A version of this briefing first appeared in the Privacy Laws & Business UK Report, Issue 114 (March 2021)
As UK and EU businesses grapple with the complexities of the post-Brexit world, one of the first key questions for businesses from a data privacy perspective is whether their processing is subject to the UK or EU regime (or both). This briefing considers the implications of the decision of the High Court in the Soriano case and discusses what questions it leaves unresolved.
The impact of Brexit
We are a few months into the post-Brexit world, with the EU and the UK now operating broadly separate legal systems. The UK has its own privacy regime comprised of the “UK GDPR”, which is essentially the European General Data Protection Regulation (or “EU GDPR”) as implemented in national UK legislation, and the Data Protection Act 2018. Both have been modified slightly to make them work in a UK-only context and together they are now the primary sources of data protection compliance for UK businesses.
However, the EU GDPR will continue to be relevant for any UK business that remains active in the EEA as a result of its potential extra-territorial application. Similarly, European companies that are active in the UK will have to consider the application of the UK GDPR. As a result, we have seen an increasing number of questions from businesses, both in the EU and UK, seeking to understand exactly when they are subject to either of the two regimes, and what this means for them in practice.
The precise application of data protection legislation always requires careful analysis, but this is particularly important in the post-Brexit world where a business could find itself subject to two (near-identical) regimes for the same processing activity and, therefore, two parallel enforcement actions. Soriano v Forensic News LLC and Others  EWHC 56 (QB) is the first case in which the English High Court has considered the question of GDPR extra-territoriality and therefore provides timely guidance in our post-Brexit world.
Background of the Soriano case
The case was brought by the claimant Mr Soriano against Forensic News and five of its journalists. Mr Soriano was resident in the UK, whereas Forensic News and the journalists were based in the US. Mr Soriano alleged that a number of podcasts, articles and social media posts published by them which mentioned him by name had caused him harm. He brought an action alleging breach of data protection laws as well as libel, harassment and misuse of private information claims.
This briefing focusses on the data protection elements of the case, particularly the interpretation of Article 3 of the EU GDPR and whether, on the facts of the case, the processing in question was held to fall within its scope.
Relevance of the case post-Brexit
The data protection elements of the claim were brought under the EU GDPR before the end of the transition period (i.e. when the EU GDPR applied directly in the UK). However, the judgment is still relevant in the UK post-Brexit since, until the UK introduces any changes to its data privacy laws, the provisions in the EU GDPR and UK GDPR remain broadly identical. This includes the provisions in Article 3 of both instruments which set out when the data privacy rules apply to a given processing activity, including in an extra-territorial context.
The decision is therefore of interest to businesses when considering whether they are caught by the extra-territorial provisions of either the UK GDPR or the EU GDPR.
The jurisdictional hurdle
Before the court considered the application of Article 3 in Soriano, it had to deal with a jurisdictional question. Article 79 gives individuals the right to an effective judicial remedy and allows them to bring a case in the EU member state where they are habitually resident. The defendants argued that this provision is subordinated to Article 3, and that, consequently, the first step should be to consider whether the EU GDPR applies to the relevant processing. The court disagreed, concluding that the gateway test of Article 79 should be considered first. In any event, the Article 79 test was easily met here as Mr Soriano was habitually resident in the UK (which was part of the EU at the time) and so the argument was somewhat moot in this particular case.
Having passed this first hurdle, the next question was whether the defendants’ data processing was subject to the EU GDPR under Article 3.
Soriano on the applicability of the EU GDPR
By way of reminder, the EU GDPR applies:
- to any processing in the context of activities of an establishment in the EU;
- to any processing activities related to the offering of goods or services, irrespective of whether payment is required, to individuals residing in the EU; and
- to any processing activities related to the monitoring of any behaviour which takes place in the EU.
Mr Soriano sought to argue that Forensic News was established in the UK, which at the time was part of the EU. He provided a number of arguments to support his claim:
- the relevant publications were in English;
- the Forensic News website solicited donations in sterling and euro;
- the Forensic News website sold goods through an online store feature with branded products which accepted UK shipping addresses; and
- a tweet sent by one of the journalists invited pledges to Patreon, a subscription platform, from readers in the UK and EU.
However, the High Court did not consider this sufficient evidence to conclude that Forensic News was established in the EU. Although Justice Jay stated that the absence of a branch or a subsidiary was in no way determinative, he concluded: “I cannot accept the proposition that less than a handful of UK subscriptions to a platform which solicits payment for services on an entirely generic basis, and which in any event can be cancelled at any time, amounts to arrangements which are sufficient in nature, number and type to fulfil the language and spirit of article 3.1 and amount to being "stable".”
Given the claimant fell at the first hurdle (i.e. whether there was an EU establishment), it was not necessary to consider whether the relevant processing was "in the context of" the activities of the defendants established in the EU.
Offering of services
Mr Soriano sought to argue that Forensic News offered services to people residing in the UK and so was caught by Article 3(2) of the EU GDPR. The High Court accepted the submission from the defendants that under Article 3(2) the relevant data processing has to be "related to" the service offered and that this is narrower and stricter than processing having to be "in the context of" an establishment under EU GDPR Article 3(1).
Therefore, for the EU GDPR to apply, the claimant needed to demonstrate that Forensic News’ offering of services was related to its “core activity” of engaging in journalism. It was insufficient to simply show that Forensic News may have offered unrelated goods or services into the UK such as offering merchandise online.
The High Court concluded that the claimant had not demonstrated the necessary level of connection between the goods or services being offered into the UK and the journalism content that was the subject of the action. It therefore concluded that the EU GDPR did not apply to the processing of personal data that was the subject of the claim. Given this, the High Court did not need to consider further the application of the factors (originally taken from the Pammer case) set out in the European Data Protection Board’s (EDPB’s) Guidelines 3/2018 on the Territorial Scope of the GDPR and referred to by Mr Justice Jay.
EDPB relies on 2010 Pammer case in its guidance on GDPR extra-territorial application
In Pammer, the CJEU referred to a number of factors which could constitute evidence of an activity ‘directed to’ one or more Member States within the meaning of Regulation 44/2001 on jurisdiction and the recognition and enforcement of judgments in civil and commercial matters. Although the EDPB acknowledges in its Guidelines that the notion of “directing an activity” differs from the “offering of goods or services”, it nevertheless deems the Pammer case law to be of assistance when considering whether goods or services are offered to a data subject in the Union. The list of factors the EDPB sets out in its Guidelines therefore includes a number of the Pammer ones (e.g. the international nature of the activity at issue, such as certain tourist activities; the mention of telephone numbers with the relevant code; the mention of an international clientele composed of customers domiciled in various EU Member States, etc.).
Finally, the claimant contended that Forensic News was monitoring behaviour in the EU by placing cookies on readers' devices and processing their personal data using Facebook and Google analytics for the purpose of targeting advertisements. Mr Soriano argued Facebook Ireland Ltd and Google Ireland Ltd operated as joint data controllers with Forensic News in this respect.
As a result of the various decisions summarised above, the claimant’s claim under the EU GDPR failed, although he was successful in relation to other aspects of his claim which were brought under other laws.
Impact of the decision
The decision as to establishment is not surprising on the facts given previous CJEU case law in this area, particularly the Google Spain, Weltimmo and Verein für Konsumenteninformation v Amazon cases. However, there have been fewer cases on the interpretation of Article 3(2) of the EU GDPR.
It is a shame, therefore, that it was not necessary for the High Court to apply the Pammer criteria (as referred to in the EDPB Guidelines), either to the cookies or the offering of goods, as that would have helped to answer some of the recurring questions that arise as to application of the EU GDPR to companies who do not have an establishment in the EU. If the processing being complained of had been in respect of personal data that was held by Forensic News in respect of its sale of merchandise to an individual with a UK delivery address, the outcome may have been different. Likewise had the complaint related to the behavioural advertising.
In the meantime, this leaves companies (and their advisers) to apply the Pammer criteria and the EDPB guidance in order to assess whether the EU or UK GDPR applies to their particular circumstances, with Brexit having increased the number of companies questioning this.
The result of this assessment is often not clear cut, leaving uncertainty as to whether or not the EU or UK GDPR applies. Companies take different risk-based decisions as a result. For some, in particular if they are based in a regime with similarly high data privacy standards, the downsides of accepting the application of the GDPR are minimal. But for others, the delta between their normal practices and the requirements of the GDPR is more significant, so concluding that the GDPR does not apply (and potentially taking steps to bolster this assessment) is the right commercial outcome.
It is inevitable that some of these decisions will be challenged at some point in the future which, whilst not ideal for whichever company is in the firing line, should at least provide some much-needed clarity for others.
This briefing is part of the Slaughter and May Horizon Scanning series
Themes include Beyond Borders, Governance, Sustainability & Society, Digital, Navigating the Storm and Focus on Financial Institutions. Beyond Borders explores how crossing physical borders became challenging for most citizens during 2020, but investment flows and operations continued on a global basis. This theme looks at some key aspects of managing risk and maximising the value or opportunities in a regulatory and transactional context, and considers what is on the horizon for working beyond borders in 2021.