In Soriano v Forensic News LLC and Others EWHC 56 (QB), the High Court found, in January 2021, that the processing of a British citizen and resident’s personal data by the defendants (a US publisher, some journalists and a blogger, who all made allegations about Mr Soriano in a series of publications including a podcast) did not breach EU data protection laws, as those laws did not apply to them.
Even though there was evidence of a UK readership, the Court held that it was of “marginal relevance” to the question of whether a publisher’s activities were subject to the GDPR, and that there was nothing to suggest that Forensic News was targeting the UK as to its goods and services (the possible recorded sale of one baseball cap to a UK buyer notwithstanding). The Court allowed the libel and misuse of private information aspects of Mr Soriano’s claim to continue but said that he had “no arguable case under the GDPR” (as well as dismissing claims of malicious falsehood and harassment).
You can read the Court’s full judgment here.
However, in summary, the Court’s views in this case, including as to the geographical application of the GDPR, establish three main takeaway points for all businesses:
- although in this case the High Court was considering the (then applicable to the UK) EU law’s application to US persons (the defendants), now that the UK has left the EU, similar potential situations may arise as to UK businesses’ activities in the EU (and vice versa under the UK GDPR which now carries on the approach of the EU GDPR);
- the Court decided that the placement of cookies for the purpose of behavioural advertising did not amount to the monitoring of behaviour of EU citizens, contrary to what Soriano’s lawyers had argued, which may be of some reassurance to data controllers operating businesses online; and
- UK businesses active in the EU market in the post-Brexit landscape should carefully analyse to which supervisory authority any notification should be made in the event of a data breach. It may be appropriate for both the ICO (in the UK) and the relevant European supervisory authority to investigate in parallel.
Earlier this month, the European Data Protection Board (EDPB) published new draft guidelines on examples regarding data breach notification. You can see the EDPB’s existing guidelines on personal data breach notification here and the newly published draft guidelines on examples regarding data breach notification here; the draft guidelines are open to public consultation until 2 March 2021.
If your business has any data protection concerns, we’d be happy to help.