Soriano’s successful appeal on the GDPR jurisdictional gateway confirms the potential for splintering of private GDPR enforcement.

In Soriano v Forensic News LLC & Ors [2021] EWCA Civ 1952 the Court of Appeal end of December allowed the claimant’s cross-appeal on the territorial reach of the GDPR. I reported the decision at the time but had not yet gotten round to post on it. I reviewed the High Court’s judgment here and readers may want to refer to that post to help them appreciate the issues. Like in my review of the first instance judgment I focus here on the GDPR’s jurisdictional gateway ([75] ff), not the libel issue.

Claimant’s case on A3 (2)(a) GDPR is set out as arguing that Defendants, to the extent that they are data controllers, offer services to readers in the UK irrespective of payment. As for A3.2(b), it is contended that the website places cookies on readers’ devices and processes their personal data using Facebook and Google analytics for the purpose of targeting advertisements, with Facebook Ireland Ltd and Google Ireland Ltd operating as the registered joint data controller. Further, it is submitted that Defendants were collecting and obtaining data about the Claimant and were monitoring his behaviour within the UK and the EU with a view to making publishing decisions.

CJEU authority discussed, on the meaning of ‘establishment’, is Weltimmo, Google Spain and Verein fur Konsumerenteninformation. At [78] ff Warby LJ relies to my taste somewhat excessively on the European Data Protection Board’s Guidelines 3/2018 on the Territorial Scope of the GDPR, holding [97] that defendants’ offer and acceptance of subscriptions in local currencies (Sterling cq Euros) is a “real and effective” activity that is “oriented” towards the UK and EU – that the effort only yielded 6 UK and EU subscriptions in total is irrelevant: defendants did more than merely making their journalism accessible over the world wide web. 

The result is that jurisdiction in E&W under the GDPR gateway is upheld – as is therefore, the potential which I predicted for extensive splintering of private GDPR enforcement, in contrast with the EU’s stated intent to have one-stop shop public GDPR enforcement.

Geert.

EU Private International Law, 3rd ed. 2021, Heading 2.2.9.2.5, para 2.258 ff.

Soriano v Forensic News LLC & Ors. (Inter alia) the GDPR jurisdictional gateways being tested.

Soriano v Forensic News LLC & Ors [2021] EWHC 56 (QB) engages ia the jurisdictional implications of the GDPR (this post focuses solely on the data protection claim). Claimant  (habitually resident in the UK) sues in relation to ten internet publications and various social media postings including on Facebook and on Twitter. He relies on various causes of action including data protection, malicious falsehood, libel, harassment and misuse of private information. Defendants are all domiciled in various US States.

The Brussels Ia Regulation is not engaged; the GDPR is. (On the partial overlap and conflict between BIa and the GDPR see my paper here). A79 GDPR reads

“Right to an effective judicial remedy against a controller or processor

    1. Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation.
    2. Proceedings against a controller or a processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers.”

At 45-47 the ‘establishment’ issue is not much discussed for the claimant at any rate meets with the habitual residence gateway. Focus of the discussion is on A3’s territorial scope provisions (I am not sure I agree with the suggestion at 46 that A79 logically comes before consideration of A3). Reference is made to Google Spain, Weltimmo and  Verein fur Konsumerentenininformation- see also my review with Yuliya Miadzvetskaya here. The European Data Protection Board’s Guidelines 3/2018 on the Territorial Scope of the GDPR are then turned to to consider targeting, processing and ‘related to’ per A3(2) GDPR.

At 60, Claimant’s case on A3 (2)(a) is set out as arguing that the Defendants, to the extent that they are data controllers, offer services to readers in the UK irrespective of payment. As for A3.2(b), it is contended that the website places cookies on readers’ devices and processes their personal data using Facebook and Google analytics for the purpose of targeting advertisements, with Facebook Ireland Ltd and Google Ireland Ltd operating as the registered joint data controller. Further, it is submitted (By Greg Callus – the same counsel as in the Court of Appeal judgment in Wright v Grannath which I reported yesterday) that the Defendants were collecting and obtaining data about the Claimant and were monitoring his behaviour within the UK and the EU with a view to making publishing decisions.

Justice Jay held claimant has no real prospect of success on either (a) or (b). At 64 ff: the ‘journalistic endeavour’ complained of is not oriented towards the UK in any relevant respect; as for article 3.2(a), there is nothing to suggest that the First Defendant is targeting the UK as regards the goods and services it offers; as for article 3.2(b), at 68

First Defendant’s use of cookies etc. is for the purpose of behavioural profiling or monitoring, but that is purely in the context of directing advertisement content. There is no evidence that the use of cookies has anything to do with the “monitoring” which forms the basis of the Claimant’s real complaint: the Defendant’s journalistic activities have been advanced not through any deployment of these cookies but by using the internet as an investigative tool. In my judgment, that is not the sort of “monitoring” that article 3.2(b) has in mind; or, put another way, the monitoring that does properly fall within this provision – the behavioural profiling that informs advertising choices – is not related to the processing that the Claimant complains about (assuming that carrying out research online about the Claimant amounts to monitoring at all).

(Obiter, at 69, it is held that had the good arguable case succeeded, the claim would have withstood a forum non conveniens argument).

At 112 ff the jurisdictional case for libel is upheld.

An interesting illustration of the unsettled nature of jurisdictional claims under the GDPR.

Geert.

EU Private International Law, 3rd ed. 2021, Heading 2.2.9.2.5, para 2.258 ff.

 

 

%d bloggers like this: