Privacy & Cybersecurity Law Blog

On February 19, 2010, the Court of Appeals of Versailles (the “Court”) upheld the unlimited seizure and review of a company’s emails by several agents of the French Competition Authority (Autorité de la Concurrence).  The agents had been authorized by a lower court judge to inspect the emails pursuant to an investigation into an alleged abuse of dominant position in the pharmaceutical market.

The company under investigation, and several of its employees, challenged the validity of the search on the grounds that the Competition Authority had carried out a complete review of all employee emails without selecting those that were relevant to their investigation.  As a result, private documents belonging to employees and third parties were included in the search, in alleged violation of those individuals' privacy rights, the right to secrecy of correspondence and the right to protection of personal data.

Article L.450-4 of the French Code of Commerce authorizes Competition Authority agents to seize any documents that are relevant to their investigation.  In this case, the Court ruled that the agents were authorized by law to include private correspondence if it was relevant to the investigation, and thus their review of the emails did not constitute a violation of correspondence secrecy rights.

With respect to the right to privacy, the Court validated the entire investigation on the grounds that the agents used the only method that enabled them to preserve the accuracy and reliability of the relevant documents.  The fact that personal documents belonging to employees were reviewed during the investigation did not invalidate the search because the investigation had been pre-approved by a judge.  However, the Competition Authority was ordered to return any documents that were identified as being personal to their owners.

The Court also ruled that, in this context, seizing computer files does not constitute a data processing activity.  This ruling shows that there is a possible conflict of laws between competition law and data protection.  Indeed, under the French Data Protection Act, the definition of “personal data processing” is sufficiently broad to encompass “any operation or set of operations in relation to such data, whatever the means used, especially … obtaining, recording, organization, storage, retrieval, consultation (…)”.  Strictly speaking, that definition implies that any investigation conducted by the Competition Authority is considered a “data processing” activity and, therefore, is subject to the limitations and safeguards necessary to protect the fundamental privacy rights of individuals.

This issue was discussed on February 9, 2010, at a workshop on “Meeting the Challenges of Competition Law Compliance” hosted by Hunton & Williams in Paris and including presentations by Hunton attorneys Paul McGeown, Ray Hartwell, Mathieu Guillaumond and Olivier Proust.

The Court’s decision in the Janssen-Cilag case is available (in French) on legalis.net.