UK/US data protection claim highlights ambiguity of GDPR’s geographic scope

A data protection claim against US defendants highlights the uncertainty surrounding the territorial limits of the GDPR.


A decision by the UK Court of Appeal to allow a claim for contravention of the European Union’s General Data Protection Regulation (GDPR) to be served against US defendants has raised questions over the territorial limits of the regulations. The case emphasizes the broad geographic applicability of both the EU GDPR and the UK GDPR, and the interpretations of that applicability that exist. The UK Court of Appeal suggested that the UK’s independent information rights authority, the Information Commissioner’s Office (ICO), should assist in the case.

UK Court of Appeal allows GDPR claim against US news outlet

Soriano v Forensic News LLC is believed to be the first EU/UK claim on the territorial scope of the GDPR under Article 3(2). The claimant, Walter Soriano, a naturalized British citizen since 2009, commenced proceedings against US news outlet Forensic News and certain connected persons domiciled in the US.

Soriano made claims under data protection law after the defendants published a series of articles and social media posts making several “unflattering” allegations about him. Under UK law, court permission is required to serve a claim outside of the nation’s jurisdiction, unless defendants agree to be served. In this case, the court had to decide whether the claimant’s allegations had a genuine prospect of success subject to Articles 3(1), 3(2)(a), and 3(2)(b) of the GDPR, rather than reaching a definitive conclusion on the territorial remit of the regulations.

The news came in the same week as it was revealed that European data protection authorities have issued GDPR fines totaling €1.1 billion ($1.2 billion) since January 28, 2021.

Case highlights ambiguity of the GDPR’s geographic scope

The case shines a light on continuing uncertainty regarding the geographic applicability of the GDPR. “Of particular note is the weight the court suggested must be given to an intention to offer goods/services to EU/UK individuals when considering whether a data controller has an ‘establishment’ in the EU/UK,” wrote law firm Dechert LLP.

Many businesses that offer goods/services to data subjects in the EU/UK from abroad may be deemed to have an establishment in the EU/UK and may therefore need to comply with the GDPR not only in relation to the data of their EU/UK customers, but also any other individuals whose personal data is processed in relation to that establishment (such as staff), it added. The court also noted a need for “further and definitive consideration” of the issues and stated that the UK Information Commissioner should be invited to participate in the case.

Speaking to CSO, Egress data protection officer Kevin Tunison says it is important to note that the case was brought before the UK’s departure from the EU, so the precedent would be set against EU GDPR, and not necessarily UK GDPR. “This could limit the concern regarding territorial scope, at least in UK courts. However, this case does reassert that an EU citizen, while on EU soil, has those activities protected. That is how GDPR is intended to operate, but it is the first time that it has been tested in the courts. The judge has also suggested that the ICO intervene to consider assisting the court, so we could see ICO involvement due to the complexity of the case.”

The progression of the case will no doubt be interesting to watch, as it could shift or clarify Article 3.2, which defines the territorial scope of EU GDPR, Tunison adds. “If Article 3.2 is altered, it may cause other legal challenges in other courts regarding sovereignty of non-EU nations. This could result in a backlash from the perceived over-reach of EU legislation.”

Copyright © 2022 IDG Communications, Inc.
