The General Data Protection Regulation (“GDPR”) has extraterritorial reach, meaning that many organisations based outside the European Economic Area (“EEA”) and the United Kingdom (in the case of the UK GDPR) must comply with GDPR obligations for personal data processing activities which fall within the territorial scope of Article 3 of the GDPR. However, businesses have been lacking clarity regarding exactly how far GDPR’s extraterritorial reach goes.

The High Court of England and Wales has in Soriano v Forensic News LLC and Others [2021] EWHC 56 (QB) considered the applicability of Article 3 of the GDPR to a US website. The judgment gives some re-assurance to non-EEA and non-UK website operators without physical presence in Europe (such as branches, subsidiaries, employees or other representatives), whose content is not specifically oriented towards European customers but could nonetheless be accessed by users in Europe, that their processing of personal data from users in Europe might be beyond the reach of the GDPR, its strict processing principles, obligations, fines and related privacy claims.

Continue reading.