The recent UK case of Soriano v Forensic News and Others tested the territorial reach of the General Data Protection Regulation (“GDPR”) and represents the first UK judgment dealing with the territorial scope of the GDPR. This was a “service out” case, where the claimant, Walter T. Soriano, sought the Court’s permission under the UK Civil Procedure Rules to serve proceedings on the defendants, who were all domiciled in the U.S.
Background
The defendants included Forensic News, a U.S.-based investigative journalism website, its owner and a number of journalists who contributed to the website. Mr. Soriano’s complaint related to ten internet publications and various social media postings, including on Facebook and on Twitter, published by Forensic News relating to various topics including Former President Trump’s financial affairs and the activities of Psy Group, a private Israeli intelligence company in Ukraine allegedly connected to Mr. Soriano. The judgement notes that the various articles and publications “make extremely serious allegations against the Claimant” and “amount to a sustained assault on the Claimant and his reputation.”
Mr. Soriano sought to bring various claims against the defendants, including under the GDPR, for malicious falsehood, harassment, misuse of private information and libel. As the defendants were domiciled in the U.S., Mr. Soriano applied for the Court’s permission to serve out these claims.
The Data Protection Claim
Before assessing the territorial application of the GDPR under Article 3, the Court was required to first consider Article 79(2) of the GDPR to determine whether Mr. Soriano was entitled to bring a GDPR claim in the UK at all. To this end, Article 79(2) of the GDPR states that “…proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence….”
As Mr. Soriano had been habitually resident in the UK since 2003 and a British citizen since 2009, he satisfied the criteria under Article 79(2) for bringing his claim in the UK. The judgment also notes that, “the policy of the GDPR is that someone who is habitually resident in a Member State should have the option to sue there rather than anywhere else. This is so even if the controller or processor has an establishment elsewhere.” Typically, in order to serve a claim out of jurisdiction, the claimant must show that it has a “good arguable case” for doing so. While this was relevant to Mr. Soriano’s other claims, it was not considered for the purposes of his data protection claim, as Article 79(2) of the GDPR offered an alternative jurisdictional gateway for bringing proceedings. In addition, Article 79(2) represented a lower standard of proof for Mr. Soriano, and the Court determined that there was no argument that he was not habitually resident in the UK.
Once the Court determined that Mr. Soriano was permitted to bring his claim in the UK, the Court moved on to consider the merits of his claim. In order to have a viable claim under the GDPR, Mr. Soriano was required to establish that the publication of his personal data fell within the territorial scope of the GDPR under either Article 3(1) or Article 3(2).
Article 3(1) – Establishment
Under Article 3(1), the GDPR “applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.”
In considering the facts and the application of Article 3(1), the Court considered the decisions of the Court of Justice of the European Union in the Google Spain, Weltimmo and Amazon cases. The Court held that the defendants were not established in the UK for the purposes of the GDPR, with the Judge noting that the defendant had no employees or representatives in the UK. In addition, while Forensic News had a readership in the UK, the Judge took the view that a handful of UK subscriptions to a platform that solicits payment for services on an entirely generic basis is “unlikely to amount to arrangements which are sufficient in nature, number and type to fulfil the language and spirit of Article 3(1) and amount to being ‘stable’.”
Article 3(2)(a) – Offering Goods or Services
Under Article 3(2)(a), the GDPR “applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union.”
Mr. Soriano argued that the defendants met this test because the defendants’ publications are in English, their website solicits donations in Sterling and in Euros, includes a “store” with its own branded merchandising and accepts shipping addresses in the UK. In deciding this point, the Court referred to the European Data Protection Board’s Guidelines on the Territorial Scope of the GDPR and concluded that there was no evidence to suggest that Forensic News was targeting its goods or services to anyone in the UK. In addition, to the extent that Forensic News was offering services to individuals in the UK, the Court held that offering the services needed to be “related to” Forensic News’s “core activities,” i.e., journalism. The Court did not consider that this was the case.
Article 3(2)(b) – Monitoring of Behavior
Under Article 3(2)(b), the GDPR “applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to the monitoring of their behavior as far as their behavior takes place within the Union.”
Mr. Soriano argued that because the Forensic News site used cookies for targeted online advertising, it had engaged in monitoring of people in the EU, and thus the GDPR's territorial scope test was met. Similar to the position taken with respect to the offering of goods or services, the Court held that the use of cookies for behavioral advertising purposes was not “related to” Mr. Soriano’s real complaint. In its judgement, the Court stated that, “the Defendant's journalistic activities have been advanced not through any deployment of these cookies.”
In consideration of the above, the Court concluded that Mr. Soriano had no arguable case under the GDPR.
While Mr. Soriano was unsuccessful in his claim under the GDPR, he was given permission to serve proceedings outside of the UK in respect of the misuse of private information claim (for the photos only) and the defamation claim.
In December 2021 the UK Court of Appeal permitted Soriano’s cross-appeal on the data protection claim, finding that it was arguable that the defendant’s had an establishment in the EU, and had intended to make their output available in the UK and EU, attracting a ‘more than minimal readership’. The Court of Appeal stated that the offer and acceptance of subscriptions in local currencies is arguably a ‘real and effective’ activity, and that in the context of the relevant online media publication, subscription arrangements should be viewed as stable in nature for the purposes of Article 3(1) and Recital 22 of the GDPR, especially as subscriptions provided the majority of the defendants’ income.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code