What are the practical takeaways?
1. Companies should ensure that their compliance training emphasises the perils of using social media and other informal messaging applications for business-related exchanges both internally and with third parties (especially competitors, but also suppliers, customers, and consultants). Employees should understand that communications via social media or messaging applications pose the same risk as communications via more traditional channels like emails, and not be lulled into a false sense of security that informal messaging applications are more "private".
2. Employees should also understand that their personal devices if used for work purposes as well as their work-issued devices can be imaged and searched.
3. In the event of a raid, in consultation with the authority and external counsel, an internal communication must go to employees as quickly as possible stressing the importance of not deleting or destroying any data or leaving any group chats unless and until clearance to do so is expressly granted. That communication should specify that any employee who may in the heat of the moment have engaged in such conduct should report it immediately so that the inspecting authority can be informed as quickly as possible to minimise the company's exposure.
4. Since employees may not always be forthcoming, it is prudent to have specialised forensic support onsite during any inspection so that the company can spot any unusual behaviour and investigate accordingly. Baker McKenzie's Global eDiscovery & Data Advisory team supports our clients with advanced forensic and analytical tools that allow us to conduct the same type of deep forensic work regulators undertake in compliance with applicable laws and the company's internal policies.
5. To allow the company to mitigate risk and to properly defend itself in the event of an investigation, it is critical to have the correct policies in place at the outset. Companies should conduct a broader review of their corporate IT systems, litigation-hold processes, document retention, acceptable use, bring your own device, and other IT monitoring policies, to ensure that they provide maximum leverage, enabling the company to promptly respond to antitrust investigations most appropriately, and minimising the risk of fines for inadvertent obstruction.
Deleting messages and leaving WhatsApp groups during an inspection constitute obstruction
In this latest case, the Commission classified the employee's deletion of messages as a “very serious” obstruction infringement because the employee deleted the messages after they had been informed about the inspection, and because the Commission was not informed of the breach by the company, but detected the deletion itself.
This is the first time that the Commission has imposed a fine for deleting WhatsApp messages but there have been other decisions at Member State level where national authorities have imposed significant fines for similar conduct. For example:
- In 2019, the Netherlands Authority for Consumers and Markets (ACM) fined an unidentified company EUR 1.84 million after employees deleted WhatsApp messages and left WhatsApp groups during an inspection. The fine was reduced by 20% because the company cooperated by proactively informing the ACM of the conduct and providing additional self-incriminating evidence.
- In 2023, the Polish competition authority fined the local subsidiary of a Swiss coffee machine supplier and a household appliance retailer EUR 2.4 million after employees from the respective companies deleted WhatsApp conversations between them when they became aware of an inspection.
Obligation not to obstruct goes considerably further under new UK legislation
Ensuring that employees do not delete messages on mobile devices in the heat of a dawn raid is challenging. But a new duty to preserve evidence where there are reasons to believe that an antitrust investigation by the UK Competition and Markets Authority (CMA) is likely will be even more onerous.
The Digital Markets, Competition and Consumers Act was passed in May 2024 and is expected to come into force in the autumn following the conclusion of a public consultation on important legislative guidance1. It includes the obligation to preserve evidence in all antitrust investigations where a person knows or suspects that an investigation is, or is likely to be, carried out by the CMA.
In practice, this duty would arise, for example, where: a business receives a case initiation letter from the CMA; an employee is made aware that a customer has reported suspicions of price fixing and has been interviewed by the CMA; or a party to a collusive arrangement is "tipped off" that another participant has blown the whistle to the CMA.
The duty will apply to individuals and their employer and raises many questions about the steps a company would need to take to comply with its obligations. Is there a duty to inform employees of any suspicion that an investigation may be likely? How concrete must that suspicion be? What can the employer reasonably do to ensure that evidence is indeed preserved, especially in relation to messages stored on personal mobile devices that it has no access to?
Messaging applications as a broader compliance risk
Messaging applications have landed other companies in trouble with competition authorities outside the context of dawn raids in the past. In 2023, Sepura was fined GBP 1.5m for a non-reciprocal exchange of competitively sensitive information that took the form of 69 text messages sent over two hours between two sales directors (former colleagues) at rival companies. The Sepura director repeatedly disclosed their intentions not to lower prices in response to a pending tender.
Although the recipient did not engage in a pricing discussion and reported the incident internally (allowing his employer to apply for leniency in short order and thus obtain immunity from any financial penalties), the regulator nonetheless found liability on the basis that the recipient company had taken insufficient internal compliance steps, applied for leniency only after it had submitted its bid for the tender, and failed to proactively inform the procuring authority about the unlawful information exchange. It held that "changing the subject" in a messaging exchange does not amount to open and unequivocal opposition that constitutes effective public distancing which is the legal test to rebut the presumption that those taking part in a concerted practice have taken into account information exchanged with their competitors in determining their conduct on the market.
Compliance training must emphasise that liability for anti-competitive conduct is strict and there is no room for complacency, particularly when it comes to socialising with competitors whether in person or electronically.
Competition authorities are becoming more sophisticated and more demanding
The Commission’s press release announcing the latest fine warns that its IT experts use cutting-edge forensic tools to detect any deletion or manipulation of electronic information during inspections. The Commission has been modernising its working methods in recent years, investing in new technologies, hiring more forensic and data analysts, and creating a new Chief Technology Officer post. It is currently reviewing its enforcement powers and the procedural rules laid down in Regulation 1/2003 and may in the coming months propose amendments to give it even more leeway in tackling the investigatory challenges posed by new technology trends.
Conclusion
The gap between the evidence that the authorities are able to sequester and what employers are able to access in conducting internal investigations is only likely to widen which underscores the importance of having appropriate policies and notices in place to provide maximum flexibility in risk mitigation.
1 For a broader overview of the new Act, see our alert – UK: Introducing Regulation of Digital Platforms and New Competition and Consumer Protection Powers.