The decision of Mr Justice Jay in Soriano v Forensic News LLC [2021] EWHC 56 (QB) is interesting in a number of respects but in particular for its analysis of the circumstances in which the GDPR will apply to a publisher (or indeed any data controller/processor) based outside of the EU.

This issue is becoming increasingly important in light of the growing tendency of claimants to bring GDPR claims alongside or in place of more traditional media publication claims. The Judge’s reasoning will extend to the application of the new UK GDPR to publishers based outside of the UK.

The decision is also noteworthy in that it is a rare instance of a claimant surmounting the hurdle of s.9 Defamation Act 2013. This will be the subject of Part 2 of this case comment.

Background

The Parties

Mr Soriano is described as an Israeli national, but a British citizen who is habitually resident in the UK. It is suggested that he is a man of some means – owning properties in Israel and a ‘small property investment portfolio’ in the US.

He sues Forensic News LLC, its proprietor – 24-year-old Californian Scott Stedman, and four other collaborators/associates of Mr Stedman, all of whom are domiciled in the US and all bar one of whom are in their mid-late 20s. Forensic News LLC is said to be run from Mr Stedman’s parent’s home in California.

Mr Soriano complains about ten internet publications and various social media postings including on Facebook and on Twitter. In respect of these publications he issued claims against one or more of the Defendants for defamation, malicious falsehood, harassment, misuse of private information, and breach of his data protection rights.

Because of the domicile of the Defendants, Mr Soriano required the Court’s permission to serve the claim on the Defendants out of the jurisdiction. The application came before Mr Justice Jay – Mr Justice Nicklin having previously directed that the application should be made on notice to the Defendants.

The publications

None of the publications are reproduced in the judgment, but the Judge’s preliminary assessment of them was that they:

‘appear to make extremely serious allegations against the Claimant at various Chase levels (including level one) asserting, for example, that he is the “thug” of the current Prime Minister of Israel, has close and corrupt links to the Russian State and various individuals of note, is guilty of multiple homicide, has received illegal “kickbacks”, has been convicted of corruption in Monaco, is part of a money laundering operation and makes illegal arrangements for corrupt oligarchs and public figures…on any view they amount to a sustained assault on the Claimant and his reputation’. [20]

The Judge went on to say that

‘Given the extent of publication in England and Wales, the Claimant has a convincing argument that he has suffered serious harm to his reputation within the meaning of s.1 of the 2013 Act, and on my understanding Mr Price [Counsel for the Defendants] did not suggest otherwise’. [145]

Judgment: GDPR Claim

Jurisdictional gateway

In respect of the data protection claim only, the Defendants disputed the Claimant’s ability to establish a ‘good arguable case’ that he fell within one of the jurisdictional gateways under CPR Practice Direction 6B.

The gateway relied upon by the Claimant was para 3.1(20) of PD 6B. That is where a claim is made ‘under an enactment which allows proceedings to be brought and those proceedings are not covered by any of the other grounds referred to in [para. 3.1]’.

The relevant enactment for these purposes is Article 79(2) of the GDPR, which provides (emphasis added):

Right to an effective judicial remedy against a controller or processor

    1. Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation.
    2. Proceedings against a controller or a processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers.

The Judge rejected the Defendants’ contention that Article 79(2) is in some way subordinated to the ‘territorial scope’ provisions in Article 3 GDPR (see below in relation to merits). The Judge’s view was that Article 79(2) ‘addresses the logically prior question, or anterior gateway, of whether the data protection regime applies to this claim at all’ (para. 46).

In analysing Article 79(2) the Judge noted that:

‘The first sentence of sub-article (2) is expressed in mandatory terms, the second sentence is permissive. The policy of the GDPR is that someone who is habitually resident in a Member State should have the option to sue there rather than anywhere else. This is so even if the controller or processor has an establishment elsewhere. So, the second sentence of sub-article (2) is applicable whether or not the first sentence is fulfilled’. [46]

The Claimant submitted that he had a good arguable case in any event that the First and Second Defendants have an establishment in England and Wales, but the Judge held that it was unnecessary to determine this question at the jurisdictional gateway stage. This was because there could be ‘no dispute that the Claimant satisfies the habitual residence limb, which is the alternative jurisdictional springboard for bringing proceedings’ [47].

Accordingly, the Judge was satisfied that the Claimant could bring his data protection claim within the gateway of PD6B para. 3.1(20), subject to the merits and forum conveniens tests.

Merits – Real prospect of success

Unfortunately for the Claimant, he fell at the next hurdle of satisfying the Court that he had a real prospect of success in establishing that the Defendants were subject to the GDPR by virtue of Article 3.

Article 3 provides:

Territorial scope

    1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
    2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
      • the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
      • the monitoring of their behaviour as far as their behaviour takes place within the Union.

The Judge rejected the Claimant’s attempt to rely on all three possible means of establishing the application of the GDPR under Article 3, as follows.

(i) Article 3(1) Processing in the context of the activities of an establishment of a controller or a processor in the Union

The Claimant failed to demonstrate that the First Defendant had the necessary “stable arrangements” in the UK to constitute an “establishment” for the purposes of Article 3(1), even though the Claimant needed only to establish a real (as opposed to fanciful) prospect of success at the service out stage.

The Claimant relied on the CJEU decision in Weltimmo sro v Nemzeti Adatvedelmi es Informacioszabadsag Hatosag [2016] 1 WLR 863, in particular that: (1) the absence of a branch or subsidiary was not the determining factor, (2) the test for “establishment” would be satisfied if there was “any real and effective activity – even a minimal one – exercised through stable arrangements” (para 31), and (3) “both the degree of stability of the arrangements and the effective exercise of the activities in that other Member State must be interpreted in the light of the specific nature of the economic activities and the provision of services concerned” (para 29).

The Judge also noted the European Data Protection Board’s Guidelines 3/2018 on the Territorial Scope of the GDPR which reinforce the jurisprudence, namely that the presence of one single employee may be sufficient to satisfy the “stable arrangement” threshold, but mere presence to that extent will not trigger the GDPR if the processing in question is not carried out in the context of the activities of the EU-based employee.

The Claimant relied on the following factors in seeking to show that he had an arguable case of establishment: the publications are in English; the website solicits donations in Sterling and in Euro; the website includes a “store” with its own branded merchandising, accepting shipping addresses in the UK; and a tweet sent on 7th August 2020 invited pledges to Patreon, a subscription platform, from readers in the UK and the EU. It was submitted that the Patreon subscriptions were stable inasmuch as they remained in place until cancelled.

In rejecting these arguments the Judge held:

‘I cannot accept the proposition that less than a handful of UK subscriptions to a platform which solicits payment for services on an entirely generic basis, and which in any event can be cancelled at any time, amounts to arrangements which are sufficient in nature, number and type to fulfil the language and spirit of article 3.1 and amount to being “stable”’. [64]

(ii) Article 3(2) – Processing activities relating to the offering of goods or services to data subjects in the Union

Here the Claimant argued that, to the extent the First Defendant was not established in the UK under Article 3(1), it fell within Article 3(2) on the basis that it offers services to readers in the UK irrespective of payment.

The Judge rejected this, finding that ‘there is nothing to suggest that the First Defendant is targeting the United Kingdom as regards the goods and services it offers. That this country is a potential shipping destination for merchandise which in the event does not appear to have been purchased by anyone here (save possibly for one baseball cap) does not in my opinion fulfil sub-para (a) as explained in the EDPB Guidelines’.

Those Guidelines state that the ‘targeting criterion largely focuses on what the processing activities are “related to”, which is to be considered on a case by case basis’ and that a controller ‘may be subject to the GDPR in relation to some of its processing activities but not subject to the GDPR in relation to other processing activities. …’.

The Judge held that the words ‘related to’ (found in Article 3(2)) are narrower than the phrase ‘in the context of’ (found in Article 3(1)):

‘The Claimant must demonstrate that the activity in sub-para (a) (sc. the offering of goods and services) is related to the First Defendant’s core activity, namely its journalism; and in my judgment it is not. It is not enough for the Claimant to show that the First Defendant may have carried out some processing which is related to the offering of goods and services in this jurisdiction (I have concluded that it has not), or that such processing may have been in the context of what I am characterising the First Defendant’s core activity’. [67]

(iii) Article 3(2) – Processing activities relating to the monitoring of the data subject’s behaviour in the Union

The Claimant contended alternatively that the First Defendant’s website places cookies on readers’ devices and processes their personal data for the purpose of targeting advertisements. It was further submitted that the Defendants were collecting and obtaining data about the Claimant and were monitoring his behaviour within the UK and the EU with a view to making publishing decisions.

While the Judge accepted that the Claimant had an arguable case that the website’s use of cookies amounted to the type of ‘monitoring’ envisaged in Recital 24 GDPR and the associated EDPB Guidelines (in the sense that it amounts to behavioural profiling for the purpose of informing advertising choices), this processing had nothing to do with the Defendants’ journalistic activities.

As for the collecting and obtaining of data about the Claimant with a view to making publishing decisions (including using the internet as a research tool), the Judge found that to the extent this amounts to monitoring at all it ‘is not the sort of monitoring that article 3.2(b) has in mind’ (para. 68).

Forum conveniens

While holding that the Claimant had no arguable case under the GDPR, the Judge indicated that had he decided the matter differently then he would have found in favour of the Claimant on forum conveniens: ‘Mr Callus [Counsel for the Claimant] rightly points out that the claim under the GDPR would have to be brought in the courts of a Member State of the EU. There is nothing to suggest that England and Wales would have been other than the most natural and appropriate forum for trial, and no evidence that such a claim could be brought in the US’.

Comment

The decision is instructive in articulating the relationship between Article 79 GDPR (jurisdiction to bring a claim) and Article 3 GDPR (territorial scope) and the thresholds a claimant must cross in order to serve his/her claim out of the jurisdiction.

In particular, the jurisdictional gateway (on the basis of Article 79) is easily satisfied provided that the claimant can show that the UK is his/her habitual residence. This is the case even where the Defendant has no establishment in the UK/EU.

This is significant – Article 79(2) was not available to claimants seeking service-out in claims brought under the Data Protection Act 1998. In those cases, claimants generally relied on the injunction/tort gateways (e.g. Vidal-Hall v Google and Lloyd v Google).

The position in relation to claimants based outside of the UK (and even more so outside of Europe) is more complex. Here, the claimant will need to meet the “good arguable case” test in demonstrating that the Defendant is established in the UK for the purposes of Article 79. Following the Weltimmo case, it has been argued that the bar for establishment is relatively low. However, this case shows that mere presence will not be sufficient to demonstrate that stability and a more granular analysis is necessary.

Further, even if claimants can meet the establishment test, they still need to consider the precise processing in question to determine whether it is “in the context” of the activities of that establishment.

In a similar way, the Claimant will also need to consider the precise processing if relying on the Article 3(2) limb. The key message is that where ‘targeting of goods or services’ or ‘monitoring’ can be shown, this must relate to the processing activities complained of. It is not sufficient to say that the publisher also happens to offer goods or services to data subjects in the Union or monitors such data subjects (e.g. through the use of cookies) if these activities do not relate to the at-issue journalistic activity.

So who said bringing data protection claims is easier than bringing libel claims? This article relates only to the service out of the data protection claim. The case looks set to deliver many more interesting aspects of modern reputation management as it progresses.

Ashley Hurst is a Partner and Henry Fox is a Senior Associate in the Media and Information Law team at Osborne Clarke LLP.