[2025] UKUT 319 (AAC)

There is one domestic appellate authority that considers the proper interpretation of Article 3(2) of the GDPR. In Soriano v Forensic News LLC and others [2021] EWCA Civ 1952, [2022] QB 533 (“Soriano”), the claimant had joint Israeli and British citizenship and was domiciled in the UK. He brought a defamation claim against five defendants domiciled in the United States of America. The first defendant was a Californian corporation that owned and operated a news publication via a website, Twitter account, Facebook page and podcasts. The second to fifth defendants were journalists who contributed to the first defendant’s website. The claim related to online articles and social media posts published by the defendants that referred to Mr Soriano in unflattering terms.

The issue before the court was Mr Soriano’s application for permission to serve the claim on the defendants outside the jurisdiction, in relation to which an applicant has to show (amongst other criteria) that the claim has a real, as opposed to a fanciful, prospect of success. The judge granted the opposed application in part. On appeal to the Court of Appeal, Mr Soriano cross-appealed against the first instance judge’s refusal to allow service of his claims in data protection and malicious falsehood. The former of these challenges required the Court of Appeal to consider issues about the territorial scope of the GDPR.

The GDPR applied in the case because Mr Soriano brought his claim before 31 December 2020, when the post-Brexit transition period came to an end and the GDPR ceased to apply directly. Warby LJ, with whom the rest of the Court agreed, explained that the Court of Appeal’s decision was not merely of historic interest, because the claim extended to processing after 31 December 2020, some of the continued processing had taken place in the EU and the content of the GDPR had been adopted, with appropriate amendments within UK law, as the UK GDPR (see [73] of the judgment). Mr Soriano brought his claim on the basis that the data processing about which he complained fell within the ambit of Article 3 of the GDPR in terms of territorial scope.

At [77] to [78], Warby LJ addressed the meaning of Article 3(1). At [78], he explained that the jurisprudence relating to this part of the Directive was summarised by the European Data Protection Board (“EDPB”) in its guidelines (3/2018) on the territorial scope of the GDPR (Article 3) (version 2.1 – revised formatting on 07 January 2020) (“the EDPB Guidelines”), which he indicated are not binding, but relevant.

At [82] of Soriano, Warby LJ referred to page 20 of the EDPB Guidelines concerning Article 3(2)(b) (see [119] below) describing this as providing “some assistance”. At [100] to [104], Warby LJ analysed Article 3(2). He approached the issue on the basis that Article 3(2)(a) applies to the processing of personal data of data subjects in the Union whether or not they are the same individuals as those to whom the goods or services are offered, providing the two activities are “related to” one another (see [100]). At [101] he concluded that it was arguable that the journalistic processing Mr Soriano complained of was related to an offer made by the defendants to data subjects in the Union to provide them with services in relation to the form of journalistic output.

Turning to Article 3(2)(b), Warby LJ explained that, for similar reasons, it was also arguable that Mr Soriano’s case fell within this provision. Warby LJ rejected the argument that publishing articles containing Mr Soriano’s personal data was itself a form of “monitoring” within Article 3(2)(b) (so as to bring any processing related to the publication within scope). Warby LJ assessed this as artificial and said it distorted the meaning of the word “monitoring” as used in this context (see [102] of the judgment).

Warby LJ identified, however, a more compelling case under Article 3(2)(b), namely that someone who uses the internet to collect information about the behaviour in the EU of an individual who is in the EU, and then assembles, analyses and orders that information for the purposes of writing and publishing an article about that behaviour in (among other places) the EU, would thereby be engaging in “the monitoring of the [data subject’s] behaviour….within the Union” within the meaning of Article 3(2)(b). Warby LJ explained that the publication of personal data is clearly a form of “processing”, and the preparatory activities are plainly integral to that processing. He decided it follows that the GDPR applies in such a case on the footing that publication amounts to a “processing of personal data of [the data] subject” which is “related to” the monitoring (see [102] of the judgment).

Warby LJ assessed this interpretation against Recital (24) to the GDPR and the EDPB Guidelines and concluded it was not fanciful. He observed that the mere fact that the defendants created a collection of personal data relating to Mr Soriano’s behaviour in the EU might not be enough to amount to monitoring. However, what they were alleged to have done was to assemble, analyse, sort and reconfigure such data and then publish the results in articles. Warby LJ considered it arguable that those activities fell within the meaning of “monitoring” and therefore within the scope of the EDPB’s notions of “behavioural analysis and profiling” (see [103] of Soriano).

In Google LLC v Commission nationale de l’informatique et des libertes (CNIL) (Wikimedia Foundation Inc and others intervening) (Case C-507/17 – [2020] 1 WLR 1993) (“Google v CNIL”), the French data protection authority (“CNIL”) served notice on Google, requiring that when granting a request to remove links to certain web pages generated by searching the data subject’s name (a “de-referencing” request), Google had to apply it to links displayed by all versions of its search engines (not just those in France). Google refused to comply with the notice and only removed links displayed by versions of its search engine whose domain name corresponded to an EU member state, although it also proposed blocking internet users accessing search results from an IP address located in the state of residence of the data subject, no matter which domain name extension they used.

CNIL found that Google had failed to comply with its notice and imposed a financial penalty. Google sought annulment of that adjudication and appealed against the financial penalty. The French court stayed the proceedings and referred to the CJEU questions about the territorial scope of de-referencing in light of Articles 12 and 14 of the 95 Directive. Before the CJEU considered the reference, the 95 Directive was repealed, following which the GDPR applied, Article 17 of which contained the right to de-referencing.

As the CJEU indicated at [52], the processing in question was carried out within the framework of Google’s establishment in French territory, so the Court proceeded on the basis that the circumstances fell within the territorial scope of the 95 Directive and the GDPR. As regards the latter, see Article 3(1) of the GDPR at [51] above.As we shall return to in our analysis of Clearview’s reliance on this case, the CJEU was concerned with the territorial reach of the specific provisions in the 95 Directive and the GDPR addressing de-referencing.

The CJEU explained that the objective of the 95 Directive, and the GDPR, was to guarantee a high level of protection of personal data around the EU. At [57] of its judgment, the CJEU expressed the view that in a global world, internet users’ access (including non-EU users’ access) to links to information about a person whose centre of interests is based in the EU, is likely to have immediate and substantial effects on that person. The CJEU stated that these considerations are sufficient to justify the EU legislature having competence to lay down an obligation to de-reference on all the search engine operator’s versions (on request).

However, the CJEU observed that numerous third states do not recognise a right to de-referencing or take a different approach to that right (at [59] of the judgment). It also acknowledged that the right to protect personal data is not absolute, but must be considered in relation to its function in society and be balanced against other fundamental rights so that it is proportionate. The CJEU also commented that the balance between the right to privacy and protection of personal data (on the one hand) and freedom of internet users (on the other), is likely to vary significantly around the world (at [60] of the judgment).

At [62], the CJEU stated that it was not apparent from the wording of Article 12(b) and 14(a) of the 95 Directive (and Article 17 of the later Regulation) that for the purpose of ensuring the objective of the Directive or, as the case may be, the GDPR, the EU legislature would have chosen to give scope beyond the territory of the Member States to the rights protected by the EU legislation. Nor was it apparent that the EU legislature would have intended to impose a de-referencing obligation on Google and equivalent search engine operators that went beyond the EU Member States.

The CJEU also took into account that although the GDPR gives Member State authorities instruments and mechanisms that allow them to co-operate on a cross-border basis within the EU, EU law does not currently provide for these in relation to de-referencing outside the EU.

The CJEU therefore decided there was currently no obligation under EU law for a search engine operator who grants a de-referencing request by a data subject, to de-reference on all versions of its search engine (at [64]).

At [72] of its judgment, the CJEU emphasised that while EU law does not require de-referencing across all versions of the search engine, neither does it prohibit it. Thus, a supervisory or judicial authority of a Member State remains competent to weigh up, in light of national standards of protecting fundamental rights, a data subject’s right to privacy and personal data protection against the rights of freedom of information. The CJEU observed that it remains open to such an authority, after weighing those rights against each other, to order (where appropriate) the search engine operator to de-reference on all versions of its search engine.