The territorial scope of the GDPR, as applied by the High Court
This week saw what is, I believe, the first English judgment dealing with the territorial scope of the GDPR.
This blog post is a reminder of the rules on "territorial scope", and weaves in the High Court's ruling in Soriano v Forensic News and others (EWHC 56 (QB)).
For those who don't want the detail, the gist is that the court decided that the claimant could not demonstrate that the GDPR's tests for territorial scope were met, but it is the court's rationale which is most interesting, so I'm afraid you'll have to read on for that.
The second interesting element is that the court held that even if some processing falls within the GDPR, it does not mean that all the controller's or processor's processing falls within the GDPR. In this case, the court decided that, even though the website in question used cookies for monitoring behaviour, that was not sufficient to bring the processing in question, which related to the site's journalistic activity, within the scope of the GDPR.
A brief refresher on "territorial scope"
By "territorial scope", I mean the rules in Article 3 GDPR, which determine when the GDPR applies, based on the location of the controller/processor, or the activities of a controller or processor.
These are separate from the rules on the material scope of the GDPR, which set out whether the processing itself is the kind of processing which falls within scope (and which is where the exclusion of processing "by a natural person in the course of a purely personal or household activity", often known as the "domestic purposes exemption", sits).
There are four reasons why a controller's or processor's processing might fall within the scope of the GDPR:
- the controller or processor is established in the EU
- the controller or processor offers goods / services to data subjects in the EU
- the controller or processor monitors the behaviour of people in the EU
- the controller is established in a place where EU law applies by virtue of public international law
Establishment (Art 3(1))
[The GDPR] applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
The GDPR does not define "establishment", but recital 22 says that:
Establishment implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect.
Interpreting the previous data protection directive, the CJEU has ruled (in Weltimmo, paras 30 - 31) that "establishment" is broad:
in the light of the objective pursued by that directive, consisting in ensuring effective and complete protection of the right to privacy and in avoiding any circumvention of national rules, that the presence of only one representative can, in some circumstances, suffice to constitute a stable arrangement if that representative acts with a sufficient degree of stability through the presence of the necessary equipment for provision of the specific services concerned in the Member State in question. ... [I]t should be considered that the concept of ‘establishment’, within the meaning of Directive 95/46, extends to any real and effective activity — even a minimal one — exercised through stable arrangements.
Official guidelines, from the European Data Protection Board, say that the test for "stable arrangements" is also broad:
The threshold for “stable arrangement” can actually be quite low when the centre of activities of a controller concerns the provision of services online. As a result, in some circumstances, the presence of one single employee or agent of a non-EU entity in the Union may be sufficient to constitute a stable arrangement ... if that employee or agent acts with a sufficient degree of stability.
The ruling here
In the case at issue, the court ruled that:
the absence of a branch or subsidiary in the UK is by no means determinative .... However, it is relevant that the First Defendant has no employees or representatives in this country. The fact that Forensic News has a readership in the UK which is not minimal is of no more than marginal relevance: by itself, it could not begin to satisfy article 3.1. It is clear that the First Defendant's journalistic endeavour is not oriented towards the UK in any relevant respect. That the content of the First Defendant's website may be of interest to some readers here is not germane to the issue under consideration, nor is the fact that the Claimant holds joint British nationality. The real question is whether, taking the Claimant's case at its reasonable pinnacle, he has persuaded me that he has the sufficient makings of an argument on "stable arrangements" to enable him to pass through the merits portal. I cannot accept the proposition that less than a handful of UK subscriptions to a platform which solicits payment for services on an entirely generic basis, and which in any event can be cancelled at any time, amounts to arrangements which are sufficient in nature, number and type to fulfil the language and spirit of article 3.1 and amount to being "stable". To the extent that it improves the Claimant's case slightly, the 7th August tweet post-dated all of the publications sued on.
This seems sensible to me:
- no branch or subsidiary in the UK
- no employees in the UK
- no representatives in the UK
- readers in the UK are not relevant, even though "not minimal"
- payments solicited on a generic basis
- I am surprised that the court emphasised that the payments may be cancelled at any time though. I can see why it might go to the "stability" of the establishment, but it seems like an odd criterion to me. But a useful one to note.
The Court referenced the EDPB's guidelines, but only to say that:
Offering of goods / services to data subjects in the EU (Art 3(2)(a))
[The GDPR] applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union
Recital 23 says that:
In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union. Whereas the mere accessibility of the controller's, processor's or an intermediary's website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.
The test posited by recital 23 is about the intention of the controller or processor, with a list of factors which, depending on the facts of the case, may demonstrate that intention.
The ruling here
In this case, the court decided that:
there is nothing to suggest that the First Defendant is targeting the United Kingdom as regards the goods and services it offers. That this country is a potential shipping destination for merchandise which in the event does not appear to have been purchased by anyone here (save possibly for one baseball cap) does not in my opinion fulfil sub-para (a) as explained in the EDPB Guidelines. No more than a cursory examination of their listed indicia serves to demonstrate how far short the Claimant comes in meeting this sub-para.
The court's approach appears to be a reasonably strict application of the criteria in recital 23, and, on the facts, seems to have reached the logical conclusion.
Monitoring of behaviour of people in the EU (Art 3(2)(b))
[The GDPR] applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to the monitoring of their behaviour as far as their behaviour takes place within the Union.
Recital 24 says:
it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.
The court was asked to find that, because the site in question used cookies for targeted online advertising, it had engaged in monitoring of people in the EU, and thus the GDPR's territorial scope test was met.
The ruling here
The court decided that:
One might contrast this with the decision of the CJEU in Google Spain, in which the presence of a Google entity in Spain, for the purpose of selling advertising, was sufficient to hold that Google's operation of a search engine through a US entity, Google Inc., was within the scope of the GDPR, as the two were "inextricably linked":
the processing of personal data for the purposes of the service of a search engine such as Google Search, which is operated by an undertaking that has its seat in a third State but has an establishment in a Member State, is carried out ‘in the context of the activities’ of that establishment if the latter is intended to promote and sell, in that Member State, advertising space offered by the search engine which serves to make the service offered by that engine profitable. (Paragraph 55, Google Spain)
What about the UK GDPR?
Now that we have left the EU and the transition period is over, something very strongly resembling the GDPR is incorporated into our law through the Data Protection Act 2018. The result — the UK GDPR — is, in essence, the text of the GDPR, with a few modifications to replace references to the European bodies/institutions.
Like the GDPR itself, the UK GDPR contains a provision on territorial scope.
One would have thought that a similar analysis would be applied to determine whether a controller or processor's processing fell within the scope of the UK GDPR. But that has not been tested yet.