Investigations into suspected competition law infringements almost invariably involve an analysis of very significant quantities of data generated and stored by businesses. One element that is frequently forgotten in the heat of the battle is data protection requirements. Most of the data analysed in the context of an investigation (such as employees' emails) are personal data. Companies therefore must take steps to protect this personal data and to comply with the applicable data protection regulations. In this article, we explore the data collection powers of competition authorities, and how businesses can best ensure compliance with data protection and privacy rules during an investigation.
What data can competition authorities require companies to produce?
Competition authorities can request companies to produce a wide range of data including:
- financial data;
- sales data;
- marketing data; and
- customer data.
The authorities can order the production of both hardcopy and electronic documents, and companies cannot refuse to provide the requested documents on the basis that they are internal documents or contain confidential information or personal data.
Many of the documents that are typically requested by competition authorities include personal data, which is defined as any information relating to an identified or identifiable natural person (the ‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Competition authorities are required to comply with data protection regulations when requesting data from companies. However, the companies providing the data must also take steps to ensure that personal data is protected during a request for information or dawn raid. In doing so they must balance cooperation with competition authorities, and their own defence rights, against compliance with data privacy and protection laws.
The exact powers of competition authorities vary, as does the way in which those powers interact with data protection rules. Different investigations will vary in the extent to which they require the production of personal data. Data protection policies – and the response to individual investigations – will need to be tailored to the circumstances and to the investigating authority.
Relevant legislation
In the EU, the General Data Protection Regulation (“GDPR”), and in the UK the UK GDPR together with the Data Protection Act 2018 (“DPA”), set specific requirements for processing personal data, including establishing a lawful basis for the processing, providing a privacy notice, and responding to data subject rights requests (e.g. access, restriction, erasure). There are also fundamental human rights to privacy that may need to be taken into consideration, as well as protections around the confidentiality of communications.
The authority itself will also be subject to data protection requirements under the EU Law Enforcement Directive, including requirements to provide a privacy notice. EU Member States will have specific laws implementing this legislation. For the UK, this is covered by Part 3 of the DPA and the Competition and Markets Authority is specified as a competent authority under Schedule 7.
Law firms involved in investigations must also ensure compliance with data protection laws when collecting and handling relevant data.
Pre-investigation measures and practical guidance
It is crucial for companies to have comprehensive measures in place to deal with data protection issues before and during an investigation. Some examples of these measures include:
- Creating and updating dawn raid guidelines that include data protection compliance procedures;
- Ensuring that the company’s privacy notice covers transfer of personal data to law enforcement and regulators in compliance with legal obligations (or voluntarily on the basis of legitimate interests);
- Having a record of processing activities (ROPA) so the company knows what personal data it has and where it is;
- Documenting appropriate IT policies such as data retention, network permissions and data access; and
- Having a policy and process for employees who use a personal device for work. Ideally, work data would be ring-fenced on the device so that it is clear which data are work related and which are personal; otherwise, clear boundaries should be maintained between work and personal devices.
General data protection considerations
If a company is required to provide personal data to the authority, the lawful basis for processing for that purpose is likely to be Article 6(1)(c) of the GDPR, i.e. the processing is necessary for compliance with a legal obligation to which the controller is subject. If personal data is provided that is not within the scope of the obligation (for instance when information is provided voluntarily in a leniency application), then the company may need to establish another lawful basis for the processing, for example legitimate interests, or determine that it cannot provide the data.
When responding to a request for information or during a dawn raid, companies must take steps to:
- prevent the disclosure of personal data that falls outside the scope of the investigation. The first step is to establish carefully what information the authority is requesting and to cooperate with the authority in determining the scope of any searches (including any keywords). If the company needs to withhold information, it may need to consider bringing a challenge against the request for that information;
- consider whether it is appropriate and permitted to inform employees and customers if there is a risk of disclosure of their data (in some instances, companies may not be required to inform data subjects if their personal data is disclosed to authorities during a specific investigation);
- consider whether the data is special category data (data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation). Special protections apply to such data;
- decide which devices are in scope and whether personal devices should be searched. Competition authorities may require companies to provide all relevant information during an investigation, which can include checking personal devices of employees. However, companies must be careful not to violate privacy and data protection laws. A person’s personal device and their communications are subject to additional protections under EU, Member State and UK law. Before providing access to personal devices and communications, specific regard should be given to these requirements and whether the authority has the lawful authority to do so, which may require a specific warrant or authorisation depending on the jurisdiction.
Conclusion
It is crucial for any business to consider data protection requirements when responding to a request for information or during a dawn raid by a competition authority. Companies must take the necessary steps in advance and during the raid to protect the personal data of their employees and balance this against their legal obligation to provide the data that has been requested.
This article is part of a special edition on Investigations of our monthly newsletter Competitive Edge.