“You've Got Mail” – AG Medina backs email seizures by competition authorities

Setting the scene

Can a competition authority’s email seizure breach the right to private life? That was the question the Portuguese courts sent to Luxembourg. Three companies under investigation by the Autoridade da Concorrência objected to the confiscation of their employees’ business emails, arguing that such searches violated the secrecy of correspondence and required an investigating judge’s prior approval. Under Portuguese law, only certain searches – of homes, banks, or law offices – need judicial authorization. For all others, the Public Prosecutor’s Office acts as the competent judicial authority. The referring court therefore asked whether the business emails seized should be treated as “correspondence” within the meaning of Article 7 of the Charter. The AG’s task then was to decide whether the act of searching professional inboxes tips the balance between public enforcement and private protection in manner restricting the enforcement powers of antitrust investigators without prior approval from a judge.

The legal framework

Article 6 of the EU’s ECN+ Directive requires member states to empower their national competition authorities (NCAs) to conduct unannounced inspections and to access “books and other records related to the business irrespective of the medium on which they are stored.” That includes – unambiguously – electronic communications. But these powers exist “without prejudice” to national rules requiring prior judicial authorization. In other words: Each member state remains free to decide whether a warrant, prosecutorial approval, or both are needed. Portugal chose the latter: a prosecutor’s authorization suffices unless the search intrudes upon specially protected domains such as homes or law offices.

This discretion is where the Charter then enters the frame. Article 7 of the Charter guarantees respect for private and family life, home, and communications. Article 8 adds a distinct right: the protection of personal data. The two overlap. Business communications often contain fragments of personal data. But the Portuguese cases, involving searches for evidence of cartel conduct, were not about uncovering personal behavior but economic wrongdoing by undertakings. While in such a setting, the interference with individuals’ rights is inherently more limited, the AG stressed that any limitation on these rights must rest on a clear legal basis, respect their essence, and observe the principle of proportionality enshrined in Article 52(1) of the Charter. And that proportionality, the AG implied, depends on context.

The Landeck precedent and its ripple effect

Just a year earlier, the Court of Justice ruled in Bezirkshauptmannschaft Landeck that law enforcement authorities accessing mobile phone data in criminal investigations must obtain prior judicial approval, except in urgent cases. That decision set a high bar for privacy protection. The Portuguese cases invited the Court to apply that same reasoning to the competition context, prompting it to request, in a rare procedural move, a second, supplemental opinion from AG Medina. Should NCAs face the same procedural hurdles as criminal investigators according to Landeck?

Medina thought not, building on the essence of her first opinion delivered in June 2024 (and slightly preceding the Landeck ruling).

Why not all data is equal

The AG drew a sharp distinction between business emails and personal devices. A mobile phone, as the Landeck judgment recognized, holds a “vast quantity” of intimate data – communications, location history, even health information. A corporate mailbox, by contrast, contains business correspondence about commercial matters. Its content may mention individuals but do not map their private lives. That difference of degree matters – and is mirrored by the enforcement work of competition authorities. Their officials do not seek personal information, but evidence of anti-competitive conduct. Access to emails is just a means to trace collusion. Access to personal information is then merely ancillary, a by-product of enforcement activities that do not serve to monitor citizens. The proportionality calculus shifts accordingly.

The proportionality test and what it means in antitrust investigations

Proportionality, in EU law, demands necessity, suitability, and balance. According to the AG, seizing relevant emails is necessary, because no equally effective, less intrusive method exists to uncover cartel communications. It is suitable because such data directly relate to the suspected infringement. And it is balanced because safeguards – legal limits, procedural supervision, and judicial review – curb excess. But Medina makes a big point of the latter. Even for business emails, proportionality requires that there be no blank cheques for investigators.

Medina recalled that every antitrust inspection must be founded on a reasoned decision, supported by reasonable suspicions and defining the investigation’s material and temporal scope. In that regard, it should ensure that the collection and access to personal data are limited to what is strictly necessary for the investigation and its purposes. In addition to such purpose limitations, to ensure compliance with data protection principles, investigators must also comply with the principle of data minimization. In practice, this means search terms and indexing software must be narrowly tailored to the investigation’s subject matter, by “using keywords rigorously determined in relation to the pre-defined subject matter of the investigation.”

Further safeguards – which the AG expressly puts on top of general GDPR requirements – strengthen this framework:

• Authorities must inform individuals of any processing of personal data and their related rights; if disclosure could compromise the investigation, they must “record each case of restriction.”
• Personal data collected must be stored in a secure environment, with access restricted to as few accredited people as possible, all bound by confidentiality, and subject to secure deletion once irrelevant or expired.
• Collection should be conducted “in the presence of representatives of the undertaking,” who must “review all provisional documents” and may object to irrelevant or sensitive inclusions; non-relevant personal data should be anonymized in the final file.
• The data protection officer “must be able to examine independently the application of the limitations” to ensure accountability.

Such safeguards, Medina stressed, are not optional accessories to administrative power – they are its constitutional price. Coupled with subsequent judicial review, they serve the same function as prior authorization: preventing, in the spirit of proportionality, “full and uncontrolled access” to personal data. If applied rigorously, they make unnecessary the requirement that judges grant search warrants ex ante.

Drawing the line after Landeck

If Landeck taught that some investigations demand prior judicial scrutiny, the AG’s opinion clarifies when they do not. While access to a mobile phone, carries a “particularly serious” risk of violating personal privacy, access to business email servers does not. For that reason, Medina found that EU law does not require NCAs to seek judicial authorization before accessing such data – unless the search extends to a person’s private residence or aims to incriminate a natural person in criminal proceedings. Outside those boundaries, procedural safeguards suffice.

Still, the AG did not close the door on stricter national regimes. The Charter sets the floor, not the ceiling, of protection. Member states are free to introduce a prior authorization system, whether through a court or a public prosecutor. In Portugal, the Public Prosecutor’s approval performs that gatekeeping role. Other jurisdictions may prefer judicial warrants. Both are valid under EU law; neither is mandatory. What matters is not who signs the order, but whether the process respects legality, proportionality, and the right to an effective remedy.

Practical implications