What’s this all about?
In the case of Soriano v Forensic News LLC and Others, the UK’s High Court recently ruled on the application of extra-territorial jurisdiction under GDPR, i.e. what needs to be shown to be able to claim that GDPR applies to an organisation outside the EU. Put another way, what are the sorts of issues which private party litigants (and data protection regulators) have to consider in order to be able to act against non-EU data controllers and processors? This article is a summary of the ruling and its implications.
Background
Mr. Walter Soriano is a British citizen and habitually resident in the UK. He brought legal proceedings in the English High Court against the California-based organisation Forensic News and five journalists resident in the US. The allegations concerned various articles, social media posts and podcasts about which a number of claims were brought by Mr. Soriano including for data protection legislation infringements.
The extra-territorial jurisdiction aspects of the case fall under Article 3 of EU GDPR. But Mr. Soriano also had to obtain the court’s permission in order to be able to serve proceedings outside the UK, which relates to Article 79(2) of EU GDPR that allows an individual to bring a data protection claim in the courts of an EU Member State in which, either, the data controller or processor has an establishment, or (alternatively) in which the data subject is habitually resident.
What did the court rule?
The court ruled as follows:
- The court first had to determine what it referred to as “the logically prior question, or anterior gateway, of whether the data protection regime applies to [the] claim at all”, ruling that Mr. Soriano was entitled to bring his claim in the UK under Article 79(2) of EU GDPR because he had been habitually resident in the UK since 2003 and a British citizen since 2009;
- The court then had to decide whether Article 3 of EU GDPR applied to either Forensic News or any of the five individual defendants;
- Article 3(1) provides that EU GDPR “applies to the processing of personal data in the context of the activities of an establishment of a [data] controller or a processor in the [EU], regardless of whether the processing takes place in the [EU] or not”;
- The issue of whether Forensic News could be said to have an EU “establishment” or not was examined against the European Court case-law test which states that to demonstrate “establishment” there must be real and effective activity, even if minimal, exercised through “stable arrangements” (the Weltimmo case in particular was relied upon by the court – for more on this case see here: https://www.corderycompliance.com/european-court-weltimmo-ruling-on-the-jurisdiction-of-data-protection-regulators/);
- Mr. Soriano argued that in this case the “stable arrangements” were that: (a) the publications which were the subject of his case were written in English; (b) the Forensic News website solicits donations in sterling and euro; (c) the Forensic News website features a “store” with its own branded merchandising and accepts UK shipping addresses; and, (d) a tweet sent by one of the defendants invited pledges to Patreon, a subscription platform, from readers in the UK and EU;
- But the court ruled that these were not sufficient to constitute “stable arrangements”, so “establishment” in the UK was not made out. The court pointed out that Forensic News had neither employees nor representatives in the UK and the “journalistic endeavour” of one of the journalists was not oriented towards the UK “in any relevant aspect”. The court also stated that “less than a handful of UK subscriptions to a platform which solicits payment for services on an entirely generic basis, and which in any event can be cancelled at any time” does not amount to “arrangements which are sufficient in nature, number and type to fulfil the language and spirit of [Article 3(1)] and amount to being stable”;
- Article 3(2) provides that EU GDPR “applies to the processing of personal data of data subjects who are in the [EU] by a [data] controller or processor not established in the [EU], where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the [EU]; or (b) the monitoring of their behaviour as far as their behaviour takes place within the [EU]”;
- With regard to Article 3(2)(a), Mr. Soriano argued that services were being offered to readers in the UK irrespective of payment. With regard to Article 3(2)(b), Mr. Soriano argued that through the Forensic News website cookies were placed on readers’ devices and processed their personal data using third-party analytics for the purpose of targeting advertisements, and that his behaviour was being monitored within the UK and the EU with a view to publishing decisions being made about him;
- But the court rejected these arguments stating that there was nothing to suggest that Forensic News was targeting the UK as regards the goods and services it was offering – although the UK was a potential shipping destination for merchandise this was not enough. The court also stated that it had to be demonstrated that the offering of goods and services was related to Forensic News’ “core activity” of journalism, which had not been made out in this case – simply showing that Forensic News may have carried out some processing that was related to the offering of goods and services in the UK merely in the context of its “core activity” was not enough. The court also stated that whilst there was an arguable case that cookies had been used for behavioural advertising purposes or monitoring they were not related to Mr. Solano’s actual claim – journalistic activities were “advanced not through any deployment of these cookies but by using the internet as an investigative tool”. The court stated that this “is not the sort of ‘monitoring’ that [Article 3(2)(b)] has in mind; or, put another way, the monitoring that does properly fall within this provision – the behavioural profiling that informs advertising choices – is not related to the processing that [Mr. Soriano] complains about (assuming that carrying out research online about [Mr. Soriano] amounts to monitoring at all)”;
- The court therefore concluded “that [Mr. Soriano] has no arguable case under [EU] GDPR” – the processing of personal data in this case was outside the jurisdictional scope of EU GDPR.
Takeaways
Although this case was decided on its particular facts it nevertheless provides useful guidance as to how a UK court deals with factors to be considered when determining the issue of the extra-territorial application of GDPR. It should be noted that the court introduced a term of its own when it referred to “core activities” as this is not found in EU GDPR (or in European Data Protection Board Guidance) which instead refers to “what the ‘processing activities’ are ‘related to’”.
This case was decided under EU GDPR. Since “full” Brexit, i.e. as from 1 January 2021, UK GDPR now applies, which is mainly based on EU GDPR (see here: https://www.corderycompliance.com/brexit-uk-vs-eu-gdpr-faqs/). The extra-territorial scope of UK GDPR (organisations based outside the UK targeting their goods or services at individuals in the UK etc.) is broadly equivalent to Article 3 of EU GDPR so it is likely that a UK court would apply the same approach to the issue of extra-territorial application under UK GDPR.
For more information:
Cordery’s GDPR Navigator includes resources to help deal with data protection compliance including advice on jurisdictional issues. GDPR Navigator includes template processes and procedures to deal with data rights requests and short films and other guidance. You can find out more about GDPR Navigator at www.bit.ly/gdprnav.
The court’s ruling can be found here: https://www.bailii.org/ew/cases/EWHC/QB/2021/56.html
We report on data protection issues here: https://www.corderycompliance.com/category/data-protection-privacy/.
We have written about data protection litigation and compensation cases including here: https://www.corderycompliance.com/data-protection-breaches-and-compensation-litigation-issues-for-consideration/
Recent articles include the following about Covid-19 and ransomware attacks: https://www.corderycompliance.com/client-alert-ransomware-covid19-and-upgrading-defences/ & a big Spanish fine under GDPR for lack of transparency etc.: https://www.corderycompliance.com/aepd-fines-caixabank/.
We report about compliance issues here: https://www.corderycompliance.com/news/.
For more information please contact André Bywater or Jonathan Armstrong who are lawyers with Cordery in London where their focus is on compliance issues.
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH | André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH | |
Office: +44 (0)207 075 1784 | Office: +44 (0)207 075 1785 | |
Jonathan.armstrong@corderycompliance.com | Andre.bywater@corderycompliance.com | |
![]() |
![]() |
Image courtesy of https://www.dfsworldwide.com/Shipping-to-China.html