Dealing with document searches and data protection issues
Regulators use unannounced inspections to secure evidence, particularly hard copy and electronic documents. As a result, most regulators have broad powers to view documents during an unannounced inspection, but what they are able to ask for varies:
- some can search for documents themselves, others will ask you to identify and provide them
- some can seize original documents, others can only take copies
- some can copy entire email accounts or hard disks, others may copy specific emails or documents only
Usually, the officials’ authorisation documents will include a statement of their powers to search for, copy and seize documents. In some jurisdictions and depending on the powers used, it may be an offence to refuse to produce documents or answer questions. Seek specific legal advice if you are unsure about whether the officials are permitted to access, copy or seize a particular document.
The officials’ authorisation documents will also generally set out the scope of the unannounced inspection, including:
- the alleged conduct (often based on information provided by a whistleblower)
- the suspected infringements of specific laws and/or regulations
- whether your organisation is a "target" of the investigation, or only a "witness"
You can refuse to allow access to documents that are not relevant to the scope of the inspection set out in officials’ authorisation documents. However, before doing this, you should consider the position carefully and may wish to seek legal advice. If the document would ultimately be useful for the officials, they are likely to return with a revised authorisation document. An initial refusal may start the relationship off on the wrong foot and you may not have enough information to assess relevance reliably.
The other general ground for refusing access to documents is that they are legally privileged. The rules on legal privilege vary depending on the jurisdiction and regulator involved. For example, in the context of suspected infringements of EU competition law, the internal communications of in-house lawyers will not be regarded as privileged by the European Commission. If there is a dispute about privilege with the officials, consider whether there is any scope to reach a ‘bagging’ compromise whereby the potentially privileged document is placed into a separate, sealed container which may be removed by the officials but will not be inspected by them until the dispute is settled.
Data protection laws typically contain exemptions for mandatory provision of documents to regulators. However data protection issues can arise in any related internal investigation. The rules on data protection vary by jurisdiction.