Operators Of Overseas Websites With Even A Minimal Commercial Activity In The UK Might Be Subject To The General Data Protection Regulation

• Published date: 07 February 2022
• Subject Matter: Privacy, Data Protection, Privacy Protection
• Law Firm: Mayer Brown
• Author: Mr Oliver Yaros and Ondrej Hajda

The General Data Protection Regulation ("GDPR") might apply to operators of overseas websites that have even a minimal commercial activity in the UK following the judgment of the Court of Appeal of England and Wales in Soriano v Forensic News LLC and Others [2021] EWCA Civ 1952.

Operators of overseas online platforms, apps and websites that collect information about UK or EU users might need to comply with the data protection obligations in the GDPR, and its strict data processing principles, even if:

• they have no physical presence in Europe, or
• their content is not specifically oriented towards European customers,

provided that they have some (even minimal) commercial activity in the UK or the EU.

Background: the High Court judgment

The Court of Appeal of England and Wales has overturned an earlier decision of the High Court about the applicability of the GDPR to a processing by an operator of a US journalistic website (see our client alert about the High Court decision).

In the January 2021 judgment, the first reported decision in the UK and the EU on the interpretation of Article 3 of the GDPR, the High Court adopted a narrower interpretation of the territorial scope of the GDPR.

The High Court suggested that non-EEA and non-UK website operators without physical presence in Europe (such as branches, subsidiaries, employees or other representatives), and whose content is not specifically oriented towards European customers (but could nonetheless be accessed by users in Europe), might be beyond the reach of the GDPR, its strict processing principles, obligations, fines and related privacy claims.

Minimal commercial activity in the UK / EU can bring you in scope of the GDPR

The Court of Appeal disagreed with the High Court. Because the US-based website explicitly solicited subscriptions from within the UK (in pounds sterling) and the EU (in euros) via a third-party platform, the Court of Appeal considered that Article 3(1) GDPR might apply to the website operator.

The Court of Appeal noted that even a minimal activity (with only three subscriptions in pounds sterling and three subscriptions in euros in this case) can be "real and effective" and exercised through "stable arrangements" - the requirements set out in the case law under the old Data Protection Directive (which the GDPR replaced in 2018).

The Court of Appeal also suggested that the processing by the US website operator in Soriano might fall within the scope of Article 3(2) on the basis that:

...