Clarifying the territorial reach of the GDPR in data protection litigation

United KingdomScotland

On 15 January 2021, judgment was handed down in the High Court by Mr Justice Jay in the case of Sorianzo v (1) Forensic News LLC (2) Scott Stedman (3) Eri Levai (4) Jess Coleman (5) Robert Denault and (6) Richard Silverstein (link).

The Defendants in this claim variously published or contributed to a number of articles and communications that alleged, amongst other things, that the claimant was a “thug” and had been involved in corrupt activities. The judge described the allegations as “a sustained assault of the Claimant and his reputation”.

The Claimant filed proceedings on various grounds including breach of GDPR, defamation, misuse of private information, malicious falsehood and harassment. The defendants are all domiciled in the U.S., and the hearing concerned a contested application for permission to serve out.

The most significant part of the judgment is the analysis on the territorial scope of GDPR. To date, the territorial scope of GDPR has largely been considered in regulatory contexts, but this is a rare analysis in the context of litigation seeking damages. This is an important topic and issues on the intersection of private international law and data protection are likely to come under increasing scrutiny in light of the recent flurry of CPR 19.6 class actions that have been filed for alleged data protection breaches that rely on the Court of Appeal’s decision in Lloyd v Google, particularly as non-European entities are frequently named as defendants.

The parties and the publications

Given that this was a jurisdiction hearing, the locations of the claimant, the defendants and the underlying events were centrally important.

The Claimant is an Israeli who has lived in the UK since 2003 and holds British citizenship. The First Defendant (“FN”) is a Californian company that operates the website Forensic News. The Second Defendant is FN’s sole manager and director and the Third to Sixth defendants were linked with FN either as journalists or otherwise. The Sixth defendant was not represented. None of the Defendants have any links to the UK other than “brief touristic visits”.

The claim was brought in respect of ten publications (together, the “Publications”). Eight of these were published on FN between June 2019 and June 2020. The last two Publications were published on a blog run by the Sixth Defendant. Evidence adduced to the Court stated that the proportion of hits for the Publications varied between 48.46% to 81.18% for the US, and 5.53% and 35.9% for the UK. More specifically, each Publication was accessed between 14 and 1,398 times in the UK.

Jurisdiction arguments on the GDPR claims

The data protection claims were framed with the Claimant as a data subject, the First and Second Defendant as data controllers, the Fifth Defendant as a data processor (for the FN website) and the Sixth Defendant as data controller of his blog.

The Court considered whether there was a jurisdictional basis for the GDPR claim to proceed at the High Court and whether there was a real prospect of success.

  • Jurisdictional basis for the claim

Article 79(2), Article 2 of the GDPR, headed “Right to an effective judicial remedy against a controller or a processor” provides as follows (emphases added):

“Proceedings against a controller or a processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers.”

It was undisputed that the Claimant was habitually resident in England, and so it was not necessary for the Court to decide whether the Defendants had an establishment in England for the purposes of Article 79(2), although that point was considered in the merits test which we turn to next.

  • Did the GDPR claims have a real prospect of success?

>This is the most interesting part of the judgment and where it directly grappled with the territorial scope of the GDPR. In English law, most causes of action have no territorial limits but two exceptions are GDPR claims and antitrust claims. Territoriality arises where the ordnance that forms the basis of the cause of action has geographical limits. For GDPR, the key provisions are at Article 3 which provides as follows (emphases added):

  1. This Regulation applies to the processing of personal data in the context of activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
  2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union.

The Defendants urged Jay J to definitively decide on territoriality rather than apply the “reasonable prospect of success” test for jurisdiction challenges. Jay J declined, but nevertheless concluded that the Claimant failed to meet the relatively low “reasonable prospects” threshold on Articles 3.1 or 3.2. In doing so, he had regard to the European Data Protection Board’s Guidelines 3/2018 on the Territorial Scope of the GDPR and recitals 23 and 24 to the GDPR.

On the extraterritoriality issues, Jay J found as follows:

  • Article 3.1 – the Defendants did not have any branch or subsidiary in the UK, but this was not in of itself determinative. FN’s lack of employees or representatives in the UK was relevant. While FN had a non-minimal readership in the UK, this was not sufficient to satisfy article 3.1. The Court also had regard to whether the Defendants had “stable arrangements”, in the meaning of recital 22 to the GDPR which was considered in the CJEU’s ruling in Weltimmo (C‑230/14). Jay J found that “taking the Claimant’s case at its reasonable pinnacle” he was not persuaded that the defendants had sufficiently “stable arrangements”
  • Article 3.2(a) – while there was a UK readership, there was no evidence that the UK was being targeted in respect of the services or goods being offered. The fact that some goods might have been shipped to the UK was inadequate for Article 3.2(a). In any event, potential availability of merchandise in the UK was not “related to” the processing being complained of.
  • Article 3.2(b) – Jay J accepted that the Claimant had an arguable case that FN’s use of cookies and similar technologies amounted to “behavioural profiling or monitoring”, but, again, this conduct was not “related to” the journalistic conduct that was the true basis of the Claimant’s complaint.

The judgment also ruled on jurisdiction for the other aspects of the Claimant’s claim, being malicious falsehood, harassment, misuse of private information and defamation, but we don’t address those points in the current note.

Comment

The findings on the territorial scope of the GDPR will be welcomed by non-European domiciled defendants who are increasingly being targeted in GDPR damages claims in England. The Court took a pragmatic view: whilst FN performed some activities into England, the Court found that those activities fell short of the low “reasonable prospects of success” threshold.

Although there was a single defendant with peripheral UK activities, this case could have broader application. We are increasingly seeing multiple entities within corporate groups being named as defendants in data protection claims, including in class actions brought under CPR 19.6 that are relying on the Court of Appeal’s finding in Lloyd v Google. For many of those groups, certain of the defendants will meet the territoriality requirements of GDPR but some will not. Determining which way will be a fact specific analysis, and certain non-European defendants will be able to exit proceedings. This may not be determinative of the case overall as other named defendants will not fit through the escape hatch, but these will be tactical victories for defendants bringing advantages such as narrowing the scope of disclosure.

A notable omission from the Sorianzo judgment was any discussion on applicable law. Logically this analysis should be performed prior to considering the territorial scope of GDPR: if the applicable law of the claims against specific defendants is not English (or other European) law, then the door is open to find that GDPR simply does not apply and the issue of territorial scope of the GDPR does not arise.