When the General Data Protection Regulation (Regulation (EU) 2016/679 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, …) came into force throughout the European Union nearly three years ago, one of its most eye-catching features was its extraterritorial jurisdiction provisions. These extend the reach of the GDPR to businesses located outside the European Union who offer goods or services to EU residents or who monitor the behavior of EU residents (Art. 3(2)(a) and (b) GDPR).
Under the threat of becoming liable for a breach of the GDPR and potential fines of up to €20m or four percent of global turnover (whichever is higher), many businesses based in the United States and other locations outside the European Union have simply taken a stance of refusing to deal with EU residents, including taking measures such as geo-blocking websites to EU-based visitors. Other businesses, in the United States and elsewhere, have found themselves contemplating whether they might be subject to the GDPR and how to react merely because they have made a new EU-based business connection, acquired the contact details of a potential customer in the European Union, or even become aware that an employee at a customer organization had moved to the European Union.
A court in the United Kingdom has now considered the limits of extraterritorial jurisdiction of the GDPR, which may provide some reassurance to overseas businesses that limited contact with EU residents via a website may not necessarily lead to them being subject to the GDPR.
In the recent case of Soriano v Forensic News ( EWHC 56 (QB)), the High Court of England and Wales looked at the extent to which the U.S.-based news website defendant, Forensic News, could be regarded as being subject to either limb of the GDPR’s jurisdiction provisions in relation to its processing of the personal data of the UK-resident claimant as part of its journalistic activities. The facts of the case derive from the period prior to Brexit and the end of the transition period, while the United Kingdom was still subject to EU law, and therefore, the court applied the EU version of the GDPR and related jurisprudence and guidance.
The GDPR’s jurisdiction provisions are set out in Article 3 and have two elements:
(1) an organization is “established” in the European Union for the purposes of the GDPR; or
(2) the extraterritorial jurisdiction provisions, which apply when an organization located outside the European Union offers goods or services to EU residents or monitors their behavior.
Although the main purpose of the Soriano case was to decide on whether the United Kingdom was the appropriate forum in which to litigate a range of other potential claims, including defamation, malicious falsehood, harassment, and misuse of private information, its interpretation of the jurisdiction of the GDPR is significant because it is one of the few judicial authorities that have been handed down on this issue so far.
Meaning of “Establishment”
The judge considered the first limb of Article 3 GDPR—what it means for a business to be “established” in the European Union for the purposes of Article 3(1) GDPR, taking into account the pre-GDPR Court of Justice of the European Union authorities, Google Spain (Case C-131/12 – Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González, EU:C:2014:317), Weltimmo (Case C-230/14 – Weltimmo s.r.o. v Nemzeti Adatvédelmi és Információszabadság Hatóság, EU:C:2015:639), and the Amazon case (Case C-191/15 – Verein für Konsumenteninformation v Amazon EU Sàrl, EU:C:2016:612). Of these, the judge placed some weight on the test for establishment set out in the Weltimmo case as being relevant in relation to the facts: (a) the test for “establishment” would be satisfied if there was “any real and effective activity—even a minimal one—exercised through stable arrangements”; and (b) “both the degree of stability of the arrangements and the effective exercise of the activities in that other Member State must be interpreted in the light of the specific nature of the economic activities and the provision of the services concerned.”
The judge also considered the European Data Protection Board’s (EDPB) “Guidelines 3/2018 on the Territorial Scope of the GDPR” (the Guidelines—see our alert on the Guidelines). These Guidelines do not have binding legal effect; therefore it is significant that they have now been reviewed by a court and relied upon as authority, which may serve to strengthen businesses’ confidence in relying on them in future. The judge’s conclusion was that Forensic News could not be said to be “established” in the European Union because it did not conduct minimal activity through stable arrangements in the European Union. The judge took into account that Forensic News did not have any EU-based employees or representatives, and that although it had a small readership in the United Kingdom, this was not considered relevant to its processing of the claimant’s personal data. Forensic News had “less than a handful” of UK subscribers via the “generic” subscription platform, Patreon, and these could be cancelled at any time, which the judge cited as not amounting to arrangements that were “sufficient in nature, number and type to fulfil the language and spirit of Article 3.1 GDPR and amount to being ‘stable.’”
Application of Extraterritorial Jurisdiction
In considering whether Article 3(2)(a) or (b) GDPR might apply, the judge relied once more on the Guidelines, in particular, the lists of factors that they set out relating to the offering of goods or services to EU residents and to the monitoring of the behavior of EU residents. The judge took a relatively strict interpretation of both types of activity, which could offer some comfort to other businesses whose online activities may inadvertently reach EU residents.
Offering Goods or Services
In relation to the offering of goods or services under Article 3(2)(a) GDPR, the court concluded that Forensic News’ activities had been minimal, as it had not specifically targeted the United Kingdom, and although it was possible to ship items purchased from its website to the United Kingdom, in practice, only one baseball cap had ever been shipped to the United Kingdom. Crucially, any offering of goods or services in the United Kingdom had been merely ancillary to Forensic News’ core data processing activities at issue, namely, the journalism as part of which it processed the claimant’s personal data.
Monitoring of Behavior
Had this particular case proceeded further, it is possible that Forensic News could have utilized the exemption from the GDPR for the processing of personal data for journalistic purposes (UK Data Protection Act 2018, c. 12, sch. 2, pt. 5, ¶ 26, in fulfilment of Article 85(2) GDPR), and a similar result would have been reached at a later stage.
While this case could be perceived as a welcome interpretation for website publishers not established in the European Union (or United Kingdom), there are some caveats to reliance on it as a precedent. This is a first-instance decision of the English High Court, so even within the United Kingdom, it may carry only limited precedential value. Moreover, although the case was decided during the transition period before the United Kingdom’s departure from the European Union, it is unlikely that EU or other member state courts would rely on this interpretation. Indeed, despite the Guidelines, many questions remain over the interpretation of Article 3(2)(b) GDPR. That article was explicitly adopted in order to address behavioral marketing through cookies and other tracking technology, whereas the judge’s view on it appears to have been limited by the very particular facts of this case. Another court considering Article 3(2)(b) GDPR in relation to different facts may apply the article as broadly as the provision is framed.
This case is particularly interesting for organizations located outside the European Union and United Kingdom that have minimal levels of contact with EU residents online, particularly where they conduct more sensitive personal data processing activities overseas that are separate from their online presence.
Such organizations may draw comfort that this case seems to provide for the possibility that some low level of data processing activity could be regarded as de minimis in nature and would not attract GDPR liability. This has previously been lacking in relation to GDPR and has been the cause of anxiety for overseas businesses to the extent that they feared being caught by the GDPR if they allowed EU visitors to their website.
It is also useful to have judicial recognition of the EDPB guidelines on the territorial scope of the GDPR. However, this case is based very much on its own facts, so individual circumstances and factors will always be relevant and will need to be considered on a case-by-case basis. The fact that this is a decision of the English courts arriving just as Brexit takes effect may also signal that this could be the start of a divergence in how the United Kingdom and the European Union apply their respective versions of the GDPR in the future.