Measuring the Reach of GDPR, How Far Is Far Enough?

It’s generally recognized that the General Data Protection Regulation (GDPR) can apply to entities outside the European Union. However, scant court rulings guide non-European controllers and processors on this question. The English High Court’s recent decision in Soriano v. Forensic News LLC and others (2021) helps fill the gap.

In the case of Soriano, the English High Court addressed whether a British citizen/resident can sue a US news publication for alleged GDPR violations. Claimant Soriano, a resident and citizen of the UK, filed suit against ten internet publications including Forensic News, domiciled in the United States, under various claims including under GDPR Article 3. Since Defendant was domiciled in the US, Claimant sought the Court’s permission to serve his claims.

Claimant argued that he could sue in the UK because Article 79(2) of the GDPR allows for proceedings to be brought “before the courts of the Member State where data subject has his or her habitual residence…”

Finding that Article 79(2) indeed offers claimants a choice of court, the Court nevertheless held that 79(2) was applicable only where GDPR actually applies to potential defendants. The Court found that Defendant Forensic News’ actions did not rise to a level that would violate Article 3 of the GDPR, concluding that Defendant’s specific acts were not sufficient to merit GDPR application.

Under Article 3(1), which applies the GDPR to entities sufficiently “established” in an EU member state, the Court noted how Forensic News had no establishment, representatives, or employees in the EU. Even though Forensic News had a readership in the UK, the few UK subscriptions to the site were “unlikely to amount to arrangements which are sufficient in nature, number, and type to fulfil the language and spirit of Article 3(1) and amount to being ‘stable’.”

The Court also observed that under Article 3(2), which applies to the offering of goods or services – that Defendant’s publication in English, their solicitation of donations in Sterling and in Euros, and a webstore that accepts UK shipping addresses were insufficient to merit GDPR applicability. The Court found that no evidence was presented suggesting that Defendant targeted the UK, citing a list of factors to be taken into account when determining if goods and services are being targeted at EU markets. (1)

The Court also commented that the site’s passive use of “cookies” to track web behavior was for the purpose of “behavioural profiling or monitoring, but that is purely in the context of directing advertisement content,” stating that use of cookies did not show the “monitoring” that formed the basis of the complaint. The Court looked for a nexus between Defendant’s “processing” in the GDPR jurisdiction and the “core activity” of the business—journalism. Had the cookies been used to advance the journalistic activities of the Defendant, instead of merely informing advertising choices, the Judge hinted at a different outcome.  

Soriano will help non-EU entities avoid GDPR liability for de minimis EU activities. The fact pattern of Soriano though, may not be applicable to those more established in or targeting EU markets.  Because this case turned on substantive rather than procedural facts, companies with an EU presence should carefully weigh these regulatory risks against the competing value of EU markets.

Written by: Kenneth K. Wang and Philip M. Nelson

 

 

(1)https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_3_2018_territorial_scope_after_public_consultation_en_1.pdf