Territorial application of the EU’s Data Protection Regulation
By Tabacks Regulatory Team
This article is the first in a series looking at the reach, and the limits, of various data protection regimes that may affect the activities of businesses based in South Africa and doing business in other countries, as well as businesses based elsewhere doing business with South African customers and suppliers.
A recent decision of the England and Wales High Court has provided companies outside the European Union with some much-needed guidance on the territorial scope of the European Union’s General Data Protection Regulation (“GDPR”) and whether they are subject to the GDPR’s stringent data protection requirements and its territorial jurisdictional reach.
In a recent judgment, the Queen’s Bench Division of the Court considered how the territorial scope of the GDPR applied to a business not established in the EU. The High Court's consideration of the territorial scope of the GDPR was of major relevance to businesses not based in the EU.
One of the issues the court had to decide was whether the Claimant, Walter Soriano, could pursue a data protection claim that he had brought against Forensic News LLC (a company based in the USA), five journalists and a blogger in a trial before the London court. In order to decide the issues, the court had to consider the territorial reach of the GDPR.
The claims were based on allegations made against Soriano, which were included in a number of Forensic News publications. The allegations were published before the end of the transition period of Brexit, in other words, at a time when Britain was still a part of the EU. The court ruled that Soriano had no arguable case under the GDPR on the grounds that the provisions of the GDPR did not apply to Forensic News. The findings of the court in relation to data protection claims shed some light on interpreting the territorial jurisdiction of the GDPR.
Application of GDPR
There are two ways in which the GDPR can apply to processing of personal data by organisations:
First, in terms of Article 3.1, it applies if the processing of personal data takes place in the context of activities of an establishment of a controller or a processor in the EU, regardless of whether the processing takes place in the EU or not.
Second, in terms of Article 3.2, it applies to the processing of personal data of data subjects who are in the EU by a controller or processor not established in the Union, where the processing activities are related to:
(a) the offering of goods or services to such data subjects in the Union, irrespective of whether a payment by the data subject is required; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
The Court in its judgment considered these provisions of the GDPR. The Court analysed how the concept of “establishment” had been considered by the Court of Justice of the EU (“CJEU”) and in guidance produced by the European Data Protection Board.
The CJEU had confirmed that the presence or absence of a branch or subsidiary does not determine whether an entity is 'established' in the EU. In paragraph 52, the Court stated the following:
“The CJEU held that (1) the absence of a branch or subsidiary was not the determining factor (para 28), (2) the test for "establishment" would be satisfied if there was "any real and effective activity – even a minimal one – exercised through stable arrangements" (para 31), and (3) "both the degree of stability of the arrangements and the effective exercise of the activities in that other Member State must be interpreted in the light of the specific nature of the economic activities and the provision of services concerned".”
The Court found that Soriano had failed to show, as required by case law, that Forensic News’s activities in the EU (soliciting donations in Sterling and in Euro; a "store" with its own branded merchandising, accepting shipping addresses in the UK; and a subscription platform, from readers in the UK and the EU) amounted to arrangements which were sufficient in nature, number and type to satisfy the language and spirit of Article 3.1 and amounted to "stable arrangements".
The Court went on to say that Soriano had failed to demonstrate adequately that the supply of products and services by Forensic News in the United Kingdom was connected to its core journalism operation, as was necessary to fulfil the criteria of Article 3.2(a). In this regard, the Court held that there was nothing to indicate that the United Kingdom was targeted by Forensic News with respect to the products and services it provided.
Lastly, the Court further rejected Soriano's claims that Article 3.2(b) related to the core activities of Forensic News. The Court said that although Soriano had an arguable case that Forensic News’s use of cookies was for the purpose of behavioural profiling or monitoring, it was not done for the purpose of investigative journalism but purely in the context of directing advertisement content.
The Judge said the following in this regard:
“There is no evidence that the use of cookies has anything to do with the 'monitoring' which forms the basis of [Soriano's] real complaint: [Forensic News'] journalistic activities have been advanced not through any deployment of these cookies but by using the internet as an investigative tool.
In my judgment, that is not the sort of 'monitoring' that Article 3.2(b) has in mind; or, put another way, the monitoring that does properly fall within this provision – the behavioural profiling that informs advertising choices – is not related to the processing that [Soriano] complains about (assuming that carrying out research online about [Soriano] amounts to monitoring at all).”
The judgment in this case confirms the principle that a claimant seeking to apply the provisions of the GDPR to any particular organisation or activity must satisfy the strict jurisdictional requirements of Article 3.