Article 15 of Law on the Protection of Competition numbered 4054 ("Law") authorizes the Competition Authority ("Authority") to conduct on-site inspections at the undertakings' premises if deemed necessary in carrying out the duties assigned to it by the Law. Pursuant to the relevant Article, competition experts employed by the Competition Board ("Board") are authorized to:
- Examine the books, all types of data and documents of undertakings and associations of undertakings kept on physical or electronic media and in information systems, and make copies and take physical samples thereof;
- Request written or oral statement on particular issues; and
- Perform on-site examinations of any assets of the undertakings.
Based on the aforementioned provision, the Authority frequently exercises its right to make on-site inspections in numerous cases, particularly in investigations and preliminary investigations, so much so that on-site inspections often cause concern for undertakings, and there are usually discussions about which documents or devices experts have the authority to inspect during on-site inspections. Although the relevant provision grants the experts the authority to examine the data and documents retained in all kinds of information systems of the enterprise, especially the limits of this authority, are sometimes discussed. In practice, competition experts, especially recently, have been examining mobile phones (Whatsapp, etc.) in addition to the computers of the undertakings' officials, which may cause concern for the undertaking executives.
Considering these concerns observed, in practice, the Board has published a Guideline on the Examination of Digital Data during On-Site Examinations ("Guideline") in its decision dated 08.10.2020, in order to solidify the limits of on-site inspection authority.
The Guideline sets a general framework regarding the inspection and storage of undertakings' data and documents in electronic media and information systems during on-site inspections. Within this framework, the procedures and principles set by the Guideline regarding investigation of digital data during on-site inspections are summarized, below:
Authority to Inspect
Authority experts are authorized to inspect all kinds of servers, desktops, computers/laptops, information systems, such as portable devices, and other storage tools, such as CD, DVD, USB, external hard disks, back-up records and cloud services that contain the undertaking's digital data.
Thus, it is clear that experts are not limited to computer analysis, but may also examine servers, and all other archives and backups of the undertakings. Moreover, it is clearly stated that even cloud services will be the subject of investigation.
It is already known that competition experts work with IT specialists during on-site examinations. IT experts scan the servers of the undertakings, and it is possible to recover even deleted documents. Sometimes, there are objections by the executives of the undertakings regarding the access of IT specialists to the servers. It is observed, in particular, that international companies oppose the experts' requests to access their data stored abroad and, particularly, cloud storage services. The Guideline reinforces that experts conducting on-site inspections are authorized to review all of these resources.
In this context, in accordance with the Guideline, company officials are under the obligation to provide information about the software and hardware related to the information technologies used, provide system administrator privileges, provide remote access rights to the e-mail accounts of the employees of the undertaking, isolate the computers and servers from the network environment, limit the access of the users to the corporate accounts, and to restore data, if needed.
Portable communication devices, such as mobile phones and tablets, shall be examined to determine whether or not they contain digital data of the undertaking. Portable communication devices that are determined to be completely specific to personal use cannot be inspected. On the other hand, portable communication devices that are found to contain the undertaking's data shall be inspected at the place of business of the undertaking through digital forensic means.
In other words, the Guideline makes it clear that experts are authorized to inspect mobile phones; company phones of the undertaking officials will be subject to examination, while personal phones may be reviewed until it is understood that they are completely specific to private use. In this sense, it is possible to examine the correspondences, not only on company phones, but also on personal phones, and those found to be related to the activities of the undertaking may be taken as evidence within the scope of the case.
Procedure for Obtaining Data
If deemed necessary by the competition experts during the inspection, the digital data may be partially or completely copied to separate data storages using digital forensic means. The 'hash' values shall be calculated for both the copies obtained via the digital forensic means used, and the original version, to ensure the copied data is exactly the same as the original. The copies shall then be transferred to the computer assigned by the Authority, which are equipped with digital forensic software. The copied data will be indexed and inspected by the competition experts. At the end of the inspection, the digital data obtained shall be copied to two separate data storages, and one of the copies shall be provided to the undertaking. When the inspection is finalized, an on-site inspection report shall be prepared, which shall include the 'hash' values of the relevant digital data, such as an annex, and these will be signed by the competition experts and the undertaking's representatives.
The method in question is the method that has been used in practice for years. On the other hand, the legitimacy of this method has been demonstrated once again in the Guideline.
As a rule, inspections shall be concluded at the place of business of the undertaking. However, if deemed necessary, the inspection may be carried out at the Authority's digital forensics laboratory. In any event, the analysis of digital data obtained from mobile phones is completed at the undertaking's premises. The digital data to be examined in the headquarters of the Authority are transferred to three separate data storages after the hash values are calculated and compared as equivalent copies. One of the copies is left to the undertaking and the other two copies are put in an envelope and sealed by the competition experts, and placed under physical security. The undertaking concerned is invited in writing by the Authority to have a representative available at the time the sealed envelope is opened, and during the examination that will continue in the Authority's forensic informatics laboratory. If deemed necessary by the Board, with a decision to be taken, the sealed envelope in question may be returned to the undertaking without being opened.
With this regulation, it is also possible for the data received during on-site inspections to be analyzed at the headquarters of the Authority, with the exception of mobile devices. This method has not been observed before in practice; however, it is likely to appear in future on-site investigations given that it is now included in the Guideline. It should be noted that this method is also used by the Commission in the European Union.
Trade Secrets and Attorney-Client Privilege
In the event that the digital data obtained throughout the inspection contains trade secrets, "The Communiqué on the Regulation of the Right to Access the File and Protection of Trade Secrets" will be utilized. This is the current practice, as well.
Finally, data obtained during on-site inspections benefits from protection under the principle of attorney-client privilege. Accordingly, correspondence between the undertaking and an independent lawyer who does not have an employee-employer relationship with the undertaking, for the purpose of using the client's right to defense, is deemed to belong to the professional relationship, and benefits from protection within the scope of the lawyer-client confidentiality principle. However, correspondence on matters that are not directly related to the exercise of the right of defense, such as assisting with an antitrust violation or concealing an ongoing or future violation, cannot benefit from this protection. With this implementation of the Guidelines, the elements determined in the previous decisions of the Board have been reinforced.
With the Guideline, the authority of the experts and the limits of the examinations in the on-site inspections carried out by the Authority are clearly determined. It should be noted that the rules stipulated in the Guideline are already encountered in practice and are generally accepted. On the other hand, with the publication of the Guideline, this issue has been officially clarified.
It is particularly noteworthy that the data stored in mobile phones and cloud services are also considered to be within the scope of examination. In addition, the method of remote inspection introduced with the Guideline will add a new dimension to the on-site inspection procedure. How often and how this method will be applied will be observed over time.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.