How expansive is the GDPR's territorial reach?

How expansive is the GDPR's territorial reach?

How expansive is the GDPRs territorial reach?

The end of 2021 saw Lord Justice Warby reach his verdict in the Court of Appeal hearing of Soriano v Forensic News LLC ([2021] EWCA Civ 1952), determining whether Walter Soriano (the UK based claimant) could serve Forensic News LLC and four other media defendants, based in the United States, with proceedings under the GDPR in the English courts.

The Court of Appeal, with Warby LJ giving the lead judgement, found that Mr Soriano had an “arguable” case when it came to determining whether his personal data was being processed under the remit of the GDPR, which was enough to grant him the permission he needed to serve his data-related claim through the English courts. The case highlights the ongoing debate around the GDPR’s reach, and raises interesting questions around the interpretation of Article 3 of the GDPR.

[Note: following Brexit the references to GDPR are to the EU GDPR. The EU GDPR applies to this case, rather than the UK GDPR, as the claim was brought before 31 December 2020 (the end of the post-Brexit transition period).]

The case

Mr Soriano sought to bring a claim against the defendants for a series of publications referring to him in less than flattering terms (assertions that Mr Soriano was a “thug of the Prime Minister of Israel” and had corrupt links to the Russian State, amongst others).

In July 2020, Soriano issued proceedings in the High Court under the laws of libel, malicious falsehood, harassment, misuse of private information, and of relevance to this article, data protection. Forensic News had collected data on Mr Soriano and made publications about him. He claimed various GDPR breaches, including failing to process personal data fairly, lawfully and transparently, failure to process accurately, infringement of the special category rules and of the rules on transfers of international data.

The GDPR’s territorial scope

As the defendants were based in the US, no claims could be brought against them unless a) they agreed to it (which, perhaps unsurprisingly, they did not), or b) the Court gave permission to serve them outside the jurisdiction.

In determining whether to grant such permission for the data protection claim, the Court of Appeal had to consider whether the defendants’ alleged breach of their data protection obligations was indeed a breach under GDPR, bringing it within the jurisdiction of the UK courts.

The Court of Appeal reviewed the application of Article 3 GDPR, which sets out the territorial scope of the GDPR and agreed, or at least did not disagree, with the Claimant on the following interpretation points:

  • Article 3(1): the GDPR applies to the processing of personal data “in the context of activities of an establishment of a controller of processor”.
    The defendants’ use of the “Patreon” subscription platform in relation to the EU and UK was potentially capable of satisfying the “stable arrangements” threshold for an establishment under GDPR referred to in earlier decisions, and the Court was prepared to find it arguable that the establishment test was met. Furthermore it was noted that the defendants envisaged offering goods/services to data subjects in the EU/UK, and indeed there were a number of EU/UK subscribers already in existence (albeit only 6).
     
  • Article 3(2)(a): the GDPR applies where the processing activities are related to the offering of goods or services to data subjects in the EU/UK.
    Warby LJ noted that the ordinary reading of Article 3(2)(a) would indicate a required connection between the processing of an individual’s personal data, and the offering of goods or services to that specific individual. Mr Soriano was not one of the target data subjects (although the articles were about him, he was not a target subscriber).However interestingly this was not an argument brought forward by the defence, and the parties had proceeded on the basis that Article 3(2)(a) applies to the processing of personal data of data subjects whether or not those individuals were the ones offered the goods/services – provided the two activities are related, which the parties seemed to accept.Warby LJ could therefore only make reference to the consensus between the parties on this point: an expansive reading allowing the data subjects whose personal data is processed in the EU/UK to be different to those being offered goods or services. That aside, it was noted as arguable that the processing complained of could be “related to” the defendants’ offer to provide journalistic content to EU data subjects.
     
  • Article 3(2)(b): the GDPR applies to the monitoring of behaviour which takes place within the EU/UK.
    The Court found that the process of collecting, manipulating, sorting and assembling the personal data on the behaviour of an individual and then publishing articles about such behaviour (including “the Walter Soriano Files”) was enough to bring the activity within the definition of ‘monitoring of behaviour’, thereby fulfilling the requirements of Article 3(2)(b).

Conclusion

This is a good, and relatively uncommon, example of the ongoing debate around the jurisdiction of the EU GDPR, and highlights the breadth of interpretation that the Court is willing to accept in this area. It will be interesting to see the outcome of Mr Soriano’s data protection claim in due course, although it is anticipated that we may be waiting some time.

Contact our experts for further advice

Search our site