Reach of the GDPR: UK Case Examines Territorial Scope
The English High Court has delivered a judgment examining the territorial scope of the GDPR in the context of a US-based organisation.
In Soriano v Forensic News LLC and Other [2021] EWHC 56 (QB), the English High Court considered whether the GDPR applied to a number of defendants based in the US for the purposes of an application to serve proceedings outside of the UK. It was concluded that the activities of the defendants did not fall within the territorial scope of the GDPR. In this briefing we examine the reasoning for this decision.
Background
The claimant, Walter Soriano, a British-Israeli businessman, issued proceedings against six defendants including Forensic News LLC, an investigative journalism website incorporated in California. In response to a number of Forensic News online publications and social media posts, Mr Soriano issued proceedings asserting a breach of data protection law, among other claims. This decision considered whether or not there was an arguable case for these claims.
Jurisdiction – right to an effective judicial remedy
All data subjects have a right to an effective judicial remedy for an infringement of their GDPR rights under Article 79(1) of the GDPR. Under Article 79(2), these proceedings are brought against the controller or processor in the Member State in which that entity is established or, alternatively, in the Member State where the data subject is resident.
In terms of priority, the court said:
- jurisdiction must be established under Article 79 to determine whether the data protection regime applies to the claim at all; and then
- it must be determined if the activities giving rise to claim are within the territorial scope of the GDPR under Article 3.
The court found that jurisdiction was established in this case since Mr Soriano, a UK resident, was entitled to bring proceedings against the defendants in the English courts under Article 79(2).
Territorial scope – an establishment in the EU
Under Article 3(1), the GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing takes place in the EU or not. The court found that the absence of a branch or subsidiary in the UK was not determinative to meet this threshold. Instead, it examined whether a “stable arrangement” (per Recital 22 of the GDPR) existed through which the defendants exercised their activities.
Mr Soriano argued that Forensic News was established in the UK since: (a) the website was in English, (b) it had UK readers, (c) it solicited donations in sterling and in euro on the website, (d) it shipped merchandise purchased on the website to the UK, and (e) it tweeted inviting support through Patreon from UK and EU readers.
The court rejected these arguments. It noted that: (a) Forensic News had no employees in the UK, (b) the website’s journalistic endeavours were not oriented towards the UK, (c) the UK readership numbers were only of marginal relevance, and (d) there were only three one-off donations from the UK and three Patreon subscribers from the UK. The court concluded that these subscriptions could not be considered sufficient to amount to being a “stable arrangement” for the purposes of Article 3(1), pointing to the fact that the platform solicited payment for services on an entirely generic basis and payments could be stopped at any time.
Territorial scope – offering goods or services to data subjects in the EU
Under Article 3(2)(a), the GDPR applies to the processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU, where the processing activities are related to the offering of goods or services to those data subjects in the EU, irrespective of whether a payment is required. “Mere accessibility” of a website in the EU is insufficient to meet this threshold (Recital 23 of the GDPR). Rather, the European Data Protection Board (“EDPB”) considers that this provision is aimed at activities that “intentionally, rather than inadvertently or incidentally, target individuals in the EU” for the purposes of offering goods and service to them (note the EDPB guidelines on the territorial scope of the GDPR discussed in a previous briefing available here).
The court was not satisfied that the ability to ship merchandise purchased on the website to the UK was sufficient to be considered to be offering goods or services in the EU. It was also noted that the requirement that processing activities be “related to” the offering of goods or services is stricter than the phrase “in the context of” activities of an establishment in the EU under Article 3(1). It was necessary for the offering of goods and services to be related to the core activity of the Forensic News website – being journalism. The court concluded that the ability to ship merchandise to the UK was not related to journalism and it had already concluded that the website’s articles were not directed towards a UK readership. Therefore, the GDPR did not apply to the activities the subject of this claim under Article 3(2)(a).
Territorial scope – monitoring of data subjects in the EU
Similar reasoning was applied to the interpretation of Article 3(2)(b), which says that the GDPR applies to the processing of personal data of data subjects within the EU by a controller or processor not established in the EU, where the processing activities are related to the monitoring of their behaviour as far as their behaviour takes place within the EU. Mr Soriano argued that the use of cookies for targeted online advertising meant that he was the subject of monitoring. However, the court held that monitoring for targeted advertising was not sufficiently related to the basis of Mr. Soriano’s complaint being the journalistic activities of the website.
Ultimately, the court found that the activities of Forensic News and the other defendants were not within the territorial scope of the GDPR and Mr Soriano did not have an arguable case based on a breach of data protection law.
Takeaways
This decision provides a timely analysis regarding data protection claims brought against organisations that do not have an EU presence but have some EU customer/user base. It is clear that within the same organisation one set of processing activities may be within the scope of the GDPR while another may not. Consequently it is important to have a strong understanding of what processing activities an organisation undertakes for what purposes and to revisit this assessment regularly. This decision may have been decided differently if Forensic News had a UK section on its website, had a bigger UK readership and/or used cookies not just for ad targeting but to improve the website with a view to boosting UK/EU readership.
The relevance of this decision is heightened now that the UK has departed the EU as organisations must now not only understand if processing activities are within the territorial scope of Article 3 of the GDPR but also if processing is within the territorial scope and subject to the UK GDPR. For reference, we discuss the impact of the EU-UK Trade and Cooperation Agreement on the transfer of data and the “one stop shop” mechanism between the EU and the UK in a previous briefing available here.