The General Data Protection Regulation ("GDPR") has extraterritorial reach, meaning that many organisations based outside the European Economic Area ("EEA") and the United Kingdom (in the case of the UK GDPR) must comply with GDPR obligations for personal data processing activities which fall within the territorial scope of Article 3 of the GDPR. However, businesses have been lacking clarity regarding exactly how far GDPR's extraterritorial reach goes.
The High Court of England and Wales has in Soriano v Forensic News LLC and Others  EWHC 56 (QB) considered the applicability of Article 3 of the GDPR to a US website. The judgment gives some re-assurance to non-EEA and non-UK website operators without physical presence in Europe (such as branches, subsidiaries, employees or other representatives), whose content is not specifically oriented towards European customers but could nonetheless be accessed by users in Europe, that their processing of personal data from users in Europe might be beyond the reach of the GDPR, its strict processing principles, obligations, fines and related privacy claims.
In Soriano, a UK-based claimant complained about a number of articles, social media posts and a podcast published by a US investigative journalism website linking the claimant to third parties in a way which, according to the judge, amounted to "a sustained assault on the Claimant and his reputation".
The claimant wished to bring various claims, including in data protection under Article 79 GDPR, in malicious falsehood, in libel, for harassment, misuse of private information and defamation. As the defendants were based in the US, the claimant required a permission from the English court to serve proceedings on the defendants.
The GDPR claim
To bring a claim under Article 79 of the GDPR, the claimant had to persuade the court that the defendants' processing of the claimant's personal data fell within the territorial scope of the GDPR in either Article 3.
While the judge refused to determine whether the GDPR would apply to the defendants' processing of the claimant's personal data, the judge has decided that the claimant has not, on the merits, demonstrated "a real prospect of success" of the GDPR claim under Article 3(1) and / or Article 3(2) of the GDPR. However, the claimant was given permission to serve proceedings on the defendants in the US relating to the claim for the misuse of private information and defamation.
Establishment criterion – Article 3(1) GDPR
Under Article 3(1), the GDPR applies to "the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not".
The judge considered the jurisprudence of the Court of Justice of the European Union under the old Data Protection Directive as well as the non-binding European Data Protection Board ("EDPB") Guidelines 3/2018 on territorial scope of the GDPR. Although the concept of "establishment" is wider than having a branch or a subsidiary in Europe and extends to any activity through "stable arrangements", the judge was not persuaded that a US website publishing in English would be considered to have stable arrangements in the UK where it had:
- no employees or representatives in the UK;
- some readership in the UK but was not oriented towards UK "in any relevant respect"; and
- only a handful of UK donation subscriptions solicited "on an entirely generic basis".
The judge did not consider if the processing was "in the context of the activities of an establishment" because the claimant's case failed on the first hurdle of demonstrating that the claimant had a real prospect of success to bring the GDPR claim under Article 3(1).
Targeting criterion – Article 3(2) GDPR
Under Article 3(2), the GDPR applies to "the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union."
The judge considered GDPR recitals 23 and 24 and the EDPB Guidelines and concluded that there was nothing to suggest that the website was targeting the UK as regards to goods and services it offered. While the website's merchandise could be shipped to the UK (and someone possibly bought one baseball cap from the website), the judge considered that this was not "related to" (Article 3(2) GDPR wording) to the defendant's "core" journalistic activity. This factor (i.e. that the processing activities for goods or services being offered has to relate to the "core" activity of the controller in order to fall within Article 3(2) GDPR) seems to be a new consideration identified by the judge as it is not discussed as being a factor in the EDPB Guidelines.
This case is noteworthy because it is the first judgment in England and Wales which considers the extraterritorial reach of the GDPR and demonstrates how courts might consider similar cases under the UK GDPR involving operators of overseas websites with no physical presence in the UK or targeting of UK customers.
The judgment also highlights that GDPR applicability is not a binary concept of the GDPR either applying or not applying to a non-European business. Article 3 GDPR is clear that the GDPR might apply to some processing activities of the non-European business but not other activities. International businesses therefore have to consider which of their processing activities will be and will not be in scope of the GDPR to evaluate the associated risks and correctly implement their data protection compliance programmes.