Soriano v. Forensic News, LLC: A First Look on How the GDPR May (Or May Not) Be Enforced on Non-EU Entities

On January 15, 2021, the England and Wales High Court issued a decision in Soriano v. Forensic News LLC, in which it interpreted and applied Articles 3 and 79(2) of the European Union (EU) General Data Protection Regulation (GDPR). Soriano tested the territorial reach of the GDPR and provides some guidance on when and how the GDPR will apply going forward (or at least how the England and Wales High Court will apply it).

Background

Soriano, a British citizen, filed suit against Forensic News, LLC, a California-based company, and five individuals – Forensic News’s owner and journalists – all residents of the United States. In his complaint, Soriano alleged that the defendants “made extremely serious allegations against the Claimant” in various publications and social media postings and he complained of, inter alia, breaches of the GDPR.

Article 79(2) of the GDPR

Before assessing the application of the GDPR under Article 3, a court is required to first consider Article 79(2) to determine whether a claimant is entitled to bring a GDPR claim in the United Kingdom (UK) or an EU Member state. Article 79(2) provides that a claimant may bring a claim either in: (1) the courts of the EU Member State where the data controller or processor has an “establishment” or (2) in the courts of the Member State in where the data subject has a “habitual residence.”
The High Court concluded that Soriano satisfied the criteria under Article 79(2) because he is a UK resident and British citizen. As such, the High Court moved on to consider the merits of his claim under Article 3 of the GDPR.

Article 3(1) of the GDPR

Pursuant to Article 3(1) of the GDPR, the GDPR “applies to the processing of personal data in the context of the activities of an establishment of a controller or processor in the Union, regardless of whether the processing takes place in the Union or not.” In an effort to meet the Article 3(1) threshold, Soriano argued:

• Forensic News received three donations from UK readers; and
• Forensic News had three regular UK subscribers.

The High Court concluded that Soriano’s arguments did not show arrangements that were “stable” and, therefore, Forensic News was not established in the United Kingdom. Specifically, the High Court said it could not “accept the proposition that less than a handful of UK subscriptions to a platform which solicits payment for services or an entirely generic basis, and which in any event can be cancelled at any time, amounts to arrangements which are sufficient in nature, number and type to fulfill the language and spirit of article 3.1 and amount to being ‘stable.’”

Article 3(2)(a) of the GDPR

Pursuant to Article 3(2)(a) of the GDPR, the GDPR “applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union.” Soriano argued:

• The publications and postings by Forensic News were in English;
• The Forensic News website solicited donations in British pound sterling; and
• The Forensic News website accepted UK shipping addresses for merchandise.

The High Court concluded that Soriano’s arguments did not show evidence that Forensic News was not targeting UK individuals to sell its goods or services, nor was the goods and services it did offer to UK individuals related to its core activity, journalism.

Article 3(2)(b) of the GDPR

Article 3(2)(b) of the GDPR states that the GDPR “applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to the monitoring of their behavior as far as their behavior takes place within the Union.” In an effort to satisfy this 3(2)(b) threshold, Soriano argued:

• The Forensic News website used cookies for tracking purposes; and
• The Forensic News website engaged in monitoring its users.

The High Court held that the use of cookies was not “related to” the complaint.

Key Takeaways

Soriano provides guidance on how EU courts may approach and apply the GDPR to non-EU/UK companies and entities. The key takeaways are:

1. Whether or not there are employees and/or representatives in the EU member country (or the UK) is considered when a court is deciding whether an establishment exists.
2. Goods or services may be delivered (at least at a de minimis level) to the EU member country (or the UK) without triggering Article 3(2)(a) of the GDPR.

Soriano leaves many questions unanswered. Ward & Berry continues to monitor developments in GDPR jurisprudence, as well as the data privacy law being proposed and enacted in the United States.