France: CNIL dismisses application of GDPR to US-based company
Nana Botchorichvili of IDEA Avocats reports on the investigation into Lusha Systems by the CNIL, which concluded that the company’s browser extension is not subject to the GDPR in France.
On 20 December 2022, France’s DPA, the CNIL, issued a decision stating that the GDPR does not apply to the processing of personal data by Lusha Systems Inc. This is a US-based company offering its clients in France a browser extension which enabled them to find out business contact details (phone number, e-mail address) of persons registered on LinkedIn or the Salesforce.com CRM platform(1).
The decision shows that the GDPR’s extraterritorial scope (Article 3.2) might not be as far-reaching as some may have feared, at least according to the CNIL. At the same time, the case raises questions as to what can be regarded as “monitoring of behaviour” of individuals in the EU, which is one of the conditions triggering the application of the GDPR to non-EU based companies.
International Report subscribers, please login to access the full article
If you wish to subscribe, please see our subscription information.