The fate of data seized during antitrust investigations: a telling episode in France

Given the proliferation of data in recent times, ensuring sufficient safeguards are in place during competition authority raids to protect personal and privileged documents is an increasingly challenging objective. In its recent judgment on this area [1], the Paris Court of Appeal strictly applied the letter of such safeguards, which will significantly impact the way the French Competition Authority conducts such investigations in future.

Data submitted voluntarily

In the context of raids conducted by the French Competition Authority on the Logista Group for suspected abuse of dominance, the Court strictly enforced the provisions of Article L.450-4 of the French Commercial Code ("FCC"). This governs how documents can be seized in such contexts. In particular, this provision limits the mandate for such seizures to the strict scope set out in the order from the judge of the competent Court authorising the raid. It also emphasises the importance of the presence of a judicial police officer during such raids to ensure the rights of defendants are respected. Such officers are part of the French police force rather than the court but operate under the supervision of prosecutors.

In the case involving Logista, various documents and email data were obtained during the raid but for technical reasons not all potentially relevant mailboxes could be extracted at that time. Logista therefore committed to provide the remainder in due course. It then proceeded to do this but later challenged the Authority’s reliance on these documents, pointing out that its right to defence had not been respected. They also alleged that they contained privileged material which was not adequately protected. In assessing these issues, the Paris Court of Appeal reiterated in its judgment the scope of Article L.450-4 of the FCC: only documents obtained during seizure operations are admissible. In other words, documents handed over after such operations are not covered by the judge's order and their submission is, therefore, illegal. This illegality led to the documents concerned being returned to Logistica and the Authority was not permitted to rely on them.

The Court also clarified the scope of application of Article L. 450-3 of the FCC for so-called "light" investigations (that do not require a judge's order): while this article provides for the voluntary submission of documents, this provision exclusively applies to inquiries within this category. Therefore, relying on this basis for any proceedings founded on a suspicion of abuse of a dominant position would be ineffective.

Security of sensitive seized data

Before the submission of the contentious mailboxes was invalidated, the Logista Group had argued that the documents submitted on a "voluntary" basis were excluded from the provisional sealing procedure, which ensures the integrity and protection of items seized in dawn raids, as in practice they had no choice but to provide them. In other words, the personal, sensitive and privileged data contained in these documents did not receive the same level of protection as it would have done had it been within seized documents.

This point of contention echoes the earlier judgment [2] of the Court of the European Union ("CJEU") in the European Commission (“EC”)’s case against Meta (formerly Facebook) which also dealt with the security of seized data. Whilst the Paris Court did not expressly reference this judgment, in the Meta ruling, the CJEU similarly assessed the legality and effectiveness of the EC’s practice of protecting and storing sensitive data seized during investigations, in that case by creating a virtual data room.

For the CJEU, this virtual data room practice is valid. The data containing sensitive elements within the meaning of the GDPR [3] is placed in the data room. These documents can only be consulted: (i) by as few members of the investigation team as possible; and (ii) in the virtual or physical presence of an equivalent number of the investigated company’s lawyers. It is within this framework that the relevance of the documents is assessed, and only those deemed relevant will be transmitted to the investigation.

Comment

In reaching its conclusion on the Logista case, the Paris Court of Appeal appears to have been swayed by the fact that Logistica signed a document during the French Compeition Authority’s raid, committing to provide the remaining mailboxes. On that basis, the Court decided that the subsequent provision of those mailboxes could not truly be considered voluntary, since the commitment to provide them was made in the context of a coercive process.

Competition authorities rarely gather all the documents and information they need in a single raid. In practice however, even if it did commit to providing the further mailboxes under a certain level of duress, Logistica could have subsequently sought to engage in further discussion with the Authority on this issue before handing over the material. It seems inappropriate for investigated companies to have the option to choose to disclose documents at one moment and then withdraw that consent later, thereby potentially undermining the whole or at least part of the investigation they are facing.

On the other hand, it is clearly important for competition authorities to wield the extensive powers at their disposal with care. In this case, had the Authority sent a separate request for the remaining mailboxes shortly after the raid, rather than during the raid itself, any complaint of coercion would have been significantly weaker and the outcome of the case could have been very different. If this issue arises again, it will also be interesting to see if greater reliance is placed on the practice of competition authorities and jurisprudence outside France, such as the use of data rooms highlighted in the Meta case. This would be welcome, to avoid future investigations being derailed or damaged based on such technicalities.

Footnotes

1 Paris Court of Appeal, pôle 5 ch. 15, 5 avr. 2023, n° 22/11616.
2 Case Meta – T-451/20 – Meta Platforms Ireland/Commission.
3 Regulation (EU) 2016/679