The High Court concluded that GDPR did not apply to a US website where there was no establishment in the UK (or Europe) and where it didn’t target UK (or EU) customers.
Note: Although this case was decided by the High Court, the matters complained of occurred prior to Brexit. The High Court ruling therefore deals directly with the GDPR. It will continue to be relevant after Brexit as the UK’s data protection legislation substantively mirrors the GDPR provisions.
* For our international readers, the High Court of England & Wales is a senior court with jurisdiction in England and Wales only (Scotland, for example, has a separate equivalent court).
Background
The European data privacy regulation, the General Data Protection Regulation (“GDPR”) has extraterritorial reach in certain circumstances, which means that many businesses based outside Europe find themselves subject to its burdensome obligations for processing personal data.
Until now, businesses have been lacking clarity regarding exactly how far GDPR’s extraterritorial reach extends.
Relevant to this case, the GDPR can apply to businesses outside of Europe in any of the following circumstances:
- Where there is the processing of personal data in the context of the activities of an establishment of a business in Europe (even if the processing happens outside of Europe); or
- Where the processing relates to the offering of goods or services, irrespective of whether a payment of an individual is required, to European individuals; or
- Where the processing relates to the monitoring of the behaviour of European individuals, as far as their behaviour takes place within Europe.
What was decided in this case?
The UK case of Soriano v Forensic News LLC, which was brought by an individual against a US news website, involved a claim under the GDPR.
Did the US website have an establishment in the UK?
The GDPR applies to the processing of personal data “in the context of the activities of an establishment of a controller or a processor in the Union“, regardless of whether the processing takes place in Europe or not. The concept of “establishment” under GDPR is wider than having an entity in Europe and extends to any activity through “stable arrangements“. In this case, the facts were as follows:
Was the US website offering goods or services to individuals in the UK?
The GDPR applies to the processing of European individuals’ personal data by a company not established in Europe, where the processing activities are “related to … the offering of goods or services…” to individuals in Europe.
Was the website monitoring the behaviour of UK individuals?
It was not disputed that Forensic News undertook some monitoring of website access by European individuals, for the purposes of targeted advertising.
So, where does this take us?
For the reasons set out above, the judge in this case concluded that Forensic News was not subject to GDPR.
This is the first UK judgment which considers the extraterritorial reach of the GDPR and may provide some reassurance to non-European and non-UK website operators without a physical presence in Europe (such as branches, subsidiaries, employees or other representatives), whose content is not specifically oriented towards European customers but could nonetheless be accessed by users in Europe.
However, the decision needs to be treated with some caution as it may be that the European courts will take a harder line on this than a post-Brexit UK court will, and in any event, this point was addressed in a ruling dealing with a preliminary point of law only.
If you have any questions about this article or data privacy more generally please contact Deborah Margolis or Darren Isaacs.
