Soriano v Forensic News LLC & Ors. (Inter alia) the GDPR jurisdictional gateways being tested.

Soriano v Forensic News LLC & Ors [2021] EWHC 56 (QB) engages ia the jurisdictional implications of the GDPR (this post focuses solely on the data protection claim). Claimant  (habitually resident in the UK) sues in relation to ten internet publications and various social media postings including on Facebook and on Twitter. He relies on various causes of action including data protection, malicious falsehood, libel, harassment and misuse of private information. Defendants are all domiciled in various US States.

The Brussels Ia Regulation is not engaged; the GDPR is. (On the partial overlap and conflict between BIa and the GDPR see my paper here). A79 GDPR reads

“Right to an effective judicial remedy against a controller or processor

    1. Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation.
    2. Proceedings against a controller or a processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers.”

At 45-47 the ‘establishment’ issue is not much discussed for the claimant at any rate meets with the habitual residence gateway. Focus of the discussion is on A3’s territorial scope provisions (I am not sure I agree with the suggestion at 46 that A79 logically comes before consideration of A3). Reference is made to Google Spain, Weltimmo and  Verein fur Konsumerentenininformation- see also my review with Yuliya Miadzvetskaya here. The European Data Protection Board’s Guidelines 3/2018 on the Territorial Scope of the GDPR are then turned to to consider targeting, processing and ‘related to’ per A3(2) GDPR.

At 60, Claimant’s case on A3 (2)(a) is set out as arguing that the Defendants, to the extent that they are data controllers, offer services to readers in the UK irrespective of payment. As for A3.2(b), it is contended that the website places cookies on readers’ devices and processes their personal data using Facebook and Google analytics for the purpose of targeting advertisements, with Facebook Ireland Ltd and Google Ireland Ltd operating as the registered joint data controller. Further, it is submitted (By Greg Callus – the same counsel as in the Court of Appeal judgment in Wright v Grannath which I reported yesterday) that the Defendants were collecting and obtaining data about the Claimant and were monitoring his behaviour within the UK and the EU with a view to making publishing decisions.

Justice Jay held claimant has no real prospect of success on either (a) or (b). At 64 ff: the ‘journalistic endeavour’ complained of is not oriented towards the UK in any relevant respect; as for article 3.2(a), there is nothing to suggest that the First Defendant is targeting the UK as regards the goods and services it offers; as for article 3.2(b), at 68

First Defendant’s use of cookies etc. is for the purpose of behavioural profiling or monitoring, but that is purely in the context of directing advertisement content. There is no evidence that the use of cookies has anything to do with the “monitoring” which forms the basis of the Claimant’s real complaint: the Defendant’s journalistic activities have been advanced not through any deployment of these cookies but by using the internet as an investigative tool. In my judgment, that is not the sort of “monitoring” that article 3.2(b) has in mind; or, put another way, the monitoring that does properly fall within this provision – the behavioural profiling that informs advertising choices – is not related to the processing that the Claimant complains about (assuming that carrying out research online about the Claimant amounts to monitoring at all).

(Obiter, at 69, it is held that had the good arguable case succeeded, the claim would have withstood a forum non conveniens argument).

At 112 ff the jurisdictional case for libel is upheld.

An interesting illustration of the unsettled nature of jurisdictional claims under the GDPR.

Geert.

EU Private International Law, 3rd ed. 2021, Heading 2.2.9.2.5, para 2.258 ff.

 

 

One Reply to “Soriano v Forensic News LLC & Ors. (Inter alia) the GDPR jurisdictional gateways being tested.”

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.