The long arm of the GDPR
As most people now know, the GDPR is perfectly capable of applying to non-EU[1] organizations. It does so under one of three tests: first, where the organization has an establishment in the EU; and secondly, where it targets EU individuals in one of two separate ways. The rationale is clear. The EU wants to regulate activity connected with its territory and to protect residents within it.
Given that data protection authorities can hand out fines up to 4% of an entity’s worldwide turnover, Locke Lord has advised many US clients on whether they are subject to GDPR and, if so, how to comply.
However, since the tests can be difficult to apply in practice, the English Court’s January 2021 decision in Soriano v Forensic News is most welcome.
The Establishment Test
GDPR applies to a non-EU organization where it processes personal data in the context of an EU establishment, even where the processing takes place elsewhere. The legal form of the establishment is not the determining factor and there doesn’t have to be a branch or subsidiary.
All that is required for an establishment is ‘the effective and real exercise of activity through stable arrangements’. The EDPB guidance observes that the threshold for this is ‘quite low and can be met by having a single employee or agent present in the EU’.
The Targeting Test - Goods and Services
The first type of targeting occurs where a non-EU organization intentionally offers goods or services to individuals in the EU, regardless of any payment. Any resulting processing of such individuals’ personal data is subject to GDPR.
This type of targeting often results from website activity and the difficulty lies in looking for the necessary ‘intention’, since a website can be accessed from anywhere (unless specifically blocked). The EDPB’s guidance points to nine factors, including:
Taken alone, any of these factors may not be sufficient. They all need to be taken into account in combination as part of a factual analysis to determine whether the website owner is offering goods or services directed at EU data subjects.
The Targeting Test - Monitoring
The second type of targeting is where a non-EU organization ‘monitors the [local] behavior’ of individuals in the EU.
The GDPR interprets monitoring as tracking people on the internet, including subsequent use of profiling, particularly to make decisions about them or to analyze or predict their preferences, behaviors and attitudes. The EDPB guidance expands this to include other types of network and technology, for example wearable and other smart devices.
However, the EDPB also advises that online collection or analysis of personal data does not automatically count as monitoring – that depends on the controller’s purpose and, in particular, any subsequent behavioral analysis or profiling techniques.
Soriano v Forensic News
Some three years after the GDPR came into effect, we have the first case to analyze these aspects of it. On 15 January 2021, the English High Court gave judgment in Walter Soriano v. Forensic News LLC, a claim by a British resident against a California corporation and five individual US journalists who had no links to the UK.
Soriano’s action related to internet publications and social media postings, linking him to corruption and crime. He sued for breach of data protection, malicious falsehood, libel, harassment and misuse of private information.
The data protection claim required him to show that GDPR applied to the defendants under one of the above tests. Soriano argued that all three were satisfied.
Application of Establishment Test
Before looking at Soriano’s argument, the Judge referred to the 2016 Weltimmo case, which he found most helpful. In that case, a non-EU company operated a website, written in Hungarian, dealing in properties in the EU (Hungary), and had a representative, letter box and bank account there. The EU Court ruled this to be ‘real and effective activity – exercised through stable arrangements’. The Judge emphasized that though the activity was minimal, the fact it was exercised through stable arrangements was key.
Soriano argued that the defendants had a UK establishment because: (a) their publications were in English; (b) their website solicited donations in Sterling and Euro, included a store offering own-branded merchandise and accepted UK delivery addresses; and (c) they tweeted inviting pledges to a subscription platform from readers in the UK and EU.
The Judge was not impressed, pointing out:
He concluded that ‘a few UK subscriptions to a platform which solicited payment for services on a generic basis and could be cancelled at any time’ could not amount to stable arrangements and Soriano’s case fell at the first hurdle.
Application of the Targeting Test
On targeting, Soriano argued that Forensic News:
These points were rapidly dismissed.
First, the Judge found nothing to suggest Forensic News was targeting the UK regarding goods and services - Soriano was far from showing enough of the targeting factors described in the EDPB guidance and there was a total lack of purchases, save possibly one baseball cap!
Secondly, an organization can be subject to GDPR for some of its processing activities and not others. Forensic News’s offering of goods and services was not related to its core activity of journalism.
The Judge accepted there was a possible case that using cookies for behavioral profiling was monitoring, but here that purely related to directing advertisements. There was no evidence the cookies had anything to do with the monitoring which formed the basis of Soriano’s complaint. Forensic News’s journalism was not advanced through cookies but by using the internet as an investigative tool.
The Judge therefore ruled that Soriano did not even have an arguable case under GDPR.
This judgment will be met with some relief. Looking at only the literal wording of the GDPR, one might have thought Soriano had a reasonable case even though the “facts on the ground” made his claim a considerable stretch.
In adopting a common sense approach, albeit on its own unique facts, an English High Court Judge has made some interesting and helpful findings, which will hopefully dissuade plaintiffs from trying to shoehorn GDPR into a different type of complaint.
At the risk of parochialism, one hopes that the judiciary in EU countries will take a similarly enlightened view.
1 The UK is no longer part of the EU, but has the equivalent law. All references to the EU apply equally to the UK.