Longstanding CCPC dawn raid practice to copy electronic data (including entire email accounts) for later off-site review by investigators is unlawful according to a recent ruling of the Irish Competition Court. Bulk copying of e-files “will almost certainly, perhaps inevitably” capture material outside the scope of any investigation, the court found. Accordingly, CCPC search of that material would be “an entirely unwarranted – not to mention egregious – transgression of the right to privacy” in breach of the European Convention on Human Rights (and, for that matter, the Irish Constitution).
What does this mean for CCPC investigations? One possibility may be longer searches, to allow on-site sifting of digital files, à la DG Comp dawn raids. But the court’s clear and repeat identification of the search of emails as the unlawful privacy intrusion (rather than seizure or copying by the CCPC, oddly considered lawful by the court) suggests even on-site e-searching may be circumspect. As if to emphasise the point, the court proposes “an entirely reasonable and workable solution” that is “perfectly sensible and practically operable”: independent third-party assessment of e-documents for relevance to the investigation.
One thing’s for sure, the verdict won’t make investigations easier for the CCPC. If a specialist law-enforcement agency can’t ultimately decide what’s relevant to its investigation – at least, not without reference to a third party (any determination of which will likely be subject to challenge) – won’t this stymie investigations? As the CCPC argued at trial, “it would be absurd to allow the subject of a criminal investigation to decide what material is relevant instead of the body that is given a statutory function to investigate.”
Already it is some time since the CCPC successfully investigated a cartel. Just last week, an Irish MEP used European Parliamentary hearings on EU modernisation to brand Irish enforcement under Regulation 1/2003 a ”joke.” But the challenging legal environment, of which the Competition Court’s latest verdict is doubtless an example, may also be a factor: in its 10-year review of modernisation post Regulation 1/2003, the European Commission seemed to recognise as much, taking “fundamental issue” with the lack of administrative sanctions in the Irish enforcement system.
A CCPC decision to appeal the 5 April 2016 judgment – widely expected – is yet to be announced. The CCPC seems alive to the judgment’s implications. In a statement the same day as the Competition Court ruling, the agency said “{i}n light of the significance of the judgment, and having regard to our statutory functions and remit, the CCPC is considering carefully the implications of the judgment and the next steps that it will take.”
Background
The legal basis for dawn raids
In Ireland, breach of EU and national competition law (including abuse of dominance) is a criminal offence. So CCPC officers need a search warrant to conduct a dawn raid, whether investigating EU or Irish competition law. (In the dawn raid giving rise to these proceedings (CRH v CCPC), the CCPC investigation concerned possible breaches of both EU and Irish competition law.)
With a valid search warrant, CCPC officials can lawfully enter and search a business premise. In addition, a valid search warrant allows CCPC officials to take copies of business “records” – broadly defined (as affirmed by the Competition Court) to include “an electronic file, including an e-mail box or a network file.”
To get a search warrant, CCPC officials must persuade a District Judge (a lower court judge whose local jurisdiction extends to the premises involved) that there are reasonable grounds to suspect evidence of a competition law violation may be found there. Typically, CCPC officials do this in what is called a Sworn Information: as the name suggests, this is a sworn statement by a CCPC officer of reasonable grounds to suspect there’s evidence at the premises.
Importantly, even though ex parte, grant of a search warrant is a judicial act in Irish law – Irish superior courts have repeatedly affirmed this: it is not a rubber stamp exercise. The District Judge must reasonably form an opinion that a warrant should issue.
CCPC practice on dawn raids
During Irish dawn raids, CCPC practice is to copy digital files – including frequently entire email accounts (both in- and out-boxes) of executives – for off-site sifting at a later date. Thus, the CCPC’s senior IT officer for digital forensics testified at trial that agency practice is “where possible, to remove electronic material from a premises for review off-site.”
In line with this practice, in the dawn raid giving rise to the Competition Court proceedings, CCPC authorised officers copied “the entirety of the e-mail box of” an executive. According to the court, “ … some of the emails and attachments in that e-mail box almost certainly were not caught by the terms of the warrant.” At trial, the CCPC conceded as much, accepting as “a matter of high probability” that some electronic material seized would not relate to the investigation.
(The CRH executive whose emails were copied had worked in a number of CRH subsidiaries, other than the legal entity named on the search warrant (Irish Concrete Limited), over the period for which emails were copied by the CCPC. There was some dispute as to whether, after resigning as MD of ICL, the executive maintained a role in ICL during the relevant period. The court nevertheless found that “ … it is nearly, if not actually inevitable that even the best run ‘dawn raids’ will see a seizure of some materials that ought not to have been taken.” Hence, whether or not the executive did have some further involvement in ICL, the ruling would seem to apply generally to Irish search and seizure operations – at least so far as a search involves bulk copying of electronic documents.)
In sworn testimony, the CCPC’s data forensics officer explained the reasons for the CCPC practice as follows: first, it minimised disruption to the business under investigation. According to the data forensics officer, the CCPC “ … does not want to impact a target business to the extent to which it cannot carry out daily business activities during the course of a search.” Second, the CCPC officer explained that forensic examination of emails “must be conducted in a controlled environment.” In addition, the CCPC argued that the practice avoided delays that might arise due to encryption of documents and, further, that the practice was in line with international best practice (citing both the UK Association of Chief Police Officers (ACPO) Good Practice Guide for Digital Evidence, as well as the U.S. Department of Justice Forensic Examination of Digital Evidence – A Guide for Law Enforcement).
While the court accepted the CCPC’s bona fides in seeking to conduct a lawful and proportionate search, the court nevertheless granted an injunction restraining the CCPC from accessing, reviewing or making any use whatsoever of any such material pending agreement, to both parties’ mutual satisfaction, on a process to sift out material that ought to have been taken from that which ought not.
Comment
One challenge with the judgment is how to reconcile some key conclusions.
One such conclusion is that “certain materials seized by the {CCPC} … were not covered by the terms of the applicable search warrant and were done without authorisation.” On that basis, the court declares that the CCPC acted ultra vires in copying that material. The court goes so far as to state that “{a}n unwarranted intrusion of privacy at the office seems to this Court to be every bit as bad as the unwarranted search of a personal or home computer.”
It should follow that bulk seizure of emails is unlawful and, in practice, could be resisted by defence lawyers at a dawn raid.
Throughout the judgment, however, the court seems to consider that the dawn raid (and copying of the executives email in-box) was conducted lawfully. Thus, the court sees no difficulty “in the conduct of the ‘dawn raid’ per se, nor even in the inadvertent taking away of information that is not covered by the warrant.” Copying of material outside the scope of the search is “almost, if not entirely inevitable in the course of such a ‘raid,’” and “all but, if not entirely inevitabl{e}.” “But such is life,” the court states.
But, apart from considering it an almost inevitable transgression, the court does not explain why a State agency may seize and/or copy private and personal correspondence unlawfully.
Also of interest is the court’s justification for finding the Charter of Fundamental Rights inapplicable. According to the court, the relevant provisions of Irish competition law (specifically, section 37 of the Competition Act 2002, in which CCPC search and seizure powers are set out) do not implement EU law and “ … are simply not a part of that corpus of legislation.” Further, the court found that section 37 of the Competition Act 2002 “ … does not fall properly to be viewed as a statutory provision that is implementing European Union law, in the sense of realising some provision of European Union law in Ireland.” This is notable given that the CCPC’s investigation, on foot of which the dawn raid was based, involved investigation of suspected breaches of EU and Irish competition law. Section 37 is routinely cited by CCPC officials as the agency’s most potent and important power to investigate suspected EU (and Irish) competition law breaches.
Finally of possible interest is the court’s obiter view, when considering whether the CCPC’s copying of disputed material was consistent with data protection rules, that “… it was of course open to the persons present at {the business} premises … to refuse to release to the Commission some or all of the personal data that was being sought by the authorised officers of the {CCPC}.”
________________________
To make sure you do not miss out on regular updates from the Kluwer Competition Law Blog, please subscribe here.
Indeed controversial; giving absolute primacy to a ECHR, human rights fashioned approach can hinder the whole procedural framework with him huge implications at the substantive level of enforcement (i.e. baf news for the internal market).
Moreover, if not even criminal proceedings are allowed to such practices, how will the other authorities – working under administrative procedure – be able to gather solid evidence ?
However, I don’t see this approach contaminating the EU acquis on competition …