On January 15, the High Court of England and Wales issued a decision in Soriano v. Forensic News LLC interpreting and applying Article 3 of the EU General Data Protection Regulation — the provision that gives the EU's strict data protection law its extraterritorial reach and sets it apart from similar laws around the globe.
Despite the fact that we are approaching three years since the GDPR took effect, until Soriano, no data protection authority or court had seemingly been called on to interpret Article 3, leaving non-EU/U.K. businesses with only limited, pre-GDPR, authority to consult when assessing whether and when the regulation applies to their processing activities.
Considering that GDPR-regulated entities failing to comply with the regulation's strict data protection rules can be held liable to the tune of up to a whopping 4% of global annual turnover, the real-world insight into when and whether judges will apply the GDPR to the data-processing activities of companies outside the EU and the U.K. that Soriano provides should be welcomed by companies and privacy practitioners alike.
Now would be a good time for entities with a presence in the U.K. or the EU, no matter how limited, to reassess in-house, or with outside counsel, the GDPR risks their data-processing activities create.