The English High Court considers the extra-territorial scope of the GDPR for the first time
In the recent case of Soriano v Forensic News LLC  EWHC 56 (QB), the English High Court has considered the extra-territorial scope of the General Data Protection Regulation (‘GDPR’) for the first time. The Claimant failed to obtain the permission of the Court to serve his claim under the GDPR in the U.S., and so the case provides useful commentary on the circumstances in which the GDPR may not apply to a data processor or controller based outside the E.U.
The Claimant, Mr. Soriano, holds dual British and Israeli citizenship and resides in the UK. The Defendants included Forensic News, an investigative journalism website based in California, its owner, and several journalists who had written for the website. Mr. Soriano sought to bring various claims against the Defendants in relation to ten internet publications and various social media postings including on Facebook and on Twitter, which had had made various allegations against Mr. Soriano’s political connections and financial affairs. Only part of these related to GDPR, and much of the case concerns the other claims: The claims had various causes of action including data protection, malicious falsehood, libel, harassment and misuse of private information. As all of the Defendants are domiciled in the U.S., Mr. Soriano sought the permission of the High Court to serve his claims out of the jurisdiction.
The issues considered by the Court are summarised as follows:
- Did each of its claims satisfy a gateway under the English Civil Procedure Rules?;
- Did each of the claims have a ‘real prospect of success?’;
- Was the English Court forum conveniens for the non-libel claims?; and
- In relation to the libel claims only, did the Claimant satisfy the requirements of the test in Section 9 of the Defamation Act 2013?
This article will focus on aspects of the case in relation to the data protection claim.
The Data Protection Claim
Jurisdiction – Article 79(2)
A claimant is usually required to demonstrate that it has a ‘good arguable case’ if it is to be granted permission to serve its claim outside of the jurisdiction. Whilst this applied to Mr. Soriano’s other claims, it did not apply to his data protection claim, as Article 79(2) of the GDPR provides an alternative jurisdictional gateway, as explained below.
Article 79(2) of the GDPR states that a claimant may bring a claim either in the Member State where the data controller or processor has an establishment, or in the Courts of the Member State where the claimant has their habitual residence. Although Mr. Justice Jay acknowledged that Article 79(2) offered a claimant a choice of where to bring a claim, he found that it was first necessary to consider if Mr. Soriano had a viable claim under Article 3 of the GDPR. The judge stated that Article 3 “defines the ‘territorial scope’ of the GDPR” and that Article 79(2) “addresses the logically prior question, or anterior gateway, of whether the data protection regime applies to the claim at all.”
In other words, Mr. Justice Jay considered that the purpose of Article 79(2) is to give a claimant the choice to bring their claim in the Member State where they have their habitual residence, even if the controller or processor has an establishment elsewhere. On the basis of Article 79(2) being satisfied, the data protection claim also satisfied the ‘statutory gateway’ required by Practice Direction 6B of the Civil Procedure Rules.
As it was clear that Mr. Soriano satisfied the habitual residence limb of Article 79(2), the Judge went on to consider the merits of his claim, and whether Article 3(1) or Article (3)(2) of the GDPR were engaged by the publication of Mr. Soriano’s personal data by Forensic News, as we discuss below.
Establishment – Article 3(1)
Article 3(1) applies to the processing of personal data in the context of (emphasis added) the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing takes place in the EU or not. In deciding whether Forensic News had an establishment in the EU for the purposes of the GDPR, the Court considered decisions of the Court of Justice of the European Union that have held that for an establishment to exist there must be ‘real and effective activity’ exercised through ‘stable arrangements.’ The Judge also stated that whilst the European Data Protection Board’s (‘EDPB’) guidelines are persuasive, they are not binding, and add little to the jurisprudence of the case law in the context of ‘establishment.’ Mr. Soriano argued that Forensic News had the necessary ‘stable arrangements’ in the EU to constitute an establishment on the basis that (i) its publication were in English; (ii) its website solicits donations in GBP sterling and euros; and (iii) its webshop accepted orders from addresses in the UK.
The Judge rejected these arguments. Mr. Justice Jay also stated that although the absence of a branch or subsidiary in the UK is by no means determinative, it is a relevant consideration that Forensic News had no employees or representatives in the UK. The Judge also found that the fact the Forensic News had a readership in the UK “which is not minimal” is of no more than marginal relevance and could not, by itself, satisfy Article 3.1.
It is interesting to note that in considering whether Article 3 was engaged, the Judge did not discuss the requirement under Article 27, which requires controllers or processors to designate in writing a representative in the EU. Whilst Article 27(2)(a) states that the obligation to appoint a representative does not apply to processing which is occasional, or to processing of special category data that is not on a large scale, it could have applied here, and perhaps might have impacted the judicial view on representation had that been argued.
The Defendants had argued that as Mr. Soriano’s evidence had fallen short of meeting the test for establishment under Article 3(1), the Judge should rule definitively on the issue. Mr. Justice Jay disagreed, and stated that it was sufficient for him to decide only if Mr. Soriano had demonstrated a real prospect of success on the merits. The Judge decided that on the evidence before him that there was no real prospect of success. Importantly this means the case has not provided a definitive view on the evidence that will show an establishment, and consequently this remains an issue open to debate.
Article 3(2) extends the territorial reach of the GDPR in relation to the processing of personal data of data subjects in the EU by a controller or processor not established in the EU, where the processing activities are related to (emphasis added):
(a) Offering goods and services, irrespective of whether a payment of the data subject is required, to data subjects in the Union; or
(b) Monitoring the behaviour of data subjects to the extent that the behaviour takes place within the EU.
Offering of Goods or Services – Article 3(2)(a)
The Judge held that there was nothing to suggest that Forensic News was targeting the UK as regards the goods and services it offers. In reaching his decision, Mr. Justice Jay stated that Article 3(2)(a) was not satisfied by the UK merely being a potential shipping destination for goods, when very few (if any) goods had been purchased by anyone in the UK.
The Judge also held that the words related to (found in Article 3(2)) are narrower than the words in the context of‘ (found in Article 3(1)), and that Mr. Soriano had not demonstrated that the offering of goods and services is related to Forensic News’ core activity (i.e. journalism).
Monitoring or Profiling – Article 3(2)(b)
In summary, the Court held that Mr. Soriano had no arguable case under the GDPR. However, Mr. Justice Jay stated, obiter, that: “Had I reached a different conclusion on the merits I would have found in favour of the Claimant on forum conveniens……There is nothing to suggest that England and Wales would have been other than the most natural and appropriate forum for trial, and no evidence that such a claim could be brought in the US.”
Although the data protection claim was dismissed, the claimant was granted permission to serve the Defendants in the U.S. in relation to the other claims (i.e. the defamation and misuse of certain private information claims). It is also important to note that the Judge did not make final determination of all the GDPR questions and so this case is not ruling out the effectiveness of such claims in other cases.
This is an interesting decision on many levels and one that illustrates the unsettled nature of jurisdictional claims under the GDPR. The decision provides a useful interpretation of the interplay between Article 79 (jurisdiction to bring a claim) and Article 3 (territorial scope). Although this case turned on its facts, it provides useful guidance on what is not sufficient to trigger the extra-territorial scope of the GDPR.
We expect there will be further need of judicial testing of these issues because the facts here meant man issues remain without resolution, and fundamentally business needs more clarity on what is an establishment and when they will be subject to the UK GDPR. Finally, although not addressed in this case, it is advisable for companies dealing with the personal data of UK or EU citizens to consider the need to designate a representative.
A copy of the High Court’s decision can be found here.