The antitrust authorities regularly investigate whether GAFA companies misuse their massive market power. Recently, the DoJ’s proceedings against Google were reported here in our blog. Now one of these companies has turned the tables and fires back: Facebook has taken the European Commission to the General Court. Björn Herbers summarizes this extraordinary procedure.
Facebook, excessive data collection, antitrust law… I know what you’re thinking and you’re right: data is the new oil, if there is anything that can tame the Tech Giants it is antitrust law. Facebook dominates the market for social networks and the Federal Court of Justice has no serious doubts that Facebook’s data collection is abusive. So what’s new, you ask? The two cases (T-451/20 and T-452/20) brought before the General Court in July and on which the court in Luxembourg has now decided on interim relief, are about something else and that is only marginally to do with the combined data power of “GAFA”. Facebook, for its part, accuses the European Commission’s competition authorities of going too far in collecting data and not holding back even with sensitive personal information. The Commission as the true data-hungry monster, not GAFA – “man bites dog”, as it were? In any case, the General Court in its decisions of 29 October, ordered the Commission to set up a data room and arrange specific protective measures for certain data that Facebook must provide. At the same time, there were very critical comments on the Commission’s practice with regard to requests for information and the Court’s order suggests (very) strongly that companies’ rights of defence against “fishing expeditions” and the uncontrolled handling of their data must be boosted.
That sounds interesting, but can we start at the beginning?
With pleasure. As you know, the Commission has been investigating Facebook in two cases since last year: in the first case (AT.40628 – “Facebook Data-related practices”), the Commission is investigating whether the collection, processing, use and monetisation of data by Facebook is in line with EU competition law. One of the suspicions is that the social network uses its data trove to identify and squash potential rivals. In the second case (AT.40684 – “Facebook Marketplace”), the Directorate General for Competition is investigating whether Facebook – by linking social networks and Facebook Marketplace, where users can offer and sell items for free – could be abusing a dominant position and unfairly hindering other providers of virtual flea markets.
Strong stuff, but Facebook is at pains to stress that antitrust compliance is a core consideration in the way the company does business and that it is cooperating with the Commission to clear up the allegations: “We stand ready to answer any questions the European Commission may have“. The Commission seems to have taken this promise very literally. After a series of requests for information to Facebook and other market participants and some back-and-forth about which information and documents Facebook should send to Brussels, Facebook received another letter from the Commission in early May. The Commission now adopted formal decisions requiring extensive internal documents from Facebook in both proceedings. According to Facebook’s antitrust team, the request concerned hundreds of thousands of documents. The sheer number of documents is due to the Commission’s request for submission of all documents available on Facebook’s IT systems containing certain search terms and that these search terms were of a very general nature, such as “advantage”, “quality” or even “looked at”. Facebook claims that, while it would of course still like to cooperate with the Commission, “the exceptionally broad nature of the Commission’s requests means we would be required to turn over predominantly irrelevant documents that have nothing to do with the Commission’s investigations.” At the same time – and here Facebook had particular reservations – a lot of sensitive information from Facebook employees or the company itself would get caught in the net of this broad Commission request. Documents containing employees’ medical information, personal financial documents and private information about employees’ families or internal security precautions documents would show up using the proposed search terms. Hence, Facebook’s response to the Commission: Sorry, but no can do. Instead, Facebook’s external lawyers could filter out from the documents requested those that are obviously irrelevant to the investigation and/or contain sensitive personal information. However, the Commission did not consider it the best idea to leave it to Facebook’s lawyers to decide which material its case handlers should be allowed to see.
And then the cases went to Luxembourg?
Exactly, since neither side was prepared to back down, Facebook brought an action for annulment of the decisions and it is now for the General Court to assess whether the requests for information were appropriate. In both cases, Facebook is seeking the annulment of the requests for information in the main proceedings and interim relief. The Court granted the requests for interim relief by order of 24 July, and the press was impressed and saw a great victory for Facebook. However, the relevant provision of the Court’s Rules of Procedure (Article 157(2)) allows the Court to amend such orders. The July decision was therefore a bit like pressing the stop button; at the same time, the Commission also extended the time limits for replying to the RFI pending the General Court’s decision in the suspension proceedings plus five days.
The General Court’s “real” decision on the application for interim relief (which also overturned the decision of 24 July) was now given on 29 October by order. Here, Facebook prevailed only in small part, with the Court ordering the Commission to set up a data room for the provision of certain particularly sensitive personal information and to admit Facebook’s lawyers to it. Facebook has now provided most of the documents (meaning those which Facebook considers irrelevant to the Commission’s investigation and therefore should not have been requested, but which did not contain particularly sensitive personal information) to the Commission. However, even Facebook’s partial success is considerable in view of the notoriously high hurdles for a request for suspension under EU law; on the other hand, Facebook also failed essentially because of the lack of interest in suspension, whereas the General Court, specifically its President Marc van der Woude, had substantial doubts as to the legality of the Commission’s decision, which strongly raises Facebook’s chances of success in the main proceedings. Success in the main proceedings, in turn, is likely to have a major impact on the Commission’s RFI practice. The Commission may also adapt its practice in the light of the General Court’s admonishments, especially since the decision was preceded by an informal meeting between the Court and the parties where the Court probably made its position quite clear.
Enough of the preface, what is the legal issue?
The Commission’s requests for information are based on Article 18(1) Regulation 1/2003, which allows the Commission, in order to carry out the tasks assigned to it (under Regulation 1/2003, meaning the enforcement of the ban on cartels and abuses), to require undertakings to provide “all necessary information”, either by simple request or by decision. The Commission also has a corresponding basis for such requests f in the context of merger control (Article 11 Merger Regulation), and the Commission makes very liberal use of its powers in both areas. The (usual) terms “request for information” (or “RFI” for short) are sure to give a cold shiver to anyone who has had the pleasure of being involved in complex merger control or antitrust proceedings before the Commission. From the Commission’s point of view, however, the extensive use of RFI is understandable. After all, how else is the watchdog meant to conduct the necessary fact-finding and meet the high standards of evidence required by the courts in cartel and merger control proceedings without access to the facts of the case? RFI are therefore – alongside dawn raids – the Commission’s main tool in its investigations and are playing an increasingly important role. In the Essilor/Luxottica merger case, for example, the Commission collected RFI responses from more than 3,000 opticians.
And the Commission can send out RFI, just like that?
No, of course not. For the addressees of the RFI, the Commission’s request to provide it with all the information it considers necessary constitutes a serious invasion of privacy. Normally, you do not happily share your internal documents with third parties. Under which conditions this interference is justified must be assessed in light of the regulatory purpose of the enabling clause. In antitrust investigations, the Commission may therefore only request information and documents if it has indications of an infringement of Article 101 or 102 TFEU, and if it can reasonably assume that the information will help it to establish whether the infringement has taken place – only then is it “necessary information”. To enable the addressees to understand and, in the event of a dispute, for a court to verify that these conditions of the enabling clause are met, the Commission must specify in the RFI the subject matter of its investigation and the purpose of the information request. As summarised by the General Court:
According to settled case-law, the Commission is entitled to require the disclosure only of information which may enable it to investigate the presumed infringements which justify the conduct of the investigation and are set out in the request for information (General Court, Facebook decision, margin no 36)
However, the Commission enjoys wide discretion as to whether a particular piece of information is “necessary” for the investigation and can therefore be requested:
Given the Commission’s broad powers of investigation and assessment, it falls to it to assess whether the information which it requests from the undertakings concerned is necessary. […] the requirement that a correlation must exist between the request for information and the presumed infringement will be satisfied as long as […] the Commission may reasonably suppose that the information will help it to determine whether the alleged infringement has taken place (General Court, Facebook decision, margin no 38).
In recent years, several companies have taken Commission RFI to the European courts because they considered that the information requested in them was not necessary, but the ECJ has regularly backed the Commission and in principle leaves it to the Commission to determine what is and is not necessary for its investigations. For example, companies have failed to overturn RFI on the grounds that the Commission already has sufficient material at its disposal to prove an infringement, and that further information is not necessary. It goes without saying that the Commission must respect the principle of proportionality in the use of RFI, as in all its administrative actions, but here too the judges in Luxembourg expect quite a high pain tolerance from companies: For example, the fact that the gathering and transmission of information involves considerable effort does not exempt companies from the obligation to reply to an RFI if the information requested is necessary for the Commission’s investigation.
So far so good (or not). And where do these data RFI fit in?
This concept of “the Commission asks, business answers” is, like so much else, being challenged by digitalisation and the move towards a data-driven economy. The possibilities of storing, transferring and processing data have just exploded in recent years. On the one hand, this means that the Commission is confronted in its investigations with ever increasing amounts of information, as companies – practically freed from capacity limits and equipped with ever new technical
toys tools – are busy producing mountains of data. On the other hand, the Commission suddenly has completely different possibilities: Instead of merely requesting specific information (“emails from the sales director with competitor X”), the Commission is now able – at least technically – to examine larger amounts of data in order to get a comprehensive picture of the inner workings of a company and its communications. This is how the Commission puts it:
“The increased amount of data available and potentially relevant in a data-driven environment poses significant challenges but also offers opportunities to root the Commission’s decision in a broad and reliable factual basis” (OECD, investigative powers in practice – Contribution from the European Commission, p. 12).
These “possibilities” identified by the Commission mean that nowadays, one or more proper “data RFI”, which request some virtual container-loads of data and documents, are a standard feature of any half-decent Commission procedure. The Commission regularly defines certain persons in the company, so-called “custodians”, and specifies search terms and a time period. All data and documents of the custodians mentioned in the RFI from the defined period which respond to the search terms must be transmitted. The Commission derives the search terms from the information already available to it (previous RFI, witness statements, etc.) or also consults with the companies to identify relevant search terms.
Obviously, the scope of a data RFI thus depends very much on the scope and nature of the search terms used by the Commission. A search for the keyword “price increase” in combination with competitors’ names in the sales director’s email inbox reveals a manageable number of documents, while the term “price” across all documents from a large number of custodians produces veritable mountains of data.
And that’s why the Facebook RFI were so extensive?
Exactly, such commonplace terms (“advertising” “for free”, “applause” “advantage”, “quality” “looked at”) were included in the disputed RFI which resulted in Facebook’s outcry. The question the General Court had to answer: Is the “necessary information” requirement within the meaning of Article 18 Regulation 1/2003 observed if the Commission uses frequently used or very ordinary words as search terms? It was undisputed that not all documents that would respond to the terms used by the Commission would be relevant or necessary for the investigation.
In the present case, in the first place, it should be noted that the documents requested under the contested decision were identified on the basis of wide-ranging search terms, some of which consist of frequently used or very common words, such as ‘advertising’, ‘grow’, ‘insight’, ‘advantage’, ‘looked at’ and ‘quality’. It is therefore hardly surprising that the application of those search terms would lead to the obligation to produce documents unrelated to the subject matter of the request for information. The Commission itself admits that certain documents requested are not relevant and necessary for its investigation. (General Court, Facebook decision, margin no 39)
However, the Commission told the General Court, this does not alter the legality of the RFI – no matter how carefully it selects search terms, they would inevitably also capture some irrelevant documents. The only thing to be assessed is whether the search terms were suitable for the purposes of the investigation when they were written.
The Court is not convinced by this “20/20 hindsight” logic – once the search terms have been applied, one can in fact determine which documents and data have been identified and whether they are necessary for the investigation. Nor did Luxembourg accept the Commission’s objection that, according to settled case-law, it was after all entitled to collect and then analyse even large quantities of information. This right related only to information which the Commission could reasonably expect to help it in determining whether there had been an infringement of EU competition law (and which therefore meets the necessity criterion).
It should be pointed out in that regard, first, that that case-law does not mean that the principles of necessity and proportionality cease to apply to requests for information. As the Commission itself notes, it follows from that case-law that the Commission must reasonably suppose that the requested information will help it to determine whether the presumed infringement has taken place. (General Court, Facebook decision, margin no 51)
The Court has thus put its finger on the crux of the issue: the Commission’s comprehensive data RFI with broad search terms do not “fit” into the classic scheme of requesting necessary information by RFI. The Commission does not define in advance in abstract terms (by means of search terms or otherwise) what information is necessary for its investigations and then requests it (“email sales director with competitor”). Rather, it uses search terms to collect, in a first step, a part of the company’s overall data set (all emails containing the term “applause”), from which it then filters out the subset of necessary information in a second step (or vice versa). However, the first step also includes – at least in all likelihood – information that is not necessary for the Commission’s investigation. It would be an interesting antitrust case where all documents containing the term “applause” are relevant to the Commission’s investigations. The question is therefore whether a comprehensive data RFI that (inevitably) captures information that is not relevant to the investigation would violate the principles of necessity and proportionality if it did not provide for a mechanism for the second step, sorting by relevance.
And what does the General Court say?
In order to answer this question, the General Court looked at the other means of investigation by which the Commission can obtain information from companies, namely the dawn raid.
[…] it must be borne in mind that Article 18 of Regulation No 1/2003 is not the only way for the Commission to gather the information necessary for its investigations. It may also order inspections at the premises of the undertaking on the basis of Article 20 of that regulation. In the course of inspections, the Commission may make copies of potentially relevant electronic documents for the purposes of the investigation in order to examine them subsequently with a view to their actual relevance for the investigation. (General Court, Facebook decision, margin no 44)
In other words, instead of having the documents sent to it, the Commission can also seize them from companies itself. It is probably not completely outlandish to assume that comprehensive RFI – perhaps using AI-defined selection criteria – may well take over the role of dawn raids in the future. Indeed, the parallels between the situations are obvious:
In the present case, the request for information at issue is very similar to such an inspection, since the applicant must produce a large number of documents collected on its servers on the basis of search terms, the relevance of which will be assessed by the Commission only at a later stage. (General Court, Facebook decision, margin no 47)
In both cases, the dawn raid and the comprehensive data RFI, the Commission first gathers an overview of the existing data, before identifying in these documents those necessary for its investigation and taking them on file. The Commission describes its two-step approach to dawn raids itself as follows:
[The] selected data pool is then reviewed, typically but not exclusively by means of keywords and search queries by Commission inspectors. The inspector will then judge whether the individual document that is responsive to the keyword/search query is relevant for the case or not, typically following a review of some details of the documents. (OECD, investigative powers in practice – Contribution from the European Commission, p. 3).
The pre-selection of potentially relevant documents by means of search terms is followed by a manual sorting process to determine whether the selected documents are relevant to the investigation.
So that’s how this works technically. And legally?
Of course, the Commission cannot act as it wishes when collecting data in a dawn raid. A company has comprehensive rights of defence during a dawn raid. These rights include the right to see the documents that the Commission intends to add to the file, and to check whether they may reasonably be relevant to the Commission’s investigation. The Commission may not simply collect all data that is of interest in any way in order to consider later what it might be used for (“fishing expeditions”). In practice, in order to respect the rights of defence, the Commission allows the company lawyers to look over the shoulder of the Commission reviewers selecting the relevant documents. If the companies or their lawyers then have the impression that something is not right, they can protest immediately (“How is this relevant to the allegations?” or “Stop, that is private!”).
Even closer to the situation of reviewing RFI responses is the so-called “continued search”. In the case of the dawn raids, too, the volume of data generated is now pushing the Commission to the limits of what it can check for relevance on site. In some cases, the Commission therefore copies the pre-selected potentially relevant documents on the spot and does not carry out the actual relevance check until later, in its own offices in Brussels. This approach has just been endorsed by the Court of Justice in the Nexans case, provided, however, that the Commission continues to respect the rights of defence of the companies during the continued search:
Those rights are safeguarded where, as in the present case, the Commission copies the data, admittedly without a prior examination, but then assesses whether the data is relevant to the subject matter of the inspection in strict compliance with the rights of defence of the undertaking concerned, before those documents found to be relevant are placed in the file and the remainder of the copied data is deleted. (Nexans, paragraph 64).
The Commission ensures this respect for the rights of defence by bringing the unaudited data, which is still to be assessed for relevance, sealed (“sealed envelope”) to Brussels and by allowing companies or their lawyers to be present at the unsealing and auditing at the Commission premises:
If the selection of documents relevant for the investigation is not yet finished at the envisaged end of the on-site inspection at the undertaking’s premises, the copy of the data set still to be searched may be collected to continue the inspection at a later time. This copy will be secured by placing it in a sealed envelope. The undertaking may request a duplicate. The Commission will invite the undertaking to be present when the sealed envelope is opened and during the continued inspection process at the Commission’s premises. (Commission, Explanatory note on Commission inspections pursuant to Article 20(4) of Council Regulation No 1/2003, recital 14 )
And the General Court now wants to apply this legal standard to data RFI?
Yes, at least that is the General Court’s preliminary view. It made sense to the Court that the standard applied to the relevance review of documents copied during a dawn raid (whether on site or in Brussels) should also apply to the review and selection of documents retrieved by data RFI:
Accordingly, it is not unreasonable to consider that, in the light of the format and scope of the request for information, a level of protection similar to that guaranteed by Article 20 of Regulation No 1/2003 should apply (General Court, Facebook decision, margin no 48).
In other words, companies must be able to reassure themselves that the Commission only takes relevant documents on file. Safeguard mechanisms similar to those used for dawn raids should apply.
This addressed Facebook’s concern that the Commission was collecting large amounts of documents irrelevant to the investigation. What did the General Court say to Facebook’s complaint that the Commission was using its broad search terms to access employees’ sensitive personal data (medical information, etc.) and of the company (security information, political information, etc.)? Same same, but different. The Court found that such “sensitive personal data” should be treated with particular care by the EU authorities. This does not mean that the Commission may not touch such data – but it is particularly necessary to respect companies’ rights of defence, otherwise this could amount to a violation of Article 7 of the Charter of Fundamental Rights and Article 8 ECHR. Therefore, as far as “sensitive personal data” is concerned, it is even more important to follow the procedure as set out for data collection in dawn raids.
Sounds good – does that apply now?
The order for interim relief is not a final assessment. However, in connection with the Court’s reasoning it is a very strong statement, and one that makes sense. The Court does not refer to all RFI, but only to those with the “format and scope” of that addressed to Facebook, meaning the (large) “data RFI”, as I call them here. These data RFI can be compared to a small dawn raid in terms of document gathering. Ultimately, it makes no difference whether the Commission inspectors themselves – whether on site or in Brussels – carry out the preliminary recording by keywords or otherwise (step 1) or whether this is imposed on the companies by RFI. The interest and protective interest of companies in the Commission’s examination as to which data are relevant to its investigation and therefore put on file (step 2) is the same. And the more data the Commission can technically collect in step 1 – keyword “possibilities” – the more important step 2 and its control becomes. As Advocate General Kokott correctly stated in Nexans:
[…] it is essential that only documents which are shown to be relevant to the subject-matter and purpose of the investigation decision are included in the file, since this is the only way to ensure that no evidence obtained in breach of the rights of the undertakings concerned is used in subsequent proceedings (Opinion of the GA Nexans, paragraph 82).
Add to this the protection of sensitive personal data, which is increasingly appearing on company servers.
The synchronisation of dawn raids and data RFI processes is therefore indeed necessary and appropriate, and it would make sense for the Commission to adapt its practice accordingly now, even before the Court takes its final decision. In practice, this would mean that the above-mentioned paragraph 14 of the guidance note on Commission inspections under Article 20(4) of Regulation 1/2003 should be applied to the relevance test for data on RFI. Companies would thus be allowed to send their lawyers to Brussels to look over the Commission’s shoulder as it sorts the data by relevance (but the Commission would continue to assess relevance – contrary to Facebook’s suggestion, lawyers would not do the sorting).
But back to the General Court: how was this not a big win for Facebook? And what happens next?
According to the Court, there is much to suggest that the Commission’s RFI were not appropriate because they did not request only necessary information and/or are not proportionate and, moreover, because they do not adequately protect particularly sensitive personal data. That alone, however, was not sufficient for interim relief to be granted. The hurdles are very high in EU law here, the applicant’s interest in suspension does not already outweigh the enforcement interest if his prospects of success are good in the main action. The applicant must also be able to show that he will suffer serious and irreparable damage if the contested act is carried out. The Court did not accept that such damage would be caused by the transmission of the documents requested by the RFI, per se. It could be assumed that the Commission would not disclose the documents and, in the event of a decision on the substance of the case, would not use information which might not be relevant but which had made it into the file. No harm done, then. However, the General Court made an exception for sensitive personal data. Here, the Court recognised that damage was already caused by the fact that third parties would be able to see them at all:
It follows from the foregoing that enlargement of the circle of persons with knowledge of sensitive personal data risks causing serious harm to the persons concerned by that data (General Court, Facebook decision, margin no 86)
Decision therefore: (only) with regard to sensitive personal data, the execution of the RFI will be suspended until the Commission implements a safeguard mechanism. The General Court outlines that mechanism in point 2 of the operative part:
Facebook Ireland shall identify the documents containing the data referred to in point 1 and transmit them to the Commission on a separate electronic medium. Those documents shall then be placed in a virtual data room which shall be accessible to as limited a number as possible of members of the team responsible for the investigation, in the presence (virtual or physical) of an equivalent number of Facebook Ireland’s lawyers. The members of the team responsible for the investigation shall examine and select the documents in question, while giving Facebook Ireland’s lawyers the opportunity to comment on them before the documents considered relevant are placed on the file. In the event of disagreement as to the classification of a document, Facebook Ireland’s lawyers shall have the right to explain the reasons for their disagreement. In the event of continuing disagreement, Facebook Ireland may ask the Director for Information, Communication and Media at the Commission’s Directorate-General for Competition to resolve the disagreement.
This is in line with the approach to data collection for dawn raids – and possibly the future standard for data RFI.
To be continued in the main proceedings. But you may already raise your (blue) thumb for the General Court if you like.
Dr. Björn Herbers is a Partner in the antitrust team of CMS Brussels.