A recent English court ruling has increased the risk that data controllers will be caught by the European data protection regime, wherever they are located. It has particularly serious implications for those engaged in journalistic activity.
The English Court of Appeal in Soriano v Forensic News has accepted that there is an arguable case that the territorial gateways through which GDPR applies are much wider than previously thought and so capture organisations and businesses outside Europe which might not have thought they are directly regulated.
This is a decision by an English court and so, in light of Brexit, might be said to only impact those processing personal data in the context of the UK version of GDPR. However, UK GDPR is for these purposes identical to the EU version. Accordingly, the grounds on which the English Court of Appeal has concluded that UK GDPR has extra-territorial reach might be equally persuasive to EU courts and regulators. For the purposes of this article, we will refer to GDPR as applying to the UK and EU version of GDPR. And when we refer to “Europeans”, we are referring to those based in the EU, the additional EFTA countries and the UK.
Under Article 3, “Territorial Effect” there are two scenarios in which data controllers and processors can be caught by the GDPR.
The first scenario, set out in Article 3(1), focusses on the concept of “establishment”. It scrutinises the extent of the entity’s connection with the EU and asks whether personal data is processed “in the context of the activities of an establishment of a controller or processor in the Union”. Whilst this terminology does not require an office or physical presence in Europe, it does require that the entity is engaged in some sort of activity there. The bar for the activity to qualify under Article 3(1) has been set by case law at: “any real and effective activity – even a minimal one – exercised through stable arrangements”. Prior to Soriano entities with no European branch, subsidiary, employees or representatives considered themselves unlikely to be caught by this scenario.
The second scenario, set out in Article 3(2) is where the controller or processor is located outside Europe but is processing the personal data of data subjects who are inside Europe and the processing activities relate to either (a) offering goods or services or (b) monitoring the behaviour of those data subjects. In this scenario, the extent to which the extra-territorial entity might come within the purview of the GDPR depends on the nature of the activities it is carrying out, not where they are performing them. As far as we are aware, Soriano is the first case anywhere in Europe to test the wording of Article 3(2).
The effect of Soriano has been to accept that the bar for a data controller or processor to be caught by either Article 3(1) or 3(2) is arguably much lower, thereby increasing the risk that GDPR will apply to their activities.
The case has also provided a practical illustration of what the language in both of the above provisions could mean in practice.
The claimant is a UK citizen resident in the UK. The defendants are a small group of journalists in the US associated with a website called Forensic News run by a 24-year-old called Scott Stedman from California. Between June 2019 and June 2020, they published a series of articles accusing the claimant of various illegal activities, including corruption and murder.
About 75 per cent of all visitors to the website originate from the US and about 5 per cent from the UK. “Hits” for the articles in the US varied between about 49-81 per cent and “hits” from the UK between about 6 per cent and 36 per cent. The content complained about had 2,180 page views in England and Wales and 3,594 in California.
Content is available free of charge, with funding drawn from subscriptions, donations, merchandise sales and advertising revenue. About 80 per cent of revenue came from paid subscriptions via a platform called Patreon. At first subscriptions and donations were invited only in dollars, but the website subsequently Tweeted: “Everyone in the UK or EU can now pledge to Patreon in their local currency of Euros or Pounds.” After this there were three Patreon subscriptions in Euros and three in Sterling. The website included a “store” with its own branded merchandising, accepting shipping addresses in the UK.
In July 2020 the claimant issued proceedings against the defendants in the High Court of England and Wales for breaches of data protection law. (He also sued in malicious falsehood, libel, harassment and misuse of private information.) The data protection claim was on the basis that the defendants were
“data controllers” of the claimant’s special category personal data and their activities (researching and publishing articles about the claimant) constituted unfair processing, the data was inaccurate (because they were making false claims), there was no lawful basis for the processing and that there had been unlawful international data transfers.
The claimant argued that the facts of the case set out above meant that the website was caught by both limbs of Article 3.
Because the defendants are located outside the jurisdiction of England & Wales, Soriano had to seek the permission of the English court to serve legal proceedings on them in the USA, without which the claim could not proceed in the English courts. To do so, Soriano had to show that the claims were sufficiently arguable. Importantly, Soriano did not have to show that the claims would succeed at a full trial.
At first instance the English court refused permission, ruling that the data protection case disclosed no real prospect of meeting either of the two tests in Article 3 which are necessary for the GDPR to apply.
In relation to Article 3(1), it found there was no tenable case that the defendants could be shown to have an “establishment” within Europe because having a few subscribers there who could cancel their subscriptions at any time did not qualify as “stable arrangements”.
As for Article 3(2)(a), the court said there was nothing to suggest that the website was targeting Europe as regards the goods and services it offers.
With Article 3(2)(b), the court said that using cookies within Europe was not enough because it was not related to the journalistic activities that Soriano complained of.
Consequently, the Judge said, the data protection case disclosed no real prospect of succeeding and therefore did not meet the test for service out of the jurisdiction to be granted, hence that part of the claim could not proceed.
The Court of Appeal disagreed. Its ruling that there was a reasonable prospect that all of the jurisdictional bases set out in Article 3 were present in this case, and that hence the case should proceed to be served in the US and be heard in the English courts where those issues could be finally determined, surprised many.
The judgment of the three-judge panel could be said to carry particular weight because it was given by Lord Justice Warby, who is widely acknowledged as the most senior English Judge in this area of the law, having previously been in charge of the part of the High Court which is specifically designated to deal with data protection claims.
The ruling answered a number of key questions about what the wording of Article 3 means in practice, and particularly in what kind of circumstances the GDPR will apply to entities predominantly operating outside Europe. The key questions raised and answered by the appeal were as follows:
Q: What level of presence and activity within the EU is needed to qualify as “any real and effective activity – even a minimal one – exercised through stable arrangements”? In other words, in what kind of situations can entities expect to be “caught” by Article 3(1) GDPR?
A: The appeal ruling showed that, even though an entity’s links to Europe may appear tenuous, the GDPR can cast a wide net, catching a website which, whilst having no branch, subsidiary, employees or representatives within the EU:
Analysis: Moving forwards therefore, entities wanting to sail safely outside “GDPR waters” might be less keen to elicit European subscriptions and in addition consider either blocking website access within Europe or merely making the content available online with no demonstrable intention to be available there.
Q: Can a journalistic website based in the US be said to be “offering goods and services” to data subjects in Europe for the purposes of Article 3(2)(a), even where most of the readers are in the USA and there are very few European subscribers?
A: Yes. The court found that the journalistic activities carried out by the defendants were related to the offer to provide data subjects within Europe with services in the form of journalistic output.
This finding appears to be contrary to the express terms of Article 3(2)(a). It says that GDPR applies to the processing of personal data of data subjects who are in Europe where the processing relates to the offering of goods or services to such data subjects in Europe (our emphasis). In other words, the processing is of the data of those individuals to whom the service is being offered and it is not sufficient that the data being processed is that of a third party, such as the subject of an article like the claimant in this case. However, the Court of Appeal’s ruling was based on a common understanding between the claimant and defendants that Article 3(2)(a) should not be read as requiring the data being processed to be that of the data subjects to whom the journalistic service was being offered.
This seems to us to be a very odd concession by the defendants given the plain reading of Article 3(2)(a). If it were argued effectively, we consider it would be decided that the Article 3(2)(a) gateway is not satisfied in a case like this. The issue might be re-visited when the case comes to a full trial.
Analysis: Confirmation that a US website offering journalistic output to people in Europe amounts to offering “goods and services” for the purposes of the GDPR will be highly controversial in the US and seen as a threat to freedom of speech. It could result in the most risk averse and/or editorially controversial news websites blocking access within Europe as a way of steering away from the GDPR and keeping to the less onerous waters of US laws.
Q: Can journalism amount to “monitoring” under the GDPR for the purposes of Article 3(2)(b)?
Answer: Yes. The court found that someone who uses the internet to collect information about the behaviour in the EU of an individual who is in the EU and then assembles, analyses and orders that information for the purposes of writing and publishing an article about that behaviour in (among other places) the EU is thereby engaging in “the monitoring of [the data subject’s] behaviour…within the Union”.
Analysis: the court has further extended the net, expanding the existing activities which can qualify as “monitoring” (previously thought to include activities like tracking an individual’s location or observing what they are doing or reviewing) to journalistic activity. However, the court was clear that both the research element and the preparatory steps leading to publication were necessary to amount to monitoring: “The mere fact that the defendants created a collection of personal data relating to the claimant’s behaviour in the EU might not be enough.” Hence, moving forwards, we might see non-European based editorial teams seeking to evade the GDPR by only publishing stories they have researched about European-based individuals on websites which are not accessible within Europe. This would be particularly likely to be the case where journalists are investigating serious allegations and / or processing special category personal data (such as information about someone’s sex life or the commission of a criminal offence) which they know is more likely to come under challenge by the data subject.
The case has demonstrated that the territorial scope of the GDPR might well be wider than previously thought. The “minimal” connection required to satisfy Article 3(1) would be satisfied by a website with just six European subscribers but a demonstrable intent to reach European readers. For Article 3(2), “offering goods and services” and “monitoring” can include researching and publishing journalistic articles about a person based in Europe and publishing them within Europe.
What this will mean for Soriano’s case when it is eventually heard in full remains to be seen and we do emphasise that at the moment all that the Court of Appeal has been satisfied with is that the claim is sufficiently arguable. We fully expect these points to be re-visited in this case or in another where the final decision might not be aligned with this preliminary ruling. Emphasising this, the Court of Appeal suggested the Information Commissioner’s Office (the UK data protection regulator) should be invited to make representations at the trial. We think other non-European journalistic organisations might also want to try to intervene, given the ramifications of this case.
Lastly, whilst the decision threatens to cast the GDPR shadow over organisations and businesses based in third countries, it could also hold a silver lining for them. Depending on the facts, entities located in a third country which receive personal data from Europe may in future be able to argue that, because the GDPR regime applies to them, it is not necessary to set up one of the international data transfer “gateways” – such as standard contractual clauses - for the transfer to be lawful, effectively freeing up the flow of data from Europe.
The full text of the decision in Soriano -v- Forensic News is here.
Ian De Freitas
Partner
Farrer & Co. (UIAdvance Member)
Athalie Matthews
Senior Associate
Farrer & Co. (UIAdvance Member)
+44 (0)20 3375 7000.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, February 2022