In a judgment handed down by the UK Court of Appeal on 21 December 2021 ( EWCA Civ 1952, available here), Walter Soriano, the claimant, was granted his cross-appeal, giving him permission to serve Forensic News LLC and four other defendants in the United States with proceedings under the General Data Protection Regulation (GDPR). The appeal came from the High Court, which had previously refused such permission on the basis that the claimant could not demonstrate that the claim satisfied the test for serving claims outside the jurisdiction. The reason given by the High Court was that the processing of the claimant’s personal data did not fall within the territorial scope of the GDPR. The Court of Appeal therefore revisited the GDPR’s territorial scope as part of this appeal and decided the claimant had an arguable case and could therefore serve the claim outside the jurisdiction.
The territorial scope of the GDPR
As a reminder, the territorial scope of the GDPR includes processing of personal data in the context of the activities of an establishment of a controller or processor in the EU, or, if not established, the processing of personal data of individuals where the processing relates to the offer of goods or services to individuals based in the EU or the monitoring of the behaviour of individuals based in the EU. The test for establishment is whether the controller or processor operates real and effective activities through stable arrangements in the EU or UK and that the processing occurs in the context of those activities.
The High Court judge, Mr Justice Jay, believed that the minimal readership and handful of subscriptions to the website did not amount to a tenable case that the defendants had an establishment in the UK and EU. Nor did he feel that the processing activities being complained of were related to the offering of goods or services to, or the monitoring of, individuals in the EU.
The arguments made in this appeal and the decision
As part of this appeal, the Court of Appeal had to consider the territorial scope of the GDPR to decide whether the claimant had a real, as opposed to fanciful, claim (the Merits Test). This is the test that needs to be applied to determine whether a claim can be served outside the jurisdiction. Passing this test by no means suggests that the claimant will be successful in his actual claim against the defendants.
In summary, the Court of Appeal agreed with the claimant’s arguments that:
- the maintenance of a website that specifically and successfully solicits subscriptions in sterling and euro arguably amounts to a real and effective activity exercised through stable arrangements such that it could satisfy the Merits Test. The court suggested that three sterling subscriptions and three euro subscriptions, although minimal, were arguably a real and effective activity oriented towards the EU and UK and, in the absence of any further guidance from the European Court of Justice on this point, that the subscriptions themselves could arguably be considered a stable arrangement;
- the maintenance of the website and the journalistic processing of the claimant’s personal data were related to one another in that the processing of the claimant’s personal data is related to the offer the defendants make to individuals in the EU and UK to provide them with journalistic output. The court could see no authority for deciding that an individual whose personal data is being processed, needed to be the same individual who was being offered the goods or services, or being monitored; and
- the defendant journalists’ processing of the claimant’s personal data was related to the monitoring of the claimant’s behaviour, which took place in the EU, because it is arguable that the journalists used the internet to collect information about the behaviour of the claimant, who is based in the EU, and then they assembled, analysed and ordered that information for the purpose of writing and publishing an article about that behaviour.
This appeal has raised some interesting (read, creative) potential arguments on the territorial scope of the GDPR and it will be interesting to see how this plays out during the claim, although we suspect a hearing on the claim itself is some way off.