European Court Redraws Rules for Email Seizures in Portuguese Competition Investigations
The Luxembourg-based Court of Justice of the European Union (CJEU) has established new rules governing how Portugal's Authority for Competition (AdC) can gather digital evidence. On 16 July 2026, the court ruled that EU competition law permits national authorities to seize corporate emails without a judge's prior sign-off, overturning a 2024 ruling by Portugal's Supreme Court of Justice that had required judicial pre-authorization. The verdict reshapes litigation strategies for businesses across the country and leaves Portugal's Constitutional Court to reconcile this decision with foundational privacy protections.
Why This Matters
• Email seizures now authorized during inspections: Competition inspectors can copy professional communications during on-site raids, provided they act under prosecutorial direction—no magistrate approval needed beforehand.
• Portugal's legal framework must adapt: The nation's highest court previously declared warrant-free email collection unconstitutional; Portuguese lawmakers and courts now face pressure to align that position with the CJEU's enforcement doctrine.
• Three Portuguese firms affected: Imagens Médicas Integradas (IMI), SIBS, and Synlabhealth II—companies that challenged the AdC's email seizures—must now defend themselves under the new standards set by Luxembourg.
What This Means for Employees and Workers in Portugal
If you work for a company in Portugal and suspect it faces a competition investigation, understand this: your professional work emails can be seized without advance judicial approval. This doesn't mean all your privacy disappears—the court ruling includes safeguards—but it does mean emails sent from your corporate account may be accessed by competition authorities. The good news: the ruling requires that seizures be proportionate, limited to relevant communications, and subject to judicial review after the fact. Personal devices used for both work and personal purposes receive stronger protections and require either prior court approval or independent administrative oversight before they can be searched.
The Dispute That Reached Luxembourg
When the AdC launched surprise inspections of IMI, SIBS, and Synlabhealth II on suspicion of cartel activity and abuse of market dominance, investigators relied on authorization from the Public Prosecutor's Office to access and download email archives. No examining judge issued a warrant; none was requested. The three companies challenged this practice, citing a 2024 precedent from Portugal's Constitutional Court, which had held that compiling email evidence without a magistrate's advance approval violated fundamental privacy protections under Portuguese law.
Portugal's Competition, Regulation and Supervision Court faced a dilemma: the nation's own supreme constitutional authority said such seizures were illegal, yet enforcement success against cartels required faster, more thorough digital evidence gathering. Rather than choose sides, the Portuguese judges escalated the question to Luxembourg.
The CJEU's Landmark Reasoning
The European court addressed a core doctrinal question: can member states impose procedural safeguards—like requiring a judge's pre-approval—that could slow EU competition enforcement? The CJEU said no, provided robust protections remain in place.
The ruling acknowledges that access to private communications and data protection are fundamental European rights. Overriding them demands strong justification. The court identified one: preserving fair competition serves the public interest sufficiently—but only if three essential pillars exist.
First, legal clarity: National lawmakers must establish clear limits on when, how, and by whom seizures may occur. Broad fishing expeditions are forbidden. The scope must connect directly to suspected competition violations, not general corporate curiosity. Second, built-in safeguards: Laws must include explicit protections—perhaps limits on how long data is stored, exclusions for attorney-client privilege, or restrictions on accessing personal messages mixed into corporate systems—to prevent abuse. Third, real judicial oversight: After seizure, companies must have a genuine opportunity to challenge the legality and proportionality of what was taken. Courts reviewing post-seizure challenges must have genuine power to exclude improper evidence or sanction careless regulators.
A Critical Exception: Personal Devices
The CJEU created protective space for mixed-use technology. If an inspector seizes a smartphone or laptop used for both work and personal purposes, accessing the data requires prior judicial review or independent administrative oversight. This recognizes that forcing someone to unlock a device containing both work emails and personal data creates an unjustifiable intrusion unless a neutral decision-maker has pre-approved it. How courts will apply this distinction in an age of remote work remains to be seen.
How Portuguese Courts and Lawmakers Will Respond
The Competition, Regulation and Supervision Court will resume proceedings against IMI, SIBS, and Synlabhealth II using the CJEU's guidance. Rather than invoking a blanket constitutional veto, the three companies now face a narrower challenge: proving that the AdC's seizure violated the framework requirement, lacked adequate safeguards, or occurred without effective post-search judicial review.
Portugal's legislature is expected to examine its competition statute in the coming months. The existing legal text does not clearly specify which emails qualify as relevant, how long seized data may be stored, whether companies can inspect the selection process, or how quickly challenges must be filed. Legal observers predict lawmakers will add procedural checkpoints—perhaps internal review boards or tighter data retention periods—to institutionalize the safeguards the CJEU requires.
The Constitutional Court will also need to address this ruling. It could issue a clarifying opinion distinguishing competition enforcement from criminal investigation, where prior judicial authorization remains mandatory. It might also acknowledge that EU law supremacy requires deference to the CJEU's interpretation. Either way, the court will likely refine rather than completely reverse its prior position.
Practical Implications for Businesses
Executives should understand the new landscape: an AdC inspector armed with prosecutorial authorization may, without warning, demand access to company email servers, messaging platforms, and document repositories. Refusal incurs penalties. Once files are copied, companies typically receive formal notice within 10-15 business days, triggering a limited window to file a court challenge.
Organizations should consider: segregating personal and professional data where feasible, establishing clear email retention policies that distinguish between archival records and routine correspondence, and ensuring qualified personnel cooperate with searches while flagging sensitive material for privileged review review.
Comparative Position in Europe
Portugal now aligns more closely with enforcement practices in France, the Netherlands, and the United Kingdom—jurisdictions where competition authorities routinely access digital communications without front-loaded judicial warrants. The CJEU's decision does not authorize unlimited seizure; it conditionally permits rapid evidence gathering provided legal safeguards are in place. The European Commission is currently updating Regulation 1/2003, the foundational competition-enforcement statute, to create harmonized digital-investigation standards across the EU. Today's judgment effectively endorses that direction.
Data Privacy Advocates' Concerns
EU data-protection authorities have raised concerns that the CJEU's reasoning prioritizes enforcement efficiency over privacy protections. Professional emails often contain sensitive information—medical references, family matters, union discussions—that may warrant stronger procedural shields. Privacy specialists worry the mixed-device exception leaves questions unanswered. Consumer and worker advocacy groups have urged the European Parliament to tighten forthcoming regulation revisions with explicit data-minimization rules: competition authorities should be mandated to filter obviously irrelevant messages before human review, and seized data should be destroyed on a defined schedule rather than retained indefinitely.
What Happens Next
Portugal's parliament, courts, and competition authority will clarify how this ruling applies in practice. For now, employees and businesses should recognize that professional work emails are potentially accessible in competition investigations, but the CJEU's decision includes judicial safeguards and limits on how authorities can use this power. The balance has shifted toward enforcement, but Portuguese institutions will shape how that balance actually works day-to-day.