EWCA - Soriano v Forensic News LLC & Ors
|EWCA (UK) - Soriano v Forensic News LLC & Ors|
|Relevant Law:||Article 3(1) GDPR|
Article 3(2)(b) GDPR
|Parties:||Walter Tyvi Soriano|
Forensic News LLC
|National Case Number/Name:||Soriano v Forensic News LLC & Ors|
|European Case Law Identifier:|
|Appeal from:||EWHC (UK)|
Soriano v Forensic News LLC & Ors
|Original Source:||BAILII (in English)|
|Initial Contributor:||Frederick Antonovics|
The Court of Appeal ('CA') allowed a cross-appeal by a businessman whose data protection claim, amongst others, was originally rejected by the High Court, and notably held that an online newspaper which had Patreon subscribers paying in Sterling and Euro could be considered to have an 'establishment' in the UK and EU under Article 3(1) GDPR.
English Summary[edit | edit source]
Facts[edit | edit source]
Note: A range of claims were made in this case, but only the facts relevant to the data protection claim are considered here.
This case is an appeal by the claimant in Soriano v Forensic News LLC & Ors  EWHC 56 (QB), who brought claims against the defendants under libel, misuse of private information, data protection, malicious falsehood, and harassment. The judge in this case allowed the claimant to pursue his claims in libel and some of the claims in misuse of private information, but he did not allow the bulk of the claims in misuse of private information, and any claim in data protection, malicious falsehood, or harassment. The defendants appealed the claims the judge allowed. The claimant cross-appealed, "arguing that he should also have been allowed to pursue the claims in data protection and malicious falsehood."
The appellant in this case is Walter Soriano, a businessman with ties to several governments. He was the subject of a series of 8 publications by the respondents, namely the owners of and contributors to Forensic News, which owns and operates an investigate journalism publication, and a blogger. The company's work is freely available and it is funded through "a mix of sources, including subscriptions, donations, merchandise sales and advertising revenue." Interestingly, all of the defendants were established or lived in the US.
Holding[edit | edit source]
The claimant originally alleged that the defendants acted as data controllers of his personal data and violated Articles 5(1)(a), 10, and 44 GDPR. For example, he alleged that one of the publications by Forensic News "bore the defamatory imputation that the claimant was 'guilty of receiving illegal kickbacks and other corrupt payments from the Russian state under the façade of security consultancy work for Sochi Airport during the Olympic Games held in 2014'." A further claim under Article 5(1)(d) GDPR alleged that this publication "was inaccurate because he 'did not receive any kickbacks or illegal payments from the Russian state in relation to the Sochi airport contract'."
Jurisdiction[edit | edit source]
First, the Court had to determine whether the GDPR was applicable in this case, as the data protection claims were brought on the basis that the processing of which he complained fell within the ambit of Article 3 GDPR. In other words, could Forensic News be considered to have an 'establishment' in the UK?
The judge at first instance rejected this argument, holding that the claims failed the 'Merits Test'. He held that:
- The claimant had failed to demonstrate a real prospect of showing that his claims fell within the territorial scope of the GDPR, as defined by Article 3.
- The fact that the defendant had no branch or subsidiary, employees or representatives in the UK was relevant but not only of marginal relevance.
- The test to determine the applicability of Article 3(1) GDPR to be "whether, taking the claimant's case at its reasonable pinnacle … he has the sufficient makings of an argument on 'stable arrangements' to enable him to pass through the merits portal". The claimant argued that the defendant soliciting UK citizens to subscribe to the news outlet's Patreon amounted to such a 'stable arrangement', but the judge found that this argument failed as it was based on "less than a handful of UK subscriptions to a platform which solicits payment for services on an entirely generic basis and which in any event can be cancelled at any time".
- It was not realistic that the claimant could prove that the processing activities complained of were "related to … the offering of goods or services … to such data subjects in the Union" within the meaning of Article 3(2)(a) GDPR, as the defendant was not targeting the UK for this purpose.
Thus, he held that there was no tenable case that the defendants had an "establishment" within the meaning of Article 3(1) GDPR in the EU and that it was therefore unnecessary to consider whether the processing at issue was "in the context of" any activities of such an establishment.
On appeal, the claimant contended that, contrary to the Judge's conclusions, he had an arguable case that the GDPR applied to the conduct complained of. He put forward three principal grounds of challenge:
- That the maintenance of a website which "specifically and successfully solicit[ed] subscriptions in GBP and EUR from readers and subscribers in the UK and EU" arguably amounted to a "real and effective activity – even a minimal one – exercised under stable arrangements". In other words, the Patreon subscriptions satisfied Article 3(1).
- That Article 3(2)(a) was arguably satisfied on the basis that the two activities in question, namely (i) the maintenance of the website offering goods and services to data subjects in the UK and EU and (ii) the journalistic processing of the claimant's personal data were "related to" one another.
- That Article 3(2)(b) could be satisfied on the footing that the journalistic processing complained of was "related to" the "monitoring of [the claimant's] behaviour" insofar as that behaviour took place within the EU.
The CA determined that the issue was "whether it [was] shown that the Judge was wrong to hold that the claimant's case on the three grounds [it had] identified failed the Merits Test." It highlighted that "there is no authority that assists directly on the meaning and effect of Article 3(1) [GDPR], nothing other than the EDPB Guidelines to help us with Article 3(2)" GDPR and that this was the first case in the EU on the territorial applicability of the GDPR under that provision. As such, it in turn assessed Article 3(1) and 3(2) GDPR, focusing on the meaning of the notions of 'establishment' and 'related to' respectively.
Article 3(1)[edit | edit source]
The CA judge first held that it was indeed arguable that the defendants had an "establishment" in the EU. It based this assessment on CJEU judgments which it deemed to have "set a low bar". It considered "a critical consideration" to be whether the data controller or processor envisaged offering services to data subjects in one or more Member States in the Union, and found that the defendants to have done "more than merely making their journalism accessible over the world wide web." It held that the three Patreon subscriptions in sterling and three in Euros that the company secured from the UK and EU could constitute "stable arrangements" within the meaning of Article 3(1) GDPR.
Article 3(2)[edit | edit source]
The CA approached this question "on the footing that Article 3(2)(a) GDPR applies to the processing of personal data of data subjects who are in the Union whether or not they are the same individuals as those to whom the goods or services are offered, providing the two activities are "related to" one another." It found that "on no reasonable view [was] the journalistic processing of which the claimant [complained] "related to" the offer of goods to data subjects within the Union." Such an approach to the interpretation of Article 3(2)(a) GDPR "would give it a breadth and scope beyond what is indicated by the words used and the Guidelines." . It nonetheless considered it "arguable that the journalistic processing complained of was "related to" an offer made by the defendants to data subjects in the Union to provide them with services in the form of journalistic output."
It also held it "arguable that the case falls within Article 3(2)(b) GDPR." It gave the example of "a more compelling case under Article 3(2) [GDPR constitutes] someone who uses the internet to collect information about the behaviour in the EU of an individual who is in the EU, and then assembles, analyses and orders that information for the purposes of writing and publishing an article about that behaviour in (among other places) the EU is thereby engaging in "… the monitoring of [the data subject's] behaviour … within the Union" within Article 3(2)(b)." It held that the publication of personal data clearly is therefore a form of "processing" and that it follows that the GDPR applies in such a case on the footing that publication amounts to a "processing of personal data of [the data subject]" which is "related to" the monitoring.
It concluded that as these issues seemed to need "further and definitive consideration in this case", the ICO should be invited to consider intervening to assist it.
Comment[edit | edit source]
This is the first appellate court decision to consider the territorial scope of the GDPR, and it will be interesting to see whether it will be endorsed by European courts in future proceedings.
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the English original. Please refer to the English original for more details.