Data Privacy And Competition Law A View From The EU

Transcription

1 Portfolio Media. Inc. 860 Broadway, 6th Floor New York, NY Phone: Fax: Data Privacy And Competition Law A View From The EU Law360, New York (April 19, 2012, 1:19 PM ET) -- Data privacy in the digital age is increasingly attracting attention during competition law investigations. Despite elements of convergence, the differing approaches of authorities around the world toward the protection of privacy create challenges when developing standards and procedures that are accepted globally. The protection of personal data in the European Union and, specifically, how this impacts the rights of individuals and companies where personal data may be collected as part of a competition law investigation requires close review. There remain areas where a lack of congruence in the level of protection afforded presents challenges when navigating investigations and protection across multiple jurisdictions. Data Privacy in the EU Protection of Privacy in the EU The importance of protecting privacy and personal data is reflected in a number of legislative enactments and decisions in the EU: The Charter of Fundamental Rights provides fundamental rights for the protection of private life and personal data.[1] The Court of Justice of the European Union (CJEU) has decided that legislative enactments that violate the right to protection of private life and the protection of personal data can be rendered inapplicable. In Volker und Markus Schecke[2] the CJEU emphasized the fundamental right of data protection when invalidating part of EU legislation requiring publication of the names of persons that were the recipients of funds from the European Agricultural Guarantee Fund and the European Agricultural Fund for Rural Development.

2 In October 1995, Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data (data protection directive)[3] was adopted. Member states have all enacted their own local implementing legislation. As the data protection directive specified only the minimum measures to be put in place, and member states were therefore free to implement stricter requirements if they wished, this has resulted in inconsistencies between the national data protection laws. By way of example, the rules on data controller notification, the requirements for the transfer of data outside the European Economic Area, the rights of data subjects and the meaning of data subject consent (and/or the method by which it can be given) can vary significantly between EU countries. The data protection directive has, however, ensured that there is a framework for the protection of privacy in relation to the processing of personal data. The right to protection of private life and personal data is not absolute as will be seen by a number of measures that seek to balance potentially conflicting rights: Article 52(1) of the Charter of Fundamental Rights states that limitations may be imposed on the exercise of fundamental rights (including those in Articles 7 and 8 of the charter) where the limitations are provided for by law and respect the essence of those rights and freedoms. Subject to the principle of proportionality, limitations may be made only if they are necessary and genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others. [4] Article 42 of the Charter of Fundamental Rights establishes a right of access to documents of the European Parliament, Council and Commission for [a]ny citizen of the Union, and any natural or legal person residing or having its registered office in a Member State. [5] Article 15 of the Treaty on the Functioning of the EU establishes a similar right of access to documents held by EU institutions.[6] Regulation 1049/2001[7] establishes substantive and procedural rules on access to public documents held by EU institutions. The principles of openness and transparency are enshrined in recitals 1 and 2 of the Access to Documents Regulation which reads as follows: (1) The second subparagraph of Article 1 of the Treaty on European Union enshrines the concept of openness, stating that the Treaty marks a new stage in the process of creating an ever closer union among the peoples of Europe, in which decisions are taken as openly as possible and as closely as possible to the citizen. (2) Openness enables citizens to participate more closely in the decision-making process and guarantees that the administration enjoys greater legitimacy and is more effective and more accountable to the citizen in a democratic system. Openness contributes to strengthening the principles of democracy and respect for fundamental rights as laid down in Article 6 of the EU Treaty and in the Charter of Fundamental Rights of the European Union..

3 It is nevertheless stated that there are circumstances that may justify limitations on public access to documents. In particular, Article 4(1)(b) provides that access may be refused where disclosure would undermine the privacy and the integrity of the individual, in particular in accordance with Community legislation regarding the protection of personal data. To what extent, therefire, have the EU institutions and courts determined where protection of privacy may justify limitations on disclosure of personal data in the context of a competition law investigation? The CJEU has ruled that Article 4(1)(b) should be interpreted as requiring the institution holding the data to apply the legislation regarding the protection of personal data, that is to say Regulation 45/2001.[8] The Bavarian Lager[9] case concerned a request for public access to minutes of a meeting between the European Commission, representatives of the U.K. government and the European beer sector relating to a commission investigation concerning whether U.K. law had the effect of hindering or preventing overseas suppliers from entering the U.K. brewing industry. The Commission ultimately decided to close the case, following which Bavarian Lager, a brewery that wanted the commission to pursue infringement proceedings, requested access to the minutes of the meeting. The commission provided access but decided to delete the names of five persons on the basis that two persons had not consented to disclosure of their names and that the commission was unable to contact the other three to obtain consent. The commission maintained that it was required to obtain the consent of the individuals named in the minutes on the basis that Article 4(1)(b) of the Access to Documents Regulation required the application of the Data Protection Regulation in all cases where a document contained personal data.[10] In short, the commission maintained that unless the data subject (the person to whom the data relates) consents to disclosure, the disclosure can only occur where the recipient (person requesting access) can demonstrate the necessity of the disclosure and that there is no reason to believe that the legitimate interests of the data subject will be prejudiced. The General Court held that publishing the names of the persons attending a meeting in their personal capacity would not harm the rights of privacy of those persons. However, the CJEU ruled that data privacy protection means that an express justification needed to be given for the refusal stating that: Where a request based on [the Access to Documents Regulation] seeks to obtain access to documents including personal data, the provisions of [the Data Protection Regulation] become applicable in their entirety, including Articles 8 [the provision requiring the recipient of personal data to establish the need for their disclosure] and 18 [the provision which confers on the data subject the right to object at any time, on compelling legitimate grounds relating to his or her particular situation] thereof.[11]

4 Privacy in Competition Law Investigations It must be recognized that the Access to Documents Regulation is not the only piece of EU legislation that may be relevant to disclosure of personal data in an EU competition law investigation. Article 16 of Regulation 773/2004[12] provides that business secrets or other confidential information of any person shall not be communicated or made accessible by the commission in competition law proceedings. There is also a requirement on a person or undertaking that submits documents to the commission to provide the commission with a separate nonconfidential version of the document and to identify any information which it considers to be confidential. [13] A question arises as to whether the commission would be obliged to grant access to any personal data contained in the documents in circumstances where the data subject had not identified the data as confidential information. It would appear to follow from Article 5 of the Access to Documents Regulation that personal data may be processed if the recipient demonstrates the necessity of the processing. It may be that, in certain circumstances, the necessity test is met where the commission transfers documents in order to meet its own legal obligation to ensure that investigated parties can exercise their rights of defense. Furthermore, pursuant to Article 15(4) of the Procedural Regulation, the parties that receive the data are only required to use that data for the purposes of the competition law proceedings. However, the precise boundaries of the relationship between the Access to Documents Regulation and competition law inquiries have not been tested and it is conceivable that circumstances may arise where the legitimate interests of the data subject might be detrimentally affected by the transfer of the personal data to third parties (including investigated parties or in a public decision). Protection of Privacy under National Law United Kingdom Data Protection In the U.K., the collection and protection of personal data is governed primarily by the Data Protection Act 1998, which came into force on March 1, The rights and duties set out in the Data Protection Act are designed to apply generally, but there are some exemptions. If an exemption applies, then depending on the circumstances a person will be exempt from the requirement: (1) to notify the Information commissioner; and/or (2) to grant the data subject access to personal data; and/or (3) to give privacy notices; and/or (4) not to disclose personal data to third parties. The following are some of the main exemptions that may be raised in the context of a competition or regulatory investigation.

5 The Data Protection Act provides an exemption from the subject information provisions for processing personal data in connection with regulatory activities.[14] The exemption applies only to the core functions of bodies that perform public regulatory functions concerned with: (1) protecting members of the public from dishonesty, malpractice, incompetence or seriously improper conduct, or in connection with health and safety; (2) protecting charities; or (3) fair competition in business. For the exemption to apply, those functions must also be: (1) conferred by or under an enactment; (2) functions of the Crown, a Minister or government department; or (3) any other public function exercised in the public interest. The exemption would appear to apply to functions exercised by various regulators whose regulatory role is recognized by the public and the sector they oversee. Such regulators may be established by law or as a result of mutual agreement between the participants in their sector of business.[15] However, there is no automatic or general exemption for regulatory bodies. This reflects the rule that personal data that are processed to perform such activities are exempt from the subject information provisions only to the extent that applying those provisions would be likely to prejudice the proper performance of the activities. A further exemption from the first data protection principle provided for in the Data Protection Act (i.e., fair and lawful processing) applies where personal data is processed for the prevention or detection of crime.[16] In appropriate cases, this could be raised in the context of investigation into suspected cartel activity under the cartel offense contained in the U.K. Enterprise Act 2002, which established criminal liability for certain hardcore cartel activity. Freedom of Information Act A consideration of access to information in the U.K. would not be complete without a brief mention of the Freedom of Information Act 2000 (FOIA), which came into force in full on Jan. 1, This gives any person, including foreign nationals and companies, access to any information held by public authorities. There are two types of exemption from disclosure under FOIA: (1) absolute exemptions (where the only question is whether the exemption applies); and (2) qualified exemptions (where, even though the information falls within the terms of the exemption, the public authority has still to consider whether the public interest in maintaining the exemption is greater than that in confirming or denying the existence of the information requested and providing the information to the applicant). The sections of FOIA of most immediate relevance to competition investigations are sections 41 (exemption for information provided in confidence) and 43 (exemption to protect commercial interests). However, other exemptions may come into operation when businesses are seeking access to data during competition inquiries. For example, information may be lawfully withheld if it constitutes personal data that is subject to data protection laws.[17] The information commissioner has issued practical guidance to public authorities on how to apply the exemption.[18]

6 Protection of Privacy under National Law France Data Protection Legal Overview Data protection in France is governed by the (amended) Law on Computer Processing and Liberties (Informatique et Libertes), which came into force on Jan. 1, 1980.[19] This law states that data controllers must process data in compliance with the rules set out under its Article 6, as follows: data must be collected and processed fairly and lawfully; data must be collected for a determined, explicit and legitimate purpose and must not be subsequently processed in a manner incompatible with this purpose; the collected data must be adequate, relevant and nonexcessive as regards the purposes for which it was collected and subsequently processed; the data must be accurate, complete and up-to-date; and the data must be stored in a form that allows the identification of the data subjects for a period no longer than necessary for the purposes for which it was obtained and processed. Case Experience A recent case of the French Cour de Cassation has highlighted the tension between data protection and the powers of competition authorities.[20] On Nov. 30, 2011, the Cour de Cassation upheld a decision from Feb. 19, 2010 by the French Court of Appeals of Versailles relating to the search and seizure of s of employees of the company Janssen- Cilag. The French Commercial Code grants the French Competition Authority the power to inspect the premises of a company suspected of engaging in anti-competitive practices and to search and seize all documents and information relevant to the investigation. The Court of Appeals held that the officials of the French Competition Authority were authorized by a freedoms and custody judge to inspect the s as part of a competition investigation in the pharmaceutical market. Janssen-Cilag and its employees challenged the search on the basis that the French Competition Authority had violated the individuals rights to privacy, rights to secrecy of correspondence and rights to protection of personal data by searching all employee s including private correspondence and third party correspondence. The Court of Appeals held that the seizure of private s and correspondence, even information that was potentially irrelevant to the investigation, did not invalidate the search and seizure because the inspection had been sanctioned by a judge. The case raises the question about whether public (in this case competition) investigations should be conducted within the boundaries of data protection law and where, in the case of tension, an appropriate balance is to be struck. The case raises complex questions including some that do not have a clear-cut answer. In particular, central to the reasoning upholding the seizure appears to be that the investigation itself was not considered disproportionate and that employees would be permitted to reclaim documents that were private, confidential or irrelevant to the investigation.

7 However, this position raises a more fundamental issue in terms of the protection of personal data and the rights of defense of the company concerned pending and following resolution of the status of any disputed documents. A perennial problem that has been raised in other contexts is whether the prospect or actual return of disputed documents to their owners provides an acceptable remedy where unlawfully obtained documents have already been brought to the minds of investigating officials or the relevant case team. Even if such documents may not ultimately be used in evidence, there remains a risk that their disclosure to the investigating authority (and potentially other authorities where this is permitted under relevant law) can irretrievably prejudice the rights of individuals and corporations. Data Protection in the EU in Evolution While there is ample legislation that serves to protect personal data in Europe, the scope of protection at EU level and in the individual member states is far from settled. On Jan. 25, 2012, the commission published a proposal for a new General Data Protection Regulation. [21] The main proposed changes arising from this proposal are: a single set of rules on data protection, which will apply across the EU; increased responsibility and accountability for those processing personal data; subjects will have easier access to their own data and will be able to transfer personal data from one service provider to another more easily. This is likely to improve competition between services; the creation of a right to be forgotten whereby people will be able to require enterprises to delete their data if there are no legitimate grounds for retaining it; and national data protection authorities will be given greater powers to enforce the proposed regulation in their country. They will be able to impose penalties of up to 1 million or up to 2 percent of the annual global turnover of a company if they commit serious breaches of the new laws. It is likely to take at least a year to finalize the proposals and then a further one to two years until the new laws come into force. Concluding thoughts Although member states have implemented legislation at a national level, the law on data protection remains an evolving area in part as a result of new legislative proposals, but also owing to developing case law. Where competition cases are concerned, confidentiality and privacy are important since it is precisely the privacy of the process which facilitates investigated parties and competitors bringing forth information to the competition authorities. However, the authority may not fully address the competition issues adequately in the absence of wider disclosure and consultation with third parties that may raise privacy issues.

8 While the case law and legislation are developing, among the following would appear to be the main implications for practice: when submitting documents to a competition authority or regulator make an express claim, where relevant, for confidential treatment of business secrets and other confidential information including personal data; provide a nonconfidential version of documents submitted to a competition or regulatory authority; parties seeking access to personal data held by EU institutions should establish, at the very least, the "necessity" of the disclosure and that such disclosure would not prejudice the legitimate interests of the data subject; take account of differences between treatment of personal data in the EU and at member state level and the different cultural and legal traditions which may militate in favor of (or against) protection or disclosure; keep in mind that data protection laws do not exist in a vacuum and that a variety of national and supranational legislation may need to considered (including regulatory guidance on transparency) when determining whether a particular disclosure or access to documents is lawful in a particular case; and exercise caution where personal data is to be transferred outside the European Economic Area where specific rules apply. --By Suzanne Rab and Holly Murphy, King & Spalding LLP Suzanne Rab is a partner in the antitrust practice, and Holly Murphy is an associate in the employment practice, in King & Spalding's London office. The opinions expressed are those of the authors and do not necessarily reflect the views of the firm, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice. [1] Charter of Fundamental Rights of the European Union (2000/C 364/01). Article 7 provides that [e]veryone has the right to respect for his or her private and family life, home and communications. Article 8 provides that: 1. Everyone has the right to the protection of personal data concerning him or her. 2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified. 3. Compliance with these rules shall be subject to control by an independent authority. [2] Joined cases C-92/09 and C-93/09, Volker und Markus Scheche, decision of Nov. 9, [3] Directive 95/46 EC of the European Parliament and of the Council of Oct. 24, 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data [1995] Official Journal L 281, 23/11/1995 p. 31. [4] Charter of Fundamental Rights, Article 52. [5] Charter of Fundamental Rights, Article 42. [6] Consolidated Version of the Treaty on the Functioning of the European Union [2008] OJ C115 (TFEU), Article 15.

9 [7] Council Regulation (EC) No 1049/2001 of the European Parliament and of the Council of May 30, 2001 regarding public access to European Parliament, Council and Commission documents [2001] Official Journal L 145, 31/05/2001 p. 43 (Access to Documents Regulation). [8] Council Regulation (EC) No. 45/2001 of the European Parliament and of the Council of Dec. 18, 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data [2001] (OJ 2001 L8, p.1) (Data Protection Regulation). [9] Case C-28/08P, Commission v. Bavarian Lager [2011] 1 C.M.L.R. 1. [10] Data Protection Regulation, Article 4(1)(b). [11] [2011] 1 C.M.L.R. 1. [12] Commission Regulation (EC) No 773/2004 of 7 April 2004 relating to the conduct of proceedings by the Commission pursuant to Articles 81 and 82 of the EC Treaty OJ [2004] OJ 123, Article 16. [13] Commission Regulation (EC) No 773/2004 (Procedural Regulation), Article 16 (2). [14] Data Protection Act 1998, c. 29, s.31(5)(ii) [15] However, the exemption does not apply to investigatory or complaint-handling functions that may benefit the public but which organizations undertake when investigating their own activities. [16] Data Protection Act 1998, c. 29, s. 29(1)(a). [17] Freedom of Information Act 2000, c. 36, part II, s.40(3)(b). [18] Information Commissioner s Office Guidance, The Exemption for Personal Information, [2011]. [19] Loi Informatique et Libertés, Act no of Jan. 6, 1978 Amended by the following laws : Act of Aug. 6, 2004 Relative to the Protection of Individuals with regard to the Processing of Personal Data and Act of May 13, 2009 Relative to the Simplification and Clarification of Law and Lighter Procedures [20] Cassation : la loi informatique et libertes inapplicable a la saisie de l Autorite de la concurrence. Jan. 17, [21] Proposal for Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), COM (2012) 11 final (Jan. 25, 2012). All Content , Portfolio Media, Inc.