WhatsUp? A fine of €15.9m for deleting WhatApps during a European Commission competition dawn raid

What were the facts?

In March 2023, the European Commission dawn raided International Flavors & Fragrances Inc. and International Flavors & Fragrances IFF France SAS (collectively, IFF) as well as others in the fragrances sector.

During the raid, the Commission had (as is standard practice) asked for the electronic devices (e.g. mobile phones) of some key employees. However, a senior IFF employee had intentionally deleted business-related WhatsApp messages, on the employee’s mobile phone, which had been exchanged with a competitor of IFF. 

The deletions occurred after the employee had been informed of the inspection.

On learning of the issue from the Commission, IFF immediately acknowledged the facts to the Commission, proactively cooperated with the Commission during and after the inspection but also helped the Commission recover the deleted data. Such cooperation proved useful – as will be seen below.

In March 2024, the Commission opened proceedings against IFF for obstruction of the inspection.

In June 2024, the European Commission fined IFF €15.9m for obstructing the Commission dawn raid. IFF accepted the fine.

This fine was relating to a procedural aspect of the case – this is the so-called “IFF – Deletion of Data” (AT.40882) case with the substantive case still on-going.

While the fine was very high, it is worth noting that due to the company’s cooperation, the fine was actually halved by the Commission – halved to €15.9m from what would have been €31.8m.

What are the key lessons?

Once a dawn raid or inspection commences then it is important to:

• get specialist competition law advice from competition lawyers who can give advice recognised as “privileged” by the EU (i.e. independent EU qualified lawyers) – there is no time to “dabble” in competition law and it would be positively dangerous to get non-privileged advice
• do not delete anything but, instead, preserve evidence – some of the evidence might ultimately help the business to defend or vindicate itself later. Deleting data looks guilty. The deletion can be a distraction. Competition inspectors use forensic technology which would provide evidence of deletions so don’t expect to get away with it

The fine was high but it could have been higher:

• the Commission was able to recover the deleted data with the company’s assistance (reportedly within four hours) – had the Commission not been able to find the missing data, one can imagine that the fine would be even higher because of the suspicion of what might have been destroyed
• the fine was halved because the company cooperated fully with the Commission – although there is no precise prescription of what the fine would be for deleting emails generally but it is still stated to be halved which is a considerable saving
• the fine was only 0.15% of the company’s turnover when it could have been as high as 1%
• if a business knew of such data being deleted but did not reveal it then it may be in danger of losing any immunity or leniency which it might (in some circumstances) be able to obtain
• without commenting on this particular case, some employees may find that deliberately disobeying an employer’s instruction not to delete data would be a breach of their employment contract and the employee could be terminated

Some observers would question whether the fine was too high because it was:

• for a procedural breach because some substantive breaches have attracted comparable fines; and
• this was not something which was done by the company (but rather one of its employees) and the company had done everything to address the situation.

Nonetheless, procedural fines have been high (e.g. breaking a seal placed by the Commission on a door during a dawn raid had attracted a fine of €38 million) and all breaches are ultimately committed by employees.

What was the legal basis for the fine?

The relevant instrument is Council Regulation (EC) No 1/2003 of 16 December 2002 on the implementation of the rules on competition laid down in Articles 81 and 82 of the Treaty.

Article 20(4) of Regulation 1/2003 obliges undertakings (i.e. businesses) to submit to inspections ordered by way of a Commission decision. This imposes, according to the Commission, a duty of active cooperation on these undertakings obliging them to make available to the Commission all information relating to the subject-matter of the investigation/inspection. The Commission believes that any subsequent restoration of the data cannot undo the fact that the submission was incomplete.

Article 23(1)(c) of Regulation 1/2003 allows the Commission to impose a fine up to 1% of the total turnover (i.e. value of sales (not profits)) of an undertaking where the latter, intentionally or negligently, produces the required books or other records related to the business in an incomplete form. As from the notification of an inspection decision, undertakings must act diligently and take all appropriate measures to preserve the evidence available to them.

What if the phone was the personal property of the employee and was not owned by the company? The Commission could still examine it if it was found on the property being inspected. If the Commission believed that such a phone with relevant evidence was located elsewhere then the Commission could well search elsewhere having obtained the necessary authorisation to do so.

How did the Commission set the fine if it was by reference to a maximum of 1%? The Commission had regard to such factors as the gravity of the infringement, the nature of the infringement, the intentionality of the conduct, the type of information deleted, the position held by the employee who committed the deletion and the need to deter others from repeating the breach.

What is new and what is left undecided?

What makes this case different is that it was the first time that the Commission fined a company where an employee had deleted WhatsApp messages on a mobile device. It demonstrates the seriousness of deleting apparently casual social media chit-chat. Social media communications can be far more revealing about breaches of competition law than bound contracts under seal.

This was the first time that the Commission’s cooperation procedure was used in a procedural infringement case.

What is not new is that the Commission has fined other businesses for obstructing an inspection. The pattern in these cases is that fines for procedural breaches can be very high and quite punitive.

What is left undecided by this case is what is the legal position of self-deleting messages which cannot be recovered but which are used routinely in business. Self-deleting messages are usually deleted not to thwart an inspection but simply as a matter of routine. If there was a deletion during, or after, an inspection of data then that is clearly a problem. If the self-deletion could be stopped and a request from the Commission to stop deletions was ignored or not complied with in full then there could well be a penalty. What is not clear is whether there could be a fine if a business or association had adopted an automatic deletion policy as a matter of routine.

The fact that information is deleted does not prove any substantive breach; this is purely a procedural breach. Speaking generally and not about this case, it will be interesting to see whether employers could see damages from employees who destroy evidence in breach of express orders not to delete the evidence. It would be important for employers to be able to demonstrate that they have explicitly told employees not to delete evidence in such situations. Here it was a senior employee, according to the Commission, so that would have added to the size of the fine. The fine was higher because Commission was not informed of the data deletion, its inspectors had to detect the deletion themselves after the mobile phone was submitted for review (so the Commission concluded that an overall fine amounting to 0.3% of IFF's total turnover would be both proportionate and deterrent but the Commission decided to reward IFF for its proactive cooperation during and after the inspection so the fine was halved and the reduced fine represented 0.15% of IFF's total turnover).

The company accepted the fine so there will be no appeal. Aspects of what happened have yet to be tested in court. However, that is not necessarily the end of the matter – this was a procedural fine and the substance of the investigation has yet to be concluded – it is too early to say how that will unfold.

Conclusion

The message for businesses is simple: if a business is inspected (and sometimes businesses are inspected with no adverse finding against them so it is not a sign of guilt as such) then the business should warn everyone not to delete anything but to preserve all data. Later, some data may be deleted but once the situation is clearer and there has been advice that it is safe to do so but until that time, it is better to preserve than destroy. During dawn raids, competition agencies have long since checked for deleted data (e.g. by asking for recent backups in case there was a leak or a tip-off of the business) and they are likely to remain focussed on data and deleted data so businesses should never assume that any breach will go undetected. And if a business finds that there is a breach then it is better to address the situation with the competition agency immediately and in full.

Takeaways for General Counsel

Use this case and update as a timely reminder to colleagues to:

• never engage in anti-competitive conduct
• comply with all instructions
• not delete evidence (some of it might even help the company demonstrate its innocence)
• do not think that social media, or informal back channels, will hide anti-competitive conduct – it just provides evidence of the employee’s wrongdoing and exposes everyone
• follow the best advice of all: “just don’t do it!” – comply with the law and don’t breach it

For further information in relation to this topic, please contact Dr Vincent Power, Partner, or any member of the EU, Competition & Procurement group.

Date published: 29 July 2024