Overseas websites and the GDPR’s reach

January 20, 2021

Suppose I run a website in the US. I only have staff and offices there, and my target audience is America. Sometimes punters in the UK read my stuff and even buy the odd thing from my website, but not that much, and I don’t really care if they do or not. Is the territorial reach of the GDPR – and/or UKGDPR – wide enough to get me, and thereby expose me to risks of the ICO or civil claimants going after me in the UK?

A good and important question, the like of which has not had any decent treatment in UK case law, prior to the very recent judgment of Jay J in Soriano v Forensic News and Others [2021] EWHC 56 (QB).

This was a ‘service out’ case, i.e. the Court’s permission was sought under CPR Practice Direction 6B to serve proceedings on the defendants, who were US-based investigate journalist website, its owner/operator and some contributing journalists (all US-based). The claimant, Mr S (a British resident) wishes to sue over articles and related social media messages (and a podcast) dealing inter alia with ex-President Trump’s finances and an Israeli intelligence company, Psy Group, allegedly connected to Mr S. Mr S had previously had no public profile. The publications complained of “amount to a sustained assault on [Mr S] and his reputation”, concluded Jay J (at [20]).

Mr S seeks to sue under the GDPR, for malicious falsehood, harassment contrary to the Protection from Harassment Act 1998, misuse of private information, and defamation. As the defendants are all based in the US, he needs the Court’s permission. He got it, in part. I’ll summarise what happened with the majority of the claims, and then look at the GDPR aspects in a bit more depth.

Malicious falsehood: the first hurdle for permission to serve out was whether the claim had a reasonable prospect of success. Answer: no, on these facts.

Likewise for the harassment claim: the sole issue was whether the social media publications taken as a whole arguably amount to a “conscious or negligent abuse of press freedom”: see Warby J in Sube v NGN [2020] EWHC 1125 (QB). Mr S argued that those publications amounted to “concerted campaign of cyber-bullying”, but this was held to have no reasonable prospects on the facts, both as to the allegedly harassing nature of the publications and as to the publishers’ state of mind.

Misuse of private information: as regards the articles and podcast, there were no sufficiently particularised complaints to meet the ‘reasonable prospects of success’ threshold. But the analysis differed for photographs included in the publications complained of. The photographs were apparently obtained from open social media accounts of Mr S’ family members. Jay J was not satisfied that this form of public availability was a conclusive answer to whether Mr S had a reasonable expectation of privacy in respect of those photographs. This requires fact-sensitive analysis, and the privacy claim in respect of the photos couldn’t be dismissed out of hand.

Defamation: section 9 of the Defamation Act 2013 requires a comparative analysis of publications in all relevant jurisdictions in order to determine whether England and Wales is clearly the most appropriate place in which to bring an action. Relevant factors including where the publications mainly occurred, the primary seat of a claimant’s reputation and other pragmatic issues bearing on the convenience of the parties. This went Mr S’ way. See [164]:

“Ultimately, I have concluded that the Claimant has discharged the relevant burden. The Claimant is a British citizen whose personal and business interests lie principally within this jurisdiction. He seeks remedies in respect of harm to his reputation which is centred within this jurisdiction. The claims relate to publications here and nowhere else. He is not a libel tourist. Most significantly, the Defendants have not discharged the evidential burden as to whether a Californian court would countenance a claim for reputational harm suffered in England and Wales, or as to whether a remedy in the US would be adequate in these circumstances…”

Overall, Jay J exercised his forum conveniens discretion to allow Mr S to serve proceedings outside of this jurisdiction in respect of the misuse of private information claim (for the photos only) and the defamation claim.

The GDPR claim: jurisdiction and merits

The meat here concerned the GDPR’s territorial reach, as set by Article 3. But that is not the first question in such cases. The first question concerns Article 79 (right to effective judicial remedy against controller/processor). This is how you determine whether a data subject is entitled to bring a GDPR claim in the UK at all.

Article 79(2) says that “proceedings against a controller or a processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence…” As Jay J observed at [46]: “The policy of the GDPR is that someone who is habitually resident in a Member State should have the option to sue there rather than anywhere else. This is so even if the controller or processor has an establishment elsewhere.”

Clearly, this was no problem for Mr S. So the Court could move on to consider the merits of the GDPR claim. This is where things came unstuck for him. To have a viable claim, he would need to establish that the processing complained of (the publication of his personal data) fell within the territorial reach of the GDPR.

Mr S could do this in two ways. By Article 3(1), the GDPR “applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not”.

What is an establishment? By Recital 22 GDPR, “establishment implies the effective and real exercise of activity through stable arrangements”. The CJEU has considered this question in the Google Spain, Weltimmo and Amazon cases. Applying the CJEU’s approach, Mr S had no chance here. See [64], with my underlining:

“… the absence of a branch or subsidiary in the UK is by no means determinative… However, it is relevant that the First Defendant has no employees or representatives in this country. The fact that Forensic News has a readership in the UK which is not minimal is of no more than marginal relevance: by itself, it could not begin to satisfy article 3.1. It is clear that the First Defendant’s journalistic endeavour is not oriented towards the UK in any relevant respect. That the content of the First Defendant’s website may be of interest to some readers here is not germane to the issue under consideration, nor is the fact that the Claimant holds joint British nationality. The real question is whether, taking the Claimant’s case at its reasonable pinnacle, he has persuaded me that he has the sufficient makings of an argument on “stable arrangements” to enable him to pass through the merits portal. I cannot accept the proposition that less than a handful of UK subscriptions to a platform which solicits payment for services on an entirely generic basis, and which in any event can be cancelled at any time, amounts to arrangements which are sufficient in nature, number and type to fulfil the language and spirit of article 3.1 and amount to being “stable”…”

So, no hope on Article 3(1), as the “establishment” element could not be made out. No need, therefore, to consider what “in the context of the activities of an establishment” means. Oh well, another time.

Mr S’ other shot on jurisdiction was Article 3(2) (offering goods/services to people in the EU, or monitoring their behaviour in the EU). Here’s how Mr S put his case (at [60]): EU folks could buy things from the Forensic News website (and someone indeed once bought a baseball cap); that website monitored online behaviour in the EU via cookies (using Facebook and Google analytics for the purpose of targeting advertisements); the defendants were monitoring Mr S’ behaviour within the UK and the EU with a view to making publishing decisions.

Here, the Court considered EDPB’s Guidelines 3/2018 on the Territorial Scope of the GDPR. Applying the relevant considerations urged by that document, Mr S was doomed under Article 3(2) also: for example, Forensic News was in no way targeting its goods/services offering to anyone in the UK or EU, and anyway any such offering needed to be (and was not) “related to” (the wording of Article 3(2)) the defendant’s “core activities” (i.e. journalistic publication).

Likewise, using cookies for behavioural advertising purposes foundered on the “related to” language. See [68]:

“… the Defendant’s journalistic activities have been advanced not through any deployment of these cookies but by using the internet as an investigative tool. In my judgment, that is not the sort of “monitoring” that article 3.2(b) has in mind; or, put another way, the monitoring that does properly fall within this provision – the behavioural profiling that informs advertising choices – is not related to the processing that the Claimant complains about (assuming that carrying out research online about the Claimant amounts to monitoring at all)…”

In other words, no chance of establishing that this US-based and US-focused website (and its contributors) were doing anything – at least anything relevant to Mr S’ claim – that fell within the GDPR, and thus no permission to serve out for this aspect of the case.

Though the substance of this GDPR claim will not progress, it’s nonetheless good and useful to see the Court getting its teeth into, and shedding some light on, these crucial issues about what is and is not caught by the GDPR.

This article was first published on 11KBW’s Panopticon blog and is reproduced here with kind permission

profile picture of robin hopkins

Robin Hopkins, 11KBW