Global antitrust investigations feature increasingly interventionist agencies with enhanced investigative techniques, bringing changes to the types of media accessed and raising more data protection issues.
Illicit conduct taking place electronically means that evidence is mainly found in electronic form (including social media), so authorities are developing sophisticated and intrusive tools for searching and analysing the data. Companies are often expected to provide a significant degree of co-operation in respect of IT issues, including being able quickly to block individual email accounts, disconnect running computers from the network, remove and re-install hard drives from computers and provide administrator access rights support, with significant penalties for obstruction.
Sometimes agency demands conflict with what data protection laws allow, and the rules vary widely across jurisdictions. The US DOJ is particularly aggressive in requiring disclosure of communications and documents - not even personal correspondence of employees is protected. At the other extreme are countries such as Germany, where data protection rules are strict and backed by criminal sanctions including prison terms, and these differences raise acute difficulties in cross-border cases. In Europe, the trend is towards stricter protection, with a new EU regime entering into force in 2018 under the General Data Protection Regulation.
A number of practical actions can help a company be prepared:
- check that your IT systems facilitate quick responses to document requests. Extremely large amounts of data may need to be downloaded very quickly – not always easy with ‘cloud’ storage – and split up so that only the relevant documents are handed over to the authorities;
- ensure that you always know where your data actually is to be able to assess which law applies (again, not easy with ‘cloud’ storage);
- put in place internal local guidance in each relevant jurisdiction to ensure that legally privileged documents are clearly labelled when they are created;
- put in place appropriate data retention guidance – save the data you need, and delete data that is simply not necessary anymore;
- ensure that employees are aware that, in the event of an investigation, the authorities may gain access to any of their documents or communications, regardless of their means of creation or storage;
- ensure that employees are aware of internal policies in place on use of social media and chat rooms; and
- as far as local law allows, draft employment contracts so as to limit the data protection issues that may arise, and get local advice before responding to requests.
More information is available in the antitrust investigations section of our recent publication Global Antitrust in 2017: 10 Key Themes Preparing You for the Year Ahead.