Out-Law News | 28 Jan 2021 | 3:22 pm | 6 min. read
A US-registered publisher will not have to defend claims that its processing of a British resident's personal data breached EU data protection laws after the High Court in London ruled that the laws do not apply to it.
The court reached that verdict despite recognising that the US publisher had a "not minimal" number of UK readers, a fact the High Court said was "of no more than marginal relevance" to the question of whether its activities were subject to the EU's General Data Protection Regulation (GDPR).
Data protection law experts Laura Gillespie and Stuart Davey of Pinsent Masons, the law firm behind Out-Law, said that the High Court's consideration of the territorial scope of the GDPR was of wide relevance to businesses, and not just to the publisher involved in this case.
Davey said: "While this case concerned a UK judgment on a US publication's activities in respect of the EU before the Brexit transition period ended, the same issues and concepts arise in the context of UK organisations' activities in the EU now Brexit has taken effect, though those will be a matter for the EU courts, not UK courts, to consider. In addition, similar concepts will now apply to non-UK organisations in respect of their UK market activities, under the UK GDPR that now has effect."
The court was considering the territorial scope of the GDPR when determining whether Walter Soriano could proceed with data protection claims he had raised against Forensic News LLC, five journalists and a blogger in a trial before the London court. The claims concerned allegations made about him contained in a series of publications by Forensic News. The allegations were published prior to the end of the Brexit transition period.
The court ruled that Soriano "has no arguable case under the GDPR" on the basis that the GDPR did not apply to Forensic News. It also determined that Soriano had no real prospect of success in pursuing claims of malicious falsehood and harassment against the publisher at trial. However, the court has allowed Soriano to proceed with claims that he has been defamed, as well as in respect of misuse of private information – a claim centred on photographs Forensic News had allegedly "ripped from the social media accounts of a child in [Soriano's] family".
Gillespie said that the court's findings in relation to the data protection claims "usefully shed some light on interpreting the territorial scope of the GDPR, especially for UK controllers in the context of Brexit".
There are two ways in which the GDPR can apply to organisations.
First, under Article 3.1, it applies if their processing of personal data takes place in the context of activities of an establishment of a controller or a processor in the EU, regardless of whether the processing takes place in the EU or not.
Soriano argued that Forensic News should be deemed to have been 'established' in the EU at the time of the publications because the publications were in English; Forensic News' website solicits donations in pound sterling and in Euro; the website provided for the sale of branded merchandise to consumers in the UK; and because a tweet invited readers in the UK and the EU to subscribe for content.
However, Mr Justice Jay said the arguments were not sufficient to demonstrate that Forensic News was established in the EU. The judge considered how the concept of 'establishment' had been considered by the Court of Justice of the EU (CJEU) and in guidance produced by the European Data Protection Board (EDPB) in reaching that verdict.
While the CJEU has confirmed that the absence of a branch or subsidiary is not determinative of whether an organisation is 'established' in the EU, the judge said Soriano had failed to demonstrate that Forensic News was engaged in real and effective activity, even to a minimal extent, exercised through stable arrangements, as case law required.
Mr Justice Jay said it was relevant that Forensic News has no UK employees or representatives, and that its UK readership – which made up 4.57% of the total visitors to Forensic News' website, and in one case 35.9% of the share of readership for one of the articles Soriano took issue with – "could not begin to satisfy" the criteria for 'establishment' under the GDPR.
On the arguments raised about UK subscriptions, the judge said: "I cannot accept the proposition that less than a handful of UK subscriptions to a platform which solicits payment for services on an entirely generic basis, and which in any event can be cancelled at any time, amounts to arrangements which are sufficient in nature, number and type to fulfil the language and spirit of Article 3.1 and amount to being 'stable'."
It is not necessary, however, for organisations to be 'established' in the EU for them to fall within the scope of the GDPR.
The second way the Regulation can apply is when the processing of personal data concerns EU data subjects and is carried out by a controller or processor established elsewhere, so long as the processing relates to either the offering of goods or services to data subjects in the EU, as provided for under Article 3.2(a), or the monitoring of their behaviour as far as their behaviour takes place within the EU, as provided for under Article 3.2(b).
Soriano claimed that Forensic News offers services to readers in the UK in a way that satisfied the Article 3.2(a) requirements. He claimed that Forensic News used cookies to collect website visitors' data and processed that data using data analytics tools in order to serve them with targeted adverts. He also claimed that the publisher was collecting and obtaining his data and monitoring his behaviour within the UK and EU with a view to making publishing decisions.
Mr Justice Jay ruled, though, that "there is nothing to suggest that [Forensic News] is targeting the United Kingdom as regards the goods and services it offers". The judge said that the possible sale recorded of one baseball cap to a UK buyer was not sufficient to show otherwise.
Mr Justice Jay said that, in any event, Soriano had failed to sufficiently demonstrate that Forensic News' offer of goods and services in the UK was related to its core activity of journalism – which he had determined was necessary to satisfy the requirements of Article 3.2(a).
Laura Gillespie of Pinsent Masons said: "The court's decision that the placement of cookies for the purpose of behavioural advertising would not amount to monitoring the behaviour of EU citizens will give some comfort to controllers who operate businesses online."
Gillespie said the judge's comments also have practical relevance for businesses in the UK that are active in the EU market post-Brexit, in respect of their obligations under the GDPR to notify personal data breaches.
"Now that the UK has left the EU, if a controller suffers a personal data breach and the breach affects UK and EU citizens, a careful analysis will have to be undertaken to establish to which supervisory authority any notification should be made," Gillespie said. "It could result in parallel investigations being carried out by both the UK Information Commissioner's Office (ICO) and relevant European supervisory authority."
Earlier this month, the EDPB published new draft guidelines on examples regarding data breach notification. The draft guidelines, which are open to public consultation until 2 March 2021, complement existing guidelines the EDPB adopted on personal data breach notification.