Soriano’s successful appeal on the GDPR jurisdictional gateway confirms the potential for splintering of private GDPR enforcement.

In Soriano v Forensic News LLC & Ors [2021] EWCA Civ 1952 the Court of Appeal at the end of December allowed the claimant’s cross-appeal on the territorial reach of the GDPR. I reported the decision at the time but had not yet gotten round to posting on it. I reviewed the High Court’s judgment here and readers may want to refer to that post to help them appreciate the issues. As in my review of the first instance judgment, I focus here on the GDPR’s jurisdictional gateway ([75] ff), not the libel issue.

Claimant’s case on A3(2)(a) GDPR is set out as arguing that Defendants, to the extent that they are data controllers, offer services to readers in the UK irrespective of payment. As for A3(2)(b), it is contended that the website places cookies on readers’ devices and processes their personal data using Facebook and Google analytics for the purpose of targeting advertisements, with Facebook Ireland Ltd and Google Ireland Ltd operating as the registered joint data controller. Further, it is submitted that Defendants were collecting and obtaining data about the Claimant and were monitoring his behaviour within the UK and the EU with a view to making publishing decisions.

CJEU authority discussed, on the meaning of ‘establishment’, is Weltimmo, Google Spain and Verein für Konsumenteninformation. At [78] ff Warby LJ relies to my taste somewhat excessively on the European Data Protection Board’s Guidelines 3/2018 on the Territorial Scope of the GDPR, holding [97] that defendants’ offer and acceptance of subscriptions in local currencies (Sterling or Euros) is a “real and effective” activity that is “oriented” towards the UK and EU – that the effort only yielded 6 UK and EU subscriptions in total is irrelevant: defendants did more than merely make their journalism accessible over the world wide web.

The result is that jurisdiction in E&W under the GDPR gateway is upheld – as, therefore, is the potential which I predicted for extensive splintering of private GDPR enforcement, in contrast with the EU’s stated intent to have one-stop shop public GDPR enforcement.


EU Private International Law, 3rd ed. 2021, Heading, para 2.258 ff.
