Listen to this post

The French Data Protection Authority capped off 2022 by terminating an investigation into Lusha Systems, Inc.’s compliance with GDPR. CNIL concluded that the law did not apply to the US company’s activities. As many know, since GDPR was passed US companies have been concerned about the extent the law applies outside of the EU: it applies not only to those entities with operations in the EU, but also those outside of the region who are either offering goods or services to people in the EU or monitoring individuals in the EU. Here, CNIL concluded that Lusha was not offering goods or services to those in the EU, nor was it monitoring those in the EU.

The European Data Protection Board has issued guidance and examples on the scope of CNIL. These include “monitoring” situations, perhaps the trickiest fact pattern. However, the guidance gives examples of when GDPR would apply but not situations where it would not apply. The Lusha case is thus helpful to companies as they consider GDPR applicability.

The activities in question surrounded the company’s browser extension, which let users append phone numbers and email addresses to contacts on LinkedIn or Salesforce. To accomplish this, Lusha matched LinkedIn and Salesforce user profiles with contact information it had previously obtained from other users’ address books. (Specifically, users of its browser extension were prompted to share their address book data, the email addresses and phone numbers of which would go into Lusha’s database). Some of those individuals (from the users’ address books) resided in the EU.

In concluding that GDPR was inapplicable, CNIL noted that the users of the service were in the US, not the EU, and thus the services were not offered to EU individuals (even if some EU individuals’ information was being obtained by the service). With respect to the question of monitoring those in the EU, CNIL concluded that the pulling of contact information was not “monitoring.”

Putting it Into Practice: For US companies with no EU operations, this case is a good reminder that simply because your organization has information about EU individuals does not automatically mean GDPR applies. Instead, an analysis needs to be made of the extent to which you are offering goods or services to people in the EU, or are monitoring EU residents.