By Deborah Margolis and Darren Isaacs - 31 March 2021
In the first case of its kind, the High Court of England & Wales* has considered the limits on the extraterritorial reach of the European Data Protection Regulation (GDPR). The High Court concluded that GDPR did not apply to a US website where there was no establishment in the UK (or Europe) and where it didn’t target UK (or EU) customers.
Note: Although this case was decided by the High Court, the matters complained of occurred prior to Brexit. The High Court ruling therefore deals directly with the GDPR. It will continue to be relevant after Brexit as the UK’s data protection legislation substantively mirrors the GDPR provisions.
* For our international readers, the High Court of England & Wales is a senior court with jurisdiction in England and Wales only (Scotland, for example, has a separate equivalent court).
The European data privacy regulation, the General Data Protection Regulation (“GDPR”), has extraterritorial reach in certain circumstances, which means that many businesses based outside Europe find themselves subject to its burdensome obligations for processing personal data.
Until now, businesses have been lacking clarity regarding exactly how far GDPR's extraterritorial reach extends.
Relevant to this case, the GDPR can apply to businesses outside of Europe in any of the following circumstances:
The UK case of Soriano v Forensic News LLC, which was brought by an individual against a US news website, involved a claim under the GDPR.
In a preliminary hearing, a judge in the High Court had to decide whether any of the three points above applied.
It is important to keep in mind that this was a preliminary view of a senior UK judge, so the issue remains open to be argued again more fully in another case or on appeal.
The GDPR applies to the processing of personal data “in the context of the activities of an establishment of a controller or a processor in the Union”, regardless of whether the processing takes place in Europe or not. The concept of “establishment” under GDPR is wider than having an entity in Europe and extends to any activity through “stable arrangements”. In this case, the facts were as follows:
The judge was not persuaded that Forensic News had stable arrangements in the UK, so it did not have an “establishment” and therefore he did not go on to consider if the processing was “in the context of the activities of an establishment”.
The court went on to consider the second way that GDPR may apply.
The GDPR applies to the processing of European individuals’ personal data by a company not established in Europe, where the processing activities are “related to … the offering of goods or services...” to individuals in Europe.
In this situation, there was nothing to suggest that Forensic News was targeting the UK market as regards the goods and services it offered. While the website's merchandise could be shipped to the UK (and there was evidence that somebody in the UK had bought one baseball cap from its website), the judge considered that this didn’t amount to the offering of goods or services to individuals in Europe. Even if it did, the judge also doubted that the processing that was complained of was “related to” any such offering.
It was not disputed that Forensic News undertook some monitoring of website access by European individuals, for the purposes of targeted advertising.
Interestingly, however, the judge in this case was of the view that monitoring merely for the sake of targeted advertising, when the core business of Forensic News was journalism, was not the sort of “monitoring” that was intended to be caught by the GDPR. In his view: “the monitoring that does properly fall within this provision – the behavioural profiling that informs advertising choices – is not related to the processing that [Mr Soriano] complains about…”.
This view, in particular, may prove to be controversial in the future.
For the reasons set out above, the judge in this case concluded that Forensic News was not subject to GDPR.
This is the first UK judgment which considers the extraterritorial reach of the GDPR and may provide some reassurance to non-European and non-UK website operators without a physical presence in Europe (such as branches, subsidiaries, employees or other representatives), whose content is not specifically oriented towards European customers but could nonetheless be accessed by users in Europe.
However, the decision needs to be treated with some caution as it may be that the European courts will take a harder line on this than a post-Brexit UK court will, and in any event, this point was addressed in a ruling dealing with a preliminary point of law only.
If you have any questions about this article or data privacy more generally please contact Deborah Margolis or Darren Isaacs.