Cordery

Legal.Compliance.

UK Appeal Court Ruling on Extra-Territorial Application of EU GDPR: The Soriano Case

What’s this all about?

In the case of Soriano v Forensic News LLC and Others, the UK’s Court of Appeal recently ruled on the application of extra-territorial jurisdiction under EU GDPR, i.e. what needs to be shown to be able to bring a claim that EU GDPR applies to an organization located outside the EU in a data protection infringement claims context.

In this case the Court of Appeal overturned a High Court decision (which we wrote about here https://www.corderycompliance.com/soriano-and-gdpr/) and ruled that businesses engaging in substantially low-level commercial activity in the UK may be subject to EU GDPR and accordingly, in this case, the data protection claim in question could be served on defendants outside the UK. This article is a summary of the ruling and its implications.

Background

Mr. Walter Soriano is a British citizen and habitually resident in the UK. He brought legal proceedings in the English High Court against the California-based organization Forensic News and five journalists resident in the US. The allegations concerned various articles, social media posts and podcasts in connection which a number of claims were brought by Mr. Soriano including for data protection legislation infringements.

The extra-territorial jurisdiction aspects of the case concern Article 3 of EU GDPR, which sets out the territorial scope of EU GDPR. But Mr. Soriano also had to obtain the court’s permission in order to be able to serve proceedings outside the UK, which relates to EU GDPR (Article 79(2)) that allows an individual to bring a data protection claim in the courts of an EU Member State in which, either, the data controller or data processor has a so-called “establishment”, or (alternatively) in which the data subject is habitually resident. It should be noted that EU GDPR applies to this case because the claim was brought before 31 December 2020, i.e. before the UK left the EU.

Whilst the High Court granted Mr. Soriano’s application for permission to serve the defendants with some of his claims it refused permission to serve the defendants with the majority of the claims, including with regard to the data protection claims on the basis that Mr. Soriano had not demonstrated a real prospect of showing that his claims fell within the territorial scope of EU GDPR, as defined by Article 3, notably because:

  • There was no tenable case that the defendants had an “establishment” in the EU, under Article 3(1) of EU GDPR;
  • It was not realistic to suppose that Mr. Soriano could prove that the data processing activities complained of were related to the offering of goods or services to data subjects in the EU, within the meaning of Article 3(2)(a) of EU GDPR;
  • As regards Article 3(2)(b) of EU GDPR, whilst the High Court accepted that Mr. Soriano had an arguable case that “cookies etc.” had been used concerning him for the purpose of behavioural profiling or monitoring, the court held that this was purely in the context of directing advertisement content – there was no evidence that the monitoring was “related to” the data processing complained of, namely the defendants’ use of the internet as an investigative tool to support their journalism.

The defendants appealed arguing that the High Court had been wrong to grant the permissions to serve the defendants with some of Mr. Soriano’s claims. Mr. Soriano cross-appealed arguing that he should have been permitted to pursue the claims that had been refused including with regard to data protection contending that he had an arguable case that EU GDPR applied to the conduct complained of.

What did the court rule?

The Court of Appeal ruled as follows:

  • Applying Article 3 of EU GDPR (along with so-called forum conveniens jurisdiction principles) to the purported facts of the case, the High Court had wrongly determined that Mr. Soriano’s case lacked merit to be able to grant permission to serve a claim on a defendant outside the jurisdiction;
  • It was arguable that the defendants had an “establishment” in the EU (under Article 3(1) EU GDPR), based on the “minimal activity” of publication subscriptions from the UK and EU;
  • In terms of Article 3(2) of EU GDPR, it was arguable both that the journalistic data processing was “related to” an offer to provide journalistic output services and that the processing fell within the definition of “monitoring” under Article 3(2)(b). It was also arguable that the case fell within Article 3(2)(b) because “Someone who uses the internet to collect information about the behaviour in the EU of an individual who is in the EU, and then assembles, analyses and orders that information for the purposes of writing and publishing an article about that behaviour in (among other places) the EU is thereby engaging in “… the monitoring of [the data subject’s] behaviour … within the [EU]” within Article 3(2)(b). The publication of personal data clearly is a form of “processing”. The preparatory activities are plainly integral to that processing. It follows that the GDPR applies in such a case on the footing that publication amounts to a “processing of personal data of [the data subject]” which is “related to” the monitoring. The mere fact that the defendants created a collection of personal data relating to the claimant’s behaviour in the EU might not be enough. But what they are alleged to have done is to assemble, analyse, sort, and reconfigure such data, and then publish the result in articles including (among others) one entitled “The Walter Soriano files”. I [i.e. the judge] think it is arguable that those activities fall within the meaning of “monitoring”, and within the scope of the [European Data Protection Board’s] notions of “behavioural analysis and profiling”.

Takeaways

This ruling has potentially far-reaching implications for businesses outside the UK (it should not be seen as just applying to media organizations), i.e. in terms of data protection infringement claims brought in UK courts against organizations located outside the UK as it implies that where such businesses engage in substantially low-level commercial activity in the UK they may be subject to EU GDPR.

Although this ruling concerns EU GDPR, the relevant provisions under UK GDPR (which replaced EU GDPR in the UK in 2021) are equivalent, so the chances are that the same outcome would apply under UK GDPR.

To date, Articles 3(1)&(2) of EU GDPR and UK GDPR have not been subject to much interpretation by the courts, and in this case the Court of Appeal was mainly focused on whether the claim was arguable. It is notable that in this case the Court of Appeal stated that “[…] these issues will, so it seems, need further and definitive consideration in this case [therefore] it seems to me [i.e. the judge] that the Information Commissioner should be invited to consider intervening to assist the court.” The Court of Appeal also placed much reliance in its ruling on both the case-law of the Court of Justice of the European Union and official guidance of the European Data Protection Board.

In light of the Court of Appeal’s ruling, in terms of managing litigation risk with regard to potential data protection infringement claims under UK GDPR, businesses located outside the UK should consider reviewing whether they might fall within the extra-territorial jurisdiction of UK GDPR and ask themselves whether (either as a data controller or data processor) they are processing the personal data of data subjects who are in the EU where the processing activities are related to:

  • Either, the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the UK;
  • Or, the monitoring of their behaviour as far as their behaviour takes place within the UK.

Businesses should also bear in mind that if they are outside the UK and they are offering goods or services to data subjects in the UK or monitoring their behavior etc. they will also likely need to appoint a Data Protection Representative in the UK (see our articles about cases concerning this area here https://www.corderycompliance.com/dpr-liability-limits-ruling/ and here https://www.corderycompliance.com/locatefamily-fined-by-ap/).

The court’s ruling can be found here: https://www.bailii.org/ew/cases/EWCA/Civ/2021/1952.html

We report on data protection issues here: https://www.corderycompliance.com/category/data-protection-privacy/.

We have written about data protection litigation and compensation cases including here: https://www.corderycompliance.com/data-protection-breaches-and-compensation-litigation-issues-for-consideration/

We report about compliance issues here: https://www.corderycompliance.com/news/.

For more information please contact André Bywater or Jonathan Armstrong who are lawyers with Cordery in London where their focus is on compliance issues.

Jonathan Armstrong, Cordery, Lexis House, 30   Farringdon Street, London, EC4A 4HH André Bywater, Cordery, Lexis House, 30             Farringdon Street, London, EC4A 4HH
Office: +44 (0)207 075 1784 Office: +44 (0)207 075 1785
Jonathan.armstrong@corderycompliance.com Andre.bywater@corderycompliance.com
 

 

Contact a Cordery Specialist +44(0)207 118 2700 | Contact Us

Cordery is a trading name of Cordery Compliance Limited. Authorised and regulated by the Solicitors Regulation Authority.
SRA number 608187. Company number 07931532 registered in England and Wales. VAT number: 730859520
Registered office: Lexis House, 30 Farringdon Street, London, EC4A 4HH, United Kingdom

Cordery Compliance Limited trading as Cordery provides some products and services which are not regulated by the Solicitors Regulation Authority; we will clearly state this to you if this is the case.

We use the word “partner” to refer to a shareowner or director of the company, or an employee or consultant who is a lawyer with equivalent standing and qualifications.

Cordery is a registered trademark of RELX (UK) Limited, used under license. The Knowledge Burst logo is a registered trademark of Reed Elsevier Properties Inc., used under license.

Copyright © 2021 Cordery. All rights reserved.