Soriano v Forensic News – Can a US corporation with no EU operations be caught by the GDPR?

Introduction

The General Data Protection Regulation (“GDPR”) (summarised in our alert here) can apply to entities which are not established in the EU. There has been relatively little EU or UK case law detailing the exercise of this extra-territorial jurisdiction.

Soriano v Forensic News LLC and others [2021] EWHC 56 (QB) [2021] 1 WLUK 106 provides some interesting guidance as to when this extra-territorial jurisdiction is triggered. This remains relevant in the UK after Brexit under the UK’s version of the GDPR.

Background to the Case

In Soriano, Walter Soriano issued proceedings against Forensic News and a number of journalists in relation to certain allegations made in various online publications about his connections with a private Israeli intelligence company and ex-President Trump’s affairs. Soriano sued for malicious falsehood, libel, harassment, misuse of private information and breach of the GDPR. As none of the defendants were resident in the UK, Soriano needed an order from the UK courts to permit him to serve his claim “out of the jurisdiction” which required him to satisfy, first, the “jurisdictional gateway” test and, secondly, the “merits” test.

The Jurisdictional Gateway Test

Under the “jurisdictional gateway” test, a claimant must satisfy one of the grounds under which the court is permitted to make an order to serve a claim outside the jurisdiction. The court held that Soriano did satisfy this test as Article 79(2) GDPR entitled him to an effective judicial remedy against a controller of his personal data in “the courts of the Member State where the data subject has his…habitual residence”. As Soriano was habitually resident in the UK, the test was satisfied.

The Merits Test

Under the “merits” test in relation to his claim for breach of the GDPR, Soriano was required, inter alia, to show that he had a “real prospect of success” in proving that the GDPR applied to Forensic News. This question was addressed by looking at Articles 3(1) and (2) of the GDPR.

Article 3(1)

Under Article 3(1), the GDPR applies to the “processing of personal data in the context of the activities of an establishment of a controller…in the Union” regardless of where the processing occurs.

In reviewing this in the context of this case, the court referred to Weltimmo sro v Nemzeti Adatvédelmi és Információszabadság Hatóság [2016] 1 WLR 863, where the Court of Justice of the European Union held that:

•  
  • the absence of a branch or subsidiary was not the determining factor;
  • the test for “establishment” would be satisfied if there was “any real and effective activity – even a minimal one – exercised through stable arrangements”; and
  • both the degree of stability of the arrangements and the effective exercise of the activities in that other Member State must be interpreted in the light of the specific nature of the economic activities and the provision of services concerned.

The court also noted that the European Data Protection Board’s Guidelines 3/2018 on the Territorial Scope of the GDPR (“EDPB Guidelines”) affirm the position in Weltimmo, indicating that even a single EU-based employee of a non-EU entity can satisfy the “stable arrangement” threshold. Nevertheless, the GDPR will not apply if the data processing is not in the context of this employee’s activities.

The court rejected Soriano’s argument that Forensic News was “established” in the UK because its publications were in English, its website solicited donations in Pounds Sterling and Euro, its website store accepted UK-based shipping addresses, and a tweet invited pledges to the generic Patreon subscription platform from UK and EU-based readers.

The court held that the absence of a branch or subsidiary in the UK is not determinative. The fact that Forensic News has a readership in the UK which is not minimal was considered only of marginal relevance; alone, it could not satisfy Article 3(1). However, Forensic News’ lack of any employees or representatives in the UK was relevant. The court decided that the real test was whether the claimant had a reasonable argument on the “stable arrangements” point. Here, “less than a handful of UK subscriptions” via the Patreon platform that could be cancelled at any time did not constitute “stable arrangements”. It was clear that Forensic News’ journalistic endeavour was not UK oriented in any relevant respect.

Article 3(2)

Article 3(2) applies to data processing by controllers or processors which are not established in the EU where the processing activities relate to:-

•  
  • offering goods and/or services to EU-based data subjects (Article 3(2)(a)); or
  • monitoring the EU-based behaviour of EU data subjects (Article 3(2)(b)).

The court held that Article 3(2)(a) was not satisfied. It rejected Soriano’s case that it was enough to show that Forensic News offered goods or services to UK-based readers. There was no evidence to suggest that Forensic News was targeting the UK in terms of the goods and services it offers, notwithstanding that the UK was a potential shipping destination for merchandise available on Forensic News’ online store. The court held that Soriano needed to demonstrate that the relevant offering of goods and services is related to Forensic News’ core activity of journalism, which in the court’s opinion it was not.

In relation to Article 3(2)(b), the court rejected Soriano’s argument that Forensic News’ use of tracking cookies on their website and the subsequent processing of visitor personal data for the purpose of targeting advertisements satisfied Article 3(2)(b).

Whilst the court accepted that Soriano had an arguable case that Forensic News used cookies for the purpose of behavioural profiling or monitoring, there was no evidence that this had anything to do with Forensic News’ journalistic activities, which used the internet as an investigative tool rather than  cookies. The processing activities of which Soriano complained had nothing to do with any monitoring carried on by the use of cookies. The court also questioned whether Forensic News’ online research on Soriano amounted to monitoring at all.

Conclusion

The court took a pragmatic and proportionate stance in applying the tests set out in Article 3. In relation to a complaint for breach of the GDPR against controllers not established in the EU/UK, it suggests that:

•  
  • the processing activities must be related to the activity which is the subject of the complaint; and
  • a website will not be caught just because it offers goods or services to UK residents – it must be shown that the website targets UK residents.

Although this is a case which very much turns on its facts, the reasoning adopted by the court is illuminating; the GDPR will not apply to US and other non-EU or UK-based businesses which do not have any establishment in the EU or UK and which are not targeting them just because they happen to have a few EU or UK-based customers and/or which happen to use tracking cookies for purposes unrelated to the processing in question.

Click to view the full alert.