Organizations in the United States often ask us how to comply with GDPR. But starting with that question skips a key inquiry: the extent to which GDPR applies to a US company in the first place.
A recent UK court decision in a case called Soriano v. Forensic News explored that issue. That decision contains some important lessons for US companies seeking to determine their exposure to claims brought by individuals under Article 79 of GDPR. Article 79 creates a private right of action for an individual who believes that a controller or processor’s violation of GDPR’s requirements has infringed his or her rights under that law.
In Soriano, an individual named Walter Soriano sought to bring claims under Article 79 against Forensic News LLC, a US-based company that operates an investigative journalism website. Forensic News published several stories claiming that Soriano, a UK resident, was engaged in a variety of criminal activities, including ties to corrupt oligarchs, money laundering, and multiple homicides.
Soriano sought to bring his claims in the UK, which required him to apply for permission to serve UK proceedings on US-based defendants, or “serve out,” his claims. The serve out analysis required the court to evaluate the merits of Soriano’s claims to determine whether there was a sufficient legal basis to serve the claims outside the UK.
A key element of that inquiry was whether Forensic News’s personal data processing underlying Soriano’s data protection claims was subject to GDPR under Article 3.
Article 3.1’s Establishment Criterion
Under Article 3.1, GDPR “applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.” Recital 22 describes an establishment as implying “the effective and real exercise of activity through stable arrangements.”
Soriano argued that several factors showed Forensic News conducted such processing and had stable arrangements in the UK. These factors included Forensic News publishing its stories in English (the language used in the UK), soliciting donations in Sterling and in Euro, accepting UK shipping addresses in its online store, and sending a tweet inviting UK and EU readers to subscribe to its publications. Soriano also argued that ongoing UK and EU reader subscriptions would themselves constitute stable arrangements.
The court rejected those arguments. After observing that Forensic News did not have a branch, subsidiary, or employees in the UK or EU, the court acknowledged that Forensic News has “a readership in the UK which is not minimal.” But the court concluded that fact was “of no more than marginal relevance” and “could not begin to satisfy article 3.1” alone. The court also discounted the presence of UK subscriptions, stating that “less than a handful of UK subscriptions,” which in any event could be cancelled by subscribers, were insufficient to constitute stable arrangements under the Article 3.1 establishment analysis.
Article 3.2’s Offering of Goods or Services Criterion
GDPR Article 3.2 extends GDPR’s territorial reach to organizations without an EU establishment under two circumstances.
First, Article 3.2(a) provides that GDPR applies to personal data processing of individuals located in the European Union by controllers or processors without an EU establishment “where the processing activities are related to the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union.”
Soriano argued that Forensic News’s offering of services to UK readers met that standard, relying on the same facts cited for his Article 3.1 establishment argument.
But that argument also failed to persuade the court. The court explained that “no more than cursory examination” of the facts showed that Soriano could not establish that Forensic News was targeting the UK with offers of goods and services, and the fact the UK “is a potential shipping destination for merchandise” did not alter that conclusion.
The court further opined that, even if Forensic News’s alleged activities (i.e. operating a store selling branded merchandise) constituted an “offering of goods or services,” Soriano’s claim would still fail because the alleged processing activities were insufficiently related to his claims. The court stated that “related to the offering of goods or services” under Article 3.2(a) should be construed more narrowly than processing “in the context of the activities of an establishment” under Article 3.1. In the court’s view, that narrower construction means that any offering of goods and services must relate to the relevant entity’s “core activity.” In this case, the court construed Forensic News’s core activity as journalism and concluded that Forensic News’s alleged store operations would not sufficiently relate to its core journalistic activities to satisfy Article 3.2(a).
Article 3.2’s Monitoring Criterion
The second criterion for extraterritorial application of GDPR to organizations without an EU establishment, Article 3.2(b), provides that GDPR applies to personal data processing of individuals located in the European Union “where the processing activities are related to the monitoring of their behaviour as far as their behaviour takes place within the Union.”
Soriano also argued that Forensic News was subject to GDPR on this basis, noting that it monitored UK data subjects that visited its websites through targeted advertising cookies.
The court accepted that Soriano had “an arguable case” that Forensic News used cookies for “behavioural advertising or monitoring” as contemplated by Article 3.2(b), but still held Soriano could not maintain a claim. To that end, the court suggested that any “monitoring” that Forensic News conducted of Soriano consisted primarily of online research into his activities. And the court held that such research—to the extent it could fairly be viewed as monitoring in the first place—“is not the sort of ‘monitoring’ article 3.2(b) has in mind.” As to the use of behavioral advertising cookies, the court found that cookie processing was “not related to the processing that [Soriano] complains about” (namely, publication of unflattering details about him), and therefore was irrelevant for determining whether Soriano had GDPR claims about Forensic News’s online research and publications.
The court therefore found Soriano had no GDPR data protection claim against Forensic News.
Takeaways from Soriano
The Soriano case offers two useful reminders for privacy lawyers and organizations considering GDPR’s extraterritorial application.
First, the opinion underlines that GDPR’s application, while undeniably broad, is not without limits. Consistent with EDPB guidelines on GDPR’s extraterritorial application, the Soriano decision indicates that an organization can have minimal or incidental contacts with the EU without satisfying Article 3 criteria.
Second, the court’s focus on the nexus between Soriano’s claims and the Article 3.2 criteria serves as a reminder that GDPR applies to specific processing under Article 3 and not necessarily to entire organizations. As a result, the question of whether GDPR applies to a US company often does not lend itself to a simple “yes” or “no” answer. Indeed, the Soriano court acknowledged that Forensic News’s cookie monitoring of EU data subjects may have been subject to GDPR, but that conclusion was irrelevant because the processing underlying Soriano’s claims—research and publication of information about him—was not.
Understanding these nuances of GDPR’s extraterritorial application can therefore provide opportunities to focus operational compliance efforts on processing that is subject to GDPR, rather than on the organization as a whole.