Privacy Rights in Dawn Raids – the Privacy Protocol as the legacy of the CCPC's bagged cement investigation
Privacy Rights in Dawn Raids – the Privacy Protocol as the legacy of the CCPC’s bagged cement investigation
Dawn Raids and Bagged Cement
On 28 February 2020, Ireland's Competition and Consumer Protection Commission (CCPC) announced that it had closed its investigation into alleged anti-competitive practices in the "bagged cement sector". The investigation, which commenced in 2014, was interesting for several reasons, most notably because it resulted in litigation before the Irish High Court and Supreme Court on the legality of a dawn raid conducted by the CCPC during the investigation.
The litigation concerned whether the CCPC was entitled to seize and review the email account of a CRH executive which contained emails unrelated to the business of the undertaking concerned. The High Court found that the CCPC was not entitled to review those particular records which were outside the scope of the investigation. The Supreme Court agreed (CRH Plc, Irish Cement Ltd v The Competition and Consumer Protection Commission  IESC).
In announcing the closure of the investigation, the CCPC noted that, following this litigation, it has published a 'Privacy Protocol' which outlines the safeguards to protect privacy rights in future investigations.
The Protocol has received little attention since it was published in July 2018. In this briefing, we summarize the key aspects of the Privacy Protocol which applies to both competition and consumer-protection inspections undertaken by the CCPC.
1. During the Dawn Raid – making a privacy claim
Under the Competition and Consumer Protection Act 2014, the CCPC has broad powers to search and review electronic and hard copy records during an inspection (or "dawn raid").
According to the Privacy Protocol, where a CCPC officer is seeking to review 'private information', the relevant individual or a representative is required to inform the CCPC officer that the record in question contains or may contain 'private information'. The nature of the private information must be explained.
The Privacy Protocol includes a narrow definition of private information:
"Private Information is defined as information relating to an undertaking or individual which does not concern the 'business or economic activities or interests' of such undertaking or individual. The example given in the protocol is email correspondence between a husband and a wife about being late home from a meeting."
Where this occurs, the CCPC officer's response depends on the format of the records being reviewed i.e. whether they are electronic or hardcopy records and whether the records are standalone (e.g. a single file) or mixed with other non-private or private but potentially relevant records:
(i) Where the claim relates to electronic material which may contain potentially relevant material, the CCPC will proceed to seize or copy the record. The record will be kept separate from other 'non-private' material in accordance with the seizing procedure described below.
(ii) Where the claim relates to a specific electronic file or document or an individual hard copy item the CCPC may examine the claim on-site 'where practicable' with the search target's consent to verify whether the material is in fact private.
If the claim is accepted on-site → the material will not be seized or copied
If it is not possible to verify the claim on-site → the material will be seized or copied by the CCPC in accordance with the seizing procedure below
The Seizing Procedure
The CCPC will copy electronic material which is claimed to be private onto a separate external storage device (the 'Disputed Data Storage Device')
Where the claimed private material cannot be separated from either: (a) material which the CCPC considers relevant; or (b) non-private material, the entire file will be copied to the Disputed Data Storage Device
Hard copy items which are claimed to be private will be placed in a sealed envelope
In certain cases, the CCPC will convert hardcopy material into digital format and the same procedure as set out above will apply
2. After the Dawn Raid
The Privacy Protocol requires all claims, to be put in writing to the CCPC within 14 days of the end of the search. This administrative (rather than legislative) requirement applies even to privacy claims accepted by the CCPC officers during the dawn raid.
In order to manage this post-search process, businesses should be vigilant to ensure that all claims made during the inspection and the outcome of such claims are recorded in a contemporaneous record. This will greatly assist businesses in following the "post-search" procedure in the Protocol. Although it is possible to make privacy claims after the dawn raid, it is preferable to make any privacy claims as early as possible before any materials are seized or copied.
What does the Privacy Protocol not do?
It is important to understand the limits of the Protocol. In particular:
(i) The Protocol does not prevent the CCPC from inspecting business-related books, documents or records OR from seizing or copying potentially relevant material subject to the process followed in the Privacy Protocol.
(ii) The Protocol does not cover material over which a claim of legal professional privilege has been made. Section 33 of the Act details the procedure which applies to the seizure of privileged material and the CCPC is proposing to publish a separate protocol on this.
Conclusion – irrelevant records and key word searches
The CCPC's press release announcing the closure of the investigation noted that the CCPC had gathered 'a substantial amount of electronic material' during the investigation. Excluding the information contained in the email inbox which the Supreme Court held the CCPC was not entitled to review, the CCPC conducted what it described as a 'detailed and extensive review and assessment of all of the documents available to it' with the assistance of digital forensic tools.
As the CCPC has the power to seize records (unlike the European Commission which may only copy records), the CCPC conducts these types of reviews at the CCPC rather than on the site of the inspection. In contrast, the European Commission engages in on-site electronic searches, typically using key words.
The Protocol includes a very narrow definition of private information and does not directly address in detail the issue of CCPC officers seizing "irrelevant" material during dawn raids. This was one of the key issues identified in the Supreme Court's decision in CRH. The Privacy Protocol states that the CCPC 'may' use keyword searches during the search 'to ensure that only potentially relevant material, individuals and custodians of data are identified'. It will be interesting to see how the CCPC's practice in this regard develops in future inspections.
For the moment, businesses and legal counsel should ensure they are familiar with the Privacy Protocol so that they can best protect their privacy rights and the privacy rights of their employees in response to a competition or consumer dawn raid by the CCPC, and in particular, bear in mind the 14 day timeline to raise issues with the CCPC.