Foreign website operators with even minimal business activity in the UK may be subject to the General Data Protection Regulation – Privacy

European Union: Foreign website operators with even minimal business activity in the UK could be subject to the General Data Protection Regulation

To print this article, all you need to do is be registered or log in to

The General Data Protection Regulation (“GDPR”) could apply to foreign website operators who have even a minimal business activity in the UK following the judgment of the Court of Appeal for England and Wales in Soriano v Forensic News LLC et al. [2021] EWCA Civil 1952.

Operators of overseas online platforms, apps and websites that collect information about UK or EU users may need to comply with GDPR data protection obligations and its strict processing principles. data, even if:

  • they have no physical presence in Europe, or

  • their content is not specifically oriented towards European customers,

provided they have any (even minimal) business activity in the UK or EU.

Background: the High Court judgment

The Court of Appeal for England and Wales has overturned an earlier High Court decision regarding the applicability of the GDPR to processing by an operator of a US journalistic website (see our client alert on the decision of the High Court).

In the January 2021 judgment, the first reported decision in the UK and EU on the interpretation of Article 3 of the GDPR, the High Court adopted a narrower interpretation of the territorial scope of the GDPR .

The High Court has suggested that operators of non-EEA and non-UK websites without a physical presence in Europe (such as branches, subsidiaries, employees or other representatives) and whose content is not specifically aimed at European customers (but could nonetheless be viewed by users in Europe), may fall outside the scope of the GDPR, its strict processing principles, obligations, penalties and related privacy claims.

Minimal business activity in the UK/EU can bring you into the scope of the GDPR

The Court of Appeal disagreed with the High Court. Because the US-based website was explicitly soliciting subscriptions in the UK (in pounds sterling) and in the EU (in euros) via a third-party platform, the Court of Appeal held that the Article 3(1) GDPR could apply to the website operator. .

The Court of Appeal noted that even minimal activity (with only three sterling subscriptions and three euro subscriptions in this case) can be “real and effective“and exercised through”stable arrangements” – the requirements set by case law under the old Data Protection Directive (which the GDPR replaced in 2018).

The Court of Appeal also suggested that the operator’s treatment of the US website in Soriano could fall within the scope of Article 3(2) because:

  • the website operator was providing a “service” to UK/EU readers and the journalistic treatment complained of in Soriano was “related to” an offer made by the website operator to UK/EU readers to provide them with the journalistic services (thus falling under Article 3(2)(a) GDPR) ; and

  • the website operator (and its employees) has “monitored” the applicant’s behavior in the UK/EU by collecting information about their behavior, analyzing the information and publishing website articles based on this information, including one which had the applicant’s name in its title (thus falling under Article 3(2)(b) GDPR).

What should foreign website and app operators do?

1. Determine if you are likely to fall within the scope of the GDPR. Does your website or app have any visitors or users in the UK or the EU?

  • If yes, do you have a commercial activity anything in the UK or EU as a result of operating your website or app, for example through online subscriptions, advertising, sales or donations?

  • Or, is your processing of data relating to UK or EU individuals related to the provision of services to UK or EU individuals (e.g. providing online content to users of your website or app)?

  • Or, do you “monitor” the behavior of any UK or EU person (online or offline) in the UK or EU and create content for your website or app based on the information collected?

2. Consider the documentation and processes (if any) you need to have in place to comply with UK GDPR and EU GDPR. For example:

  • Have you reviewed the personal data (if any) you collect about UK or EU individuals?

  • Have you identified the purpose(s) and a legal basis in the GDPR for processing this data?

  • Have you updated (if necessary) your website’s privacy notice to ensure it is compliant with UK GDPR and EU GDPR?

  • Have you considered appointing a UK or EU representative if your processing of EU personal data is not occasional?

What is the relevance of this decision in the UK and the EU after Brexit?

The Court of Appeal decided Soriano under the GDPR as it applied in the UK before the end of the Brexit transition period.

An amended version of GDPR known as “UK GDPR” came into force in the UK at the end of the Brexit transition period on December 31, 2020. The Court of Appeal ruling will continue to stand relevant to decisions of the UK and UK Information Commissioner’s Office. courts under the UK GDPR.

Although EU courts and data protection authorities are not bound by the decisions of UK courts, it is likely that the wider interpretation by the Court of Appeal for England and Wales of Article 3 on the territorial applicability of the GDPR will be considered persuasive by such bodies in any infringement proceedings against non-EU website operators.

Originally published February 3, 2022

Visit us at

Mayer Brown is a global provider of legal services comprised of law firms that are separate entities (the “Mayer Brown Firms”). The Mayer Brown firms are: Mayer Brown LLP and Mayer Brown Europe – Brussels LLP, two limited liability companies established in Illinois in the United States; Mayer Brown International LLP, a limited company incorporated in England and Wales (authorized and regulated by the Solicitors Regulation Authority and registered in England and Wales under number OC 303359); Mayer Brown, a SELAS based in France; Mayer Brown JSM, a partnership of Hong Kong and its associated entities in Asia; and Tauil & Checker Advogados, a Brazilian legal partnership with which Mayer Brown is associated. “Mayer Brown” and the Mayer Brown logo are registered trademarks of Mayer Brown law firms in their respective jurisdictions.

© Copyright 2021. Mayer Brown Practices. All rights reserved.

This article by Mayer Brown provides information and commentary on interesting legal issues and developments. The foregoing is not a complete treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action regarding the matters discussed here.

POPULAR ARTICLES ON: European Union Privacy