
Retaining Documents You Shouldn't Isn't the Only Source of Data Risk

March 28, 2024

When asked about the chief data risks they confront in Europe, most organisations turn first to complying with restrictions on collecting and retaining data under GDPR. They focus, understandably, on ensuring that they are not collecting data without consent, using it for purposes other than those allowed, or retaining more data than justified or for longer than allowed. Several years on from GDPR going into effect, enterprises and public agencies should have technology and processes in place to ensure compliance with its requirements.

However, European organisations would be well advised to make sure they also have the capability to preserve data when obliged to do so. In some cases, companies doing business in the United States, or with affiliates there, will incur preservation obligations arising from civil litigation. But perhaps more importantly, they must be prepared for potential investigations under the authority of the Directorate-General for Competition of the European Commission.

What Is the Directorate-General for Competition?

The European Directorate-General for Competition, often abbreviated as DG COMP, is a department within the European Commission responsible for overseeing competition policy in the European Union. It plays a key role in ensuring fair competition within the EU's single market, similar to the role the Federal Trade Commission and Securities and Exchange Commission play in the United States. The primary objectives of DG COMP include:

  • Enforcing EU competition rules: DG COMP enforces the EU's competition rules to prevent anti-competitive behavior, such as cartels, abuse of dominant market positions, and anti-competitive mergers and acquisitions.
  • Reviewing mergers and acquisitions: DG COMP assesses proposed mergers and acquisitions to determine whether they would significantly impede effective competition within the EU's single market. It evaluates the potential impact on market competition and may impose conditions or prohibit mergers that would harm competition.
  • Investigating antitrust cases: DG COMP investigates allegations of anti-competitive practices, such as collusion among companies to fix prices or restrict competition. It takes enforcement action against companies found to be engaging in anti-competitive behavior, including imposing fines and other remedies.
  • Monitoring state aid: DG COMP monitors and regulates state aid provided by EU member states to ensure that it does not distort competition within the single market. It assesses whether state aid measures comply with EU rules and may require member states to recover illegal state aid granted to companies.

To enforce the regulations governing competitive markets in the EU and make determinations about possible violations of these laws, the Directorate-General must by necessity conduct thorough investigations encompassing business documents, financial records, internal and external communications, and other types of electronic evidence held by the subjects of these investigations. 

Understanding the Obligation to Preserve Data

Organisations under investigation by DG COMP are subject to certain obligations designed to ensure transparency, fairness, and the effective enforcement of EU competition law. The organisation must ensure the confidentiality of any information provided to DG COMP during the investigation process and may not disclose confidential information to third parties without authorisation. The organisation cannot retaliate against employees, customers, or other parties involved in the investigation, such as whistleblowers or competitors. Throughout the course of the investigation, the organisation has the right to legal representation, which can assist it in understanding its obligations, preparing responses to information requests, and representing its interests before DG COMP.

Several obligations also focus on data that the organisation holds that may be relevant to the investigation. Organisations must cooperate fully with DG COMP throughout the investigation, including providing all requested information, documents, and data relevant to the investigation in a timely manner. DG COMP has the authority to request information from the investigated organisation, as well as from third parties, related to the investigation. The organisation must respond accurately and completely to these requests. Finally, the organisation must preserve all relevant evidence, documents, and data that may be requested by DG COMP for the duration of the investigation in order to ensure the integrity of the investigation process.

Failure to comply with these requirements may result in fines or potentially negative investigatory outcomes, but complying with them is not simple. Large, multinational organisations, with operations in multiple countries across the EU (and the globe), might hold petabytes of data (1 petabyte = 1,024 terabytes) in on-premises servers; in private, hybrid, and public cloud data lakes; on individual employees' computers and smartphones; and in other locations. For such organisations, understanding all the data they hold, much less identifying what data might be relevant, producing it on demand, and preserving it indefinitely all pose significant challenges.

To learn more about these obligations and how Exterro can help organisations meet them, download our recent whitepaper, Responding to Data Preservation Requirements in Europe.

 
