March 28, 2023

Volume XIII, Number 87


March 27, 2023


CNIL Weighs in On GDPR Applicability to US Company

The French Data Protection Authority capped off 2022 by terminating an investigation into Lusha Systems, Inc.’s compliance with GDPR. CNIL concluded that the law did not apply to the US company’s activities. As many know, since GDPR was passed US companies have been concerned about the extent the law applies outside of the EU: it applies not only to those entities with operations in the EU, but also those outside of the region who are either offering goods or services to people in the EU or monitoring individuals in the EU. Here, CNIL concluded that Lusha was not offering goods or services to those in the EU, nor was it monitoring those in the EU.

The European Data Protection Board has issued guidance and examples on the scope of CNIL. These include “monitoring” situations, perhaps the trickiest fact pattern. However, the guidance gives examples of when GDPR would apply but not situations where it would not apply. The Lusha case is thus helpful to companies as they consider GDPR applicability.

The activities in question surrounded the company’s browser extension, which let users append phone numbers and email addresses to contacts on LinkedIn or Salesforce. To accomplish this, Lusha matched LinkedIn and Salesforce user profiles with contact information it had previously obtained from other users’ address books. (Specifically, users of its browser extension were prompted to share their address book data, the email addresses and phone numbers of which would go into Lusha’s database). Some of those individuals (from the users’ address books) resided in the EU.

In concluding that GDPR was inapplicable, CNIL noted that the users of the service were in the US, not the EU, and thus the services were not offered to EU individuals (even if some EU individuals’ information was being obtained by the service). With respect to the question of monitoring those in the EU, CNIL concluded that the pulling of contact information was not “monitoring.”

Putting it Into Practice

For US companies with no EU operations, this case is a good reminder that simply because your organization has information about EU individuals does not automatically mean GDPR applies. Instead, an analysis needs to be made of the extent to which you are offering goods or services to people in the EU, or are monitoring EU residents.

Kathryn Smith also contributed to this article.

Copyright © 2023, Sheppard Mullin Richter & Hampton LLP. National Law Review, Volume XIII, Number 38

About this Author

Liisa Thomas, Sheppard Mullin Law Firm, Chicago, Cybersecurity Law Attorney

Liisa Thomas, a partner based in the firm’s Chicago and London offices, is Co-Chair of the Privacy and Cybersecurity Practice. Her clients rely on her ability to create clarity in a sea of confusing legal requirements and describe her as “extremely responsive, while providing thoughtful legal analysis combined with real world practical advice.” Liisa is the author of the definitive treatise on data breach, Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as “a no-nonsense roadmap for in-house and...