Careers

Learn more

Qualified professionals

Learn more

Trainee & intern programmes

Learn more

Offices

New York

Learn more

San Francisco

Learn more
A&L Goodbody logo
WhatsUp? A fine of €15.9m for deleting WhatApps during a European Commission competition dawn raid

EU, COMPETITION & PROCUREMENT

WhatsUp? A fine of €15.9m for deleting WhatApps during a European Commission competition dawn raid

During a European Commission dawn raid, an employee deleted some WhatsApp messages containing business-related information which had been exchanged with a competitor

Thu 12 Sep 2024

7 min read

Commentary also available in the Irish Times.

Summary

  1.   companies subject to a regulatory dawn raid should tell everyone not to delete anything and seek legal advice
  2. don’t delete anything during a dawn raid because it might interfere with the raid, destroy evidence and look suspicious
  3. if employers find that someone has deleted data then co-operate with the inspectors immediately - the fine here would have been double (€31.8m) without the company co-operating
  4. get specialist competition law advice from an independent EU lawyer whose advice would be privileged for EU law purposes

What were the facts?

In March 2023, the European Commission dawn raided International Flavors & Fragrances Inc. and International Flavors & Fragrances IFF France SAS (collectively, IFF) as well as others in the fragrances sector.

During the raid, the Commission had (as is standard practice) asked for the electronic devices (e.g. mobile phones) of some key employees. However, a senior IFF employee had intentionally deleted business-related WhatsApp messages, on the employee’s mobile phone, which had been exchanged with a competitor of IFF. 

The deletions occurred after the employee had been informed of the inspection.

On learning of the issue from the Commission, IFF immediately acknowledged the facts to the Commission, proactively cooperated with the Commission during and after the inspection but also helped the Commission recover the deleted data. Such cooperation proved useful – as will be seen below.

In March 2024, the Commission opened proceedings against IFF for obstruction of the inspection.

In June 2024, the European Commission fined IFF €15.9m for obstructing the Commission dawn raid. IFF accepted the fine.

This fine was relating to a procedural aspect of the case – this is the so-called “IFF – Deletion of Data” (AT.40882) case with the substantive case still on-going.

While the fine was very high, it is worth noting that due to the company’s cooperation, the fine was actually halved by the Commission – halved to €15.9m from what would have been €31.8m.

What are the key lessons?

Once a dawn raid or inspection commences then it is important to:

The fine was high but it could have been higher:

Some observers would question whether the fine was too high because it was:

Nonetheless, procedural fines have been high (e.g. breaking a seal placed by the Commission on a door during a dawn raid had attracted a fine of €38 million) and all breaches are ultimately committed by employees.

What was the legal basis for the fine?

The relevant instrument is Council Regulation (EC) No 1/2003 of 16 December 2002 on the implementation of the rules on competition laid down in Articles 81 and 82 of the Treaty.

Article 20(4) of Regulation 1/2003 obliges undertakings (i.e. businesses) to submit to inspections ordered by way of a Commission decision. This imposes, according to the Commission, a duty of active cooperation on these undertakings obliging them to make available to the Commission all information relating to the subject-matter of the investigation/inspection. The Commission believes that any subsequent restoration of the data cannot undo the fact that the submission was incomplete.

Article 23(1)(c) of Regulation 1/2003 allows the Commission to impose a fine up to 1% of the total turnover (i.e. value of sales (not profits)) of an undertaking where the latter, intentionally or negligently, produces the required books or other records related to the business in an incomplete form. As from the notification of an inspection decision, undertakings must act diligently and take all appropriate measures to preserve the evidence available to them.

What if the phone was the personal property of the employee and was not owned by the company? The Commission could still examine it if it was found on the property being inspected. If the Commission believed that such a phone with relevant evidence was located elsewhere then the Commission could well search elsewhere having obtained the necessary authorisation to do so.

How did the Commission set the fine if it was by reference to a maximum of 1%? The Commission had regard to such factors as the gravity of the infringement, the nature of the infringement, the intentionality of the conduct, the type of information deleted, the position held by the employee who committed the deletion and the need to deter others from repeating the breach.

What is new and what is left undecided?

What makes this case different is that it was the first time that the Commission fined a company where an employee had deleted WhatsApp messages on a mobile device. It demonstrates the seriousness of deleting apparently casual social media chit-chat. Social media communications can be far more revealing about breaches of competition law than bound contracts under seal.

This was the first time that the Commission’s cooperation procedure was used in a procedural infringement case.

What is not new is that the Commission has fined other businesses for obstructing an inspection. The pattern in these cases is that fines for procedural breaches can be very high and quite punitive.

What is left undecided by this case is what is the legal position of self-deleting messages which cannot be recovered but which are used routinely in business. Self-deleting messages are usually deleted not to thwart an inspection but simply as a matter of routine. If there was a deletion during, or after, an inspection of data then that is clearly a problem. If the self-deletion could be stopped and a request from the Commission to stop deletions was ignored or not complied with in full then there could well be a penalty. What is not clear is whether there could be a fine if a business or association had adopted an automatic deletion policy as a matter of routine.

The fact that information is deleted does not prove any substantive breach; this is purely a procedural breach. Speaking generally and not about this case, it will be interesting to see whether employers could see damages from employees who destroy evidence in breach of express orders not to delete the evidence. It would be important for employers to be able to demonstrate that they have explicitly told employees not to delete evidence in such situations. Here it was a senior employee, according to the Commission, so that would have added to the size of the fine. The fine was higher because Commission was not informed of the data deletion, its inspectors had to detect the deletion themselves after the mobile phone was submitted for review (so the Commission concluded that an overall fine amounting to 0.3% of IFF's total turnover would be both proportionate and deterrent but the Commission decided to reward IFF for its proactive cooperation during and after the inspection so the fine was halved and the reduced fine represented 0.15% of IFF's total turnover).

The company accepted the fine so there will be no appeal. Aspects of what happened have yet to be tested in court. However, that is not necessarily the end of the matter – this was a procedural fine and the substance of the investigation has yet to be concluded – it is too early to say how that will unfold.

Conclusion

The message for businesses is simple: if a business is inspected (and sometimes businesses are inspected with no adverse finding against them so it is not a sign of guilt as such) then the business should warn everyone not to delete anything but to preserve all data. Later, some data may be deleted but once the situation is clearer and there has been advice that it is safe to do so but until that time, it is better to preserve than destroy. During dawn raids, competition agencies have long since checked for deleted data (e.g. by asking for recent backups in case there was a leak or a tip-off of the business) and they are likely to remain focussed on data and deleted data so businesses should never assume that any breach will go undetected. And if a business finds that there is a breach then it is better to address the situation with the competition agency immediately and in full.

Takeaways for General Counsel

Use this case and update as a timely reminder to colleagues to:

For further information in relation to this topic, please contact Dr Vincent Power, Partner, or any member of the EU, Competition & Procurement group.

Date published: 29 July 2024

Key Contacts