Disclaimer
While this case arises under Council Regulation (EC) No 139/2004 on the control of concentrations, and not under Regulation 1/2003, it is worth noting that the legal provisions governing the protection of confidential information share essentially the same material content across both frameworks. Moreover, the European Commission’s guidance on the use of confidentiality rings expressly applies to procedures conducted under both merger control and Articles 101 and 102 TFEU. For these reasons, and given the broader relevance of the issues at stake – including access to personal data, the right to privacy, and procedural fairness – this article engages with the legal questions surrounding confidentiality and the potential use of confidentiality rings, even in the context of merger proceedings.
1. A far-reaching RFI, two firms, and many open questions
In October 2022, Vivendi notified its acquisition of sole control over Lagardère. The transaction was cleared in June 2023 with commitments. Not long after, the Commission opened an investigation into alleged gun jumping.
In September 2023, it issued two RFIs under Article 11(3) of the Merger Regulation. These RFIs required both companies to produce documents containing certain keywords, including emails and messages exchanged through private accounts and personal devices of employees and company officers, as long as they had been used even once for professional purposes.
The breadth and nature of these demands raised eyebrows: could a company comply with such requests without breaching privacy rights, professional secrecy or – worse – criminal law under national legislation?
2. Interim relief: when cooperation may become criminal liability
Both Vivendi and Lagardère challenged the RFI Decisions before the General Court, also requesting interim measures. Lagardère argued that complying with the RFI would force it to commit a criminal offence under French law (notably Article 226-1 of the French Penal Code), as it would involve accessing private communications without consent.
Initially, the General Court dismissed the application for interim measures, finding no urgency. But this was overturned by the Vice-President of the Court of Justice[1], who ruled that the risk of criminal liability was sufficiently concrete to justify interim protection. The harm, he observed, was not only legal but reputational: “the stigma attached to a criminal conviction and the breach of trust”[2] with employees amounted to serious and irreparable harm.
The key point here is not whether criminal sanctions were likely to be imposed eventually, but rather that the company would be forced to adopt conduct that could amount to a criminal offence, placing it in an impossible position: comply with the Commission and violate national law, or refuse and face penalties under EU law.
3. Where were the confidentiality rings when they were most needed?
The case invites a natural question: why were confidentiality rings not used?
Confidentiality rings are a tried and tested mechanism for reconciling the need for access to sensitive information with the rights of those who provide it. They allow confidential data to be reviewed by a limited circle- external counsel-under strict safeguards. The Commission’s own guidance promotes their use in both antitrust and merger proceedings.
In Vivendi/Lagardère, the Commission did attempt to introduce data room protocols and assurances, particularly concerning sensitive personal data and journalistic sources. However, as the Court observed, these safeguards were largely informal – outlined in a letter, not embedded in the RFI Decisions – and therefore legally uncertain.
More importantly, the Court took a firm stance: mere access to personal data can, in itself, constitute a serious interference with the right to privacy under Article 7 of the Charter and Article 8 ECHR[3]. This marks a shift: where in Akzo[4] the mere reading of privileged documents was not considered a violation, here the simple act of accessing private data is enough to tip the balance.
4. Possession, control, and legal impossibility
A further procedural twist is the question of possession and control. Lagardère pointed out that the documents requested were not in its possession or under its control, but rather in the private realm of its employees. This posed an obvious problem: how could the company be sanctioned for failing to produce documents it neither held nor could lawfully access?
Interestingly, Article 11(3) of Regulation 139/2004 allows the Commission to address RFIs directly to natural persons. This would have been a procedurally safer route, as those individuals clearly control the documents. By addressing the RFI to the company instead, the Commission arguably placed it in a legally contradictory position, between national criminal law and its EU obligations.
In other words, the Commission may have overreached – not in its intent, but in its choice of procedural vehicle.
5. A delicate change: privacy above legal privilege?
Another conceptual point arises from the comparison between privacy and legal professional privilege (hereinafter, “LPP”).
In Akzo, the Court held that the harm of reading privileged documents could only arise if the Commission relied on them in its decision-making. But in Vivendi, the Vice-President made clear that mere access to personal data constitutes harm, even if the documents are not used. This suggests a potential recalibration of fundamental rights, with privacy taking centre stage in digital-age enforcement.
This does not mean LPP is weakened – but it may indicate that privacy, in its own right, is gaining greater procedural protection, particularly when the volume and sensitivity of data are significant.
Conclusion: Towards a new procedural equilibrium?
The Vivendi/Lagardère case is more than a procedural scuffle. It is a revealing episode in the broader tension between the Commission’s investigatory powers and the fundamental rights of the parties involved. The Commission must be able to investigate effectively-but not at the cost of violating national law or undermining constitutional guarantees.
So where does that leave us?
Confidentiality rings offer one practical solution. Their absence in this case is telling. As RFIs become broader, deeper, and more digitally invasive, such safeguards should not be optional, informal or post hoc – they should be embedded ex ante into the procedural DNA of the request.
Because if EU competition law now demands access to private WhatsApp chats and personal emails, it also demands that we rethink the balance between enforcement and rights.
Should we allow companies to be squeezed between conflicting legal obligations without procedural relief? Or is it time for the Commission- perhaps the legislature – to develop clearer frameworks that protect privacy without paralysing enforcement?
The Court will answer in time. But the question can no longer be ignored.
[1] Order of the Vice-President of the Court of April 11 of 2024, Lagardère SA v European Commission, Case C-89/24 P(R), ECLI:EU:C:2024:312.
[2] Ibid, paragraph 77.
[3] Order of the Vice-President of the Court of April 11 of 2024, Vivendi SE v European Commission, Case C-90/24 P(R), ECLI:EU:C:2024:318, paragraph 100.
[4] Order of the President of the Court of September 27 of 2004, Akzo, Case C-7/04 P(R), ECLI:EU:C:2004:566.
Co(E)mpetition Procedure 