Since 2018, many organisations based outside of the EU have been grappling with whether the extra territorial scope of the GDPR means that their data processing activities are caught by and subject to the privacy laws of the EU. This has resulted in certain companies blocking access to their services by those located in the EU (this is quite noticeably seen with certain US news outlets continuing to geo-block EU and UK visitors to their websites).
While not binding on the upper courts (or indeed the EU courts), the case of Soriano v Forensic News LLC and Other considered the territorial scope of the GDPR (in a pre-Brexit world) and whether those publishing material (which included the claimant's personal data) in the US were subject to the GDPR, paving the way for the claimant to seek a judicial remedy for the defendants' alleged breaches of the GDPR.
The GDPR applies to those processing personal data where:
i) the processing is in the context of the activities of an establishment of a controller or processor in the EU; or
ii) the entity located outside of the EU, offers goods or services to data subjects in the EU or engages in the monitoring of data subjects in the EU.
In rejecting the application of the GDPR to the defendants, the court noted:
establishment of a controller or processor
- The defendants had no employees in the UK.
- The journalistic endeavours of the defendants were not orientated towards the UK.
- There were limited numbers of UK readers of the defendants' website.
offers goods or services and monitoring
- The mere ability for those in the UK to purchase and have shipped to the UK, merchandise available on the defendants' website, did not amount to the defendants "offering goods or services" to those in the UK. Further, such activities were not sufficiently attached to the core activities of the defendants i.e. journalism.
- The argument that the defendants could be deemed to be monitoring those in the UK was dismissed for similar reasoning.
To what extent an organisation is caught by the GDPR is a question which we often come across in numerous contexts and it is helpful to now have some court backed reasoning to apply to such issues. For the moment the UK remains aligned with EU data privacy law and judgements such as this relating to pre-Brexit matters are useful guides on the interpretation of the UK GDPR.