by Bill Batchelor, Ryan D. Junck, David A. Simon, Nicola Kerr-Shaw, Bora P. Rawcliffe, and Margot Seve
Top left to right: Bill Batchelor, Ryan D. Junck, and David A. Simon. Bottom left to right: Nicola Kerr-Shaw, Bora P. Rawcliffe, and Margot Seve (Photos courtesy of authors)
Summary
In Nuctech Warsaw (T-284/24), the EU Court of Justice held that EU subsidiaries can lawfully be required to provide access to email accounts and data held by their overseas parent company. The ruling involved the following framing:
- Broad reach of EU extraterritorial investigative powers: The order interprets the European Commission’s (EC’s) investigative powers broadly. EU law applies to conduct with significant effects in the EU, even if the conduct occurs outside the EU. Consequently, the EC may request information from non-EU companies to assess potential EU law violations.
- Implications for other EU enforcement regimes: The investigation was carried out under the EU Foreign Subsidies Regulation (FSR), but the ruling has implications for the EC’s powers under general antitrust rules and other regulations such as the Digital Markets Act or the Digital Services Act. The judgment follows divergent rulings in the UK that limited the extraterritorial reach of UK regulators’ enforcement powers in fraud and antitrust cases. (See our February 2021 alert “English Supreme Court Limits Serious Fraud Office’s Extraterritorial Reach” for more details.)
- Siloing access to data within a corporate organization: The ruling held that there was no evidence local subsidiaries could not access China-held data, or that compliance with the EC’s inspection decision would compel the applicants and the group to infringe Chinese law, including criminal law. Therefore, companies should consider:
- If their IT environment and procedures can be siloed to enable the company to demonstrate that accessing parent company data from the EU is not technically feasible without cooperation from the non-EU entities.
- Whether law and regulation applicable to a company would prevent it from sharing this data with an EU regulator. If so, this should be well-documented in advance, potentially with external legal counsel validation, so that any refusal to comply with a request for data could be quickly substantiated with specific reference to other applicable laws.