Fine of €2,5 Million imposed for negligent access to inbox and email “diversion” during inspection of the European Commission

Introduction

By a judgement dated November 2014 issued in case T 272/12, the General Court of the European Union ( “the Court”) confirmed the sanctioning of Energetický a pr myslový holding a.s. («EPH») and of its subsidiary EP Investment Advisors s.r.o. (“EPIA”) – Czech companies with activities in the energy sector – with a fine of €2,5 million because, during an unannounced inspection of the European Commission (“Commission”), access was granted to a blocked email account and the messages addressed to a mailbox under investigation were automatically retained in the server. This conduct was considered as a refusal by the companies investigated to submit to an inspection, a practice that is sanctioned in Regulation (EC) n.º 1/2003 of the Council of 16.12.2002 (“Regulation”).

The facts

During a surprise inspection carried out on the premises of EPH and EPIA, the Commission’s inspectors ordered the person responsible for the companies’ IT department to block the email accounts of four persons holdings key positions within the companies. Some hours after the block one of those key-persons – working at home – realized he could not access his email account and reported the problem to an employee of the IT Department, who changed the password in order to allow him to access his e-mail account again.

On the second day of the inspection the legal representative of the company, also subject to the email block, ordered the IT Department that the emails destined to his email account be retained on the server instead of being transferred to his mailbox.

In March 2012 following an investigation of the facts described above, the Commission adopted an infringement decision in which it concluded that the companies had committed an infringement of refusal to submit to an inspection and sanctioned them to a total fine of €2,5 million.

The appeal

On appeal, the companies contested the legal assessment of the above-referred conduct, claiming, in particular, that the Commission could not conclude infringement without previously demonstrating that the messages (unduly) accessed had been manipulated or eliminated. They further claimed that the Commission should have taken into account that the retained emails, even though not having reached the mailbox under investigation, remained available in the companies’ server, where the Commission’s inspectors could have consulted them.

The appellants also argued that the conduct of the IT technician responsible could not be attributed to them because the former was an employee of an independent company and was not, as such, authorised to act for the applicants.

The Court fully rejected these arguments. Following closely its previous case-law, the Court recalled that the measures adopted by the inspectors had the purpose of securing exclusive access to the email accounts during the inspection; in this context, it was enough for the Commission to prove that access had been granted – even if negligently - to the data of a blocked email account. In the case at hand, not only was the Commission able to produce proof thereof on the basis of documents but such proof was undisputed by the appellants.

Hence, the Court considered it irrelevant for a finding of infringement to prove whether or not the data had been manipulated or eliminated and it did not accept that certain technical characteristics of electronic data - such as their resistance to destruction and their automatic copying – would ensure, as argued by the appellants, their integrity and permanent availability.

On the other hand, it results from the case law of the European Union on cooperation duties in case of an investigation, that the companies were, in the present case, bound by an obligation to make available to the inspectors, in the respective inboxes, the email messages of those being investigated, just as it had been expressly requested. Such obligation was breached with the intentional diversion of incoming emails to the server.

In this context – the Court clarified – it is irrelevant that the messages remained available in the company’s server and the Commission’s inspectors had no obligation to previously ascertain such availability, before concluding that an infringement had occurred.

In what concerns the conduct of the person responsible to the IT department, the Court found it sufficient that the person at stake had, from the beginning of the inspection, been indicated by the legal representative of the companies investigated as the responsible person for IT. The fact that the members of the IT department were remunerated by a different legal entity and rendered their services on a temporary basis did not preclude, in the Court’s reasoning, their acting for and under the direction of the appellants.

One final relevant point to note is that the Court stressed the deterring effect of fines is particularly relevant when electronic files are at stake as they are much easier and quicker to manipulate and conceal, even in the presence of inspectors, which – the Court notes - poses particular difficulties for the effectiveness of an inspection.

Final remarks

From the moment a company is notified of an inspection decision, it must adopt all measures necessary to implement the instructions received from the inspectors and see to that the persons authorised to act for the company (even if they are not its own employees) do not render said implementation more difficult.

On the other hand and as results from the above, the assessment of whether or not a company has complied with its cooperation duties in the context of a surprise inspection must be done in strictly objective terms.

It is therefore crucial for companies under investigation to be able to assure, top to bottom within an organization, full compliance with its cooperation duties, which requires appropriate monitoring and control in the course of an inspection. Compliance with said duties can be further enhanced by other measures, whether preventive - in particular, though adequate training and preparation of a company’s employees for the event of an inspection - or reactive measures - through immediate reporting to investigating authorities of any incident that occurred in the course of an inspection as well as through close cooperation in its remedying.