In the context of ongoing antitrust investigations into Facebook Inc.’s (‘Facebook’) data-related practices (AT.40628) and Facebook marketplace (AT.40684), on 13 March 2020 the European Commission (‘Commission’) issued two formal requests for information (‘RFIs’), requiring the company to produce a large number of internal documents. Facebook challenged the RFIs before the General Court of the European Union (‘General Court’), alleging that they capture wholly irrelevant and/or personal documents in violation of both Regulation 1/2003 and the European Union’s (‘EU’) Charter of Fundamental Rights (‘Charter’) (see here and here). In parallel, Facebook introduced the applications for interim measures, soliciting the President of the General Court to fully or partially suspend the operation of the contested RFIs. On 29 October 2020, the President of the General Court issued two quasi-identical orders (‘the Orders’) which concluded the interim measures proceedings in cases T‑451/20 R and T‑452/20 R. Given the marginal differences in the text of the Orders, for the purposes of this blog, we will discuss them together. We will comment on how the Orders arrived at a practical solution to uphold privacy objectives while also allowing antitrust investigations to proceed without undue hindrance. The authors consider that the ad hoc mechanism is likely to inspire a durable future alternative.
The Orders in a nutshell
The Commission’s RFIs required Facebook to produce the documents stored in its electronic servers and corresponding to wide-ranging keywords, such as ‘advertising’, ‘grow’, ‘insight’, ‘advantage’, ‘looked at’, ‘quality’, ‘big question’, ‘for free’, ‘shut down’ and ‘not good for us’. Non-compliance with the RFIs would entail a penalty of EUR 8 million per day.
Facebook provided most of the initially identified 973,900 documents so that the applications for interim measures concerned the remaining 117,208 files. According to Facebook, these documents contain a vast amount of irrelevant and/or private information, such as correspondence between Facebook employees and their family members, communication relating to the guardianship of children, personal wills, exchanges at times of bereavement, political opinions and correspondence with prominent political figures, Facebook’s proprietary information (for example, commercially sensitive information on tax planning or diversity initiatives), etc.
Facebook’s main pleas in law focused on the violation of the principles of necessity and proportionality and on the right of privacy of the company and its employees.
“All necessary information”
Article 18(3) of Regulation 1/2003 allows the Commission to request undertakings to provide all necessary information in the framework of its antitrust investigations. The Commission’s reach, however, is circumscribed by the settled case-law (SEP v Commission, Société générale v Commission, Buzzi Unicem SpA v Commission, etc.). The Orders followed suit and confirmed the Commission’s power to request documents that are legitimately expected to have a connection with the alleged infringement, with certain limitations.
The Orders drew a parallel between the RFIs at hand and “more invasive” inspections, characterized by additional procedural guarantees, such as the presence of lawyers of investigated undertakings and a possibility to prevent inclusion of irrelevant documents in the Commission’s file. The President of the General Court concluded that “in the light of the format and scope of the request for information” at hand, a level of protection comparable to inspections could be envisaged (paragraphs 44-48). Further, given the wide-ranging search terms and, notably, “in the absence of a method of verification accompanied by appropriate and specific guarantees designed to safeguard the rights of the persons concerned”, the President of the General Court admitted that the applicant may prevail in the main action (paragraph 53).
In our view, the Orders come to a reasonable conclusion in terms of the principles of necessity and proportionality. However, the suggestion that addressees’ level of protection could depend on the “format and scope” of each RFI raises questions. This approach, although interesting from the standpoint of the rights of defence, could prove difficult to implement in practice. Besides, it is desirable to further clarify the modalities of “appropriate and specific guarantees” that RFIs need to meet in terms of protection of fundamental rights.
The right to privacy
The Orders emphasize the importance of the right to privacy enshrined in article 7 of the Charter and Article 8 of the European Convention of Human Rights. Firstly, the President of the General Court acknowledges that undertakings’ right of privacy may be violated not just in the case of Commission’ inspections but also in the context of (wide-ranging) RFIs, even if the violation was not proven in this case (paragraphs 57 and 81). Secondly, the Orders recognize that processing of certain categories of personal data, such as the information on racial or ethnic origin, political opinions, religious or philosophical beliefs or health data (“sensitive data”) require additional safeguards in compliance with the General Data Protection Regulation and Regulation 2018/1725.
Interestingly, the Orders did not rule out the possibility for an undertaking to rely on the right to privacy of its employees. That Facebook was obliged (on pain of substantial fines) to process and hand over the sensitive data of its employees contributed to this finding. Further, the Orders admitted that the right to privacy of Facebook’s employees may be frustrated by enlargement of the circle of persons with knowledge of their sensitive personal data.
Facebook also tried to invoke irreparable harm resulting from an eventual disclosure of the documents submitted to the Commission to third parties, including to the litigants against it in the United States. Further, Facebook alleged harm related to the possibility of the documents being used for the initiation of new investigations or for the future regulation of its activities by the EU bodies. All these claims were dismissed as unsubstantiated.
The temporary mechanism established by the Orders
At the heart of the Orders lies a 4-step ad hoc mechanism that the President of the General Court instituted to strengthen the protection of sensitive personal data:
- Document identification: Facebook shall identify and communicate the sensitive personal data to the Commission on a separate electronic medium;
- Virtual data room: those documents shall then be placed in a virtual data room accessible to a limited number of members of the case team, in the presence (virtual or physical) of an equivalent number of Facebook’s lawyers;
- Negotiations: the members of the case team shall examine and select the relevant documents, while Facebook’s lawyers shall have a chance to comment on their eventual inclusion in the Commission’s file;
- Disagreement: in case of a disagreement, the contested documents shall not be placed on the file and Facebook’s lawyers shall have the right to explain their reasons on this point. In case of further disagreement, the Director for Information, Communication and Media at DG Competition is competent to resolve the dispute.
The Orders confirm that companies cannot unilaterally prevent the Commission from acquiring documents that may reveal an antitrust infringement on the sole basis that they may contain irrelevant documents and/or personal data. Nevertheless, the President of the General Court opted for increased procedural guarantees for sensitive personal data. Although the Orders do not explicitly refer to it, the reasoning seems to be inspired by EU law provisions on the processing of sensitive data, prescribing ‘suitable and specific measures to safeguard the fundamental rights and the interests of the data subject’ (Article 9(1)(g) of the Regulation 2018/1725 and Article 10(1)(g) of the GDPR).
To this end, we consider that the suggested framework seems practically workable and reasonable in this case. Indeed, pending the General Court’s ruling in the main proceedings, it helps narrow down the circle of persons having access to the sensitive data of Facebook’s employees without substantially frustrating the effectiveness of the investigation.
However, should the EU institutions decide to adopt a similar permanent mechanism, the caution will be required in its design in order to avoid delays in (already lengthy) antitrust proceedings. Besides, to make the procedure more objective and coherent, we recommend designating the Hearing Officer as a competent final arbiter in such cases. Given their independence and experience with very similar issues (professional privilege, access to the file, etc.), we deem reasonable to extend the Hearing Officer’s mandate to comprehend disputes related to sensitive data in antitrust proceedings.
The views expressed are personal and may not be attributed to Clifford Chance LLP. The authors have nothing to disclose.