UK High Court Sets High Bar for Extraterritorial Application of GDPR

January 25, 2021

The United Kingdom's High Court of Justice, in the case of Soriano, determined there was no real prospect of success on the merits in a case seeking extraterritorial applicability of the EU's General Data Protection Regulation to a U.S.-based publication that had a significant UK readership for certain of its posts.

The court focused on the Article 3.2 concept of "related to," holding that the website's "offering of products and services to individuals in the EU" via participation donation via an app is not "related to" the website's core activity (journalism) and that neither is the website's "monitoring and tracking of individuals in the EU" via cookies and trackers placed on its website.

Article 3.1: 'Establishment in the EU'

"Less than a handful of UK subscriptions to a platform which solicits payment for services on an entirely generic basis, and which in any event can be cancelled at any time, does not amount to arrangements which are sufficient in nature, number and type to fulfil the language and spirit of article 3.1 and amount to being 'stable,'" the court said in its ruling.

Key Points:

  • A branch is not necessary but it is important that the company does not have any representatives or employees in the EU.
  • If your endeavor is not oriented toward the EU in any relevant respect, the fact that you have a not-insignificant number of users/customers is not enough.
  • For a website, the fact that the content is of interest to UK/EU readers is not relevant.
  • The EU citizenship of the owner of a non-EU enterprise is not relevant.
  • Donations being sought in EU currency are not enough.
  • The fact that the website has a store that accepted shipping addresses in the EU is not enough.

Article 3.2(a): 'Offering of goods or services to individuals in the EU'

"There is nothing to suggest that the company is targeting the EU as regards to its goods or services," the court said in its opinion.

Key Points:

  • You must demonstrate that the offering of goods and services is related to the company's core activity. This is broader than the term "in the context of."
  • The fact that the UK/EU is a potential shipping destination for merchandise in the absence of actual purchases (other than one baseball cap) does not fulfil the requirements.
  • It's not enough to show that a company may have carried out some processing related to the offering of goods and services in the EU or that such processing may have been in the context of the company's core activity.

Article 3.2(b): 'Monitoring or tracking the behavior of individuals in the EU'

Having targeting cookies is not enough to determine that a company's core activity is "monitoring or tracking" for the purpose of jurisdiction.

Key Points:

  • There is an arguable case that use of cookies and trackers is for the purpose of behavioral profiling or monitoring in the context of directing advertising content.
  • However, use of cookies having nothing to do with the core activity in question (in this case, journalistic content), not "related to" it, can't be used to tack on jurisdiction on the monitoring prong.

Odia Kagan is a partner in the firm's Privacy & Data Security Practice and Chair of the GDPR Compliance & International Privacy Practice.