When the General Data Protection Regulation1 (GDPR) came into force throughout the European Union nearly three years ago, one of its most eye-catching features was its extraterritorial jurisdiction provisions. These extend the reach of the GDPR to businesses located outside the European Union who offer goods or services to EU residents or who monitor the behavior of EU residents.2
Under the threat of becoming liable for a breach of the GDPR and potential fines of up to €20m or four percent of global turnover (whichever the higher), many businesses based in the United States and other locations outside the European Union have simply taken a stance of refusing to deal with EU residents, including taking measures such as geo-blocking websites to EU-based visitors. Other businesses, in the United States and elsewhere, have found themselves contemplating whether they might be subject to the GDPR and how to react merely because they have made a new EU-based business connection, acquired the contact details of a potential customer in the European Union, or even become aware that an employee at a customer organization had moved to the European Union.
A court in the United Kingdom has now considered the limits of extraterritorial jurisdiction of the GDPR, which may provide some reassurance to overseas businesses that limited contact with EU residents via a website may not necessarily lead to them being subject to the GDPR.
In the recent case of Soriano v Forensic News,3 the High Court of England and Wales looked at the extent to which the U.S.-based news website defendant, Forensic News, could be regarded as being subject to either limb of the GDPR’s jurisdiction provisions in relation to its processing of the personal data of the UK-resident claimant as part of its journalistic activities. The facts of the case derive from the period prior to Brexit and the end of the transition period, while the United Kingdom was still subject to EU law, and therefore, the court applied the EU version of the GDPR and related jurisprudence and guidance.
The GDPR’s jurisdiction provisions are set out in Article 3 and have two elements: (1) an organization is “established” in the European Union for the purposes of the GDPR, or (2) the extraterritorial jurisdiction provisions, which apply when an organization located outside the European Union offers goods or services to EU residents or monitors their behavior. Although the main purpose of the Soriano case was to decide on whether the United Kingdom was the appropriate forum in which to litigate a range of other potential claims, including defamation, malicious falsehood, harassment, and misuse of private information, its interpretation of the jurisdiction of the GDPR is significant because it is one of the few judicial authorities that have been handed down on this issue so far.