UK court: Long arm of GDPR can't reach California*

Image my composite of Atlantic Ocean by Tentotwo CC BY-SA 3.0

and "hand reach" from Pixabay by ArtsyBee, licensed

*[UPDATE, Jan. 30, 2022:] On December 21, 2021, the Court of Appeal allowed service on U.S. defendants without ultimately resolving the GDPR territorial scope question.  Read more from Paul Kavanaugh, Dylan Balbirnie, and Madeleine White at Dechert LLP.]

A High Court ruling in England limited the long-arm reach of European (now British) privacy law in a suite of tort claims against Forensic News, a California-based web enterprise doing "modern investigative journalism."

The complainant is a security consultant investigated by Forensic News and a witness in the U.S. Senate Intelligence Committee probe into Russian interference in the 2016 U.S. elections.  A British national, he accused Forensic News of "malicious falsehood, libel, harassment and misuse of private information," the latter based on violation of the British enactment of the European General Data Protection Regulation (GDPR).

The extraterritorial reach of the GDPR has been a hot topic lately in privacy law circles, as U.S. companies struggle to comply simultaneously with foreign and burgeoning state privacy laws, such as the California Consumer Privacy Act (CCPA).  

Forensic News has no people or assets in the UK, but the complainant tried to ground GDPR application in the news organization's website, which accepts donations in, and sells merch for, pounds and euros.  No dice, said the court; it's journalism that links Forensic to the plaintiff and to the UK, not the mail-order side show.

The case is Soriano v. Forensic News LLC, [2021] EWHC 56 (QB) (Jan. 15, 2021).  Haim Ravia, Dotan Hammer, and Adi Shoval at Pearl Cohen have commentary.