A Reflection of the Turkish Competition Authority’s Enforcement History for Examination of Digital Data During On-Site Inspections: Guidelines on Examination of Digital Data During On-Site Inspections Has Been Published

Article by Bahadır Balkı and Esen Ergül

1. Introduction

On June 24, 2020, the long-awaited and discussed amendments on the Law No. 4054 on Protection of Competition (“Competition Law”) have entered into force[1] with the object of (i) reflecting the Turkish Competition Authority’s (“TCA”) experience and know-how since 1997, (ii) the change in the markets in Turkey and globally and (iii) developments in technology and further compliance with the European Union competition law.[2]

Besides the amendments introduced important new concepts, such as, (i) de minimis principle for anti-competitive conducts, (ii) significant impediment of effective competition (“SIEC”) test for concentrations, (iii) the Turkish Competition Board’s (“TCB”) power to order behavioral and structural remedies for anti-competitive conducts, (iv) settlement and commitment procedures, they also brought further clarifications on the TCA’s authority to examine and make copies of all information and documents in both physical and electronic records and information systems of the companies during the on-site inspections and self-assessment procedure for individual exemption.

In terms of on-site inspections, the previous wording of Article 15(a) of the Competition Law was as follows:

“In carrying out the duties assigned to it by this Law, the TCA may perform examinations at undertakings and associations of undertakings in cases it deems necessary. To this end, it is entitled to: (a) examine the books, any paperwork and documents and take their copies if needed”.

Although the previous wording does not explicitly refer to the TCA’s authority for the examination of digital data, it also does not exclude the authority to examination over those. In fact, examination of electronic records and information systems have already been in practice. In any event, with the amendment, the current wording of Article 15(a) of the Competition Law is amended as follows, in a way to clarify the TCA’s authority to examine digital data and as a reflection of the TCA’s enforcement history on that front:

“Examine the books, all types of data and documents of undertakings and associations of undertakings kept on physical or electronic media and in information systems, and take copies and physical samples thereof”

In line with this amendment, the TCA has also published the Guidelines on Examination of Digital Data during on-Site Inspections (“Guidelines”)[3] in order to set the general framework for the examination, copying and storage of any kind of data and documents within the undertakings’ electronic space and information systems. The Guidelines is akin to the European Commission’s Explanatory Note on Commission Inspections pursuant to Article 20(4) of Council Regulation No. 1/2003 and mirrors the undergoing practice of the TCA in terms of examination of digital data during the on-site inspections.

Hereby, we provide the TCB’s precedents demonstrating the TCA’s enforcement history for examination of digital data during on-site inspections as well as an overview of what the Guidelines bring forward.

2. The TCA’s Enforcement History for Examination of the Digital Data

In practice, the TCA has already been examining the data of the undertakings kept on electronic media and in information systems and making copies of the digital data during the on-site inspections prior to the amendments on the Competition Law and the Guidelines. Even, the TCA’s authority to digitally take copies of certain data has been emphasized in certain decisions. For example, recently in 2020, the TCB’s Chemotherapy Drug Preparation decision[4], by referring to the Council of State’s precedents[5], concluded that the TCA has the authority to examine digital data and electronic documents. Similarly, in 2018, the TCB’s Electric Suppliers decision[6] indicates that seizing documents through a CD during the on-site inspection is derived from the authority stipulated under Article 15(a) of the Competition Law.

Also, certain undertakings have been imposed administrative monetary fines due to hindering and obstructing on-site inspections due to not providing access to their digital data. To demonstrate, hereunder, a summary of the notable TCB decisions on this issue will be provided in a chronological order.

• Groupe SEB decision[7]

During the on-site inspection at the premises of Groupe SEB, the case handlers requested to access to the e-mail account of Groupe SEB’s former general manager, who is currently working as Groupe SEB Vice President Eurasia in France. The undertaking responded that it will be examined whether the e-mail account of the relevant manager used during the period she/he was working in Turkey. Afterwards, the case handlers were informed that the former general manager’s duty in Group SEB Istanbul has terminated and access to the relevant manager’s account is technically impossible in accordance with the current standards and legislation. Particularly, the case handlers’ request was rejected due to the relevant local legislation and General Data Protection Regulation (“GDPR”). In response, the case handlers indicated that the correspondences of the former general manager that was made in relation to the business during his office cannot be considered as personal data and the inspection will only cover the correspondences related to the business. Despite such efforts, the TCA have not been able to access the former general manager’s account.

Subsequently, Groupe SEB invited the TCA to complete the on-site inspection by informing them that the account could be remotely accessed.

As the TCA determined that (i) it is of importance for the pre-investigation that the access to the e-mails of Groupe SEB’s former general manager regarding the period he/she was the General Manager of Groupe SEB Turkey in terms of the allegation that Groupe SEB Istanbul has determined the resale prices of final sales points and (ii) the non-provision of remote access to the former General Manager’s accounts constitute obstruction of on-site inspection. To that end, the TCA has imposed an administrative monetary fine on Groupe SEB Istanbul.

• Siemens decision[8]

During the on-site inspection at Siemens Healthcare’s premises, the case handlers informed the company’s IT officers about their request for inspection of all Siemens Healthcare employees with certain time periods and key words. The IT officers responded to this request that Microsoft Office 365 is used within the company and global headquarters should be consulted in terms of how the requested inspection could be carried out within this application. The headquarters indicated that such inspection can be carried out through “eDiscovery” feature and this requires necessary approvals at a global level. In this respect, the case handlers requested access to the relevant feature only for the employees in Turkey.

Despite the case handlers’ explanations that the inspection would be limited to “Siemens Healthcare users” and the undertaking’s representative can be present during the inspection in order to eliminate any potential concerns, the undertaking rejected to grant access as an inspection via “eDiscovery” would result in access not only to Siemens Healthcare employees but also access to all the employees residing in the European Union and this could entail different risks in different jurisdictions. Ultimately, the access was not granted to the case handlers.

Although the undertaking stated that in order to prevent any unlawful conduct, in case the case handlers provide them with the persons, dates to be reviewed and search parameters, they could provide the TCA with the data set, the case handlers referred to their authorities granted by the Competition Law and the on-site inspection cannot be conducted through the suggested procedure and the process will be recorded on the minutes.

Subsequently, the undertaking submitted a petition to the TCA that the “immediate” access to the relevant database cannot be fulfilled on the same date given that (i) the database cannot be limited only with the employees in Turkey due to the global IT infrastructure, (ii) therefore, the case handlers’ access request would result in violation of various security protocols, contractual obligations, intellectual property matters and data protection laws applicable in Europe, USA and rest of the world. However, it was also indicated that they have been searching for alternative methods to fulfill the TCA’s request and proposed certain methods for access. Afterwards, the case handlers conducted another on-site inspection at Siemens Healthcare’s premises based on the proposals.

According to the decision, it could be demonstrated that there were no changes on the system between the first and second on-site inspection conducted, respectively, on October 2, 2019 and October 15, 2019. Nevertheless, the TCA identified that the “eDiscovery” search over Office 365, which would have been conducted on October 2, 2019, could be also made for the “hard deleted” e-mails 30 days back from the day of search and therefore, the data obtained during the second inspection covers a limited time period compared to the first inspection and it is not possible to determine whether the data obtained during these two inspections are the same. Additionally, the decision indicates that the representatives of the undertaking have obtained the search keywords used during the first inspection and had the opportunity to conduct “eDiscovery” search with these words on their servers and that the undertaking did not face any technical impossibility for the on-site inspection to be conducted uninterruptedly and immediately. In this respect, it was indicated that the on-site inspection should be conducted over all the departments of the undertaking and for all the related documents on the date the TCA finds appropriate.

To that end, Siemens Healthcare was imposed an administrative monetary fine for hindering and obstructing the on-site inspection and a proportional fine starting from the day after the first inspection (i.e. October 2, 2019) until the second inspection (i.e. October 15, 2019) for each day that the violation continued. 

• Unilever decision[9]

Within the scope of the pre-investigation against Unilever, an on-site inspection was carried out at the premises of Unilever. After being informed that the undertaking uses Office 365 for e-mail correspondences, the case handlers indicated that Unilever Global should be consulted on how the inspection to be conducted within Office 365 application. Similar to the surroundings in Siemens decision, Unilever Global informed that such inspection could be conducted through “eDiscovery” which is subject to the approval at a global level. Accordingly, the case handlers requested access to a Unilever Turkey user account having the “discovery management role” to conduct the inspection only for the employees in Turkey.

After rounds of discussions between the case handlers, Unilever Turkey and Unilever global, the undertaking rejected access given that the admin authorization that will be granted for the inspection is at global level, the authorization for the Turkish data cannot be separated from the search authority for all the global data and the TCA does not have the authority to conduct such inspection. The undertaking added that access to the Turkish data through separation would require a couple of days.

Although the relevant inspection was allowed later, the TCB concluded that since Unilever did not allow the requested inspection from 10:10 to 17:45, it obstructed the on-site inspection and therefore, imposed an administrative monetary fine on Unilever, by also referring to the Council of State’s decision[10] that even 40 minutes delay of the on-site inspection would result in obstruction of on-site inspection.

• Askaynak decision[11]

During the on-site inspection at the premises of Askaynak within the scope of a pre-investigation, the case handlers found a correspondence sent from Askaynak’s general manager’s personal e-mail account to Gedik’s (another undertaking party to the pre-investigation) corporate account at the premises of Gedik. As the relevant correspondence (i) demonstrates that personal e-mail account is also used for corporate correspondences and (ii) creates suspicion that the personal e-mail account could have been used for the organization of anti-competitive union, the TCA requested to inspect the relevant account. However, after rounds of discussions, while the TCA was granted access to examine the account, it was identified that certain e-mails were deleted.

The TCB’s decision explicitly states that the TCA has the authority examine the computers, e-mail accounts used for business (including both corporate and personal accounts) of the representatives of the undertaking. Subsequently, the TCB imposed an administrative monetary fine on Askaynak for obstruction of the on-site inspection.

• Ege Gübre decision[12]

During the on-site inspection at the premises of Ege Gübre, the case handlers identified that the General Manager of the company has been using an superonline.com account which has been directed to his/her corporate e-mail account but it also includes personal e-mails. Although the relevant account was granted access, once the case handlers found a correspondence, which includes a statement that “İgsaş said it was changing prices”, and intended to obtain a copy of the relevant correspondence, the undertaking obstructed the TCA’s access to the relevant document by alleging that the relevant account is a personal account and allowed the TCA to continue its inspection after the separation of the personal and corporate accounts.

Subsequently, the TCA conducted a second on-site inspection at Ege Gübre with the decision of the Judgeship of Criminal Court of Peace and found that the relevant correspondence that was not provided during the first inspection is directly related to competitive conducts.

Conclusively, the TCB decided that Ege Gübre’s behaviors during the on-site inspection lead to obstruction of on-site inspection and thus, imposed an administrative monetary fine on Ege Gübre.

• Nuhoğlu decision[13]

In the course of the on-site inspection at Nuhoğlu, the case handlers were not allowed to access to the e-mail account Nuhoğlu’s Chairman of the Board on the grounds that the chairman’s computer including his/her personal data cannot be inspected and inspection over the relevant computer requires a court decision.

Although the TCA conducted the on-site inspection later with the decision of the Judgeship of Criminal Court of Peace, the TCB decided that Nuhoğlu’s behaviors are in the nature of hindering on-site inspection and imposed an administrative monetary fine.

3. An Overview of the Guidelines

The Guidelines is basically a mere reflection of the TCA’s approach towards examination of digital data for a long-time.

First, the Guidelines provides information on the authorized persons that could examine the digital data and what can be examined. In this regard, the Chief Competition Experts, Competition Experts and Assistant Competition Experts have the authority to examine the information systems of the undertakings (including association of undertakings) such as servers, PCs/laptops, portable equipment and storage tools such as CDs, DVDs, USBs, external discs, back-up records, cloud services. Furthermore, the Guidelines specifically indicates that the examination over these could be conducted through digital forensics software and hardware allowing to search the digital data. It is also safeguarded that the relevant digital forensics tools ensure searching and copying the digital data, restoring the deleted data, while also preserving the originality and completeness of the data and system of the undertakings.

Second, in terms of the examination of portable communication devices (e.g. mobile phones, tablets), the Guidelines foresees a two-step examination. The first step is for the case handlers to have a quick review at these devices to determine whether they contain digital data of the undertaking, regardless of whether the device is for personal use or for work. In case, it is determined that these devices are completely for personal use, they would not be subject to examination. Otherwise, they would be examined through forensic information devices and after the examination, the data that is considered to be having evidential value within the scope of the file would be extracted and the rest would be permanently and irrevocably deleted.

Third, the Guidelines underlines the undertakings’ obligation to cooperate during the on-site inspection. Accordingly, the undertakings’ are under the obligation to prevent any intervention to the data and the space where they are kept and also, to fully and actively support the case handlers in terms of their requests regarding the information systems. The Guidelines exemplify the cooperation of the undertakings for further clarification. In this respect, cooperation of the undertakings includes but not limited to (i) providing information on the software and hardware related to the information systems used, (ii) authorizing the case handlers as system admins, (iii) providing remote access to the e-mail accounts of their employees, (iv) isolating the computers and servers from the network, (v) limiting users’ access to corporate accounts and (vi) restoring backed-up corporate data.

Fourth, the Guidelines set forth that the examination is essentially completed at the premises of the undertaking, the examination can be continued at the digital forensics lab of the TCA, if deemed necessary. The representative(s) of the undertaking will be invited to the examination that will be carried out at the TCA’s digital forensics lab. This is a newly introduced procedure which have not been seen in the enforcement history of the TCA. In any event, the Guidelines explicitly provides that the examination of the digital data seized from the mobile phones should be completed at the premises of the undertaking.

Finally, the Guidelines also emphasizes that the data copied during the on-site inspection would benefit from the attorney-client privilege principle. In this context, the Guidelines clarifies that the attorney-client privilege would be applicable for the correspondences that are (i) between the undertaking and an independent legal counsel, who has no employment relationship with its client and (ii) made for the purpose of exercising the client’s right of defense. Further, the Guidelines underline that the correspondences that are not directly related to the exercise of the right of defense, specifically, that are made for facilitating a competition law violation or for concealing an on-going or future competition law violation would not benefit from the attorney-client privilege.

4. Conclusion

In light of the foregoing, it would not be assertive to indicate that both the amendment on Article 15(a) of the Competition Law and the Guidelines embodies the TCA’s ongoing practice and well-adopted approach towards examination of digital data of the undertakings during on-site inspections, including the application of attorney-client privilege, while also clarifying the procedure to be followed for such inspections and the limits of the TCA’s authority in this context.

Although the TCB’s precedents have already demonstrated that the TCA has the authority to carry out examination over the infrastructures used by the undertakings (e.g. Office 365, eDiscovery), as this authority is now explicitly regulated, it could be indicated that the undertakings will have no opportunity to refuse access to such infrastructures by alleging the TCA’s lack of authority to examine those systems.

However, the Guidelines does not include further guidance on (i) the first stage of the two-staged examination of portable communication devices, i.e. “quick review” on these devices to determine whether they contain digital data of the undertaking and (ii) the definition of “digital data of the undertaking”. Although in light of the TCB’s decisions, it could be indicated that so long as the relevant personal device or account includes correspondences, e-mail messages or applications regarding the undertaking, the TCA will have the authority to examine those.   

All in all, the TCB’s future decisions on the implementation of the examination, copying and storage of digital data of the undertakings in the scope of the Guidelines are expected to further draw the limits of the TCA’s authority over the digital data of the undertakings.