If there’s one thing West Side Story teaches us, it’s that there are consequences for offering goods or services to (rumbles, dance challenges) or monitoring the behaviour of (Anybodys, Officer Krupke) people in another territory. The GDPR takes the same long-arm approach to territorial scope, with one key exception: unlike the Upper West Side circa 1955, the gym is not neutral territory.

But nearly three years since being introduced, Art. 3(2) of the GDPR continues to confuse organisations outside Europe – many of which are subject to light-touch data protection laws in their home jurisdictions. It hasn’t helped that the GDPR’s extra-territoriality rules haven’t been tested since May 2018. However, developments in recent weeks show that’s starting to change.      

Development #1. On 15 January, the English High Court issued the first UK judgment on the GDPR’s territorial scope, in Soriano v Forensic News and Others. In addition to dealing with the Art. 79(2) GDPR requirement that the individual bringing proceedings must have their habitual residence in the member state whose courts hear the claim (which Mr. Soriano did), the court considered the application of Arts. 3(1) and 3(2) of the GDPR in some detail.

  • Art. 3(1). Were the defendants (a U.S.-based website without employees or representatives in the UK) “established” in the UK? The court said no: a handful of website subscriptions did not create real and effective activity exercised through stable arrangements, even taking into account the wide concept of “establishment” formulated by the ECJ in Weltimmo.
  • Art. 3(2). Did the defendants offer goods or services to, or monitor the behaviour of, individuals in the UK? Again, the court said no. Although the website is published in English, accepts donations in GBP and ships merchandise to the UK (some of the factors listed by recital 23 of the GDPR to indicate that an organisation may be offering goods or services), the court found that (i) the defendants did not target individuals in the UK, and (ii) the processing in question was not related to their core activities (that is, journalism).
  • Although the court accepted there was an arguable case that website cookies could amount to profiling or monitoring for the purposes of the GDPR, it held that the use of cookies for behavioural advertising was not related to Mr. Soriano’s complaint. That’s generally good news for the many non-UK/EU organisations that drop advertising cookies as a matter of course – but a claim where the use of cookies is more closely linked to a company’s core activities will make for very interesting reading.

Development #2. On 25 January, Max Schrems’s privacy rights group, NOYB, filed two appeals against the Luxembourg regulator for its failure to enforce an individual’s GDPR complaint against two U.S. companies. The regulator had previously said that it couldn’t enforce the companies’ non-compliance because they had no EU presence and had not appointed a representative under Art. 27 of the GDPR. This isn’t the first time we’ve seen a regulator take this position. In 2018, the UK ICO wrote to a U.S. news organisation regarding its practice of denying free access to its website unless visitors consented to the placement of first- and third-party advertising cookies. “We hope that [you] will heed our advice, but if [you] choose not to, there is nothing more we can do in relation to this matter,” the ICO said at the time.

If a law has extra-territorial scope, but it won’t be enforced extra-territorially, does it make a sound? This is new territory for European regulators and courts in the GDPR context and will involve complex conflict of laws, jurisdictional and enforceability issues. I’m tempted to liquidate the GameStop stock I should have bought three weeks ago and wager that this one will go to the ECJ.