Reed Smith Client Alerts

It is well known that the General Data Protection Regulation (GDPR) brought with it extraterritorial reach and can apply to a non-EEA/UK organisation in certain circumstances – no small cause for concern, particularly in light of the substantial fines for non-compliance. Beyond regulatory guidance however, in the UK, there has been little case law to test this extraterritorial reach until now.

Authors: Elle Todd Tom Gates Claire Wallace

GDPR padlock

A new decision in the High Court of England and Wales therefore offers some welcome reassurance, providing clarity on the rules in the context of a U.S.-based news website.


In the case of Soriano v. Forensic News LLC and Others [2021] EWHC 56 (QB), the claimant, Soriano, a resident and citizen of the United Kingdom, sued in relation to internet publications and a number of social media posts published by the defendants, which included Forensic News, a U.S.-based investigative journalism website. Soriano relied on various causes of action, including data protection (under the GDPR), malicious falsehood, libel, harassment and misuse of private information.

The data protection claim

In Soriano, the court had to look at the extent to which Forensic News could be considered as being subject to either limb of the territorial scope provisions of article 3 GDPR in relation to its processing of the claimant’s personal data as part of Forensic News’ journalistic activities. The judge reached the conclusion that the claimant had failed to show that there was a real prospect of success on the merits, on the basis of either or both parts of article 3. The reasoning was as follows:

  • Art. 3(1) – Establishment

Under the first limb of the territorial scope provisions of the GDPR, article 3(1) states that it “applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not” (emphasis added).

The judge considered the pre-GDPR jurisprudence of the Court of Justice of the European Union decisions, as well as the European Data Protection Board’s “Guidelines 3/2018 on the Territorial Scope of the GDPR” (the Guidelines). The judge was not convinced that Forensic News had an “establishment” within the meaning of the GDPR (a key requirement) and it was noted that Forensic News had no physical establishment, representatives, or employees in the EU. Furthermore, the website’s journalistic efforts were not meaningfully targeted at the UK, and, even though Forensic News had a readership in the UK, the number of subscriptions were minimal and “unlikely to amount to arrangements which are sufficient in nature, number, and type to fulfil the language and spirit of Article 3(1) and amount to being ‘stable’.” This firmly pushes back on any assumption that the GDPR can apply to an organisation’s data processing activities purely on the basis that its website is accessible from within the EEA/UK.