A new decision in the High Court of England and Wales therefore offers some welcome reassurance, providing clarity on the rules in the context of a U.S.-based news website.
Background
In the case of Soriano v. Forensic News LLC and Others [2021] EWHC 56 (QB), the claimant, Soriano, a resident and citizen of the United Kingdom, sued in relation to internet publications and a number of social media posts published by the defendants, which included Forensic News, a U.S.-based investigative journalism website. Soriano relied on various causes of action, including data protection (under the GDPR), malicious falsehood, libel, harassment and misuse of private information.
The data protection claim
In Soriano, the court had to look at the extent to which Forensic News could be considered as being subject to either limb of the territorial scope provisions of article 3 GDPR in relation to its processing of the claimant’s personal data as part of Forensic News’ journalistic activities. The judge reached the conclusion that the claimant had failed to show that there was a real prospect of success on the merits, on the basis of either or both parts of article 3. The reasoning was as follows:
- Art. 3(1) – Establishment
Under the first limb of the territorial scope provisions of the GDPR, article 3(1) states that it “applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not” (emphasis added).
The judge considered the pre-GDPR jurisprudence of the Court of Justice of the European Union decisions, as well as the European Data Protection Board’s “Guidelines 3/2018 on the Territorial Scope of the GDPR” (the Guidelines). The judge was not convinced that Forensic News had an “establishment” within the meaning of the GDPR (a key requirement) and it was noted that Forensic News had no physical establishment, representatives, or employees in the EU. Furthermore, the website’s journalistic efforts were not meaningfully targeted at the UK, and, even though Forensic News had a readership in the UK, the number of subscriptions were minimal and “unlikely to amount to arrangements which are sufficient in nature, number, and type to fulfil the language and spirit of Article 3(1) and amount to being ‘stable’.” This firmly pushes back on any assumption that the GDPR can apply to an organisation’s data processing activities purely on the basis that its website is accessible from within the EEA/UK.
- Art. 3(2) – Controller not in the EEA/UK
Under the second limb, article 3(2) states that the GDPR “applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union.” In determining how article 3(2) might apply, the judge relied once again on the Guidelines, as well as the GDPR’s recitals.
Offering of goods or services
In relation to this limb of the test, the judge concluded that there was no evidence that Forensic News targeted the UK and rejected the claimant’s assertions that it was met because the defendant’s publications are in English, the website solicits donations in sterling and euros, and it offers merchandise which could be shipped to a UK address. Crucially, the judge said, any offering of goods or services in the UK was not “related to” Forensic News’ “core activity”, namely its journalism. This also confirms the approach that the GDPR can apply to some strands of an organisation’s EEA/UK activities (such as offering goods or services there) but not others (journalistic activities) – there would be no blanket compliance requirement in this case.
Monitoring behaviours
In respect of article 3(2)(b), the claimant argued that Forensic News used cookies for online targeted advertising, and also collected and obtained data about the claimant, which amounted to the monitoring of his behaviour within the UK and the EU with a view to making publishing decisions. Although the judge acknowledged that there was an “arguable case” that use of cookies may satisfy this limb, the processing was not sufficiently related to the monitoring that formed the basis of the claimant’s complaint, i.e., the journalistic activity. Similar to the above, this demonstrates the ability to segment certain data processing activities, which prevents compliance requirements ‘leaking’ into other areas of a business. The cookie-related processing activities of Forensic News were not those being challenged here – Soriano was not making the complaint in his role as a website visitor.
Conclusion
This case is particularly important, as it is among the first to test the extraterritorial reach of the GDPR in relation to non-EEA/UK companies’ operation of journalistic activities that concern people within the EEA/UK. Organisations located outside of the EEA/UK that do not have an establishment or offer goods or services there, but do make their journalistic material available, may find comfort in Soriano, as it suggests that such organisations are unlikely to be caught by the GDPR on similar facts.
However, non-EEA/UK businesses should continue to consider whether any of their processing activities would be caught by the GDPR. This decision may have been decided differently if Forensic News had, for example, a more substantial UK readership, launched advertising campaigns directed at an EU audience and/or used cookies not just for targeted advertising but for its core journalistic activities.
Finally, although the Guidelines are not legally binding, it is useful to have judicial recognition and support that the Guidelines are a key document used for the interpretation of regulatory intent behind the GDPR.
Client Alert 2021-072