Personal Communications, BYOD and the Expanding Reach of Competition Investigations: the EU Court of Justice in case T-1119/23

In case T-1119/23 of 3 June 2026 (only available in French), the General Court dismissed in its entirety the appellant’s challenge against a Commission request for information issued under Article 11(3) of the EU Merger Regulation in the context of a gun-jumping investigation.

The judgment is remarkable not because it confirms the Commission’s broad investigatory powers – this was largely expected – but because of the nature of the data at stake. The Commission sought access not only to corporate emails and internal documents, but also to communications stored on private email accounts, personal mobile phones, and messaging applications such as WhatsApp, Signal and Telegram, provided those tools had been used at least once in three years for professional purposes.

The key question before the General Court was therefore not whether the Commission could investigate potential gun-jumping, but whether the scope of that request – including personal communications stored on private devices – was compatible with the European Charter of Fundamental Rights (“Charter”).

Private Devices, Private Lives: Article 7 of the Charter

The Court recognised that modern communication tools often contain an inseparable mixture of professional and personal information and that the Commission’s request inevitably risked capturing private material. In such context, the order to disclose communications stored on personal devices and private accounts was held to constitute a serious interference (“ingérence grave” - § 129-130) with Article 7 of the Charter, which protects private life and communications, since it pertained to a period of three years, captured entire communication chains and was based on broad search terms.

This finding is significant because it distinguishes the case from earlier competition-law judgments that primarily concerned corporate records stored on company servers. The Court openly acknowledged that personal devices and messaging applications raise qualitatively different privacy concerns.

Justifying the Interference: Article 52(1) of the Charter

Having recognised the existence of a serious interference, the Court turned to Article 52(1) of the Charter, noting that: (i) the interference was provided for by law, namely Article 11 EUMR, which expressly empowers the Commission to request information necessary for the performance of its duties (§§ 133-136); (ii) the essence of the right to privacy remained intact, as the request was confined to specific custodians, date ranges, search terms and investigative objectives (§§ 137-157); (iii) effective competition enforcement and the preservation of undistorted competition within the internal market were regarded as objectives capable of justifying even serious interferences with fundamental rights, also in line with the European Court of Human Rights case law (§§ 158-162).

Finally, the Court held that the request was proportionate, relying heavily on procedural safeguards relating to sensitive personal data, confidentiality protections and mechanisms intended to protect journalistic sources. The proportionality assessment occupies a substantial portion of the judgment and ultimately constitutes its most consequential aspect.

Proportionality: A Judgment That Raises as Many Questions as It Answers

The proportionality analysis deserves closer examination. While the Court formally applied a balancing exercise, its approach reveals a strong preference for investigatory effectiveness over privacy concerns.

Simple Request versus Formal Request

One preliminary issue was whether the Commission should first have attempted a voluntary request under Article 11(2) EUMR before resorting to a binding decision under Article 11(3). The Court noted that the text of Article 11(1) of the EUMR does not require the Commission to proceed sequentially, especially when it has reason to believe that evidence may not be (quickly) collected (§§ 60-63, 255-259).

While, legally, that conclusion is difficult to dispute, from a proportionality perspective, the Court appears to have treated the existence of a legal power as almost sufficient in itself. One may question whether proportionality should require a more meaningful inquiry into whether coercive mechanisms are genuinely necessary in circumstances where the undertaking has a record of cooperation. The judgment largely sidesteps that discussion.

Search Terms

The Court was not persuaded by the claim that the search terms were over-inclusive and generated an excessive volume of irrelevant material, emphasizing that the appellant had not demonstrated the existence of more suitable alternatives (§ 293).

This reasoning is understandable but potentially problematic, since the existence of less restrictive key-words alternatives is not always easy to demonstrate when only the authority knows the full investigative theory. Moreover, the Court’s approach risks transforming proportionality review into an evidentiary burden that may be extremely difficult for undertakings to discharge in practice.

The broader message appears to be that over-inclusive search terms are acceptable provided that the undertaking cannot prove a better methodology. This significantly lowers the threshold for defending expansive electronic-discovery exercises.

Entire Conversation Chains

Admittedly, the most controversial aspect of the judgment lies in the Court’s acceptance that if a single message matches the search criteria, the Commission may require production of the entire email chain, WhatsApp conversation or messaging thread, simply because context may be necessary to understand a communication and assess its relevance (§ 299).

That proposition is undoubtedly correct: context matters. Yet the judgment does not engage with possible middle-ground solutions, e.g. could only surrounding messages be disclosed? Could clearly private segments be carved out? Could contextual review occur before disclosure? The Court does not explore these possibilities, preferring to endorse a binary choice between full disclosure and potentially incomplete evidence. The consequence is that highly personal communications may become disclosable merely because they happen to appear in the same thread as a relevant business discussion.

One Professional Use in Three Years Is Enough

Another striking aspect of the judgment concerns whether any personal device may be investigated. The appellant contested the Commission’s simplistic approach according to which, if a personal device or account had been used even once for professional communications during the relevant period, it fell within the investigative scope. The Court did not consider this approach to be excessive, holding that any higher threshold could allow relevant evidence to escape detection.

This finding is largely consequential, as it effectively means that a single work-related WhatsApp message can transform an otherwise private communication tool into a potential source of evidence for competition investigations. The Court appears to assume that the risk of missing relevant evidence outweighs the privacy costs associated with such an expansive approach: whether that balance is convincing remains open to debate.

Bring Your Own Device (“BYOD”) Policies: The Real Legacy of the Judgment

The Court repeatedly emphasized that the appellant had permitted the use of personal devices for professional communications and consequently regarded many of the practical difficulties associated with retrieving the requested information as largely self-inflicted (§ 114). The underlying message is unmistakable: firms cannot benefit from the convenience and flexibility of BYOD while simultaneously relying on the private nature of those devices to shield potentially relevant evidence from disclosure.

From an enforcement perspective, it is understandable that competition authorities cannot permit evidence to migrate beyond their reach merely because business communications increasingly take place on WhatsApp or personal email accounts. Yet this stance significantly alters the risk calculus for undertakings, as companies allowing BYOD arrangements may now face a difficult choice: either they implement governance mechanisms enabling the identification, preservation and retrieval of professional communications stored on personal devices, or they accept the risk that they may be unable to comply fully with future information requests. In light of this judgment, the latter argument is unlikely to find much sympathy before the EU Courts.

Conclusion

In an increasingly digital(izing) era, this judgment undoubtedly strengthens the Commission’s investigative powers. At the same time, it shifts significant compliance burdens onto undertakings and leaves unresolved difficult questions concerning the practical management of privacy in increasingly blurred professional and personal digital environments.

While the ruling formally concerns merger control, its implications are likely to extend beyond the EUMR and influence the reform of Regulation 1/2003, in particular Article 18 (requests for information) and 20 (dawn raids), which raise analogous questions regarding the scope of the Commission’s power to compel production of communications stored on personal devices.

***

The views expressed in this article are solely those of the author and do not necessarily represent the views of Morrison & Foerster.