The Commission is not required to commence enforcement procedures, and can elect to do so based on my factors including whether there is a EU wide interest, whether there is a major risk to market integration, or whether it would rather be better left to the respective national competition enforcement authority. [See Commission Notice on cooperation within the Network of Competition Authorities, paragraphs 14-15, http://eur-lex.europa.eu/legal-content/EN/ALL/?

to an alleged infringement.16 _{Or in more draconian circumstances, the competition} authority can launch what is commonly known as a Dawn Raid procedure. In this situation, DG Competition or the representative NCA will arrive unannounced at the undertaking’s premises with a warrant to carry out an full investigation, often taking computers and downloading all forms of data to return to their offices for further investigation.

This procedure inevitably results in the real possibility of a dragnet of personal information, only tangentially related, to be reviewed and entrusted to authorities17_{. The involved individuals then are forced to expose such information} to the authorities and are forced to accept that government officials and their designees may see very personal private data.

Interestingly, on the other hand if the subject undertaking it to self monitor in order to either monitor to prevent unlawful activity or to comply and reply, they cannot seek to disclose personal data and claim similar exceptions to data

protection regulations. Such scenarios arise at the time of when it comes to internal investigations in order to answer queries, monitor their own employees for unlawful conduct, and in leniency applications. These issues are discussed in further detail in the next section when continuing the examination of ongoing internal monitoring, potential investigation for leniency application, and external dawn raids.

When considering the relevant competition law, it is essential to note that the Data Protection Directive was not written in any part with specific consideration of

Competition investigations at the time of legislation. The rules were not drafted with competition law investigations in mind, nor do they contain any competition specific references18_{. This is important because the general rules and principles broadly govern} the competition investigation. This can be a nebulous manner to navigate increasingly 16 Regulation 1/2003, articles 18 and 19.

17 See above footnote 13. Examples of this entanglement rise to the highest levels, see US Presidential Candidate Hillary Clinton’s use of a personal server for work related emails. See Kara Brandeisky, 5 Things You Didn’t Know About Using Personal Email at Work

http://time.com/money/3729939/work-personal-email-hillary-clinton-byod/

(accessed June 2016).

complex investigations involving every flavor of data; where the key considerations will be the lawfulness of the investigation, the rights of the subjects of the data processing, the confidentiality and security concerns, and the security of the process of the collections. This thesis discusses the point at which the Investigational powers and Data Regulation intersect in DG Competition’s official Privacy Statement at the outset, and then

respectively discusses the powers and impact of each.

Privacy Statement

The primary source of direct comment made on the subject from DG Competition is contained within their Privacy Statement19_{. The Directorate Counsel of Competition,} in direct reference to the processing of personal data in the context of anti-trust

investigations carries it out, states that the data collected and processed is subject to Regulation (EC) 45/200120 _{with regards to the processing of personal data by the}

community institutions and bodies and on the free movement of such data as overseen by Isabelle Benoliel, Director of Registry and Resources Directorate of the competition, acting as the Controller21_{. This statement should be considered contextually with several} issues: the actual privacy level protection for personal and private information, the potential for future use against said individuals, privacy of business secrets, and third party confidentiality22_.

19 European Commission Competition Directorate-General, Privacy Statement, found at http://ec.europa.eu/competition/contacts/electronic_documents_en.html

(accessed 5 June 2016).

20 Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data.

21 As an aside, Mrs. Benoliel’s background can be seen at http://www.wileurope.org/members/details/Isabelle-Benoliel.

22 The European Commission discusses this in their Standard annex on business secrets and other confidential information document –illustrating exactly what kind of data is at issue,

http://ec.europa.eu/competition/antitrust/information_en.html (accessed 13 June, 2016).

Confidentiality is defined as ‘the information must be known only to a limited number of persons and, if disclosed, be liable to cause serious harm to the person who provided it or to third parties with regard to interests which, objectively, are worthy of protection’, whereas Business Secrets are defined as ‘information about an undertaking's business activity of which not only

The type of personal data collected by the DG Competition includes names, contact details (work email address, telephone and fax number and private contact details), and the position of the person in the undertaking. With such data, it may also be photographs, personal conversations, and bank and medical records as well. Such

information is contained in antitrust files restricted to the DC Competition personnel and restricted to those using the DG Competition IT infrastructure. Among the many

concerns private individuals may have, the information theoretically can be transferred to national competition authorities for use to impose pecuniary sanctions on natural persons if:

‘It has been collected in a way which respects the same level of protection of rights of defense of natural persons as provided for under the national rules of the receiving authority…. This implies that information, and in particular personal data, can only be used by a national competition authority against a natural person if it has been collected without the cooperation of that person”23_{. (Italic} emphasis added)

DG Competition goes on to enumerate potential for safeguards for protection of personal data when national courts seek this information; that the national court should assure confidentiality, specify in their request why the specific document is directly relevant, the potential that the national courts may be refused on confidentiality grounds, to duty to avoid interference with the functioning and independence of the Community, or to safeguard third party legitimate interests.

On this last and extremely relevant point of third party confidentiality, the statement cites the AKZO procedure24 _{on the obligation to protect professional secrecy.}

disclosure to the public but also mere transmission to a person other than the one that provided the information may seriously harm the latter’s interests… includ(ing) technical and/or financial information relating to an

undertaking's know-how, methods of assessing costs, production secrets and processes, supply sources, quantities produced and sold, market shares, customer and distributor lists, marketing plans, cost and price structure and sales strategy’. (italic emphasis added)

23 European Commission Competition, Privacy Statement.

24 AKZO Chemie BV and AKZO Chemie U.K. Ltd v. Commission, [1986] E.C.R. 1965). A special set of procedures to be applied when a party sought access to information submitted to the Commission by a third party. The three step procedure requires that (1) a party submits that the information can be deemed a business secret or

The Competition Hearing Officers should comply with the Data Protection Regulation when deciding on disclosure of information. They are required to do a balancing of interests where there is a risk of disclosures of confidential information. There is a guarantee that data is collected for specified, explicit and legitimate purposes, only for the purpose of applying EC competition rules – explicitly stating that in such an event the proportionality test must be used. Eventually data is kept until the closure of the case, and then held in the archives afterwards for future reference as needed.

Regulation No. 1/2003 Investigational Powers

The power to conduct investigations by the DG Competition is codified in Regulation 1/2003, giving the European Commission broad powers of investigations when it chooses to act. With this regulation, DG Competition was given the power by the Commission to conduct antitrust investigations for the good of the Union. As mentioned above, such information is supposed to be only used for applying EC competition rules AND in respect with the subject matter for which it was collected25_.

At the outset, Article 20(4) of Regulation No. 1/2003 requires the Commission to state reason for the decision ordering an investigation by specifying its subject matter and purpose. This threshold requirement is designed not merely to show that the proposed entry onto the premises of the undertakings concerned is justified, but importantly also to enable those undertaking to asses the scope of their duty to cooperate while at the same time safeguarding their rights of defense26_{. Furthermore, the information obtained during} investigations cannot be used for purposes other than what is indicated in the inspection warrants27 _{in order to safeguard business secrecy and the rights of defense while balanced} otherwise confidential, the Commission must first write to that party if the

Commission intends to disclose it, affording the submitter an opportunity to object. (2) If the submitter of the information continues to object, and the Commission is still determined to disclose, it must prepare a “reasoned explanation” of its decision of why the information is not legally protected from disclosure. (3) This reasoned decision may then be challenged to the European Court of First Instance, prior to such disclosure.

25 As laid out in the Regulation, case law, and explicitly stated within the Privacy Statement as well.

26 Deutsche Bahn v. European Commission, C-583/13 P (18 June 2015), at paragraph 56.

against the an unjustified hindrance to the Commission in the accomplishment of its task of ensuring compliance with competition rules in the common market and identifying infringements of article 101 and 102 TFEU.

The powers of investigation are enumerated in Regulation 1/2003 Chapter V, opening with Article 17, which gives DG Competition a broad and expansive authority to conduct such investigations. It specifically states:

‘Where the trend of trade between Member States, the rigidity of prices or other circumstances suggest that competition may be restricted or distorted within the common market, the Commission may conduct its inquiry into a particular sector of the economy or into a particular type of agreements across various sectors. In the course of that inquiry, the Commission may request the undertakings or associations of undertakings concerned to supply the information necessary …’ In the course of the investigation, DG Competition may further request the

undertakings or associations of undertakings concerned to communicate to it all

agreements, decisions and concerted practices. As will be discussed here (and elsewhere in this thesis at length), the first phase of a DG Competition action consists of requests for information, interviews, and inspections on behalf of the investigating Competition Authority. Such investigational powers are broadly encompassing, yet they can be limited based on specific language in the regulation as well as based on rulings in case law.

Upon presentation of written authorization specifying the subject matter and purpose of the inspection DG Competition can commence actions such as requests for information as enumerated in Article 18 for all information deemed as necessary. They can also conduct interviews as they are endowed with the powers to take statements (Article 19) in the form of interviews of those who are deemed to potentially have such knowledge. The interviews are required to be made with the consent of the interviewees, per Article 3 of the implementing regulations.

Of more central concern in relation to data protection are the powers of inspection of premises and records both to location of the business and to the personal locations of those who may be otherwise subject to the dragnet of the investigation per Articles 20 and 21). This is a key highlight in terms of potential breadth or overreach by

investigators on one hand, and company policy anticipating such outcomes and

leveraging control over their employees on the other hand. While Regulations 1/2003 and the courts does give DG Competition broad powers of investigation, there are still conditions and restraints in the form of properly worded inspection orders (GC Deutsche Bahn 2013), Legal privilege (Manfredi, AM & S, Hilti), and the rights against

self-incrimination (Mannesmannröhren-Werke). Undertakings need to tread carefully as they are subject punishment for intentionally or negligently supplying incorrect or incomplete information is by fine of up to 1% of turnover of the preceding year28_.

Finally, the Regulations state that the Commission may publish a report on the results of its inquiry into particular sectors of the economy or particular types of agreements across various sectors and invite comments from interested parties, raising the specter of potential disclosures of personal information, third party information, and business secrets. In such situations the Regulation presents certain limitations. Article 12 sets forth the limits on the exchange of information the Commission with the respective Member States. This article allows for the information to only be used for the same subject matter issue for which it was collected. The evidence collected for 101 and 102 violations can only be used to impose sanctions on natural persons where the information has been collected in a way that respects the same level of protection of the rights of defense of natural persons as provided for under the national rules of the receiving authority. On one hand, this puts an outer limit on the breadth of the proceedings this allows for, giving the individual the highest rights of defense available. However, on the other hand, while on the European Union level there is no individual liability the same is not necessarily be true on the Member State level, thereby creating increased potential liability for individuals caught in the dragnet of an investigation. In fact, DG

Competition refers to this potential risk of private citizens to be subject to national competition authority sanctions in their Privacy statement, and has created special procedures that protect interested third parties where a balancing of interests requires the disclosure of information that is considered to be confidential by those parties:

28 Regulation 1/2003, Article 23. Please note that this may not apply where a formal request for information was made, but the undertaking elected intentionally not to answer. Also note, on the other hand, this fine can apply when a seal is broken in the process of a dawn raid investigation.

‘There are special procedures that protect interested third parties where a

balancing of interests requires the disclosure of information that is considered to be confidential by those parties (the so-called AKZO procedure)’29

The exchange of information is also touched upon in Article 28 in reference to professional secrecy. Undertakings would understandably have a heavily vested interest in preventing the disclosure of any such information. It is foreseeable that undertakings would be sensitive to potential exposure, and impossible for the Commission to promise any airtight 100% safeguard against the leaking or misuse of information. Therefore a sensible approach is to design a system that can safeguard against such potentialities to the fullest extent possible, allowing for investigations while avoiding any risk exposure.

Lastly note that there is a very real potential for private individuals to be subject to national competition authority sanctions, a risk cited in DG Competition’s privacy statement, also see Article 12(3) of Regulation 1/2003.

Fundamentals of European Law - Legal Certainty, Proportionality, and Necessity

While on its face the language appears to be straightforward, in practice the implications are murkier and potential complications may arise. On this subject, the rulings of the European Court of Justice and Member State Courts have not been necessarily been uniformly made in such a way that would pave for a clear and consistent future, potentially making the area uncertain in situations where there may be allegations of potentially overbroad fishing investigations.

The actions of DG Competition, as authorized by the Commission, always need to comply with the fundamental EU law. Regulation 1/2003 was soundly based on the principals for the rights of the defense, the protection of legal certainty and principles of certainty, proportionality, and necessity in the enforcement of the competition rules.30_.

While it is openly acknowledged in the recitals of Regulation 1/2003 the need for undertakings to have legal certainty in order to promote innovation and investment, it is

29 European Commission Competition Directorate-General, Privacy Statement, found at http://ec.europa.eu/competition/contacts/electronic_documents_en.html

(accessed 5 June 2016).

how this may apply in situations where competing interests are at play in an technical data driven arena is anything but certain31_{. The Commission encourages seeking guidance}

on the subject of data protection the closest thing to guidance that DG Competition has provided is the Privacy Statement.

Proportionality is intertwined with the certainty principle in terms of data

management. While Article 7 of the Regulation gives the power to impose behavioral or structural remedies proportionate to the infringement committed and necessary to bring the infringement effectively to an end, a remedy cannot be made without effectively removing competition concerns through workable and proportionate solutions for businesses. This analysis is similarly mirrored with consideration of the Legal Necessity Principle under Article 20(8) where the Member State judiciary can review authorization for inspection for scope, but not for necessity review as such review can only be done by the ECJ.

In investigations the answers for large data requests may exceed this threshold – a major data dump would not be a workable solution for either party. We see an example of such a case with HeidlbergCement v. European Commission. Here the Court

addresses the issue the Commission’s powers to require, by way of decision,

undertakings to supply information in a quantity, format and timeline contested by the target undertakings overbroad and expansive, in the context of an investigation relating to possible breaches of EU competition rules32_{. The court addressed the proportionality}

aspect of multiple large and broad requisitions for information, with the judgment making clear that the Commission cannot go on mere fishing expeditions, but has to be specific in indicating the subject of its investigation and the alleged infringements. Moreover, AG Wahl, in his statement on the case, goes to indicate that an undertaking’s duty does not

31 Regulation 1/2003, recital 38: Legal certainty for undertakings operating under the Community competition rules contributes to the promotion of innovation and investment. Where cases give rise to genuine uncertainty because they present novel or unresolved questions for the application of these rules, individual undertakings may wish to seek informal guidance from the Commission. This Regulation is without prejudice to the ability of the Commission to issue such informal guidance,. 32 HeidelbergCement AG v. European Commission, case C-247/14 P, at para. 21 (10 March 2016).

imply that they must ‘spend time and resources presenting the information in such a certain specified format so as to effectively do the Commission’s own work for it33_.

DG Competition’s Privacy statement “guarantees that data are adequate, relevant, and not excessive relation to the purposes for which they are collected” in terms of the manner and scope of which the personal data is being collected and analyzed. This concept, in theory, aligns with the data protection directive that states that minimum data should be processed, in the least intrusive method, anonomyzed, with limited disclosure to third party victims/law enforcement, and appropriate retention periods34_{. As will be}

discussed, this is just one of the ECJ decisions of recent that address the rights of defense of undertakings under investigation35_.

Jurisdictional and Scope

With the Commission heavily reliant on Member States Competition Authorities in different jurisdictions using their respective and discretion in respect to data, it easily leads to uncertain results. Without specifically outlined guidance, the entire field of Competition is lumped together with all other aims and measures per the Data Protection Directive (as discussed in the next section). But, in considering DG Competition broad and expansive powers of investigation, the vigilant undertaking will undoubtedly object when investigations cross the line into indiscriminate searches and fishing expeditions. Where an investigation and/or its methodology is vaguely defined or overbroad, the consequence will be a broad dragnet of information. With this, the Commission may flag other information when as they come across it. Colloquially referred to as the plain view doctrine, it is commonly understood to occur when law enforcement seizes information that is in plain sight during an investigation36_{. While recognized in jurisdictions outside} of Europe (i.e. the United States), within the Europe such broad investigations are 33 Opinion of Advocate General Wahl, case C-247/14 P HeidelbergCement AG (delivered 15 October 2015), paras 113-123.

34 See Kuschewsky & Geradin, generally pages 69-102. Also see DG Competition Privacy Statement); and best practices as promoted by the ICN Anti-cartel

enforcement manual. (Section 8.1)

35 See Court of Justice, Judgment of 14 November 2012, T-135/09, Nexans France SAS; judgment of 14 November 2012, T-140/09, Prysmian SpA; judgment of 18 June 2015, case C-583/13 P, Deutsche Bahn; concerning the EC’s right of inspection

permitted so long as they are made on reasonable grounds37_.

In consideration of these issues, a the seeds are planted for an objection arising from the seemingly paternalistic approach of trusting an omnipresent omnipotent Commission Authority, as big brother is policing with the best interests of the world in mind. This policy can be considered inadvisable because there can be better alternatives to achieve the same necessary objectives of such investigations.

Data Protection Legislation in the European Union

There are two main pieces of legislation that protect personal data processed by EU institutions and bodies in the exercise of activities within the scope of EU Law – Directive 95/46/EC38 _{and Regulation No. 45/2001 which protects individuals with regards} to processing of data by EU Institutions39 _{(hereafter respectively referenced as the Data}

36 While this is a concept enshrined in American law (enshrined as an exception to the constitutional 4th _{Amendment prohibition of unlawful search and seizure, and} established in United States v. Beatty, 170 F.3d 811, 838 (8th Cir. 1999) (citing Horton v. California, 496 U.S. 128, 136-37 (1990)) ), the concept is still illustrative of the notion of what occurs in the present situation – the issue of what occurs when law enforcement discovers evidence outside the scope of their warrant for the investigation.

37

38 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing

Directive 95/46/EC (General Data Protection Regulation).

In 2016 Directive 95/46/EC was repealed and replaced by the new

Regulation 2016/979. It entered into force on 5 May 2016 and EU Member States have to transpose it into their national law by 6 May 2018. Of note in legislative history terms, objectives and principles of Directive 95/46/EC remain sound, but was done to improve legal certainty, and alleviate

differences within the union which were perceived to constitute obstacles to the pursuit of economic activities, distort competition and impede authorities in the discharge of their responsibilities under Union law. Such differences in levels of protection were due to the existence of differences in the

implementation and application of Directive 95/46/EC.

39 Kuchewsky & Geradin, Data Protection in the Context of Competition Law Investigations, page 72.

Privacy Directive40 _{and the Data Regulation)}41_{. Both pieces of legislation set out the legal} framework for the process and transfer of personal data; the Directive governs in actions as taken by DG Competition, whereas the Regulation governs over public authorities and private undertakings. This legislation is controlled by in light of Article 8(2) on the European Convention of Human Rights and Article 7 of the Charter of Fundamental rights extending the same rights to privacy to Corporations. As referenced earlier, it is essential to recall that they were not written with the specter of competition investigations in mind.

The main legislation affecting the data collections of any competition law

investigation is the European Union General Data Protection Directive (GDPR), codified as Directive 95/46/EC42 _{is considered to be the main overall legislation with protection of} individuals with regard to the processing of personal data and on the free movement of such data. While there is a new recently passed GDPR, with provisions broadening in terms of personal data protections, it is yet to be seen how that will effect competition investigations. There is also Regulations (EC) NO. 45/2001, is the primary regulation on the protection of individuals with regards to the processing of personal data by the Community institutions and bodies – including the free movement of data. Directly citing this Regulation, the in the Antitrust Manual of Procedures by the European Commission defines personal data which cannot be published publicly:

“Personal data, that is any information relating to an identified or identifiable natural person (such as names of representatives of the undertaking referred to in minutes of meetings, letters etc.) Should for reasons of personal data protection only be mentioned in the SO if this is necessary to support the objections against the undertaking concerned or to allow parties to properly exercise their rights of defense? Where possible the natural person should not be identified in the SO by name but rather a description of the person's function should be given in general terms (example: marketing manager of undertaking A, employee of undertaking B)”.43

40 As the new legislation will not enter into force until 2018, this thesis will continue to refer to the existing Directive 95/46/EC.

41

42 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ L 281, November 1995

The rules as set forth in the Data Protection Directive and the Regulation are applicable upon the access and collection of electronic records. This collection is done through by special investigators from the data forensics industry (also known as digital forensics44_{) using a specific methodology by which data is recovered and investigated in} the in the context of a legal audits. In this forensics process, data is considered relevant electronically stored information (ESI), and is formally (1) identified, (2) collected, (3) preserved, and (4) reviewed for the intended purpose of the investigation. The process is consequential in the broad exposure of details (directly and proximately related to the causes of action) either in a Dawn Raid, during information collection for the

investigation and process of a leniency application, in the responses to requests for information, or the essential internal ongoing compliance programs45_{. Digital evidence} can offer authoritatively structured coherent information as presents incontrovertibly constructed46 _{timelines, and lends itself to data analytics, based on digital events rather} than flawed human recollection.

More interestingly we not have the forensics tools to detect patterns or even direct actions as derived by economic data analysis, whereas the tracking and detecting patterns in situations with massive amount of granular data would make it otherwise impossible. So for example, not only is collusion and cartel discovery possible through reactive techniques such as internal whistleblowing or external competitor/customer complaints, it 43 European Commission Antitrust Manual of Procedures, Internal DG Competition working documents on procedures for the application of Articles 101 and 102 TFEU March 2012, section 2.2.1

44 Data Forensics is a broad and evolving term, sometimes also known as digital forensics (although there are subtleties that make the terms not interchangeable). 45 Tangentially speaking, while closely related and occurring concurrently in the investigational process, there is an important difference to point out between Data and Digital Forensics and EDiscovery. Digital Forensics will address situations where Data related to the allegation can be found, traced, and investigated in terms of possible manipulation, whereas EDiscovery addresses the review of the actual contents of the extracted data. Generally see http://capsicumgroup.com/digital-forensics-and-e-discovery-where-one-stops-the-other-begins-2/ (accessed 13, June 2016).

46 With the caveat that proper document retention and collections procedures were used.

is also potentially possible to proactively detect such collusive behavior through economic modeling providing a manner of policing collusive conduct where it would otherwise continue undetected.

On the other hand there exists a key caveat in this process – it is imperative to protect the privacy of the individual is not compromised in the data dragnet. Such data collection needs to be made in such a way that does not violate the data protection and data privacy guidelines47_{. The reform on data protection rules recognize this and sought} to write legislation on the anonymization (removing personally identifiable information where it is not needed), pseudonymization (replacing personally identifiable material with artificial identifiers), and encryption (encoding messages so only those authorized can read it) to protect personal data48_.

Only through compliance with the commission’s legislation as codified in Articles 101 &102, Regulation 1/2003 and the Data Directives and Regulation can such evidence be safely relied upon in terms of data protection. This is only so long as there is constant vigilance of navigating through the veritable minefield of objections if undertakings, and to a more limited scope the Commission, misuse or mishandle such procedures as will be discussed in this section.

As mentioned earlier, the General Data Protection Regulation and related Directives are triggered by the electronic processing of personal data that has been 47 This concept is called “differential privacy” which is technically defined as the statistical science of trying to learn as much as possible about a group while learning as little as possible about any individual in it. Undertakings such as Apple are

endeavoring to collect and store user data in such a manner that allows them to glean useful notions about people without identifying anyone specifically in a manner that would create a privacy violation; emphatically designing algorithms such a way that no other third party (hacker, other entity) could either. See Arvind Narayanan and Vitaly Shmatikov, Privacy and security Myths and fallacies of “Personally identifiable information”, American Bar Association, vol. 53 (June 2010). Narayan and Shmatikov discuss the capability to do this, and potential fallacy of attempting it. For the counterpoint and example of implementation see Andy Greenberg, Apple’s ‘Differential Privacy’ Is About Collecting Your Data—But Not Your Data, Wired Magazine (June 13, 2016).

electronically stored49_{. As a result, intelligent design is necessary in the identification and} definition of the information technology infrastructure. This includes an element of design consideration that would be useful when considering Information Technology (IT) systems, as the component building blocks of information structuring the manner in which data protection and vulnerabilities. Once information is identified as potentially relevant information in the course of the investigation, it is essential to analyze the information not only as direct evidence, but also in terms of what can be directly derived or inferred as a result. This analysis should include full matrix of these ideas in light of what the modern competition investigation may require, and provide the analysis potential issues when regulations are applied to the matrix.

Within the EU regulatory materials, “Personal data” is defined as any information relating to an identifiable person – “data subject”, either directly or indirectly. 50 _{It is a} misleadingly simple definition. The objects that can be considered to be personal data is quite wide ranging - including website addresses, email addresses, persons’ names; in addition there is a whole host of information that can be additionally derived by any such record or log. When read in context, such data may provide information on the tracking of the physical location of the subjects, every person they may have communicated with during the course of the relevant period, providing a window into the private lives of the data subject through the accompanying metadata51_.

49 See Article 2(c) of the Data Protection Directive; Also see Kuchewsky & Geradin, at page 74. As the authors also note, traditionally business documents in paper format would not have been covered as part of this definition, but now if they are part of a filing system or are intended to form part of such a filing system, such as personnel files or card-index systems if scanned in order to be electronically stored. 50 Article 2(a) of the Directive defines the term "personal data "as "any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly […]". Further analysis of the issue of identifiability is provided by the EU's Article 29 Working Party, in its

Opinion 4/2007.

51 Metadata by definition describes other data. It provides information about a certain item's content. A text document's metadata may contain information about how long the document is, who the author is, when the document was written, and a short summary of the document. Christensson, P. (2006). Metadata Definition. Retrieved 2016, Jun 15, from http://techterms.com

The scope can be quite extensive of what information may be pulled. With the advent of BYOD52 _{(Bring Your Own Device) by many employers, individuals are}

increasingly using one personal mobile device for both work and personal usage. This is a fascinating, albeit ethically questionable53 _{new angle to provide evidence in case of} proving collusion in cartels – each of the suspected members can have their geolocation traced via the metadata presented from extracted cellular data54_{. While not specifically} addressed in the terms of a competition investigation’s purview, metadata as personal data should be taken into consideration when considered in terms of location, movement patterns, and time and mode of access of the information (via cell phone, desktop, laptops, tablet, and company or personal chat logs.

With the Commissions broad investigational powers, it is unclear exactly where the lines on accessing personal information are drawn. However, it can certainly be clearly complicated in terms of sensitive information. Sensitive definition can be broadly understood to information regarding race, ethnic origins, political opinions, religion, union memberships, health, sexual orientation, criminal history, etc.55 _{Where in modern} work situations, personal and private lives become so intertwined that it may be difficult to divorce one data set from the other in any manner that will allow for consideration of the content of the useful evidence. Sensitive information of third parties may also be 52 For a quick overview of what is typically entailed in such a policy, see

http://www.itmanagerdaily.com/byod-policy-template/ (accessed June 2016). 53 See above commentary on the ethics of big data research at footnote 12. In Zhang’s article, she specifically cites a similar incident where a hacker, in 2013, found a way to match names to publicly available DNA sequences based on information about research participants that the original researchers themselves posted online.

54 Geotracking is just one of the derivations that is possible through metadata. Modern cellular phones transmit locations, even when in ‘airplane mode’. It is common misunderstanding that turning on airplane mode is a failsafe against tracking. The NSA confirms this fact; they used the technique in Iraq and “enabled the agency to find cellphones even when they were turned off.” This helped identify “thousands of new targets, including members of a burgeoning al-Qaeda-sponsored insurgency in Iraq,” according to members of the special operations unit interviewed by the Post. It can be concluded, that if so desired such triangulations can likewise be used to prove collusion if so desired. Dana Priest, NSA growth fueled by need to target terrorists, The Washington Post (July 2013).

involved based on specifically on the industry being investigation (i.e. medical records, insurance, dating websites, etc.)56

The Working Document on surveillance of electronic communications for

intelligence and national security purposes (December 2014) considers the ability to pull such information and the interplay with fundamental rights of privacy and data protection (albeit written with a different purpose in mind in light of the Snowden revelations). It sets out a balancing of privacy against the economic well being of a country. Lawful interception of data is a common thread between broad governmentally approved

investigations, so the opinions within this working document may be of note – especially as technological innovation is commonly recognized as starting out as security

technology and taking on a second life in civilian applications.

While the United Nations Universal Declaration of Human Rights (1948) in Article 12 of the Declaration and Article 17 of the International Covenant declare that no one shall be subjected to arbitrary or unlawful interference with his privacy57_{, such} interference with privacy is admissible under Article 8(2) ECHR where:

(A)n interference by a public authority with the exercise of right to respect for private life may only be admissible if such restriction:

is in accordance with the law (which must have foreseeable consequences and be generally accessible and) 39 and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others58_.

The procedure is defined by the Regulation and Directive when data is obtained 56 Kuschewsky & Geradin, page 73.

57 International Covenant on Civil and Political Rights, General Assembly Resolution, 2200A 16 December 1966.

58 Pages 16,20,33; The Working Document on surveillance of electronic communications for intelligence and national security purposes (December 2014). Accessed at

http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp228_en.pdf (accessed June 2016).

through the ‘Data Process’ and carried out by ‘Controllers’ and their proxies in the form of ‘Processors’. As set out the Data Protection Directive Article 2(b) Data process is defined as:

“[T]he operation which is performed upon personal data… such as collection, recording, organization, storage, adaption, or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available.” (Italic emphasis added)

Such Data Processing would be carried out by Controllers, as defined by Article 2 (d) as the natural or legal person, public authority, or agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data. In the context specific to this thesis, the Controller is DG Competition or their direct proxy59_{. This Process in terms of Data Forensics is highly technical and} broader than the language reflected in the legislation. In practice, the complexity arises in the definition, location and extraction of the data.

There are additional actors named specifically by Regulation 45/2001. Those who are the target of information collections are commonly known as the ‘Data Subjects,’ and as individuals can claim through the judicial process any rights, protections, or compensation they may be entitled to. Specifically in terms of data protection, this law and remedy would be either at the national level where it is enforced by the respective Member State, or at the European Union Level where it would be with the European Data Protection Supervisor (EDPS)60_.

The result is that there is broad authorization for DG Competition to search business and ancillary premises, which also presents multiple information access issues. 59 Article 2 (d) of the Regulation: “The Community institution or body, the

Directorate – General, the unit or any other organizational entity which alone or jointly with others determines the purposes and means of processing of personal data.”

60 Regulation (EC) No 45/2001, Article 47(1) can be broad summarized as giving EDPS the powers to give advice to data subjects, give advice to controllers in the situations of alleged breaches, make orders and admonish controllers, order rectification, refer the matters to the Community and the Parliament or the European Court of Justice (as necessary), and intervene in actions brought before the Court of Justice of the European Communities.

At the outset clear and concise search terms and parameters much be designed in order to target and identify the relevant documents. This also may lead to complications in which form the data is obtained, be it documents, chat conversations and emails, or in audio or picture format. And once it is obtained, there will be chain of custody issues as the data is removed from the premises and taken back to the Commission authority offices. This chain of custody will further be complicated when obtain not just from a server, but also potentially across borders through cloud computing, or from personal electronic devices and cellular phones. Moreover, the information collection authorization is complicated because it is subject to corruption through encryption methods, wrong passwords, lost passwords, inherent data degradation, and inadvertent or willful data manipulation (and consequent recreation).

Section III Public Authority and Private Enforcements

Having analyzed the competition and privacy law as applies, we now turn to in such situations what should be the limits on competition authorities and companies when faced with the need for an ongoing internal monitoring, potential investigation for

leniency application, or in the critical dawn raid scenario.

Public Authority Actions

When DG Competition decides to take action, the procedure is swift. Typically the inspectors and proxies arrive prior to the start of the business day and seal off whatever offices, homes, or other locations they wish to search. By design, such an investigation will trigger special issues that need to be identified and resolved by both the investigator and the investigated. From the outset of the inspection, DG Competition needs to be adequately prepared with a clear decision and mandate that defines in sufficient detail the scope of such an investigation to protect against overbroad 'fishing expedition' allegations. To serve the DG Competition’s endgame in the investigation – the dawn raids always occur as surprise inspections, and the better planned such

inspections are the more precisely they can be executed. Knowing this, it is good policy for an undertaking to always anticipate such a scenario and prepare how they would

potentially react in such a situation in order to be prepared.61

In the Nexans case, the ECJ ruled for the first time that a warrantless dawn raid violated the fundamental right to privacy because the government did not have

“reasonable grounds” to conduct it62_{. Interestingly of note, as this is one of few cases} which directly address this issue, it appears that appeals can only be made upon final judgment of the court, not at preliminary hearings63_{. This lead to a ruling which} subjected the undertaking was subject to an unreasonable search, they were effectively powerless to stop it, only leaving the undertakings power to object afterwards. This is important recognize as objections will need to be preserved for hearings and undertakings would do well to consider the manner in which they hold information.

In a closely related issue, the assertion of privilege is necessary, as evidenced by the Manfredi case, is also a key consideration64_{. It is a challenging but essential task for} an undertaking to identify on its face what is within the boundary of the issue being

61 To address this, many law firms have published such Dawn Raid guides and checklists for employees of undertakings to refer to, in an attempt to prevent mistakes in the minefield of issues that can arise.

62Nexans SAS v. Commission, Case T 135-09 (14 November, 2015). A dawn raid was carried out on a suspected cartel on electric cables. In its investigation the commission decided to take back certain computer drives and files to Brussels to review later. The court said “[T]he Commission . . . must . . . identify the sectors covered by the alleged infringement with which the investigation is concerned with a degree of precision sufficient to enable the undertaking in question to limit its cooperation to its activities in the sectors in respect of which the Commission has reasonable grounds for suspecting an infringement of the competition rules,

justifying interference in the undertaking’s sphere of private activity, and to make it possible for the Court . . . to determine, if necessary, whether or not those grounds are sufficiently reasonable for those purposes.” (emphasis added).

63 Nexans at paragraph 131. Also see Prof. Dr. Dr. h.c. Carl Baudenbacher, Digital Evidence Gathering in Dawn Raids. Judicial Review: Up Front or

Retrospective?, 20th St.Gallen International Competition Law Forum ICF (4-5 April 2014); Dr. Baudenbacher opines that in such investigations its far better to have the court intervene on a more preliminary stage, even if it may be too early to even know what is contained within the collected materials. (pages 10-11).

investigated65_{, and what is the manner in how such information would be electronically} stored. Predictive forensics cannot be a failsafe against which a party can rely on

avoiding disastrous errors or spiraling investigational costs. Of course, DG Competition cannot know this, or ask such a question without signaling to the target undertaking that a surprise inspection will occur, nor can they run afoul by violating the undertaking’s right to defense (and against self incrimination). Technical tasks will necessarily be done on the spot; tasks such as locating of target devices, extracting possible relevant files, uploading on mobile server, tagging of such documents to return to Brussels (or the respective NCA authority). For undertakings experiencing such a surprise inspection, the right to defense not self-incrimination will be of key importance in limiting any potential liabilities. This becomes somewhat tricky as Legal Counsel not guaranteed at the point of such inspections; although company representative are allowed to follow inspectors and raised very limited objections. When weighed against the potential damage of an undertaking’s, the Commission was able to rely on evidence against undertakings which was obtained during an investigation but which was not related to the subject matter or purpose thereof.

Private Enforcement Concerns

Certain industries have very specific investigational and data retention issues, as discussed in footnote 7 in reference to the ‘Frightful Five’. Consider the Aerospace, Software, real product manufacturing, and financial industries. While the rules of competition law undoubtedly apply equally to all, the respective monitoring and investigational tools necessary, as well as the specialized knowledge to understand the resulting information, will all take special knowledge on behalf of the investigators to predict and identify accurately the search parameters, and execute in a manner that doesn’t compromise those who have data housed on the target undertaking.

Such complications arise in large multi-national undertakings that have cross-border operations to consider. Such complications are too expansive to discuss in detail

65 Evidence residing of the easily recognizable ‘hot document,’ which may or may not exist.