23 October 2025

CJEU (AG) ¦ Compliance with the Right to the Protection of Personal Data Does Not Require Prior Authorisation by a Judicial Authority

Advocate General Says Competition Authorities May Seize Business Emails Without Prior Judicial Authorisation — But Safeguards and Later Judicial Review Are Essential

Three Portuguese cases referred to the Court of Justice of the European Union concern seizures of business emails by the national competition authority during investigations into suspected anticompetitive conduct. The companies under inspection argued that those emails are “correspondence” protected as a fundamental right and that only an investigating judge, not the Public Prosecutor’s Office or an administrative authority, may authorise such intrusions. The referring court asked the CJEU whether authorisation by the Public Prosecutor’s Office was sufficient and whether communications contained in employees’ business emails should be treated as inviolable correspondence deserving stronger procedural protection.

Advocate General Medina’s position

Advocate General Laila Medina’s latest Opinion — delivered after the cases were referred to the Grand Chamber following the Court’s Bezirkshauptmannschaft Landeck judgment — finds that EU law does not require prior judicial authorisation in every instance where a national competition authority seizes business emails. Her reasoning rests on two central points: first, the nature and objective of competition inspections; and second, proportionality and the need for procedural safeguards and judicial review.

Bastian Schwind-Wagner _Follow "Advocate General Medina considers that national competition authorities may seize business emails without prior judicial authorisation provided that adequate procedural safeguards are in place and that seized material is subject to subsequent judicial review to protect data‑protection and correspondence rights. Prior judicial authorisation remains generally required for seizures at private residences or where the evidence is intended to incriminate a natural person in criminal proceedings."

Why business emails differ from private mobile phones

Medina underlines that the context of competition enforcement differs materially from the facts in Landeck, where the Court addressed access to personal data on a private mobile phone. Competition inspections are directed at uncovering corporate, business-related information about legal persons; individuals connected to the company are affected only incidentally. Access to an undertaking’s corporate email system is therefore less likely to amount to an unrestricted, highly intrusive view into a person’s intimate private life — a characteristic that made judicial prior-review essential in Landeck.

Proportionality, safeguards and subsequent judicial review

Although prior judicial authorisation is not, in Advocate General Medina’s view, an absolute requirement for competition authorities to seize business emails, such seizures must respect the fundamental right to data protection and be proportionate. To secure that proportionality, she recommends adequate and effective procedural safeguards in addition to the obligations already imposed by the General Data Protection Regulation (GDPR) and by national law implementing competition inspection regimes. Crucially, she insists on subsequent judicial scrutiny both during and at the conclusion of the investigation. Medina also specifies situations where prior judicial authorisation would be necessary in principle: seizures carried out at a private residence or seizures intended to gather evidence to incriminate a natural person in criminal proceedings.

Member State flexibility and the role of prosecutors

The Opinion makes clear that EU law allows Member States some discretion. National legislatures may choose to require prior authorisation by a judicial authority for competition inspections if they wish; the Public Prosecutor’s Office can also be part of the authorising mechanism under national arrangements. The Advocate General thus leaves space for differing procedural architectures across Member States, provided that fundamental rights safeguards are maintained.

Implications for financial crime and corporate investigations

For practitioners in financial crime, compliance, and corporate defence, the Opinion has immediate practical and strategic implications. Enforcement authorities in the EU that investigate cartels, bid-rigging, price-fixing or other market abuses may, subject to national rules and safeguards, proceed to seize business emails without first obtaining a judge’s clearance. That reduces one procedural hurdle for competition authorities but amplifies the importance of robust internal records governance, prompt preservation steps, privilege and confidentiality review, and proactive engagement with data protection and litigation counsel.

Companies should assume that competition authorities can lawfully access corporate email systems during inspections, and should therefore:

Ensure well-documented legal privilege and confidentiality policies, with rapid workflows for identifying and segregating privileged or protected communications when an inspection threat arises.
Maintain clear audit trails for data access and retention policies to support proportionality arguments and to facilitate later judicial review.
Train employees on record-keeping expectations and on distinguishing personal from business communications on corporate platforms.
Prepare to contest overbroad seizures after the fact by using available judicial review mechanisms and data-protection claims where appropriate.

Limitations and next steps

The Advocate General’s Opinion is advisory and not binding on the Court of Justice. The Court’s judges will deliberate further and issue a binding judgment at a later date. That final decision could affirm, refine, or depart from the Advocate General’s approach, especially concerning the scope of the required safeguards and the precise boundary between business and private communications.

Takeaway

While the Advocate General signals that competition authorities can, in principle, seize business emails without prior judicial authorisation, the decision places heavy emphasis on procedural safeguards and subsequent judicial oversight to protect data-protection and correspondence rights. For businesses and advisers in the financial crime space, the Opinion underscores the need for stringent internal controls and readiness to litigate the legality and scope of seizures as part of defending corporate interests in competition investigations.

The information in this article is of a general nature and is provided for informational purposes only. If you need legal advice for your individual situation, you should seek the advice of a qualified lawyer.

Did you find any mistakes? Would you like to provide feedback? If so, please contact us!

Dive deeper

CJEU ¦ Case C-258/23 ¦ Link
EUR-Lex ¦ Opinion of Advocate General Medina delivered on 23 October 2025 ¦ Link

« Fine [POL] ¦ GDPR: Bank fined PLN 18.4 Million for unjustified Scanning of Customer IDs

Bastian Schwind-Wagner _Follow Bastian is a recognized expert in anti-money laundering (AML), countering the financing of terrorism (CFT), compliance, data protection, risk management, and whistleblowing. He has worked for fund management companies for more than 24 years, where he has held senior positions in these areas.

Your registration could not be saved. Please try again.

We have sent you an e-mail to confirm your subscription.

Enter your email address to subscribe to our newsletter

Please enter your email address to register, e.g. abc@xyz.com.

I would like to receive your newsletter and accept the privacy policy.

You can unsubscribe at any time using the link in our newsletter.

We use Brevo as a marketing platform. By submitting the form, you agree that the personal information you provide will be transferred to Brevo for processing in accordance with Brevo's privacy policy.