The General Data Protection Regulation ("GDPR") might apply to operators of overseas websites that have even minimal commercial activity in the UK, following the judgment of the Court of Appeal of England and Wales in Soriano v Forensic News LLC and Others EWCA Civ 1952.
Operators of overseas online platforms, apps and websites that collect information about UK or EU users might need to comply with the data protection obligations in the GDPR, and its strict data processing principles, even if:
- they have no physical presence in Europe, or
- their content is not specifically oriented towards European customers,
provided that they have some (even minimal) commercial activity in the UK or the EU.
Background: the High Court judgment
The Court of Appeal of England and Wales has overturned an earlier decision of the High Court about the applicability of the GDPR to processing by an operator of a US journalistic website (see our client alert about the High Court decision).
In the January 2021 judgment, the first reported decision in the UK and the EU on the interpretation of Article 3 of the GDPR, the High Court adopted a narrower interpretation of the territorial scope of the GDPR.
The High Court suggested that non-EEA and non-UK website operators without physical presence in Europe (such as branches, subsidiaries, employees or other representatives), and whose content is not specifically oriented towards European customers (but could nonetheless be accessed by users in Europe), might be beyond the reach of the GDPR, its strict processing principles, obligations, fines and related privacy claims.
Minimal commercial activity in the UK / EU can bring you in scope of the GDPR
The Court of Appeal disagreed with the High Court. Because the US-based website explicitly solicited subscriptions from within the UK (in pounds sterling) and the EU (in euros) via a third-party platform, the Court of Appeal considered that Article 3(1) GDPR might apply to the website operator.
The Court of Appeal noted that even a minimal activity (with only three subscriptions in pounds sterling and three subscriptions in euros in this case) can be "real and effective" and exercised through "stable arrangements" – the requirements set out in the case law under the old Data Protection Directive (which the GDPR replaced in 2018).
The Court of Appeal also suggested that the processing by the US website operator in Soriano might fall within the scope of Article 3(2) on the basis that:
- the website operator offered a "service" to UK / EU readers and the journalistic processing complained of in Soriano was "related to" an offer made by the website operator to UK / EU readers to provide them with the journalistic services (therefore falling within Article 3(2)(a) GDPR); and
- the website operator (and its employees) "monitored" the behaviour of the claimant in the UK / EU by collecting information about their behaviour, analysing the information and publishing website articles based on that information, including one that had the name of the claimant in its title (therefore falling within Article 3(2)(b) GDPR).
What should overseas website and app operators do now?
1. Consider if you are likely to be in scope of the GDPR. Does your website or app have any visitors or users in the UK or the EU?
- If yes, do you have any commercial activity whatsoever in the UK or the EU as a result of the operation of your website or app, e.g. through online subscriptions, advertising, sales, or donations?
- Or, is your processing of data about any UK or EU individuals related to providing services to individuals in the UK or the EU (e.g. providing online content to your website or app users)?
- Or, do you "monitor" the behaviour of any UK or EU individuals (online or offline) in the UK or the EU and create content for your website or app based on the information collected?
2. Consider what documentation and processes (if any) you need to put in place to comply with the UK GDPR and EU GDPR. For example:
- Have you reviewed what personal data (if any) you collect about UK or EU individuals?
- Have you identified the purpose(s) and a legal basis in the GDPR for processing such data?
- Have you updated (if required) your website privacy notice to ensure it complies with the UK GDPR and the EU GDPR?
- Have you considered whether to appoint a UK or European representative if your processing of European personal data is not occasional?
What is the relevance of this decision in the UK and the EU post-Brexit?
The Court of Appeal decided Soriano under the GDPR as it applied in the UK before the end of the Brexit transition period.
An amended version of the GDPR known as "UK GDPR" took effect in the UK at the end of the Brexit transition period on 31 December 2020. The Court of Appeal's judgment will continue to be relevant to decisions of the UK Information Commissioner's Office and UK courts under the UK GDPR.
While courts and data protection authorities in the EU are not bound by decisions of UK courts, it is likely that the wider interpretation by the Court of Appeal of England & Wales of Article 3 on territorial applicability of the GDPR will be treated as persuasive by such bodies in any infringement proceedings against non-European website operators.