Dawn Raids: EU Opinion Backs Business Email Seizures Without Judicial Authorization

3 minute read | November.11.2025

Advocate General Medina issued a well‑reasoned opinion in Joined Cases C‑258/23 to C‑260/23 before the Court of Justice of the EU (CJEU) that may allow national competition authorities to seize business emails during dawn raids at company premises without prior judicial authorization.

The CJEU has not yet decided, but the opinion’s structured proportionality analysis is likely to shape the final judgment. Companies should act now by:

updating dawn‑raid protocols to embed GDPR‑by‑design email‑search controls,
setting clear on‑site objection procedures for inspections,
and enforcing clean separation between business, private, and privileged communications amongst employees, supported by bring your own device (BYOD) rules that require such technical segregation on personal devices.

Key Facts and Findings

The Portuguese competition authority (Autoridade da Concorrência) seized employee work emails during competition probes based on an authorization issued by the Public Prosecutor’s Office, but without obtaining a prior authorization to seize the emails from a court. The companies argued that business emails were protected “correspondence” under Article 7 of the EU Charter of Fundamental Rights and that only an investigating judge – not the Public Prosecutor – could authorize the seizure.

AG Medina concludes that Articles 7 and 8 of the EU Charter do not require prior judicial authorization to seize work emails at company premises. However, there must be a strict legal framework and effective safeguards in place, including meaningful ex post judicial review, to prevent abuse and arbitrariness.

AG Medina distinguishes the European Court of Justice’s Landeck ruling of 4 October 2024 (C-548/21) on mobile phone access in criminal investigations, where the court required prior review by a judge or an independent administrative body, except in urgent cases. In contrast to criminal investigations targeting private individuals, work-email seizures target business information in a professional environment to uncover anticompetitive conduct and do not entail full, uncontrolled access to a device that can map out a person’s private life.

The CJEU has still not ruled in this case and it may, in its judgment, clarify the weight of specific safeguards and the conditions for prior authorization at private premises or where personal criminal liability is at stake.

Key To-Dos for Companies

Map your email systems and data trails. Maintain current records of email servers, archives, journaling systems, cloud tenants and backup repositories. Enabling accurate scoping reduces overbroad seizures by authorities.
Separate business from private and privileged communications. Enforce policies that prohibit personal use on critical mailboxes and require privileged labels for counsel communications. Clear separation minimizes incidental capture of private data and protects legal privilege during seizure and review.
Update your BYOD policies and agreements. Design clear protocols for remote work devices, requiring employees to keep business and personal information separate on any personal hardware used for work.
Prepare a consent, transfer and confidentiality template for data undergoing inspection by authorities. Draft templates for consents, international data transfers and confidentiality, and define clear purpose and deletion clauses to preserve privilege where you decide to voluntarily cooperate with authorities.

Authors

Dr. Christian Schröder Partner, Cyber, Privacy & Data Innovation, Technology Transactions

Düsseldorf

See my bio

D:+49 211 3678 7269
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Technology Transactions
Technology Companies Group
White Collar
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Dr. Christian Schröder Partner

Düsseldorf

Christian helps clients consider the privacy and artificial intelligence implications of new technology, supports their compliance programs, and helps them stay ahead of enforcement trends. One particular focus of his work deals with internal data transfer agreements, external data transfers with external providers, and product launches that comply with international data protection standards, as well as privacy requirements for connected cars. Furthermore, Christian provides guidance on privacy and data protection considerations for developing, acquiring, using, licensing and selling technology, data and intellectual property, including M&A transactions and IP focused joint ventures. He supports companies on the set-up of webshops, outsourcings, license agreements, in cases of trademark or unfair and deceptive trade practice issues, as well as on hard and software license and information technology (IT) project agreements.

Christian maintains strong working relationships with German data protection authorities and EU regulatory authorities with jurisdiction over privacy and data security matters. He effectively defends companies in cybersecurity and privacy-related investigations initiated by EU regulatory authorities. He also engages with authorities on behalf of clients and helps clients avoid proceedings and possible litigation. When litigation can't be avoided, Christian vigorously defends his clients.

For companies facing global cybersecurity incidents, Christian helps with crisis mitigation, including counseling on notification requirements, coordinating media strategies, and representing clients before data protection authorities in related regulatory investigations.

Christian regularly contributes practical thought leadership to global privacy industry publications and German privacy books and journals. Christian authors the Chapter V (international data transfers) of Germany’s leading GDPR commentary Kühling/Buchner (4th ed.) and is co-author to the Corporate Privacy Handbook (Betrieblicher Datenschutz). As an active member of the Sedona Conference, Christian drives the development and understanding of cross border privacy. He also participates in, hosts and moderates speaking programs with fellow private practitioners, EU data protection authorities, and academics focused on privacy and data security. Legal 500 Germany named Christian one of the top 15 practitioners in 2023 and noted that he is "a pioneer in the legal field, a data protection guru." They also recognized Christian and Orrick as "truly global" and how that it is "vital as they require the various leaders of each region to participate and bring issues to the table as a forum".

Prior to working in private practice, Christian interned with the German Federal Data Protection Commissioner and www.epic.org.

Dr. Odey Hardan Associate, Strategic Advisory & Government Enforcement (SAGE), Cyber, Privacy & Data Innovation

Düsseldorf

See my bio

D:+49 211 36 78 7 602
E: [email protected]

Practice:

Strategic Advisory & Government Enforcement (SAGE)
Cyber, Privacy & Data Innovation
Technology & Innovation

vCard

See full bio

Dr. Odey Hardan Associate

Düsseldorf

Prior to joining Orrick, Odey served as a research assistant to a distinguished chair focusing on European law, where he authored several academic papers. Throughout his doctoral studies, he delved deeply into the intricate realms of European, international, and data protection law.

Additionally, Odey contributed to significant legal opinions and gained practical experience by supporting the representation of the German Federal Government in pivotal cases before the Federal Constitutional Court, including the proceedings on the European Patent Convention, CETA and the EU-Singapore Free Trade Agreement.

Before starting his legal practice, he also worked as a research assistant for an international UK-headquartered law firm.