European Court proposes ad-hoc virtual data room in Facebook case

Finding the fine balance between the European Commission`s investigative rights and the protection of personal and sensitive information

The EU’s General Court (“General Court”) aligns the protections applicable to information requests issued by the European Commission (“EC”) to those in dawn raids by requiring the EC to review potentially sensitive documents only in an ad-hoc virtual data room and accompanied by the investigated party’s counsel.

Facebook is currently being investigated by the EC in relation to its “Marketplace” and its data collection practices. Over the course of these investigations, Facebook received a number of information requests from the EC, in response to which Facebook provided hundreds of thousands of documents to the regulator.

The EC’s power to request information from companies derives from Article 18(2) and (3) of Regulation No 1/2003, pursuant to which the EC can either send a simple request for information or adopt a decision requiring companies to provide information. In both cases, the EC has to inform the companies about (i) the legal basis for the request, (ii) the relevant time limits and (iii) the penalties that apply for non-compliance. These penalties can amount to 1% of the group company’s total worldwide annual turnover or can consist of daily penalties amounting to 5% of the daily turnover in the case of a formal information request by decision.

While the first information requests in this case consisted of informal requests, the later ones were based on formal EC decisions. The information requests, which involved a search of the hard drives of some of Facebook’s key employees, furthermore used very broad and generic search terms, such as “big question” or “for free”. In preparing the response to the final two information requests, Facebook generated more than 80.000 documents that supposedly either had nothing to do with the investigation or contained very sensitive personal data of Facebook’s employees. The company therefore decided not to hand over the information to the EC. Instead, given the daily fines of EUR 8 million in the case of non-compliance, Facebook challenged the two most recent information requests and applied for interim measures.

Facebook argued that the EC had not only exceeded its investigatory powers under Regulation 1/2003 by requesting information un-related to the two investigations, but that it had also violated the fundamental rights of Facebook’s employees due to the personal and sensitive nature of the information contained in several of the documents. Essentially, the EC should not be able to ask for documents that would not help in the investigation and that were furthermore personal in nature.

The legal test for obtaining interim measures, under Article 160 of the Rules of Procedure of the Court („Rules of Procedure“) read in conjunction with Article 278 TFEU, is fairly stringent. First, an applicant has to make a prima facie case, which means it has to show that its pleas are not unfounded. Second, the applicant has to show that not granting interim measures would result in serious and irreparable harm to the applicant before the decision in the main proceeding could even be reached. Making things harder, the Court only exceptionally suspends decisions adopted by the EU institutions, which are presumed to be legal – as recognized by the Courts (see for instance General Court, Case T-131/16 R).

In antitrust cases, the General Court typically grants the EC a wide margin of discretion, when it comes to the scope of its investigatory powers. So long as the information the EC is aiming for in its requests can reasonably be expected to help determine whether an infringement has taken place, such requests will be justified. The General Court applied this line of reasoning for instance in the 2019 decision dismissing Qualcomm’s claim that information requests had been too broad (see General Court, Case T-371/17).

In the case at hand (Facebook Ireland Ltd vs. European Commission (Case T-451/20 R)), however, the President of the General Court found that given the similarities between such large scale RFIs and dawn raids, similar procedural protections should apply. In both cases, parties are required to provide large amounts of data and documents to the EC, which it may review at a later stage on its own premises. In the case of dawn raids, the EC is required to exclude documents that do not relate to the business or the investigation, which is ensured by lawyers that may be present.

Based on the above, the President of the General Court (who pursuant to the Rules of Procedure decides applications for interim measures) held that given the breadth of the request and the lack of any method for verifying the importance / relevance of the documents, it could not be excluded that the challenge could be successful. In order to protect Facebook’s employees from immediate harm (by having their personal documents disclosed to a wide(r) audience), while at the same time allowing the EC to verify the relevance of the 80.000 documents for the investigation, the President ordered those documents moved to a separate virtual data room. Only a limited number of people from the EC would have access to this data room and only in the presence of an equivalent number of the party’s lawyers. As far as can be seen, this is the first example of a virtual data room solution in the context of information requests. It follows the same principles that parties are familiar with in dawn raids, whenever the amount of information is too large to be investigated on the premises of the investigated parties.

It should be noted that while details are not known, the EC had proposed a similar solution to Facebook earlier in the investigation. Facebook may therefore have tried to play for time by refusing the EC’s proposal and trying to get more favourable terms from the General Court. Depending on the outcome in the main proceeding, this data room solution may become a new standard for investigations involving large amounts of data and documents. While this would give investigated parties a tool to push back on overly broad information requests, it will also potentially make it harder to challenge them, so long as the EC correctly applies this procedural protection.