Personal devices, WhatsApp and Signal within reach: EU General Court upholds broad information-gathering powers in merger enforcement

Alert
|
12 min read
Jonathan Entrena |
Marika Harjula |
Peter Citron

The EU General Court has handed down two significant judgments clarifying the boundaries of the European Commission's powers to issue requests for information (RFIs) in merger control proceedings. The rulings come against a backdrop of RFIs in merger review that have grown significantly in breadth, where personal mobile devices, messaging applications and personal email accounts may be within scope. 

The standards established by the judgments regarding the extent of the European Commission's powers to compel the production of documents are likely to be applied to broader antitrust investigations beyond the merger control sphere, including DMA, DSA and FSR investigations. The judgments are therefore of practical relevance to all companies seeking to prepare for, or respond to, European Commission investigations across any area of EU antitrust enforcement. 

At a Glance

  • The EU General Court ("GC") has dismissed1 annulment actions brought by Lagardère and Vivendi challenging RFI decisions issued as part of the Commission's gun-jumping investigation into Vivendi's acquisition of Lagardère.
  • Personal Devices and Messaging Applications Are Within Scope – One Professional Use Is All It Takes. The GC confirmed that the Commission can require the production of relevant business communications held on personal email accounts, personal mobile phones, and personal messaging applications (e.g., WhatsApp, SMS, Telegram and Signal), where those tools have been used for professional purposes. A single instance of professional use can be sufficient to bring a personal device, application or account within scope.
  • Journalistic Sources Can Be Adequately Protected. Where an RFI may capture information that could identify journalistic sources, the Commission may introduce procedural safeguards (such as permitting journalists to review, redact, or withdraw responsive documents) to ensure that source protection is maintained.
  • Group-wide Reach. The Commission can extend the scope of an RFI beyond the addressee to capture documents held across the wider corporate group, including by controlling shareholders.
  • Impossibility, Workload and National Law Are Not a Shield. Defences based on impossibility, workload or national law face a very high bar. Only obligations that are objectively and absolutely impossible to perform from the outset will qualify. Operational difficulties, large volumes of documents, and reliance on national criminal or labour law are unlikely to succeed, particularly where any difficulties are partly attributable to the undertaking's own practices.
  • The Commission's Article 11(3) powers extend beyond the substantive review of a notified merger. The GC confirmed that the Commission may use binding RFI decisions to investigate suspected breaches of the notification and standstill obligations under the EU Merger Regulation, as well as non-compliance with commitments or conditions attached to a clearance decision.
  • Exceptions and Proportionality Are Interpreted Narrowly. The GC's approach to both proportionality and exceptions reflects a consistently narrow interpretive lens. Challenges based on workload, operational difficulty, national law, or fundamental rights face a high threshold, and the bar for establishing that a request is disproportionate is demanding. 

The Dispute

In July 2023, the Commission opened an investigation into the potential early implementation (commonly referred to as "gun-jumping") of Vivendi's acquisition of Lagardère, a transaction that had previously been cleared subject to commitments.

In the context of its gun-jumping investigation, the Commission adopted separate but parallel decisions under Article 11(3) of the Merger Regulation requiring Vivendi and Lagardère to provide documents and communications from 15 named individuals (and their predecessors and successors), covering the period from 1 January 2020 to 19 September 2023. The decisions' annex defined "documents" broadly to include all electronic files, including emails and instant messages on WhatsApp, SMS, Telegram and Signal, extending to personal email accounts and personal mobile devices provided they had been used at least once for professional communications. The scope also included deleted documents remaining accessible on IT systems.

The Commission justified its recourse to binding decisions under Article 11(3), rather than simple requests for information under Article 11(2), on the basis that only the former could guarantee that the parties would provide a complete response under pain of penalties, and that it was necessary to act swiftly to prevent the deletion of relevant documents from files (in particular, messages subject to automatic deletion and documents held by departing employees).

The investigation concerned whether Vivendi had exercised decisive influence over Lagardère prior to clearance, including matters relating to operational synergies between Vivendi and Lagardère audiovisual entities, the programming schedule of radio station Europe 1, appointments and departures of journalists, editorial choices of Lagardère magazines potentially influenced by Vivendi or Bolloré group executives, strategic decisions of the Hachette publishing group, and the appointment of individuals linked to the Bolloré group to Lagardère's board of directors.

Following the failure of both Vivendi and Lagardère to comply with their respective contested decisions by the original deadline, the Commission imposed on each a periodic penalty payment (not exceeding 5% of their respective average daily aggregate turnover per day of delay) running from the first working day following an extended compliance deadline.

In response to concerns raised by the parties regarding the scope of the contested decisions and its implications for the privacy of individuals and the protection of journalistic sources, the Commission entered into dialogue with the parties and subsequently formalised a series of procedural safeguards. These included:

  • Sensitive personal data: Documents containing sensitive personal data2 were to be provided to the Commission in an encrypted format, separately from other documents, and identified as "sensitive personal data." A limited number of Commission officials responsible for the investigation were permitted to review those documents in a virtual data room, to assess their relevance before entering the case file.
  • Journalistic source protection: Where documents responsive to the decision contained information capable of identifying journalistic sources, persons concerned holding a press card were entitled to review those documents, identify any information covered by journalistic source protection, and provide a redacted version from which any identification of sources had been removed. Where it was not possible to produce a non-confidential version of a document, the press-card holder was entitled to withdraw the document from production entirely.

Vivendi and Lagardère brought actions before the General Court seeking annulment of the contested decisions, as well as for interim measures. Vivendi obtained partial interim relief suspending the obligation to produce the documents.

The GC judgements

Both actions to annul the contested decisions were dismissed in their entirety. Key points include the following.

No Purely Exploratory "Fishing Expedition"

Both applicants argued that the Commission exceeded or misused its powers by adopting what they characterised as decisions pursuing an "exploratory purpose". The GC rejected those arguments, finding that the contested decisions clearly specified that the Commission required the documents in order to investigate whether gun-jumping had occurred or whether the parties had breached the commitments. Since the search for evidence to verify a presumption of infringements of the EU Merger Regulation constitutes one of the tasks assigned to the Commission by that Regulation, the Commission had not used its powers for a purpose other than that for which they were conferred.

Article 11(3) Applies Beyond Substantive Merger Review

The GC confirmed in both cases that Article 11(3) of the Merger Regulation (which empowers the Commission to issue a binding decision, rather than a simple information request) may be used not only to assess merger compatibility but also to investigate suspected post-authorisation breaches of notification, standstill and commitment obligations. The Commission's broad discretion to proceed directly with a decision, without first issuing a simple request, was upheld as justified by the need to guarantee a complete response under penalty of sanctions and to act quickly to prevent document deletion. 

Adequacy of Reasoning

The GC found in both cases that the decisions identified the suspected infringements with sufficient clarity in their recitals. The Commission was not required to disclose the specific indications behind its suspicions at the preliminary investigation stage, nor to provide individual justification for each search term.

Impossibility Arguments Narrowly Construed

Lagardère argued that it was impossible to access personal communication tools under French criminal law. The GC rejected that argument, noting that the French penal provisions cited punish "voluntary", "bad faith" or "fraudulent" conduct, whereas the obligation arose from a binding EU legal act, and that the principle of primacy of EU law applies. It further noted that Lagardère tolerated the practice of employees using personal devices for professional purposes, and that this practice undermined the claim of absolute impossibility.

In Vivendi's case, the GC separately rejected the claim that it was impossible to obtain documents from its controlling shareholder, the Bolloré Group. The GC noted that Vivendi and Bolloré had already been characterised as constituting a single undertaking for the purposes of competition law (a characterisation established in Vivendi's own merger notification and confirmed in the clearance decision). It further observed that Vivendi had in fact successfully collected and transmitted the relevant Bolloré documents during the course of the proceedings, which rendered the claim of impossibility difficult to sustain.

Privacy Rights – Charter of Fundamental Rights of the European Union ("Charter")

The GC found in both cases that, although the obligation to transmit documents from both professional and personal communication tools carried the risk of a serious interference with the right to respect for private life, the interference was provided for by an EU legislative act, did not impair the essential content of the right, pursued the objective of protecting effective and undistorted competition in the internal market, and was proportionate.

The GC highlighted, in particular, that:

  • personal communication tools were only captured where used at least once for professional purposes;
  • data relating to private life would be collected only incidentally; and
  • procedural safeguards for sensitive personal data were in place, such as encrypted provision and a virtual data room procedure.

The GC confirmed that lawful processing of personal data under the GDPR is in principle deemed to satisfy the requirements of Article 7 (Right to Respect for Private and Family Life) and Article 8 (Right to the Protection of Personal Data) of the Charter.

Journalistic Source Protection (Article 11 of the EU Charter)

The GC found in both cases that the decisions did not concern the disclosure of journalistic sources, since any such disclosure would be purely incidental. In a process similar to that applied to privileged documents, the procedural safeguards allowed persons concerned who held press cards to review responsive documents and provide redacted versions or withdraw documents entirely (where redactions were not possible).

In Vivendi, the GC confirmed that the comprehensive system of remedies (in particular, the possibility of bringing an annulment action accompanied by a request for interim relief) satisfies the procedural guarantees required by European Court of Human Rights case law under Article 10 ECHR, including the requirement of preventive judicial oversight. In both cases, the applicants' standing to pursue this plea was found to be exhausted following the Commission's introduction of formal journalistic source protection safeguards, which neither company chose to challenge.

Proportionality

Both applicants raised detailed challenges to specific aspects of the decisions, including:

  • the period covered (nearly four years);
  • the choice of search terms. In particular, Vivendi argued that it was required to apply around 100 search terms to all professional and/or personal communication tools of the persons concerned. Lagardère noted that the search terms imposed would retrieve more than 77,000 documents, many of which were unrelated to the subject matter of the investigation;
  • the scope of persons concerned;
  • the requirement to produce entire conversation threads; and
  • the compliance deadlines.

The GC rejected those challenges, finding that the Commission could reasonably assume at the date of the decisions that the information requested was likely to help it determine the existence of the suspected infringements, and that the workload imposed was not disproportionate to the needs of the investigation.

Key Takeaways

Review internal communications policies. The "used at least once for professional purposes" threshold for personal communication tools is low and will capture a wide range of employees. Companies should assess whether their existing policies adequately address the use of personal devices and consumer messaging applications for business communications, and whether they have the practical means to retrieve such communications if required to do so. Operational difficulties arising from a company's own internal practices (such as permitting employees to use personal devices and messaging applications for business communications without implementing adequate retrieval mechanisms) will be treated as self-created and are likely not to provide a defence.

Engage early on safeguards. Where an RFI may capture sensitive personal data or journalistic source material, early dialogue with the Commission on the design of protective procedures (e.g., virtual data rooms, encryption or source-protection review mechanisms) is advisable. Whilst such safeguards will not reduce what must ultimately be produced, they can provide important protections for genuinely sensitive material.

Plan for group-wide production obligations. In line with its longstanding practice, where a company forms part of a wider group linked by control relationships, the Commission will likely treat the group as a single undertaking and may therefore require production of documents held across the group, including by controlling parent companies (which a subsidiary by definition cannot compel to produce documents). Companies should carry out an early assessment of where documents are located across the group, and alert parent companies to the possibility of a document request. 

Think of implications beyond merger control. Whilst the Commission's information-gathering powers in merger control and in general antitrust proceedings (under Regulation 1/2003) derive from different legal instruments, the standards articulated in these judgments are likely to have broader resonance. In dawn raids conducted in antitrust investigations, the Commission has for some time been accessing and imaging the private mobile phones and personal messaging applications of targeted individuals where these have been used for professional purposes. These judgments, by confirming at General Court level that the "used at least once for professional purposes" threshold is likely to be a lawful and proportionate basis for requiring production of documents from personal communication tools, will embolden the Commission both in its dawn raid practices and in the context of formal requests for information in broader antitrust investigations under Regulation No 1/2003 (where the Commission equally has power to compel the production of documents by binding decision). The same reasoning is likely to resonate in investigations conducted under the EU Digital Markets Act, Digital Services Act and Foreign Subsidies Regulation, both of which confer on the Commission broad inspection and information-gathering powers. Companies should treat these judgments as a clear signal to review their document retention and retrieval policies, as well as their dawn raid protocols, to ensure that those policies are sufficiently developed and internally coherent to address both the Commission's broad access rights and the privacy interests of the individuals concerned.

1 Lagardère SA v European Commission, Case T-1119/23, judgment of 3 June 2026; Vivendi SE v European Commission, Case T-1097/23, judgment of 3 June 2026.
2 Sensitive personal data as defined by Article 9(1) of the General Data Protection Regulation (GDPR) — namely data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, or data concerning health, sex life or sexual orientation.

White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.

This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.

© 2026 White & Case LLP

Contacts

Jonathan Entrena
Jonathan Entrena
Partner|Brussels
Services
Antitrust/Competition, Regulatory & Compliance, Technology, Artificial Intelligence (AI), Litigation
Marika Harjula
Marika Harjula
Partner|Brussels|Helsinki
Services
Antitrust/Competition, Foreign Direct Investment (FDI) Reviews, Foreign Subsidies Regulation (FSR), Energy, Mining & Metals, Sovereigns
Peter Citron
Peter Citron
Professional Support Counsel|Brussels
Services
Antitrust/Competition

Service areas

Top