Privacy & Information Security Law Blog

The recent UK case of Soriano v Forensic News and Others tested the territorial reach of the General Data Protection Regulation (“GDPR”) and represents the first UK judgment dealing with the territorial scope of the GDPR. This was a “service out” case, where the claimant, Walter T. Soriano, sought the Court’s permission under the UK Civil Procedure Rules to serve proceedings on the defendants, who were all domiciled in the U.S.

Background

The defendants included Forensic News, a U.S.-based investigative journalism website, its owner and a number of journalists who contributed to the website. Mr. Soriano’s complaint related to ten internet publications and various social media postings, including on Facebook and on Twitter, published by Forensic News relating to various topics including Former President Trump’s financial affairs and the activities of Psy Group, a private Israeli intelligence company in Ukraine allegedly connected to Mr. Soriano. The judgement notes that the various articles and publications “make extremely serious allegations against the Claimant” and “amount to a sustained assault on the Claimant and his reputation.”

Mr. Soriano sought to bring various claims against the defendants, including under the GDPR, for malicious falsehood, harassment, misuse of private information and libel. As the defendants were domiciled in the U.S., Mr. Soriano applied for the Court’s permission to serve out these claims.

The Data Protection Claim

Before assessing the territorial application of the GDPR under Article 3, the Court was required to first consider Article 79(2) of the GDPR to determine whether Mr. Soriano was entitled to bring a GDPR claim in the UK at all. To this end, Article 79(2) of the GDPR states that “…proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence….”

As Mr. Soriano had been habitually resident in the UK since 2003 and a British citizen since 2009, he satisfied the criteria under Article 79(2) for bringing his claim in the UK. The judgment also notes that, “the policy of the GDPR is that someone who is habitually resident in a Member State should have the option to sue there rather than anywhere else. This is so even if the controller or processor has an establishment elsewhere.” Typically, in order to serve a claim out of jurisdiction, the claimant must show that it has a “good arguable case” for doing so. While this was relevant to Mr. Soriano’s other claims, it was not considered for the purposes of his data protection claim, as Article 79(2) of the GDPR offered an alternative jurisdictional gateway for bringing proceedings. In addition, Article 79(2) represented a lower standard of proof for Mr. Soriano, and the Court determined that there was no argument that he was not habitually resident in the UK.

Once the Court determined that Mr. Soriano was permitted to bring his claim in the UK, the Court moved on to consider the merits of his claim. In order to have a viable claim under the GDPR, Mr. Soriano was required to establish that the publication of his personal data fell within the territorial scope of the GDPR under either Article 3(1) or Article 3(2).

Article 3(1) – Establishment

Under Article 3(1), the GDPR “applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.”

In considering the facts and the application of Article 3(1), the Court considered the decisions of the Court of Justice of the European Union in the Google Spain, Weltimmo and Amazon cases. The Court held that the defendants were not established in the UK for the purposes of the GDPR, with the Judge noting that the defendant had no employees or representatives in the UK. In addition, while Forensic News had a readership in the UK, the Judge took the view that a handful of UK subscriptions to a platform that solicits payment for services on an entirely generic basis is “unlikely to amount to arrangements which are sufficient in nature, number and type to fulfil the language and spirit of Article 3(1) and amount to being ‘stable’.”

Article 3(2)(a) – Offering Goods or Services

Under Article 3(2)(a), the GDPR “applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union.”

Mr. Soriano argued that the defendants met this test because the defendants’ publications are in English, their website solicits donations in Sterling and in Euros, includes a “store” with its own branded merchandising and accepts shipping addresses in the UK. In deciding this point, the Court referred to the European Data Protection Board’s Guidelines on the Territorial Scope of the GDPR and concluded that there was no evidence to suggest that Forensic News was targeting its goods or services to anyone in the UK. In addition, to the extent that Forensic News was offering services to individuals in the UK, the Court held that offering the services needed to be “related to” Forensic News’s “core activities,” i.e., journalism. The Court did not consider that this was the case.

Article 3(2)(b) – Monitoring of Behavior

Under Article 3(2)(b), the GDPR “applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to the monitoring of their behavior as far as their behavior takes place within the Union.”

Mr. Soriano argued that because the Forensic News site used cookies for targeted online advertising, it had engaged in monitoring of people in the EU, and thus the GDPR's territorial scope test was met. Similar to the position taken with respect to the offering of goods or services, the Court held that the use of cookies for behavioral advertising purposes was not “related to” Mr. Soriano’s real complaint. In its judgement, the Court stated that, “the Defendant's journalistic activities have been advanced not through any deployment of these cookies.”

In consideration of the above, the Court concluded that Mr. Soriano had no arguable case under the GDPR.

While Mr. Soriano was unsuccessful in his claim under the GDPR, he was given permission to serve proceedings outside of the UK in respect of the misuse of private information claim (for the photos only) and the defamation claim.

In December 2021 the UK Court of Appeal permitted Soriano’s cross-appeal on the data protection claim, finding that it was arguable that the defendant’s had an establishment in the EU, and had intended to make their output available in the UK and EU, attracting a ‘more than minimal readership’. The Court of Appeal stated that the offer and acceptance of subscriptions in local currencies is arguably a ‘real and effective’ activity, and that in the context of the relevant online media publication, subscription arrangements should be viewed as stable in nature for the purposes of Article 3(1) and Recital 22 of the GDPR, especially as subscriptions provided the majority of the defendants’ income.