Soriano v Forensic News LLC & Ors  EWHC 56 (QB) engages ia the jurisdictional implications of the GDPR (this post focuses solely on the data protection claim). Claimant (habitually resident in the UK) sues in relation to ten internet publications and various social media postings including on Facebook and on Twitter. He relies on various causes of action including data protection, malicious falsehood, libel, harassment and misuse of private information. Defendants are all domiciled in various US States.
The Brussels Ia Regulation is not engaged; the GDPR is. (On the partial overlap and conflict between BIa and the GDPR see my paper here). A79 GDPR reads
“Right to an effective judicial remedy against a controller or processor
- Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation.
- Proceedings against a controller or a processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers.”
At 45-47 the ‘establishment’ issue is not much discussed for the claimant at any rate meets with the habitual residence gateway. Focus of the discussion is on A3’s territorial scope provisions (I am not sure I agree with the suggestion at 46 that A79 logically comes before consideration of A3). Reference is made to Google Spain, Weltimmo and Verein fur Konsumerentenininformation- see also my review with Yuliya Miadzvetskaya here. The European Data Protection Board’s Guidelines 3/2018 on the Territorial Scope of the GDPR are then turned to to consider targeting, processing and ‘related to’ per A3(2) GDPR.
At 60, Claimant’s case on A3 (2)(a) is set out as arguing that the Defendants, to the extent that they are data controllers, offer services to readers in the UK irrespective of payment. As for A3.2(b), it is contended that the website places cookies on readers’ devices and processes their personal data using Facebook and Google analytics for the purpose of targeting advertisements, with Facebook Ireland Ltd and Google Ireland Ltd operating as the registered joint data controller. Further, it is submitted (By Greg Callus – the same counsel as in the Court of Appeal judgment in Wright v Grannath which I reported yesterday) that the Defendants were collecting and obtaining data about the Claimant and were monitoring his behaviour within the UK and the EU with a view to making publishing decisions.
Justice Jay held claimant has no real prospect of success on either (a) or (b). At 64 ff: the ‘journalistic endeavour’ complained of is not oriented towards the UK in any relevant respect; as for article 3.2(a), there is nothing to suggest that the First Defendant is targeting the UK as regards the goods and services it offers; as for article 3.2(b), at 68
(Obiter, at 69, it is held that had the good arguable case succeeded, the claim would have withstood a forum non conveniens argument).
At 112 ff the jurisdictional case for libel is upheld.
An interesting illustration of the unsettled nature of jurisdictional claims under the GDPR.
EU Private International Law, 3rd ed. 2021, Heading 220.127.116.11.5, para 2.258 ff.