Access to emails in dawn raids: need for judicial authorization?

Advocate General (“AG”) L. Medina has delivered her Opinion in Joined Cases C-258/23 to C-260/23, where the Court of Justice of the European Union (“CJEU”) has been called upon to clarify whether prior control over the search and seizure of emails is required in the context of investigations by national competition authorities (NCAs).

Main points of the Opinion

In her Opinion, AG Medina concludes that EU law —interpreted in the light of Articles 7 and 8 of the Charter of Fundamental Rights— does not, as a rule, require prior judicial authorization for NCAs to search for and seize professional electronic correspondence in dawn raids, provided that strict legal safeguards and effective ex-post judicial review are implemented at national level.

Among the necessary safeguards, the Opinion refers to a duly reasoned decision ordering the inspection, which needs to be founded on reasonable suspicions of infringement and must define the subject matter and the time frame; data minimization through narrowly defined search parameters; or involvement of companies’ representatives with the possibility to raise objections. Similarly, the Opinion underlines that effective ex-post judicial review must be available during and after the investigation, with the possibility of consequences for non-compliance.

Finally, the Opinion makes two relevant clarifications. Firstly, prior judicial authorization is indeed required to conduct inspections at private residences or domiciles; and secondly, Member States may choose to establish an internal prior authorization mechanism and assign it to a judicial authority or independent body —including the Public Prosecutor’s Office if it meets the requirements of independence and impartiality outlined in European case law.

Context and origin of the request for a preliminary ruling

The need for such prior control has been a highly debated topic in antitrust proceedings in Portugal carried out by the Portuguese Competition Authority (Autoridade da Concorrência).

The Portuguese Constitutional Court ruled that the interpretation of the law, according to which already opened emails could be seized with the authorization of the Public Prosecutor’s Office (Ministério Público), was incompatible with the Portuguese Constitution (Judgements No. 91/2023 and 314/2023). Subsequently, the Lisbon Court of Appeal declared the seizure of email messages without a warrant from the Pre-trial Judge (Juiz de Instrução Criminal, or “JIC”) to be null and void, ordering their removal from the case file and the destruction of copies, and the Supreme Court of Justice (Supremo Tribunal de Justiça, AFJ No. 12/2024) stated that it was the responsibility of the JIC to order or authorize the seizure of e-mails, whether opened or unopened, under the Cybercrime Law applicable to antitrust cases.

This body of case law led to the suspension of several ongoing proceedings and uncertainty as to the validity of email-based evidence seized without prior authorization from the JIC.

However, AG Medina clarifies that Member States may choose to establish an internal prior authorization mechanism and assign it to a judicial authority or independent body —possibly, the Public Prosecutor’s Office if it meets the requirements of independence and impartiality outlined in European case law. This would be the case of the Portuguese Public Prosecutor’s Office.

In relation to the —highly discussed— requirement of authorization by the JIC set by the Constitutional Court, AG Medina merely states that European law does not prevent a Member State from implementing a more demanding mechanism, of prior authorization by “a judicial authority, also including the prosecutor”. In this sense, the conclusions seem to point to these EU provisions as a floor rather than a ceiling.

Hence, the burden of reconciling the minimum requirements by European law with the additional guarantees set forth in Portuguese constitutional law is referred back to the Portuguese jurisdiction. No reference is made to any incompatibility of the mechanism for prior approval by the JIC with European law or possible jeopardy of the effective application of Articles 101 and 102 TFEU resulting from this added requirement.

Pending a final decision from the CJEU, the discussion on the articulation between the safeguards required by EU law and the Portuguese constitutional and legislative decisions regarding the seizure of professional emails remains open.

What’s next? Practical implications

The AG’s Opinion is not binding on the CJEU, whose decision will ultimately determine how this topic should be interpreted at EU level. Thus, despite the reference for a preliminary ruling originated in Portugal, the judgement will set out legal principles in other Member States with regards to the balance between enforcement needs (the seizure of professional emails) and the safeguards required by —at least— EU law on privacy and data protection.